Securing Your Joomla website


Published in: Technology

  1. Securing Your Joomla Website
     Mike Carson
  2. Is Joomla Secure?
     YES! Joomla is 100% secure. Until you install it on a server.
  3. Short Video
  4. Why Worry?
     Because Joomla doesn't come with a Trunk Monkey.
  5. What Can I Do?
     Understand that security is a layered approach
     Select a proper hosting company
     Follow best practice guidelines
     Use the tools that are available
     TAKE IT SERIOUSLY!
     MAKE IT MANDATORY!!!
  6. Initial Steps
     Change the default jos_ database prefix (canned SQL injection payloads assume it)
     Remove the default "admin" user: create a Super Administrator with a different name, then delete "admin"
     Turn OFF the WYSIWYG editor
     Subscribe to the Joomla Security Updates list
  7. Let's Talk Tools
     Security starts at home
     Use good anti-virus software such as Kaspersky
     Use a password generator (or ...)
     Keep your browser updated
     Keep your operating system updated
     Use SFTP/SSH instead of plain FTP: WinSCP, FileZilla, Dreamweaver, PuTTY SSH
  8. Hosting Companies
     Stay away from ..., Yahoo Web Hosting
     General rule of thumb: you get what you pay for!
  9. Permissions
     Use proper permissions on files and directories.
     They should never be 777 (world-writable: any process on the server can modify them)
     What they should be:
     Files = 644
     Directories = 755
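A small auditor for the 644/755 rule on slide 9, added here as an example; it is not code from the slides or from Akeeba's Permissions Fixer. The directory tree it builds is a constructed stand-in for a web root, and the two mode constants are the slide's numbers.

```python
"""Audit and fix file/directory modes under a web root (added example; the
sample tree is constructed, not a real Joomla install)."""
import os
import stat
import tempfile

FILE_MODE = 0o644   # rw-r--r--  (slide 9: files)
DIR_MODE = 0o755    # rwxr-xr-x  (slide 9: directories)


def audit(root):
    """Return (relative_path, actual_mode, expected_mode) for every file or
    directory under root whose permission bits differ from 644 / 755.
    Symlinks are skipped: chmod would follow them out of the web root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(dirpath, DIR_MODE)] if dirpath == root else []
        entries += [(os.path.join(dirpath, d), DIR_MODE) for d in dirnames]
        entries += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
        for path, expected in entries:
            if os.path.islink(path):
                continue
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            if actual != expected:
                findings.append((os.path.relpath(path, root), actual, expected))
    return findings


def world_writable(findings):
    """Subset of audit() findings that are the 777/666 case: writable by 'other'."""
    return [rel for rel, actual, _ in findings if actual & stat.S_IWOTH]


def fix(root):
    """Apply 644/755 to everything audit() flagged; returns how many were changed."""
    changed = 0
    for rel, _actual, expected in audit(root):
        os.chmod(os.path.join(root, rel), expected)
        changed += 1
    return changed


def make_demo_tree():
    """Constructed sample web root with two deliberately wrong modes."""
    root = tempfile.mkdtemp(prefix="joomla_demo_")
    os.chmod(root, DIR_MODE)
    for rel in ("images/stories", "tmp"):
        os.makedirs(os.path.join(root, rel))
    for rel in ("images", "images/stories", "tmp"):
        os.chmod(os.path.join(root, rel), DIR_MODE)
    for rel in ("index.php", "configuration.php", "images/stories/logo.png"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("demo\n")
        os.chmod(os.path.join(root, rel), FILE_MODE)
    os.chmod(os.path.join(root, "tmp"), 0o777)                            # the classic mistake
    os.chmod(os.path.join(root, "images", "stories", "logo.png"), 0o666)  # upload left world-writable
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    for rel, actual, expected in audit(demo):
        print(f"{rel}: {actual:o} should be {expected:o}")
    print(f"fixed {fix(demo)} entries; remaining: {audit(demo)}")
```

Run `audit()` first and read the list before calling `fix()`: on a real host a few paths legitimately differ (a 444 configuration.php, a cache directory the web server must write to), and a blind recursive chmod is exactly how people end up with 777 in the first place.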
  10. Backups
      Akeeba Backup
      2 versions to choose from (Core and Pro)
      Back up your entire site and its database with a single click
      Automatic backups (cron and cron-less)
      Offsite backups to S3, Dropbox, Rackspace, FTP
      Test your backups once in a while by actually restoring one
  11. Admin Tools
      Akeeba Admin Tools Pro
      Integrated Joomla updater
      Web Application Firewall: IP whitelist/blacklist, bad words filter, security exceptions log
      .htaccess File Maker (experts ONLY!)
      Permissions Fixer
  12. Other Admin Tools
      jSecure plugin
      JomDefender
      JooReCaptcha
      sh404SEF
      Secure Live
      PHP Security Suite
  13. Additional Suggestions
      Completely remove unused extensions (uninstall them; a disabled extension's PHP files are still on disk and still reachable)
      Leave the FTP File Layer disabled (it stores FTP credentials in configuration.php)
      In the Joomla administrator area make sure Register Globals is set to off (and that register_globals is off in php.ini as well)
      Avoid using PHP 4
  14. Disaster Recovery Plan
      Create a disaster recovery plan:
      A list of the sites you maintain
      A list of user names and passwords for your sites
      The database names, server addresses or IPs, user names and passwords used by each site
      FTP user names and passwords for each of your sites
      Your web host's tech support number
      A backup web host already chosen, in case you need to move quickly
      Know how to get into your domain registrar so you can change name servers if needed
      Name, number and email of a web professional who can help restore your systems if needed
      Keep this list encrypted (a password manager) and offline: it is a complete map of your access
      Practice a FULL recovery
  15. So now everything is all good, right?
      UH OH
  16. I've Been Hacked
      Don't panic! Remember? You have a disaster recovery plan.
      Log in from a clean machine and change your admin password (treat the database, FTP/SSH and admin credentials as compromised, and change them all again once the site is clean)
      Browse your files for anything obviously unusual that doesn't belong (recently modified files, PHP files in images/, tmp/ or cache/)
      Grab your latest few backups and compare them to make sure they do not also contain any payloads
      Download your server log files. Check your logs for IPs calling suspicious files or sending POST requests to URLs that are not forms
      Notify your host and work with them to clean up the site and make sure there are no back doors, or hire a professional to help
      Restore your website from a clean backup copy
      Ensure Joomla and your extensions are all on the latest versions
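The log check from slide 16 (IPs calling suspicious files, POSTs to URLs that are not forms) as a script, added here as an example; it is not code from the slides. The log lines are constructed, the list of upload/cache directories assumes a stock Joomla layout, and FORM_PATHS assumes that legitimate POSTs go to the front-end and administrator controllers; extend both for your own site.

```python
"""Triage combined-format access logs for the two patterns slide 16 names:
requests for suspicious files and POSTs to URLs that are not forms.
Added example; the sample log below is constructed, not from a real incident."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" format: ip ident user [time] "METHOD url PROTO" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Joomla directories that hold uploads, caches and logs. A PHP file served
# from one of these is a classic webshell drop (assumption: stock layout).
NO_SCRIPT_DIRS = ("/images/", "/tmp/", "/cache/", "/logs/", "/media/")
SCRIPT_EXT = (".php", ".php5", ".phtml")

# Where a stock Joomla site legitimately receives POSTs: login, contact,
# search and registration all go through these two controllers (assumption).
FORM_PATHS = {"/index.php", "/administrator/index.php"}


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious_file(url):
    """A script being requested from a directory that should hold only data."""
    path = urlsplit(url).path.lower()
    return path.endswith(SCRIPT_EXT) and path.startswith(NO_SCRIPT_DIRS)


def is_post_to_non_form(method, url):
    """A POST whose path is not one of the known form endpoints."""
    return method == "POST" and urlsplit(url).path not in FORM_PATHS


def triage(lines):
    """Map each offending client IP to the list of reasons it was flagged."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_suspicious_file(rec["url"]):
            hits[rec["ip"]].append(
                f"script in upload/cache dir: {rec['method']} {rec['url']} -> {rec['status']}")
        elif is_post_to_non_form(rec["method"], rec["url"]):
            hits[rec["ip"]].append(f"POST to non-form URL: {rec['url']} -> {rec['status']}")
    return dict(hits)


# Constructed sample: one normal visitor, one attacker using a dropped shell,
# one admin login, and a line that is not a log entry at all.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2011:14:02:11 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5123
203.0.113.7 - - [10/Mar/2011:14:02:13 +0000] "POST /index.php?option=com_users&task=user.login HTTP/1.1" 303 0
198.51.100.23 - - [10/Mar/2011:14:05:40 +0000] "GET /images/stories/shell.php?act=ls HTTP/1.1" 200 8812
198.51.100.23 - - [10/Mar/2011:14:05:58 +0000] "POST /images/stories/shell.php HTTP/1.1" 200 1201
198.51.100.23 - - [10/Mar/2011:14:06:02 +0000] "POST /templates/beez/images/logo.gif HTTP/1.1" 404 312
192.0.2.55 - - [10/Mar/2011:14:07:30 +0000] "GET /administrator/index.php HTTP/1.1" 200 2210
not a log line at all
"""

if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG.splitlines()).items():
        print(ip)
        for reason in reasons:
            print("   ", reason)
```

The "POST to non-form" rule cannot see the `task` parameter when it travels in the request body, so it stays deliberately coarse: it catches POSTs to images, templates and upload directories, which is where shells live, rather than trying to judge traffic to index.php. A 200 on a script under images/ is the finding to act on first; a 404 there still tells you who is probing.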
  17. Database Passwords
      Changing your super admin password in MySQL
      Go to ...
  18. Database Passwords
      Open phpMyAdmin and browse the users table (jos_users, or <yourprefix>_users if you changed the prefix)
  19. Then browse to the Super Admin record you want to change
  20. Then paste the MD5 hash of your new password into the password field. (MD5 is a hash, not encryption. This works on the Joomla 1.5-era installs this deck covers because the login check treats a bare 32-character MD5 as an unsalted hash; Joomla 3.2 and later store bcrypt hashes, so reset through the administrator interface or the CLI there instead.)
  21. Then test your new admin login
  22. Additional Sources
      Salvus Alerts
      Vulnerable Extensions List (this list is not very accurate despite their claims)
      Full security audit services are available from ...
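The password reset from slides 17 to 21, done from a script rather than by hand in phpMyAdmin, as an added example that is not the slides' own or Joomla's code. plain_md5_hash() is the bare MD5 the slides paste; salted_md5_hash() is the md5(password+salt):salt form Joomla itself writes when a password is saved through the administrator (1.5 through 3.1); verify() is a re-implementation of the legacy check that makes both acceptable, which is why the phpMyAdmin trick works; reset_statement() builds the UPDATE for the table prefix you chose on slide 6. Column and table names assume the standard schema.

```python
"""Joomla users.password values: generate, verify and build the reset SQL.
Added example; it re-implements the legacy md5 check rather than calling Joomla."""
import hashlib
import hmac
import re
import secrets
import string


def plain_md5_hash(password):
    """Unsalted MD5 hex digest: the value the slides paste into phpMyAdmin."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_md5_hash(password, salt=None):
    """What Joomla 1.5 to 3.1 stores when saving via the admin:
    md5(password + salt) ':' salt, with a 32-character alphanumeric salt."""
    if salt is None:
        alphabet = string.ascii_letters + string.digits
        salt = "".join(secrets.choice(alphabet) for _ in range(32))
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def verify(stored, password):
    """Re-implementation of the legacy check: split on ':', and a bare MD5 simply
    has an empty salt. Refuses bcrypt/phpass values (Joomla 3.2+), where pasting
    an MD5 is not the right procedure."""
    if stored.startswith(("$2y$", "$2a$", "$P$")):
        raise ValueError("bcrypt/phpass hash (Joomla 3.2+): reset via the admin UI or CLI instead")
    digest, _, salt = stored.partition(":")
    expected = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, digest)


def reset_statement(username, new_hash, prefix="jos_"):
    """SQL to run in phpMyAdmin. The table name follows the prefix from slide 6.
    Inputs are whitelisted so the statement cannot be broken out of (assumption:
    standard schema with columns username and password)."""
    if not re.fullmatch(r"[A-Za-z0-9_.@-]+", username):
        raise ValueError("username contains characters this helper will not quote")
    if not re.fullmatch(r"[A-Za-z0-9:]+", new_hash):
        raise ValueError("hash is not md5 or md5:salt")
    return f"UPDATE {prefix}users SET password = '{new_hash}' WHERE username = '{username}';"


if __name__ == "__main__":
    new_password = "Correct-Horse-9-Battery"      # constructed demo value
    stored = salted_md5_hash(new_password)
    print(reset_statement("siteowner", stored))
    print("verifies:", verify(stored, new_password))
```

Prefer the salted form even for a one-off reset: it costs nothing and the same login code accepts it. And treat the whole procedure as a 1.5-era recovery step; on a current Joomla the password column holds `$2y$` bcrypt values and the reset belongs in the administrator interface or the CLI.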