The document discusses active security measures for Joomla sites, emphasizing the importance of strong foundations like updated software, proper file permissions, and server security settings. It also stresses maintaining site security through regular backups, monitoring for changes, and being vigilant about keeping software updated. Key recommendations include using .htaccess rules, access control lists, and automated off-site backups to protect the site and prepare for any potential security issues.

1. Active security
for Joomla! sites
version 5.2

2. Mission: Impossible
Talking in-depth about Joomla! security in 30 minutes
or less... but I’ll try!

3. Put your pens away
Sit back and enjoy

4. A site is like a building
• Strong foundations
• Careful construction
• Active maintenance

5. Step 1: Strong foundations
Your server setup - Geeky stuff ahead!

6. Updated server software
PHP, MySQL, Apache, FTP Server...

7. Permissions & ownership
Who can do what and where

8. Sane ownership &
permissions
All files and folders owned by the FTP user
Use Joomla!’s FTP mode on shared hosts
Folders 0755 permissions • Files 0644 permissions
If you “must” use 0777 (don’t!), protect with .htaccess
order deny, allow
deny from all
allow from none
Better yet, use suPHP or FastCGI

9. Too much to remember?
Akeeba Backup User’s Guide, Security
Information
https://www.akeebabackup.com/documentation/
akeeba-backup-documentation/security-info.html
777: The number of the beast
http://www.dionysopoulos.me/blog/777-the-number-
of-the-beast

10. Advanced methods
for IT ninjas

11. mod_security for Apache
Your server’s security guard

12. You need some rules
Atomic (GotRoot) Rules:
http://www.atomicorp.com/wiki/index.php/
Atomic_ModSecurity_Rules
OWASP Rules:
https://www.owasp.org/index.php/
Category:OWASP_ModSecurity_Core_Rule_Set_Projec
t

13. Make it all happen
The magic scripts

14. https://github.com/betweenbrain/ubuntu-web-
server-build-script
written by Matt Thomas (@betweenbrain)

15. Step 2: Careful construction
Your site setup

16. Update, yesterday
Joomla! & extensions

17. Think before installing
Don’t be the mouse in the trap!

18. Length matters

19. Your Password’s length matters

20. A terrifying thought
Password hacking super-computer: 2,700 USD
(2 years ago; much cheaper now)

21. How safe is your password?
Password Bits Iterations Time to crack
15082005 13.6 12416 0.00038 msec
admin 15.9 61147 0.00185 msec
ortrtaortftaaidbt 67.7 2.39E+20 228.95 years
0rtrTA0rtfTa&idbT 88.2 3.55E+26 340 million years
horse correct battery stapler 107.2 1.86E+32 178179 billion years

22. How safe is your password?
Password Bits Iterations Time to crack
15082005 13.6 12416 0.00038 msec
admin 15.9 61147 0.00185 msec
ortrtaortftaaidbt 67.7 2.39E+20 228.95 years
0rtrTA0rtfTa&idbT 88.2 3.55E+26 340 million years
horse correct battery stapler 107.2 1.86E+32 178179 billion years

23. Lock it down
Nothing on my site runs unless I say so

24. .htaccess Rules
My Master .htaccess - FREE
http://akeeba.assembla.com/code/master-htaccess/
git/nodes/htaccess.txt
Admin Tools Professional
https://www.akeebabackup.com/products/46-
software/855-admintools.html

25. Armor up
Protect your site

26. Step 3: Active maintenance
Staying on top of it all

27. Backups
Frequent, automated, off-site backups

28. Monitor file changes
A changed file is usually a bad thing

29. Monitor it
Keep an eye on the logs

30. In spite of it all…

31. Dammit!
You got hacked, now what?

32. DON’T
PANIC

33. We’ve got instructions
Unhacking your site
https://www.akeebabackup.com/documentation/
walkthroughs/item/1124-unhacking-your-site.html
You do have backups, right?
Make sure you read the instructions before getting
hacked.

34. One more thing...
security is a
process

35. Questions?

36. Download this presentation
http://akeeba.info/asjd12de

37. Thank you for listening!
Image credits: sxc.hu; istockphoto.com