Brendon Hatcher Joomla Security
Published in: Technology
  • Transcript

    • 1. Joomla Security
      Bare essentials to serious measures
      Brendon Hatcher
      Technical Director
    • 2. Understanding hackers and hacking
      Definitions of “hacker”
      Hacker’s motivations
      Evidence of hacking
    • 3. What is a hacker?
      Someone who deliberately seeks to bypass a server’s security
      Black, grey, white hats
      A hacked site is a broken/compromised site
      A skilled computer programmer
      A hacked site is a tweaked and improved site
      A script kiddie
      Junior hacker using other hackers’ tools and techniques
    • 4. Hacker’s motivations
      To see if they can
      To create mayhem
      For social standing in the sub-culture
      For political reasons – hacktivism
      For financial reasons
      Theft – steal ebooks, videos, games, online services etc
      Sell data – user profiles, credit card details etc
      Industrial sabotage - paid to break competitor sites
      Set up zombie farms
      Steal bandwidth
      Host phishing pages
      Collect passwords
    • 5. Evidence of hacking
      Site trashed
      Hacking message
      High bandwidth use
      Changed admin password
      New user with admin rights
      Server logs
    • 6. Why be concerned about security?
      No-one is safe
      Hacking is actually quite easy
      Fixing hacked sites is tricky
      Hacked sites are a big problem
    • 7. No-one is safe
    • 8. Why worry about hacking? 
      Sites are targeted at random
      Hacking is actually quite easy
      Vulnerable sites are easy to find
      Vulnerable sites are easy to hack
      Fixing hacked sites is quite tricky
      Hacks can be invisible
      Clients may not notice a hacked site for some time
      Finding a clean backup may be impossible
      Determining what has been done can be really hard
      May be difficult to restore
      Hardening site to avoid future hacks requires skill and focus
    • 9. Why worry about hacking? 
      Hacked sites are a big problem
      Business reputation
      Angry clients
      Site shutdown by host
      Loss of business
      Data theft
    • 10. Hacking a Joomla site
      Is Joomla less secure than other systems?
      The site must be vulnerable
      3 steps to hacking for fun and profit
    • 11. Is Joomla less secure than other systems?
      Yes and No
      Joomla has to strike a balance between security and ease of use
      Joomla is an attractive target for hackers
      The critical mass of sites
      Large amateur web developer user base
      Extensions have variable security
      The site must be vulnerable
    • 12. 3 steps to hacking for fun and profit
      Find a vulnerability (and instructions on how to exploit it)
      Find a vulnerable site
      Hack the site
      Then, sit back and enjoy fame and fortune!
    • 13. Find a vulnerability
      Security sites
      Various hacking sites/forums
      Joomla vulnerable extensions list
    • 14. Find a vulnerable site
      Google Dork - a search phrase to find vulnerable sites
      Vulnerable extensions
    • 15. Cut and paste hack code
    • 16. Security action plan
      Web sites are like onions
      Levels of security
      Web development tools
      Strong, unique passwords everywhere
      Continuous attention
    • 17. Web sites are like onions
      Server operating system
      PHP + MySQL
      Joomla
      Extensions
      Users and their behaviour
      Image by echiner1
    • 18–19. Levels of security
      [1] Basic actions
      [2] More complex actions
      [3] Actions that require significant modification rights on the server (unless already implemented by default)
    • 20. Web development tools
      WHM – server administration
      cPanel – hosting account administration
      FileZilla – FTP app
      Keepass – password vault
    • 21. General advice
      Strong, unique passwords everywhere
      A password vault removes the need to have a single, simple password
      Continuous attention needed
    • 22. Creating a safe home for Joomla
      Shared, VPS or dedicated servers?
    • 23. Shared, VPS or dedicated servers?
      A shared server
      Your site(s) live in the same hosting space as other sites that you do not administer
      This is the cheapest hosting option.
      No say over the security of the other sites on the server
      Old shared server is the worst location for your hosting
      A Virtual Private Server
      Better than shared
      Still can’t change many settings
    • 24. Shared, VPS or dedicated servers?
      A dedicated server
      Still a “shared” server
      Allow you to upgrade and tweak all the settings on a dedicated server
      Host retains responsibility for maintenance
    • 25. Additional security
      Suhosin – hardens PHP
      Samhain or Tripwire
      Configserver firewall
    • 26. Apache
      [3] suExec
      CGI scripts run under the user of the website instead of the Apache user
      [3] Mod_security
      Intrusion detection and prevention engine
    • 27. PHP
      [2] PHP5, not PHP4
      [3] suPHP
      PHP files are run under the user of the website instead of the Apache user
      Globally reset all files (run from the Joomla root)
      Owner – AccountUsername:AccountUsername
      chown -R user:group *
      Files – 644
      find . -type f -exec chmod 644 {} \;
      Folders – 755
      find . -type d -exec chmod 755 {} \;
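      Before running the blanket chown/chmod reset it helps to see what actually deviates from the baseline. The following is an added example, not from the presentation: a POSIX shell audit that lists files not 644, folders not 755, anything world-writable, and files not owned by the hosting account (the path and owner arguments are placeholders).

```shell
#!/bin/sh
# Added example (not part of the presentation): audit a Joomla tree for
# deviations from the 644/755 baseline before deciding to run the reset.
# Usage: audit_tree /path/to/joomla [expected_owner]   (both are placeholders)

# Files whose mode is not exactly 644.
files_not_644() {
    find "$1" -type f ! -perm 644
}

# Directories whose mode is not exactly 755.
dirs_not_755() {
    find "$1" -type d ! -perm 755
}

# Anything writable by "other" (-perm -002): the usual trace of a careless
# chmod 777 and the first thing to fix on a shared server.
world_writable() {
    find "$1" -perm -002
}

# Files not owned by the hosting account, e.g. files created by the Apache
# user when PHP runs without suPHP/suExec.
wrong_owner() {
    find "$1" ! -user "$2"
}

# Count the lines one of the checks prints, for a summary.
count_lines() {
    "$@" | wc -l | tr -d ' '
}

# Print a summary; inspect the individual lists before changing anything.
audit_tree() {
    root=$1
    owner=${2:-$(id -un)}
    echo "files not 644:        $(count_lines files_not_644 "$root")"
    echo "dirs not 755:         $(count_lines dirs_not_755 "$root")"
    echo "world-writable:       $(count_lines world_writable "$root")"
    echo "not owned by $owner: $(count_lines wrong_owner "$root" "$owner")"
}
```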
    • 28. Hosting account
      .htaccess files
      [1] Activate the htaccess file in the Joomla root
      [1] Use an .htpasswd for the /administrator/ folder
      [3] Advanced .htaccess files
      A LOT more important detail in the manual
    • 29. Securing a Joomla site
      Keeping up to date
      Avoiding the obvious
      Hide, and be very, very quiet
      Spam form submissions
      Install sh404SEF
    • 30. Keeping up to date
      Must update Joomla core and extensions
      Remove unused extensions
    • 31. Avoiding the obvious
      [1] The default database table prefix is jos_
      [1] The default admin username is admin
      [1] The default admin user ID is 62
      [1] Change administrator access URL
    • 32. Hide, and be very, very quiet
      [1] SEF all URLs
      [1] Clear the default Joomla meta tags
      [1] Clear the default Home page title
      [1] Remove generator tag
      [1] Change favicon
      [2] Hide component credits
    • 33. Spam form submissions
      Trying to inject spam content onto your site
      Targets Joomla core forms and extension forms
      Install a captcha system
    • 34. Install sh404SEF
      SEF URLS hide from Google Dorks
      Flood control
      Other security settings
    • 35. Creating a safe working environment
      PC vulnerability to hacks
      FTP access hacks
      A note about users
      “Burglar bars, electric fences, alarms…and a key left under the doormat”
    • 36. PC vulnerability to hacks
      [1] Install all operating system patches
      [1] Install all application system patches
      [1] Run comprehensive real-time protection apps
      [1] Install Secunia PSI
      [1] Secure your PC login
      [1] Secure your backup storage
      [2] Use a secure web browser
    • 37. FTP access hacks
      If a hacker can obtain your FTP password, they can login as you, bypassing almost every security barrier.
      FTP passwords are stored unencrypted in your FTP program!
      FTP authentication details pass unencrypted to the server!
      There are several common FTP apps that store their passwords in a standard location with a standard name!
    • 38. FTP configuration
      [1] cPanel setup
      Make sure that the FTP password is strong
      [1] PC setup
      Password vault (LastPass , Keepass ) to store the strong password
      Make sure passwords are not stored anywhere else (including on a Post-It note on the side of the PC)
      [1] FileZilla
      Copy all passwords to the password vault
      Delete all passwords from the Site Manager
      Set FileZilla to run in Kiosk mode
    • 39. FTP configuration
      [2] Joomla
      Remove the FTP details from the configuration file
      [3] WHM
      Disable FTP access and allow only SFTP access
      A note about users
      You should ideally create separate user accounts for each staff member
    • 40. Preparing for the worst
      Site monitoring
      A disaster recovery plan
      Joomla site backups
      Restoring a hacked site
    • 41. Site monitoring
      Site down
      Home page content changes
      Mod_security logs (shows attempts)
      Bandwidth use
      Spam blacklisting
      [3] Searching and browsing server logs
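      As an added example, not from the presentation, the following POSIX shell functions implement cheap versions of the home page change check and the file-system side of site monitoring listed above, plus the slide 39 check that FTP details have been removed from configuration.php. It assumes Linux coreutils (sha256sum) and that the home page has been saved locally (e.g. with curl) before each run; all paths are placeholders.

```shell
#!/bin/sh
# Added example (not part of the presentation): monitoring checks for a
# Joomla install, intended for a cron job. Assumes Linux coreutils
# (sha256sum) and a locally saved copy of the home page; paths are placeholders.

# Store the hash of a known-clean copy of the home page as the baseline.
record_baseline() {            # record_baseline <saved_page> <baseline_file>
    sha256sum "$1" | cut -d' ' -f1 > "$2"
}

# Succeed if the saved page still matches the baseline, fail if it changed
# (a defacement or injected content shows up here before a client notices).
page_unchanged() {             # page_unchanged <saved_page> <baseline_file>
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(cat "$2")" ]
}

# List PHP files in folders that should only ever hold uploads or caches;
# a .php under images/ or tmp/ is the classic trace of a planted shell script.
suspicious_php() {             # suspicious_php <joomla_root>
    for d in images tmp cache logs; do
        [ -d "$1/$d" ] && find "$1/$d" -type f \( -name '*.php' -o -name '*.phtml' \)
    done
    return 0
}

# Files modified in the last <days> days outside the cache folders, to review
# after an update or when the bandwidth graph looks wrong.
recent_changes() {             # recent_changes <joomla_root> <days>
    find "$1" -type f -mtime "-$2" ! -path "$1/cache/*" ! -path "$1/tmp/*"
}

# Succeed when configuration.php exists and $ftp_pass is empty, fail when an
# FTP password is still stored there (slide 39).
ftp_pass_cleared() {           # ftp_pass_cleared <joomla_root>
    [ -f "$1/configuration.php" ] && ! grep -Eq "ftp_pass *= *'[^']+'" "$1/configuration.php"
}
```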
    • 42. Disaster Recovery Plan
      Depending on how central your web site is to your business, you may need a DRP
      See Tom Canavan’s presentation
    • 43. Joomla site backups
      Long-cycle Joomla backups are critical
      Redundant backups lead to restful sleep
      See my Joomla for Web Developer talk for MUCH more detail
    • 44. Restoring a hacked site
      Fixes the obvious problems
      Does not address:
      Hidden hacks
      Shell scripts
      Continuing vulnerabilities
      Impacts of data exposure
    • 45. Credits/Disclaimer
      Brendon Hatcher is the compiler of this presentation
      The presentation is released under the Creative Commons Licence – Attribution, Non-commercial, No derivatives
      If you don’t know what this licence means, go to
      The content is provided without warranty. It is a work in progress and represents my current understanding of Joomla security.