Slide 1: Avoid Getting Hacked: Joomla! Web Security
Northern Virginia Joomla Users Group, January 2012
Dorothy Firsching, Ursa Major Consulting, LLC, dfirsching@ursamajorconsulting.com
1-19-2012 www.ursamajorconsulting.com
Slide 2: Agenda
- Discuss security considerations and approaches
- Identify resources and references
- Additional programs / presenters?
Slide 3: Joomla! Web Security Discussion
- PHP-based / database-driven sites are vulnerable
- SQL injections: commands where data input is expected
- Validate inputs and enforce size
- Current version of PHP with appropriate settings
- Secure coding practices: http://joomladaymidwest.org/news/slides-and-video/2011/slides-jeff-channell-secure-php-coding-practices.html
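The slide's three points (data input treated as SQL, input validation, size enforcement) in one runnable script. This is an added example, not code from the presentation or from Joomla; it assumes PHP with the PDO SQLite driver, and the jos_users table and its rows are constructed inline so it runs without a real site.

```php
<?php
// Added example (not from the slides): the same user lookup written the
// vulnerable way and the safe way, against an in-memory SQLite database.
// Assumes the PDO SQLite driver; the table and rows are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT, block INTEGER)');
$db->exec("INSERT INTO jos_users VALUES (62, 'admin', 0), (63, 'editor', 0), (64, 'guest', 1)");

// VULNERABLE: the value typed by the visitor becomes part of the SQL text,
// so "data input" can carry commands and change what the WHERE clause means.
function findUserVulnerable(PDO $db, string $name): array {
    $sql = "SELECT id, username FROM jos_users WHERE username = '$name' AND block = 0";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: validate the input (allowed characters and a maximum size) first,
// then bind it as a parameter so the database never parses it as SQL.
function findUserSafe(PDO $db, string $name): array {
    if (!preg_match('/^[A-Za-z0-9_.-]{1,30}$/', $name)) {
        throw new InvalidArgumentException('username rejected by input validation');
    }
    $stmt = $db->prepare('SELECT id, username FROM jos_users WHERE username = :name AND block = 0');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$input = "nobody' OR '1'='1";   // constructed hostile input for the demonstration

// The vulnerable query returns rows that match no real username: the block = 0
// filter has been bypassed because the quote in the input closed the string.
echo "vulnerable query returned " . count(findUserVulnerable($db, $input)) . " row(s)\n";

// The safe path rejects the same input before it ever reaches the database...
try {
    findUserSafe($db, $input);
} catch (InvalidArgumentException $e) {
    echo "safe query: " . $e->getMessage() . "\n";
}
// ...and still answers a legitimate lookup.
echo "safe query for 'editor' returned " . count(findUserSafe($db, 'editor')) . " row(s)\n";
```

Inside a Joomla extension the equivalent of the prepared statement is quoting every value through the database object rather than concatenating it, but the validation step (a character whitelist and a length limit) belongs in front of the database call either way.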
Slide 4: Pick a Good Host
- Shared host vulnerabilities: http://docs.joomla.org/Security_Checklist_2_-_Hosting_and_Server_Setup
- Choose a good hosting provider: experienced in Joomla; responsiveness; forums / help
- Appropriate permissions:
  - Directories = 755
  - Files = 644
  - .htaccess, configuration.php = 644
- Webserver is set up to use your user account as owner of PHP-created files
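A script that audits a site against the permission and ownership rules on this slide. It is an added example rather than anything from the presentation or from Joomla; it assumes a Unix host where PHP's posix extension is available (the ownership check is skipped otherwise), and the site root and expected owner are taken from the command line, defaulting to a hypothetical /var/www/html and the account running the script.

```php
<?php
// Added example (not from the slides): walk a Joomla document root and report
// every directory that is not 755, every file that is not 644, and any path
// not owned by the account the web server is expected to write files as.
// Usage (assumed): php perms.php /path/to/site siteowner

function auditPermissions(string $root, string $expectedOwner): array {
    $findings = [];
    $expectedUid = null;
    if (function_exists('posix_getpwnam')) {
        $pw = posix_getpwnam($expectedOwner);
        $expectedUid = $pw ? $pw['uid'] : null;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $mode = $info->getPerms() & 0777;        // permission bits only, no file-type bits
        $want = $info->isDir() ? 0755 : 0644;    // the slide's recommendation
        if ($mode !== $want) {
            $findings[] = sprintf('%s: mode %04o, expected %04o', $path, $mode, $want);
        }
        if ($expectedUid !== null && $info->getOwner() !== $expectedUid) {
            $findings[] = sprintf('%s: owner uid %d, expected %s', $path, $info->getOwner(), $expectedOwner);
        }
    }
    return $findings;
}

// Optional repair step for the mode findings; run it only after reviewing them,
// since some hosts deliberately keep configuration.php read-only.
function fixPermissions(string $root): int {
    $changed = 0;
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $want = $info->isDir() ? 0755 : 0644;
        if (($info->getPerms() & 0777) !== $want && chmod($path, $want)) {
            $changed++;
        }
    }
    return $changed;
}

$root  = $argv[1] ?? '/var/www/html';       // assumed site location
$owner = $argv[2] ?? get_current_user();    // assumed: run as the site's own account
$findings = auditPermissions($root, $owner);
foreach ($findings as $line) {
    echo $line, "\n";
}
echo count($findings), " finding(s)\n";
```

Ownership findings cannot be fixed by chmod; they mean the web server is creating files as a different account (typically the shared Apache user), which is the hosting-setup problem the last bullet on the slide describes.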
Slide 5: Upgrade Regularly
- Upgrade to the latest version of Joomla
- Akeeba Admin Tools
- Use safe extensions
- Upgrade extensions
- Check the vulnerability list: http://docs.joomla.org/Vulnerable_Extensions_List
- Subscribe to updates
- Keep a spreadsheet of your sites and the versions they use
Slide 6: Joomla Setup
- Password protect folders in control panel
- Use a site-specific database username and password
- Change the jos_ table prefix
- Hide admin login: the jSecure Authentication Plugin adds a suffix to your back-end URL to make it look like this: http://www.mysite.com/administrator?199abbetc
Slide 7: Access Control
http://docs.joomla.org/Security_Checklist_4_-_Joomla_Setup
- Strong passwords
- Change admin username and number: the default ID for the admin user in Joomla is 62, and this may be used by a hacker
  1. Create a new super-administrator with another user name and a strong password
  2. Log out and in again as this new user
  3. Change the original admin user to a manager and save (you are not allowed to delete a super-administrator)
  4. Delete the original admin user (user ID 62) and rename from the default Admin to a new one
Slide 8: Backups / Upgrades
- Akeeba Backup
- Multi-backup scheme
- Test restoration / upgrades; a test site is helpful
- Hosting provider backups
- Hosting provider virus scans, or site backup using local download / scan
- http://docs.joomla.org/Security_Checklist_6_-_Site_Recovery
Slide 9: Vulnerabilities
- Old Joomla! versions
- Community Builder before 1.7.1
- JCE before 2.0.19
- Unchecked user input (SQL injection, buffer overflows)
- eXtplorer left on site
- http://docs.joomla.org/Vulnerable_Extensions_List
Slide 10: Check What's Happening
- Logs / AWStats / other packages
- Google Analytics
- File modification dates / contents
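The last bullet, "file modification dates / contents", only works if there is a known-good state to compare against. The script below records a baseline of hashes and modification times and later reports files that were added, changed or removed. It is an added example, not part of the presentation or of Joomla; the command-line arguments and the baseline.json file name are assumptions, and the baseline file should be kept outside the web root (or off the server) so that whoever alters the site cannot also alter the record.

```php
<?php
// Added example (not from the slides): record a baseline of file hashes and
// modification times for a site, then compare later to spot files that were
// added, changed or removed since the last known-good state.
// Usage (assumed): php integrity.php baseline /path/to/site /safe/place/baseline.json
//                  php integrity.php check    /path/to/site /safe/place/baseline.json

function snapshot(string $root): array {
    $files = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $path => $info) {
        if (!$info->isFile()) {
            continue;
        }
        $rel = substr($path, strlen(rtrim($root, '/')) + 1);   // path relative to the site root
        $files[$rel] = [
            'sha256' => hash_file('sha256', $path),
            'mtime'  => $info->getMTime(),
        ];
    }
    ksort($files);
    return $files;
}

function compareSnapshots(array $baseline, array $current): array {
    $report = ['added' => [], 'changed' => [], 'removed' => []];
    foreach ($current as $rel => $meta) {
        if (!isset($baseline[$rel])) {
            $report['added'][] = $rel;
        } elseif ($baseline[$rel]['sha256'] !== $meta['sha256']) {
            // Compare contents, not only dates: a modification time can be reset
            // after a file is changed, but the hash still differs from the baseline.
            $report['changed'][] = sprintf('%s (mtime now %s)', $rel, date('Y-m-d H:i:s', $meta['mtime']));
        }
    }
    foreach (array_diff_key($baseline, $current) as $rel => $_) {
        $report['removed'][] = $rel;
    }
    return $report;
}

$mode  = $argv[1] ?? 'check';
$root  = $argv[2] ?? '.';
$store = $argv[3] ?? 'baseline.json';

if ($mode === 'baseline') {
    $snap = snapshot($root);
    file_put_contents($store, json_encode($snap, JSON_PRETTY_PRINT));
    echo count($snap), " file(s) recorded in $store\n";
} else {
    $baseline = json_decode((string) @file_get_contents($store), true) ?: [];
    foreach (compareSnapshots($baseline, snapshot($root)) as $kind => $items) {
        foreach ($items as $item) {
            echo "$kind: $item\n";
        }
    }
}
```

Take a fresh baseline immediately after every legitimate upgrade or extension install, otherwise the next check reports those files as changed; anything reported between upgrades, especially new PHP files under images/, tmp/ or cache/, deserves a look before it is dismissed.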
Slide 11: Resources
- http://docs.joomla.org/Category:Security_Checklist
- http://joomladaymidwest.org/news/slides-and-video/2011/slides-jeff-channell-secure-php-coding-practices.html
- Securing PHP Web Applications, Tricia Ballard and William Ballard, 2009
- Joomla! Web Security, Tom Canavan, Packt Publishing, 2008; out of date but still useful