The document discusses how to avoid getting hacked when using Joomla for a website. It recommends securing the website by validating inputs, upgrading to the latest versions of Joomla and extensions regularly, using strong passwords, enabling access controls, performing regular backups, monitoring logs for suspicious activity, and referring to security checklist resources. The presentation also suggests choosing a reputable host, hiding the administrator login, and being aware of vulnerable extensions.

1. Avoid Getting Hacked
Joomla! Web Security
Northern Virginia Joomla Users Group
January 2012
Dorothy Firsching, Ursa Major Consulting, LLC
dfirsching@ursamajorconsulting.com
1-19-2012 www.ursamajorconsulting.com 1

2. Agenda
 Discuss Security Considerations and
Approaches
 Identify Resources and References
 Additional Programs / Presenters?
1-19-2012 www.ursamajorconsulting.com 2

3. Joomla! Web Security Discussion
 PHP-based / database driven sites are
vulnerable
 SQL Injections -- Commands where data
input is expected
 Validate Inputs and Enforce size
 Current version of PHP with appropriate
settings
 Secure coding practices --
http://joomladaymidwest.org/news/slides-
and-video/2011/slides-jeff-channell-
secure-php-coding-practices.html
1-19-2012 www.ursamajorconsulting.com 3

4. Pick a Good Host
 Shared Host Vulnerabilities
 http://docs.joomla.org/Security_Checklist_2
_-_Hosting_and_Server_Setup
 Choose a good hosting provider
 – experienced in Joomla; responsiveness; forums
/ helps
 Appropriate permissions
 Directories = 755
 Files = 644
 .htaccess, configuration.php = 644
 Webserver is set up to use user account as
owner of PHP-created files
1-19-2012 www.ursamajorconsulting.com 4

5. Upgrade Regularly
 Upgrade to Latest Version of Joomla
 Akeeba Admin Tools
 Use Safe Extensions
 Upgrade Extensions
 Check the vulnerability list --
http://docs.joomla.org/Vulnerable_Extensions_List
 Subscribe to updates
 Keep a spreadsheet of your sites
 And the versions they use
1-19-2012 www.ursamajorconsulting.com 5

6. Joomla Setup
 Password protect folders in control panel
 Use a site-specific database username and
password
 Change jos_ table prefix
 Hide Admin login
 jSecure Authentication Plugin
 add a suffix to your back-end URL to make it
look like this:
http://www.mysite.com/administrator?199abbetc
1-19-2012 www.ursamajorconsulting.com 6

7. Access Control
 http://docs.joomla.org/Security_Checklist_4_-_Joomla_Setu
 Strong Passwords
 Change Admin Username and Number
 Default ID for admin user in Joomla is 62, and this
may be used by a hacker
 Create a new super-administrator with another user
name and a strong password
 Log out and in again as this new user
 Change original admin user to a manager and save (you
are not allowed to delete a super-administrator).
 Delete original admin user (user ID 62) and rename
from the default Admin to a new one.
1-19-2012 www.ursamajorconsulting.com 7

8. Backups / Upgrades
 Akeeba Backup
 Remove backups from site
 Multi-backup scheme
 Test restoration / upgrades
 Test site is helpful
 Hosting provider backups
 Hosting provider virus scans or site backup
using local download / scan
 http://docs.joomla.org/Security_Checklist_6_-_S
1-19-2012 www.ursamajorconsulting.com 8

9. Vulnerabilties
 Old Joomla! versions
 Community Builder before 1.7.1
 JCE before 2.0.19
 Unchecked user input (SQL injection,
buffer overflows)
 eXtplorer left on site
 http://
docs.joomla.org/Vulnerable_Extensions_L
1-19-2012 www.ursamajorconsulting.com 9

10. Check What’s Happening
 Logs / AWSTATS / other packages
 Google Analytics
 File Modification Dates / Contents
1-19-2012 www.ursamajorconsulting.com 10

11. Resources
 http://docs.joomla.org/Category:Security_Check
 http://joomladaymidwest.org/news/slides-and-v
 Securing PHP Web Applications, Tricia
Ballard and William Ballard, 2009
 Joomla! Web Security, Tom Canavan, Packt
Publishing, 2008; out-of-date but still
useful.
1-19-2012 www.ursamajorconsulting.com 11