Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Secrets to a Hack-Proof Joomla Revealed


Published on

The recent spike of hack attempts on various Joomla sites has made it more urgent than ever to take actions and secure your Joomla in the best possible way. In this webinar the SiteGround Joomla Performance Guru Daniel Kanchev shows the best practices and shares insightful tricks how to protect your Joomla from getting hacked:

- Joomla administrator security settings
- Bullet-proof password tips
- Vulnerable extensions to avoid
- Web application firewall configurations
- Recommended server settings
- Intrusion detection and protection tools
- Disaster recovery plans

Published in: Technology

Secrets to a Hack-Proof Joomla Revealed

  1. 1. SECRETS TO AHACK-PROOF JOOMLAREVEALED!Daniel KanchevJoomla Performance Guru
  2. 2. - Expert Joomla HostingBEFORE WE BEGIN...• 7+ years of Joomla!experience• 4 years with SiteGround• Love traveling the world• Addicted to extremeand not secure sports2 - Expert Joomla Hosting
  3. 3. - Expert Joomla HostingWHO SHOULD CAREABOUT SECURITY?• Application/Extension developers• Hosting providers/system administrators• YOU (end Joomla users)3
  4. 4. - Expert Joomla HostingWHO SHOULD CAREABOUT SECURITY?• Application/Extension developers• Hosting providers/system administrators• YOU (end Joomla users)4EVERYONE
  5. 5. - Expert Joomla HostingWhy shouldYOU care?• Be trustworthy by protecting your clients’data• Have a healthy site - avoid substantial dataloss/downtime5
  6. 6. - Expert Joomla HostingHow hackers work?6
  7. 7. - Expert Joomla HostingEveryone’s responsible!7
  8. 8. - Expert Joomla HostingSecurity is a process!KEEPCALMIT’S NOTROCKETSCIENCE8
  9. 9. - Expert Joomla HostingISYOUR SERVER SETUP RIGHT?9
  10. 10. - Expert Joomla HostingServer config & tips• Update server software - Apache, ftp, mail, etc• Harden the Linux kernel - grsecurity• Chroot processes• Use Suexec, secure PHP setup (fastCGI)• Provide only restricted shell access• Disable/remove unused services✓Software solutions: 1H Hive, Better Linux,CloudLinux10
  11. 11. - Expert Joomla HostingProtect your web serverwith mod_security• OWASP rules -• Atomic rules -• Trustwave paid rules -
  12. 12. - Expert Joomla HostingPROTECT JOOMLA!12
  13. 13. - Expert Joomla Hosting#1: Update Everything!13
  14. 14. - Expert Joomla HostingSiteGround Auto Updates14
  15. 15. - Expert Joomla Hosting#2: Do The Basics• Never user admin as username• Use a secure password15
  16. 16. - Expert Joomla HostingUse Bullet-proof Passwords• Avoid passwordgenerators• Don’t use commonwords - love,pass, admin• Avoid personal info,names, significant dates -daniel12316
  17. 17. - Expert Joomla HostingThe Perfect Password• Choose a favorite (not famous) movie quote/large phrase from a book:We all go a little mad sometimes• Add punctuation symbols ( ? ! . : ) and capitalletters, remove whitespacesResult:We.all?Go!Alittle1Mad2sometimes17
  18. 18. - Expert Joomla Hosting#3: Password ProtectYourAdministrator Folder18cPanelPassword ProtectDirectoriesAdministrator
  19. 19. - Expert Joomla Hosting#4: Restrict The Admin Area AccessBy IP• Step1: Check your IP ->• Step2: Add this rule in the administratorfolder .htaccess filedeny from allallow fromYOUR_IP_ADDRESS19
  20. 20. - Expert Joomla Hosting#5: Fix your permissions &ownership• Folders: 0755• Files: 0644• Configuration.php: 444• NEVER EVER USE 777 permissions20
  21. 21. - Expert Joomla HostingFix permissions in cPanel21cPanelFile Manager
  22. 22. - Expert Joomla Hosting#6: Keep PHP Scripts In The RightFoldersIn media, libraries, logs, language folders:<Files *.php>deny from all</Files>22
  23. 23. - Expert Joomla Hosting23How To Do It In File Manager
  24. 24. - Expert Joomla Hosting#7: Legacy security issues24• Change the default admin username• Change the default jos_ DB prefixForJoomla 1.5or older
  25. 25. - Expert Joomla Hosting#8: CheckYour Extensions• JoomlaVulnerable Extensions List• NationalVulnerability Database
  26. 26. - Expert Joomla HostingStay On Top Of SecurityUpdates• Subscribe to the Joomla feeds:✓✓
  27. 27. - Expert Joomla HostingBuild a Joomla security RSS feedHow to do it:
  28. 28. - Expert Joomla Hosting#9:Additional protectionthrough .htaccess rules• Remove PHP sensitive information• AvoidVisual Fingerprinting• Block some popular tools used by hackersHow to do it:
  29. 29. - Expert Joomla Hosting#10: Use Joomla SecurityExtensions for IDS/IPS• jHackGuard• Akeeba Admin Tools• jomDefender• jSecure29
  30. 30. - Expert Joomla HostingSQL Injection• SQL code + search form screenshot30SELECT * FROM users WHERE name = a;DROP TABLE users; SELECT * FROM userinfo WHERE t = t;!!!
  31. 31. - Expert Joomla HostingjHackGuard setup• SQL Injections• Remote URL/FileInclusions• Remote CodeExecutions• XSS Based AttacksDownload it here:
  32. 32. - Expert Joomla Hosting#11: Backup! Backup! Backup!--Manual backups --Your host --Akeeba Backups
  33. 33. - Expert Joomla HostingNOW WHAT?
  34. 34. - Expert Joomla HostingDON’TPANIC!
  35. 35. - Expert Joomla HostingDISASTER RECOVERY PLAN1. Create a copy of the hacked site + all logs2. Restore from a clean backup3. Quarantine your site - enable maintenance mode4. Check the logs for the malicious code5. Resolve the security issues/Clean malicious code6. Unquarantine* your site - disable maintenancemode35
  36. 36. - Expert Joomla HostingFEW THINGS TO TAKE AWAY• Security is about making it harder toinfiltrate - not making it impossible• Security is an ongoing process• Everyone is involved36
  37. 37. - Expert Joomla HostingQUESTIONSTIME!
  38. 38. - Expert Joomla HostingWWW.SITEGROUND.COM/WEBINAR
  39. 39. THANKYOU!Daniel