Joomla Security

Security in Joomla! Ruth Cheesley Suffolk Computer Services [email_address]

Security in Joomla
What do we mean by “security”?
Why bother?
What can I do to keep my sites secure?

A balancing act?

What is Security?
Authorised Access to data & files
Prevention of malicious attacks & unauthorised access via
SQL/Command Injection
Insecure passwords
OS vulnerabilities
Software vulnerabilities
Buffer Overflow
ETC!

Why Bother?

Legal issues
Data Protection Act 1998
Anyone who processes your information must comply with 8 principles, including
Data must be kept securely
Heavy penalties for not taking appropriate measures to safeguard your data
No test cases for Joomla! sites yet.....

Professionalism
Embarrassing and harmful to organisations’ image
The “Fear Factor”

Why target Joomla?
Very popular Content Management System
Lots of “inexperienced” users
Lots of less-than-ideal security practices server-side

How to keep my sites secure?
ALWAYS get your installation files direct from Joomla.org
Use reputable hosting providers – make sure all PHP settings are “Green”
ALWAYS check vulnerability list before installing extensions (esp. obscure ones!)
ALWAYS keep up to date with patches for Joomla and for ALL extensions (use mailing lists, etc)

Finding a reliable host
Consider your requirements
Shared v Dedicated Hosting
Patching of servers (should be on PHP 5 & mySQL 5 at least
Backup & redundancy
Customer support 24/7 is VITAL

THOU SHALT BACK UP!
Backups made as frequently as your site requires
Back up files AND database OFF SITE
ALWAYS back up prior to any upgrade – of ANYTHING!

What to do now?
Create a new Super Administrator & delete original one (id 62)
Hide your administrator URL (jSecure)
Change your default admin username
Ensure system passwords are very strong (hosting a/c, database user, ftp, site admin)

Must Read
Security Checklist - http://docs.joomla.org/Security_Checklist_1_-_Getting_Started
Joomla Security News - http://developer.joomla.org/security/news.html (subscribe at http://developer.joomla.org/security/news.html )

Tools to help
jSecure – hides your administrator page http://www.joomlaserviceprovider.com/
LazyBackup 2 – emails a daily mysql dump http://www.lazybackup.net/
EasySpamKiller – protects your site against attacks from known IP’s http://projects.easy-joomla.org/projects/easyspamkiller.html

Joomla Security

by Virya Technologies Ltd. on Sep 21, 2009

Accessibility

Upload Details

Usage Rights

3 Embeds 5

Statistics

Joomla Security — Presentation Transcript

http://www.slideshare.net	2
http://www.suffolkcomputerservices.co.uk	2
http://www.lmodules.com	1