Securing Your Joomla Website
Securing Your Joomla Website

Securing Your Joomla Website - By Mike Carson www.joomlashowroom.com - Joomla Day New York City December 5th, 2010


Published in: Technology
1 Comment
  • One of the very best presentations I've ever seen. Thanks, Mike.
  • Changing this prefix will prevent most exploits. If your site is already set up you can use a tool called “EasySQL” to change your current database prefix. Creating a new super administrator will also create a new user ID. Hackers already know 2/3rds of your original Super Admin information: they know the Username and User ID. They only need to figure out your Password. Turning off the editor site wide in the global configuration will prevent front end users from uploading and manipulating files from the front end. Just select NO EDITOR from the dropdown list.
  • Transcript

    • 1. Securing Your Joomla Website
      Mike Carson
      http://joomlashowroom.com
      Joomla! Day New York City, December 4th & 5th, 2010
    • 2. Is Joomla Secure?
      YES! Joomla is 100% Secure.
      Until you install it on a server
    • 3. Why Worry?
      Because Joomla doesn’t come with a Trunk Monkey.
    • 4. What Can I Do?
      Understand that security is a layered approach
      Select a proper hosting company
      Follow best practice guidelines
      Use the tools that are available
      TAKE IT SERIOUSLY!
      MAKE IT MANDATORY!!!
    • 5. Initial Steps
      Change the jos_ database prefix
      Remove the Admin user
      Turn OFF the WYSIWYG editor
      Subscribe to the Joomla Security Updates list
    • 6. Let’s Talk Tools
      Security starts at home
      Use good anti-virus software like Kaspersky
      Use a password generator/manager: Keepass.info or keepassx.org
      Browser updates
      Operating system updates
      Use secure SFTP tools: WinSCP, Filezilla, Dreamweaver, Putty SSH
    • 7. Quality Joomla Hosting
      Cloudaccess.net
      Rochenhost.com
      Plexicloud.com
      1and1.com
      Simplweb.com
      Stay away from godaddy.com, siteground.com, dreamhost.com, Yahoo Web Hosting
      General rule of thumb: You get what you pay for!
    • 8. Permissions
      Use proper permissions on files and directories.
      They should never be 777
      What they should be:
      Files = 644
      Directories = 755
    • 9. Akeeba Backup
      Akeeba Backup
      Akeebabackup.com
      2 versions to choose from (Core and Pro)
      Backup your entire site and its database with a single click
      Automatic Backups (Cron and Cron-less)
      Offsite Backups to S3, Dropbox, Rackspace, FTP
      Test your backups once in a while
    • 10. Akeeba AdminTools
      Akeeba Admin Tools Pro – Akeebabackup.com
      Integrated Joomla Updater
      Web Application Firewall IP Whitelist/Blacklist, Bad Words Filter, Security Exceptions Log
      Htaccess File Maker – Experts ONLY!
      Permissions Fixer
    • 11. Other Admin Security Tools
      Jsecure Plugin - joomlaserviceprovider.com
      JomDefender – corePHP.com
      JooReCapchta - joomla.stefysoft.com
      sh404sef – dev.anything-digital.com
      Secure Live – securelive.net
      PHP Security Suite - opensource-excellence.com
    • 12. Additional Suggestions
      Completely remove unused extensions
      Leave FTP File Layer disabled
      From the Joomla administrator area make sure the Register Globals is set to off
      Avoid using PHP4
    • 13. Disaster Recovery Plan
      Create a Disaster Recovery Plan
      A list of the sites you maintain
      A list of user names and passwords for your sites
      The databases names, server addresses or IP, user names and passwords, that are used for your list of sites
      FTP user names and passwords for each of your sites
      Your web host’s tech support number
      Have a backup web host decided in case for some reason you need to move quickly
      Know how to get into your domain registrar so you can change Name Servers if needed
      Name, number, email of a web professional that may be able to help restore your systems if needed
      Practice a FULL recovery
    • 14. So now everything is all good, right?
      UH OH
    • 15. I’ve Been Hacked
      Don’t Panic!
      Remember? You have a disaster recovery plan.
      Log in and change your admin password.
      Browse your files for anything obviously unusual that doesn’t belong.
      Grab your latest few backups and compare those to make sure they do not also contain any payloads.
      Download your server log files. Check your logs for IPs calling suspicious files or attempting POST requests to non-form URLs.
      Notify your host and work with them to clean up the site and to make sure there are no back doors to your site, or hire a professional to help.
      Restore your website with a clean backup copy.
      Ensure Joomla and your extensions are all using the latest versions.
    • 16. Database Passwords
      Changing your super admin password in MySQL
      Go to adamek.biz/md5-generator.php
    • 17. Database Passwords
      Open phpMyAdmin and browse the following table (jos_users)
    • 18. Then browse the Super Admin record you want to change
    • 19. Then paste your new MD5-hashed password into the password field.
    • 20. Then test your new admin login.
    • Additional Sources
      SalvusAlerts - salvusalerting.com
      Vulnerable Extensions List http://docs.joomla.org/Vulnerable_Extensions_List (Warning! This list is not very accurate despite their claims)
    • 21. Full security audit services are available for your Joomla website.
      Visit http://joomlashowroom.com
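The permission baseline from slide 8 (files 644, directories 755, never 777) as a runnable audit. This is an added example, not part of the original presentation: it walks a Joomla document root, reports every entry whose mode differs from the baseline and singles out the world-writable ones; audit_demo() builds a small constructed tree so the output can be seen without a real site.

```python
"""Audit a Joomla document root against the 644 (files) / 755 (directories)
baseline from slide 8 and list everything that deviates, with the
world-writable cases (e.g. 777) singled out. Added example, not part of
the original presentation; audit_demo() builds a constructed tree."""
import os
import stat
import tempfile

FILE_MODE = 0o644   # rw-r--r--
DIR_MODE = 0o755    # rwxr-xr-x


def audit_permissions(root):
    """Return sorted (path, actual_mode, expected_mode) tuples for every
    file or directory under `root` whose permission bits deviate from the
    baseline. Symlinks are skipped so the walk never follows them out of
    the web root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for names, expected in ((dirnames, DIR_MODE), (filenames, FILE_MODE)):
            for name in names:
                path = os.path.join(dirpath, name)
                if os.path.islink(path):
                    continue
                mode = stat.S_IMODE(os.lstat(path).st_mode)
                if mode != expected:
                    findings.append((path, mode, expected))
    return sorted(findings)


def world_writable(findings):
    """Subset of findings with the 'other write' bit set: the case the
    slide says should never occur."""
    return [f for f in findings if f[1] & stat.S_IWOTH]


def audit_demo():
    """Build a small constructed Joomla-like tree, audit it and return the
    relative paths of (all deviations, world-writable deviations)."""
    root = tempfile.mkdtemp(prefix="joomla_")
    for name, mode in (("images", 0o777), ("components", DIR_MODE)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    for name, mode in (("configuration.php", 0o666), ("index.php", FILE_MODE)):
        open(os.path.join(root, name), "w").close()
        os.chmod(os.path.join(root, name), mode)
    findings = audit_permissions(root)
    rel = lambda fs: [os.path.relpath(f[0], root) for f in fs]
    return rel(findings), rel(world_writable(findings))
```

Run audit_permissions() against the real document root before using any "permissions fixer" tool, so you see what would change; a 644/755 baseline assumes PHP runs as the file owner, which is the common shared-hosting setup the slides target.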
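For the log review step on slide 15 ("IPs calling suspicious files or attempting POST commands to non-forms"), an added example that is not from the original presentation: it parses Apache/nginx combined-format access log lines and reports clients that POSTed to anything other than Joomla's form handlers or requested a PHP file outside a small allow-list. FORM_HANDLERS, EXPECTED_PHP and SAMPLE_LOG are constructed assumptions for this example, not values from the slides.

```python
"""Triage a web server access log for the two signals slide 15 names:
POST requests to URLs that are not known form handlers, and direct
requests for unexpected PHP files. Added example, not from the original
presentation; the allow-lists and log lines below are constructed."""
import re
from collections import defaultdict

# Apache/nginx "combined" log format, e.g.
# 203.0.113.5 - - [05/Dec/2010:10:00:00 -0500] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Assumption for this example: on a stock Joomla site every legitimate form
# posts back to one of these entry points. Extend it for your own components.
FORM_HANDLERS = {"/index.php", "/administrator/index.php"}

# Assumption: PHP files that may be requested directly; any other .php hit
# (for example something dropped into an upload directory) is worth a look.
EXPECTED_PHP = {"/index.php", "/administrator/index.php"}


def triage(log_lines):
    """Return ({ip: [reasons, ...]}, unparsed_count). A client is listed when
    it POSTed to a non-form URL or requested a PHP file outside the allow-list.
    Lines that do not match the format are counted, not silently dropped."""
    findings = defaultdict(list)
    unparsed = 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        path = m["path"].split("?", 1)[0]       # ignore the query string
        if m["method"] == "POST" and path not in FORM_HANDLERS:
            findings[m["ip"]].append(f"POST to non-form URL {path}")
        if path.endswith(".php") and path not in EXPECTED_PHP:
            findings[m["ip"]].append(f"direct request for {path} (status {m['status']})")
    return dict(findings), unparsed


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.5 - - [05/Dec/2010:10:00:00 -0500] "GET /index.php?option=com_content HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Dec/2010:10:00:03 -0500] "POST /index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Dec/2010:10:01:10 -0500] "POST /images/stories/x.php HTTP/1.1" 200 44 "-" "curl/7.21"',
    '198.51.100.7 - - [05/Dec/2010:10:01:12 -0500] "GET /tmp/cache.php HTTP/1.1" 200 91 "-" "curl/7.21"',
    'garbage line that does not parse',
]
```

Any IP this reports is a starting point for the cleanup step, not proof of compromise: compare the flagged paths against a clean backup and check whether the files actually exist on disk.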