Secrets to a Hack-Proof Joomla Revealed

The recent spike in hack attempts on various Joomla sites has made it more urgent than ever to take action and secure your Joomla in the best possible way. In this webinar the SiteGround Joomla Performance Guru Daniel Kanchev shows best practices and shares insightful tricks on how to protect your Joomla from getting hacked:

- Joomla administrator security settings
- Bullet-proof password tips
- Vulnerable extensions to avoid
- Web application firewall configurations
- Recommended server settings
- Intrusion detection and protection tools
- Disaster recovery plans

Comments (3)
  • My bad! Thanks for sharing :-)
  • Hey, the slides are already downloadable - feel free to get them :)
  • Thanks again for today's webinar.
    I would have been happy to be able to download the presentation slides: having them stored locally would help greatly, since internet connections are not that good here in Laos.

Secrets to a Hack-Proof Joomla Revealed

  1. SECRETS TO A HACK-PROOF JOOMLA REVEALED! Daniel Kanchev, Joomla Performance Guru
  2. SiteGround.com - Expert Joomla Hosting. BEFORE WE BEGIN...
     • 7+ years of Joomla! experience
     • 4 years with SiteGround
     • Love traveling the world
     • Addicted to extreme and not secure sports
  3. WHO SHOULD CARE ABOUT SECURITY?
     • Application/Extension developers
     • Hosting providers/system administrators
     • YOU (end Joomla users)
  4. WHO SHOULD CARE ABOUT SECURITY? EVERYONE
  5. Why should YOU care?
     • Be trustworthy by protecting your clients' data
     • Have a healthy site - avoid substantial data loss/downtime
  6. How do hackers work?
  7. Everyone's responsible!
  8. Security is a process! KEEP CALM, IT'S NOT ROCKET SCIENCE
  9. IS YOUR SERVER SETUP RIGHT?
  10. Server config & tips
     • Update server software - Apache, FTP, mail, etc.
     • Harden the Linux kernel - grsecurity
     • Chroot processes
     • Use suEXEC, secure PHP setup (FastCGI)
     • Provide only restricted shell access
     • Disable/remove unused services
     ✓ Software solutions: 1H Hive, Better Linux, CloudLinux
  11. Protect your web server with mod_security
     • OWASP rules - http://goo.gl/rC7Uz
     • Atomic rules - http://goo.gl/Fv3Vn
     • Trustwave paid rules - http://goo.gl/9IAaB
  12. PROTECT JOOMLA!
  13. #1: Update Everything!
  14. SiteGround Auto Updates
  15. #2: Do The Basics
     • Never use admin as username
     • Use a secure password
  16. Use Bullet-proof Passwords
     • Avoid password generators
     • Don't use common words - love, pass, admin
     • Avoid personal info, names, significant dates - daniel123
  17. The Perfect Password
     • Choose a favorite (not famous) movie quote/long phrase from a book: We all go a little mad sometimes
     • Add punctuation symbols ( ? ! . : ) and capital letters, remove whitespace
     Result: We.all?Go!Alittle1Mad2sometimes
  18. #3: Password Protect Your Administrator Folder (cPanel -> Password Protect Directories -> administrator)
  19. #4: Restrict The Admin Area Access By IP
     • Step 1: Check your IP -> whatismyip.com
     • Step 2: Add this rule in the administrator folder .htaccess file:
         deny from all
         allow from YOUR_IP_ADDRESS
  20. #5: Fix your permissions & ownership
     • Folders: 0755
     • Files: 0644
     • configuration.php: 444
     • NEVER EVER USE 777 permissions
  21. Fix permissions in cPanel (cPanel -> File Manager)
  22. #6: Keep PHP Scripts In The Right Folders. In the media, libraries, logs and language folders, add to .htaccess:
         <Files *.php>
         deny from all
         </Files>
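The #5 permission scheme and the #6 .htaccess rule applied from a shell and then verified, as an added example that is not from the slides. It assumes GNU find/chmod and the Apache 2.2-style "deny from all" directive the slides use; the Joomla root is whatever path you pass in.

```shell
# Added example, not from the slides: apply the #5 permission scheme and the #6
# .htaccess rule to a Joomla tree from a shell, then verify. Assumes GNU find/chmod and
# Apache 2.2-style "deny from all" as the slides use; the root path is whatever you pass.

# Folders 0755, files 0644, configuration.php 0444 (the slides' scheme; never 777).
harden_joomla_perms() {
    root="$1"
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
    [ -f "$root/configuration.php" ] && chmod 0444 "$root/configuration.php"
    return 0
}

# Write the "<Files *.php> deny from all </Files>" rule into the folders that must
# never serve PHP directly (media, libraries, logs, language), skipping absent ones.
write_php_deny() {
    root="$1"
    for d in media libraries logs language; do
        [ -d "$root/$d" ] || continue
        printf '<Files *.php>\n    deny from all\n</Files>\n' > "$root/$d/.htaccess"
        chmod 0644 "$root/$d/.htaccess"
    done
}

# Count entries that deviate from the scheme (exact-mode match, so a stray 777 or a
# group-writable file shows up). Prints the count; returns non-zero if it is not 0,
# so the function can gate a deploy or run from cron as a drift check.
check_joomla_perms() {
    root="$1"
    bad=$(( $(find "$root" -type d ! -perm 0755 | wc -l) ))
    bad=$(( bad + $(find "$root" -type f ! -name configuration.php ! -perm 0644 | wc -l) ))
    if [ -f "$root/configuration.php" ] && [ -z "$(find "$root/configuration.php" -perm 0444)" ]; then
        bad=$(( bad + 1 ))
    fi
    echo "$bad"
    [ "$bad" -eq 0 ]
}
```

Run `harden_joomla_perms /path/to/joomla && write_php_deny /path/to/joomla` once, then `check_joomla_perms /path/to/joomla` periodically to catch permissions drifting back (an extension installer or FTP client setting 777 is the usual cause).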
  23. How To Do It In File Manager
  24. #7: Legacy security issues (for Joomla 1.5 or older)
     • Change the default admin username
     • Change the default jos_ DB prefix
  25. #8: Check Your Extensions
     • Joomla Vulnerable Extensions List: http://vel.joomla.org/
     • National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/search
  26. Stay On Top Of Security Updates
     • Subscribe to the Joomla feeds:
       ✓ http://feeds.joomla.org/JoomlaSecurityNews
       ✓ http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions
  27. Build a Joomla security RSS feed. How to do it: http://is.gd/Vze1Zo
  28. #9: Additional protection through .htaccess rules
     • Remove PHP sensitive information
     • Avoid visual fingerprinting
     • Block some popular tools used by hackers
     How to do it: http://is.gd/pGfVXQ
  29. #10: Use Joomla Security Extensions for IDS/IPS
     • jHackGuard
     • Akeeba Admin Tools
     • jomDefender
     • jSecure
  30. SQL Injection (SQL code + search form screenshot):
         SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';
     !!!
  31. jHackGuard setup
     • SQL Injections
     • Remote URL/File Inclusions
     • Remote Code Executions
     • XSS Based Attacks
     Download it here: http://is.gd/01wLhH
  32. #11: Backup! Backup! Backup!
     -- Manual backups
     -- Your host
     -- Akeeba Backups
  33. NOW WHAT?
  34. DON'T PANIC!
  35. DISASTER RECOVERY PLAN
     1. Create a copy of the hacked site + all logs
     2. Restore from a clean backup
     3. Quarantine your site - enable maintenance mode
     4. Check the logs for the malicious code
     5. Resolve the security issues/Clean malicious code
     6. Unquarantine* your site - disable maintenance mode
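Step 4 of the recovery plan, checking the logs, as an added example that is not from the slides: an awk pass over an Apache combined-format access log that flags the two things the hardening slides target, PHP requested directly under media/libraries/logs/language (#6) and admin-area requests from an IP other than the one allowed in (#4). The log lines are constructed samples using documentation addresses.

```shell
# Added example, not from the slides: step 4 of the recovery plan (check the logs), scanning
# an Apache combined-format access log for the two things the hardening slides target,
# PHP requested directly under media/libraries/logs/language (#6) and admin-area requests
# from an IP other than the allowed one (#4). The log lines are constructed samples.

# Write a few constructed sample lines (RFC 5737 documentation addresses) to $1.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [10/Oct/2013:10:00:01 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2013:10:00:09 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.77 - - [10/Oct/2013:10:02:41 +0000] "POST /administrator/index.php HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
198.51.100.77 - - [10/Oct/2013:10:02:45 +0000] "GET /media/uploads/x.php HTTP/1.1" 200 88 "-" "curl/7.30"
198.51.100.77 - - [10/Oct/2013:10:02:50 +0000] "GET /media/system/js/core.js HTTP/1.1" 200 7005 "-" "Mozilla/5.0"
198.51.100.78 - - [10/Oct/2013:10:05:13 +0000] "GET /logs/error.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
EOF
}

# $1 = access log, $2 = the one IP allowed into /administrator (#4).
# Prints "reason<TAB>line" per hit; exit status 0 if anything was flagged, 1 if clean.
scan_joomla_log() {
    awk -v admin_ip="$2" '
        { ip = $1; split($7, u, "?"); path = u[1] }       # $7 is the request path
        path ~ /^\/(media|libraries|logs|language)\/.*\.php$/ {
            print "php-in-static-dir\t" $0; hits++; next }
        path ~ /^\/administrator\// && ip != admin_ip {
            print "admin-from-other-ip\t" $0; hits++; next }
        END { exit hits ? 0 : 1 }
    ' "$1"
}
```

A 404 on a PHP file under media still gets flagged on purpose: a probe for a script that is no longer there is exactly the trace you want to see while reconstructing what happened.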
  36. FEW THINGS TO TAKE AWAY
     • Security is about making it harder to infiltrate - not making it impossible
     • Security is an ongoing process
     • Everyone is involved
  37. QUESTIONS TIME!
  38. WWW.SITEGROUND.COM/WEBINAR
  39. THANK YOU! Daniel Kanchev, daniel.k@siteground.com