Avoid Getting Hacked! Presentation on Joomla! Web Security



Avoid Getting Hacked! Presentation by Dorothy Firsching on Joomla! Web Security at the January 2012 Northern Virginia Joomla! Users Group (JUG).

These tips could keep your Joomla! website from getting hacked.

  • I am a newbie in Joomla 2.5. Your kind walkthrough on how to set permissions on directories, .htaccess and configuration.php files would be highly appreciated.

    Thanks in anticipation
  • I am a newbie in Joomla; would you kindly walk me through how to set permissions on directories, files and config.php.

    Thanks in anticipation.


  1. Avoid Getting Hacked: Joomla! Web Security
     Northern Virginia Joomla Users Group, January 2012
     Dorothy Firsching, Ursa Major Consulting, LLC, dfirsching@ursamajorconsulting.com
     1-19-2012 www.ursamajorconsulting.com
  2. Agenda
     • Discuss security considerations and approaches
     • Identify resources and references
     • Additional programs / presenters?
  3. Joomla! Web Security Discussion
     • PHP-based, database-driven sites are vulnerable
       – SQL injection: commands supplied where data input is expected
       – Validate inputs and enforce size limits
       – Run a current version of PHP with appropriate settings
       – Secure coding practices: http://joomladaymidwest.org/news/slides-and-video/2011/slides-jeff-channell-secure-php-coding-practices.html
  4. Pick a Good Host
     • Shared host vulnerabilities: http://docs.joomla.org/Security_Checklist_2_-_Hosting_and_Server_Setup
     • Choose a good hosting provider
       – experienced in Joomla; responsive; forums / help
     • Appropriate permissions
       – Directories = 755
       – Files = 644
       – .htaccess, configuration.php = 644
     • Web server is set up to use your user account as the owner of PHP-created files
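An added example, not part of the slides: a small POSIX shell audit that reports every directory or file in a Joomla! webroot whose mode deviates from the 755/644 rules on slide 4, and a fixer that applies them. It assumes GNU/Linux find and chmod; the demo tree it builds is constructed, not a real site.

```shell
#!/bin/sh
# Added example (not from the slides): audit a Joomla! webroot against slide 4's
# rules (directories 755, files 644, including .htaccess and configuration.php),
# then fix it. Assumes GNU/Linux find and chmod; the demo tree below is constructed.

# List every directory that is not exactly 755 and every file that is not exactly 644.
list_bad_perms() {
  find "$1" -type d ! -perm 755 | sed 's/^/DIR  /'
  find "$1" -type f ! -perm 644 | sed 's/^/FILE /'
}

# Number of offenders; 0 means the tree matches the slide's rules.
count_bad_perms() {
  list_bad_perms "$1" | wc -l | tr -d ' '
}

# Apply the rules. Run this as the account that owns the files (the slide's point
# about the web server writing files as your user), not as root on a shared host.
fix_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Constructed mini Joomla layout with two deliberate mistakes: a world-writable
# images/ directory and an executable configuration.php. Prints its path.
make_demo_site() {
  site="$(mktemp -d)"
  mkdir -p "$site/administrator" "$site/images"
  for f in index.php configuration.php .htaccess; do : > "$site/$f"; done
  chmod 755 "$site" "$site/administrator"
  chmod 644 "$site/index.php" "$site/.htaccess"
  chmod 777 "$site/images"             # mistake: world-writable upload directory
  chmod 755 "$site/configuration.php"  # mistake: executable config holding DB credentials
  printf '%s\n' "$site"
}

# Demo run: report, fix, report again, clean up.
SITE="$(make_demo_site)"
echo "Before fix:"; list_bad_perms "$SITE"
fix_perms "$SITE"
echo "Offenders after fix: $(count_bad_perms "$SITE")"
rm -rf "$SITE"
```

Run `count_bad_perms /path/to/webroot` from cron or after every extension install to catch installers that leave 777 directories behind.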
  5. Upgrade Regularly
     • Upgrade to the latest version of Joomla
       – Akeeba Admin Tools
     • Use safe extensions
     • Upgrade extensions
       – Check the vulnerability list: http://docs.joomla.org/Vulnerable_Extensions_List
       – Subscribe to updates
     • Keep a spreadsheet of your sites
       – and the versions they use
  6. Joomla Setup
     • Password-protect folders in the control panel
     • Use a site-specific database username and password
     • Change the jos_ table prefix
     • Hide the admin login
       – jSecure Authentication plugin
       – add a suffix to your back-end URL so it looks like this: http://www.mysite.com/administrator?199abbetc
  7. Access Control
     http://docs.joomla.org/Security_Checklist_4_-_Joomla_Setu
     • Strong passwords
     • Change the admin username and number
       – The default ID for the admin user in Joomla is 62, and a hacker may rely on it
       – Create a new super-administrator with another user name and a strong password
       – Log out and in again as this new user
       – Change the original admin user to a manager and save (you are not allowed to delete a super-administrator)
       – Delete the original admin user (user ID 62) and rename from the default Admin to a new one
  8. Backups / Upgrades
     • Akeeba Backup
       – Remove backups from the site
     • Multi-backup scheme
     • Test restoration / upgrades
       – A test site is helpful
     • Hosting provider backups
     • Hosting provider virus scans, or site backup using local download / scan
     http://docs.joomla.org/Security_Checklist_6_-_S
  9. Vulnerabilities
     • Old Joomla! versions
     • Community Builder before 1.7.1
     • JCE before 2.0.19
     • Unchecked user input (SQL injection, buffer overflows)
     • eXtplorer left on the site
     http://docs.joomla.org/Vulnerable_Extensions_L
  10. Check What's Happening
     • Logs / AWStats / other packages
     • Google Analytics
     • File modification dates / contents
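An added example, not part of the slides, for the "file modification dates / contents" check on slide 10: record a SHA-256 manifest of the webroot after a clean install or upgrade, then diff later runs against it, alongside the quick "what changed in the last N days" find. It assumes GNU coreutils (sha256sum, comm, find); the demo site and tampering are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): baseline-and-compare integrity check for a
# Joomla! webroot, plus the quick recent-modification listing from slide 10.
# Assumes GNU coreutils (sha256sum, comm, find); the demo tree below is constructed.

# Sorted manifest of "digest  ./relative/path" for every regular file under $1.
make_manifest() {
  (cd "$1" && find . -type f -exec sha256sum {} + | sort)
}

# Compare saved manifest $1 against the tree at $2. A modified file appears once as
# NEW (its current digest) and once as GONE (its baseline digest); a dropped-in file
# appears only as NEW, a deleted file only as GONE.
compare_manifest() {
  now="$(mktemp)"
  make_manifest "$2" > "$now"
  comm -13 "$1" "$now" | sed 's/^[0-9a-f]*  /NEW  /'
  comm -23 "$1" "$now" | sed 's/^[0-9a-f]*  /GONE /'
  rm -f "$now"
}

# The quick version the slide describes: files modified within the last $2 days.
recently_modified() {
  find "$1" -type f -mtime -"$2"
}

# Constructed demo: tiny site, baseline, then a tampered index.php and a new file.
demo() {
  site="$(mktemp -d)"; base="$(mktemp)"
  mkdir -p "$site/images"
  printf '<?php // constructed placeholder\n' > "$site/index.php"
  printf '<?php // constructed placeholder\n' > "$site/configuration.php"
  make_manifest "$site" > "$base"
  printf '// line appended after the baseline was taken\n' >> "$site/index.php"
  : > "$site/images/unexpected.php"   # a file that was not there at baseline time
  echo "Manifest differences:"; compare_manifest "$base" "$site"
  echo "Modified in the last day:"; recently_modified "$site" 1
  rm -rf "$site" "$base"
}
demo
```

Keep the baseline manifest off the webroot (the same advice the slides give for backups), since anything written inside the site can be altered by whoever altered the site.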
  11. Resources
     • http://docs.joomla.org/Category:Security_Check
     • http://joomladaymidwest.org/news/slides-and-v
     • Securing PHP Web Applications, Tricia Ballard and William Ballard, 2009
     • Joomla! Web Security, Tom Canavan, Packt Publishing, 2008; out of date but still useful