Joomla Security v3.0


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Joomla Security v3.0

  1. 1. Joomla Security : Secure Your Website
  2. 2. Ajay LuliaManaging Partner & CTO, Synergy Technology ServicesCEO, Joomla Service Provider@ajaylulia
  3. 3. WHY are sites Hacked? Curiosity Monetary Political Spamming Reputation Advantages Testing Systems Destruction
  4. 4. How are sites Hacked? Insecure communications • SQL Injection • Automated Injection • Backdoor Injection- Modules, Forums, Search etc. • Remote Injection SQL Injection in the Browser Address Bar Cross Site Scripting (XSS) Authorization Bypass / Broken Authentication Google Hacking Password Cracking Malicious file execution
  5. 5. What to Secure? Data • Files • Images • Database Server Access Security Details
  6. 6. How to Secure Joomla? Joomla Packages, Always download joomla package from • • Make sure all PHP settings are “Green” when installing joomla Change default joomla database prefix jos_ Create a new Super Administrator delete original one (id 62 until j1.5) Turn-Off User Registration, if no registration is required. Enable and optimize Joomla .htaccess
  7. 7. How to Secure Joomla? Password protect directory using .htaccess FTP Layer, disable if not used or used frequently Mail From Id should not be same as Super Administrator Email Id Setting the Global Metadata Information Ensure all passwords are very strong (hosting a/c, site admin, database user, ftp) Always keep Extensions Update to date and always use mailing lists
  8. 8. How to Secure Joomla? Close all unwanted TCP/IP ports Change file permissions of configuration.php to 644 Use SFTP instead of FTP Use SSH instead of rlogin to server Set permission to 644 which allows Apache to use it and prevents other from editing Grant access to only those region your site is dedicated to
  9. 9. How to Secure Joomla? Before installing extensions, always check: • Reviews • Vulnerability Use Search Engine Friendly (e.g. Joomla Core and/or sh404sef) Hide your administrator URL (using jSecure Authentication, jAdmin Tools) Report all possible hack to Joomla! Security Strike Team (JSST) • Subscribe to security updates to hit your mail box when they are available! • RSS feed:
  10. 10. Choosing Hosting Look into your requirements Choose from the hosting, Shared v Dedicated Hosting Versions on servers (should be on PHP 5 & mySQL 5 at least) Server that runs PHP in CGI mode with su_php Types of Backup 24/7 Customer support is VITAL
  11. 11. Is my website a victim? Be always proactive and not reactive Server / Application / Extension security is ‘on going’ work. Always check for upgrades and reviews Build disaster recovery plan If you don’t have updates from Joomla! Security Strike Team (JSST) •
  12. 12. Am Hacked !!! Create html with a message and save it as index.html Save Server Access and Error logs Restore the website using recent backup Look at the logs and try and find the reason how the site was hacked. Report all possible hack to Joomla! Security Strike Team (JSST) •
  13. 13. Analyze Security Security can be broken into five distinct functional areas: • Risk Avoidance • Restriction • Prevention • Detection • Recovery
  14. 14. Thank You Ajay Lulia Twitter : @ajaylulia