Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Keeping Your Joomla! Site Secure


Published on

Trevor Hatfield's JoomlaDay Houston 2013 Slideshow

Published in: Technology, Design
  • Be the first to comment

  • Be the first to like this

Keeping Your Joomla! Site Secure

  1. 1. Joomla! Security Essentials Keeping Your Joomla! Site Secure Trevor Hatfield
  2. 2. Backup Early and Often • Set up a regular backup and recovery process. When done well, this ensures that you can recover from almost any imaginable disaster. • Suggested Component – Akeeba Backup - Simple install and backup
  3. 3. Keeping Your Joomla! Version Up-To-Date • Why Update You Joomla! Version? – Bug Fixes – Security Fixes • Upgrade Instructions – J1.5 Upgrade • Updating for 1.5 or 1.0 versions. – Utilize Admin Tools by AkeebaBackup – J2.5 Upgrade – J3.x Upgrade
  4. 4. Keeping Extensions Up-To-Date • Some of the most common vulnerabilities in a Joomla! website are located in outdated or insecure extensions. • Only use secure extensions supported by the Joomla! Extensions Directory • Before finalizing your extensions choice, verify they are not on the vulnerable extensions list . Also verify it has not already been fixed by looking at the “Extension Update Link & Date”
  5. 5. Migration • Migration occurs with the major release of 2.5 and up, all other upgrades are considered an update. • Why should I migrate from 1.0x, 1.5x, 1.6x, or 1.7x? – No longer supported with latest patches – Security Vulnerabilties • Migrating from 1.5x (Most Common) – Joomla! Documentation on 1.5x Migration • 1.5x Migration Components – – – – jUpgrade (2.5x Only) Migrate Me SP Upgrade J2XML Importer (2.5x Only) • Migrating from 2.5 to 3 – Joomla! Documentation on 2.5 > 3
  6. 6. Secure Your Administrator Access • Always use a unique username and password • Multiple Sites? Make each login different. • Secure your administrator url. – The best way to secure your admin url is to create a secret key to access the site. For example: This will keep excessive hacker login attempts at bay and hide the obvious fact that you are using a Joomla! run website. – Suggested Extension – jSecure – List of Additional Login Protection Extensions
  7. 7. Choose Hosting Wisely • Use a high-quality Web host. Do not be fooled by offers of unlimited bandwidth, unlimited hard drive space, unlimited databases, etc. Avoid any host that uses php safe_mode ON, this should be OFF. Make sure it is running PHP5+. • A Few Suggested Hosts: Dedicated / VPS Only
  8. 8. Use SEF URL’s or an SEF component. • What are SEF URL’s? – Creates a url that is easy for the search engines to read. • How do they help with security? – Utilizing SEF (Search Engine Friendly) URL’s is a good way to mask Joomla! URL’s from attackers. A default Joomla! URL tells the visitor a lot about the page being visited, including that it is a Joomla! page and what components are being used. The default Joomla! SEF tool works great, but if you want to take it to another level of management sh404SEF by Anything Digital is a great tool. A couple security options sh404SEF offers that the default Joomla! SEF doesn’t are, the option to remove the generator tag from your site showing you are running Joomla!, and it will send warnings when your site has been exposed to an attack. • You can also remove the generator tag with the plugin ByeByeGenerator. • More info on Joomla! meta generator tag and how to remove it.
  9. 9. Changing File Permissions • Restrict file permissions on some critical files to make it harder for a hacker to edit or overwrite your files. Here are some suggestions: – Set the permission of /index.php to 444 – Set the permission of /configuration.php to 444 – Set the permission of /templates/*yourtemplate*/index.php to 444 – Set the permission of the folder /templates/*yourtemplate*/ to 555 • More information on Linux file permissions • (If you have already changed your file permissions , make sure to temporarily change it to 644 for editing Global Configuration in admin panel and back to 444 once done.)
  10. 10. Protect directory paths for temp and logs folders All configurable paths to temp and logs directories should be located outside of public_html directory. This can be achieved by editing the path in the Configuration.php, or in the Global Configuration area of your Joomla! Back-End. The path should be adjusted: • From: /home/yoursite/public_html/logs • To: /home/yoursite/logs and • From: /home/yoursite/public_html/temp • To: /home/yoursite/temp Make sure to move your folders to this directory following changing the paths.
  11. 11. Global Configuration View
  12. 12. cPanel View
  13. 13. Site Monitoring • Site Monitoring assists in letting you know if there has been an injection and your site is at risk. This is very helpful in getting your site back live or clean with the least amount of downtime. • Best 2 Options – –
  14. 14. Additional Resources • Joomla Documentation – Security Checklist • CMS Security Handbook – Amazon Link Discounts • Akeeba Products, 20% - Use the following coupon code to save 20% on all Akeeba backup products such as Akeeba Backup Pro. – WATCHFUL
  15. 15. Top 10 Stupidest Administrator Tricks Link: This list originally appeared late one night on the Joomla Forums after one developer ended a particularly long round of crack recovery. The post struck many a nerve among Joomlaists far and wide, and has been translated into several languages. Some nerves were near the funny bone, others painfully far from it. Your experience may vary. • 10. Use the cheapest hosting provider you can find. – • 9. Don't waste time with regular backups. – • Hey, the install was brain-dead easy. How bad could the rest be? Worry about those details only if there's a problem. 7. Use the same username and password for everything. – • Maybe the hosting provider will help you out. 8. Don't waste time adjusting PHP and Joomla! settings for increased security. – • Preferably use a shared server that hosts hundreds of other sites, some of which are high-traffic porn sites. Don't check the list of recommended hosting providers. FYI: You can use a tool such as Robtex (if you are using a shared Hosting Provider) to see who you are sharing space with and if you should be proactive to request a move to another shared space. For example:, or for REALLY cool information: This shows domain, shared, whois, blacklist, analysis, contact... Use the same username and password for your on-line bank account, Joomla! administrator account, Amazon account, Yahoo account, etc. Hey, who has time to keep track of so many passwords? And anyway, since you don't change passwords, it's easier to just use the same one all the time, everywhere. 6. Install your brand new beautiful Joomla!-powered site, and celebrate a job well done. – Don't worry about it again. After all, if you don't make any more changes, what can go wrong?
  16. 16. Top 10 Stupidest Administrator Tricks (Cont’d) • 5. Do all upgrades on the live site right away. – • 4. Trust third-party extensions. – • Hey, nothing has gone wrong so far, and if it ain't broke don't fix it! Same plan for the third-party extensions. Too much work; life's a beach. 2. When your site gets cracked, panic your way into the Joomla! Forums. – • Install all the cool-looking stuff you can find. Anyone smart enough to write a Joomla! extension will provide perfect code that blocks every known exploit attempt, now and forever. After all, almost all this stuff is provided for free by well-meaning, good-hearted people who know what they are doing. 3. Don't worry about updating to the latest version of Joomla! – • Who needs a development and testing server anyway? If an installation fails, you'll just uninstall it again. That will hopefully also undo any damage the installation caused. Start a new post with a very familiar title: "My Site's Been Hacked! (sic)" Be sure not to leave relevant information, such as which obsolete versions of Joomla! and third party extensions you installed. 1. Once your site's been cracked, fix the defaced index.php file and assume all else is well. – Don't check raw logs, change your passwords, remove the entire directory and rebuild from clean backups, or take any other overly paranoid-seeming action. When the attackers return the next day, scream loudly that you've been "hacked again," and it's all Joomla!'s fault. Ignore the fact that removing a defaced file is not even step one in the difficult process of fully recovering a cracked site.