Presentation is loading. Please wait.

Presentation is loading. Please wait.

1-19-2012www.ursamajorconsulting.com1 Avoid Getting Hacked Joomla! Web Security Northern Virginia Joomla Users Group January 2012 Dorothy Firsching, Ursa.

Published byCalvin Cummings Modified over 9 years ago

Similar presentations

Presentation on theme: "1-19-2012www.ursamajorconsulting.com1 Avoid Getting Hacked Joomla! Web Security Northern Virginia Joomla Users Group January 2012 Dorothy Firsching, Ursa."— Presentation transcript:

1 1-19-2012www.ursamajorconsulting.com1 Avoid Getting Hacked Joomla! Web Security Northern Virginia Joomla Users Group January 2012 Dorothy Firsching, Ursa Major Consulting, LLC dfirsching@ursamajorconsulting.com

2 1-19-2012www.ursamajorconsulting.com2 Agenda  Discuss Security Considerations and Approaches  Identify Resources and References  Additional Programs / Presenters?

3 1-19-2012www.ursamajorconsulting.com3 Joomla! Web Security Discussion  PHP-based / database driven sites are vulnerable SQL Injections -- Commands where data input is expected Validate Inputs and Enforce size Current version of PHP with appropriate settings Secure coding practices -- http://joomladaymidwest.org/news/slides- and-video/2011/slides-jeff-channell- secure-php-coding-practices.html

4 1-19-2012www.ursamajorconsulting.com4 Pick a Good Host  Shared Host Vulnerabilities http://docs.joomla.org/Security_Checklist_2 _-_Hosting_and_Server_Setup Choose a good hosting provider  – experienced in Joomla; responsiveness; forums / helps Appropriate permissions  Directories = 755  Files = 644 .htaccess, configuration.php = 644 Webserver is set up to use user account as owner of PHP-created files

5 1-19-2012www.ursamajorconsulting.com5 Upgrade Regularly  Upgrade to Latest Version of Joomla Akeeba Admin Tools  Use Safe Extensions  Upgrade Extensions Check the vulnerability list -- http://docs.joomla.org/Vulnerable_Extensions_L ist http://docs.joomla.org/Vulnerable_Extensions_L ist Subscribe to updates  Keep a spreadsheet of your sites And the versions they use

6 1-19-2012www.ursamajorconsulting.com6 Joomla Setup  Password protect folders in control panel  Use a site-specific database username and password  Change jos_ table prefix  Hide Admin login jSecure Authentication Plugin add a suffix to your back-end URL to make it look like this: http://www.mysite.com/administrator?199abbet c http://www.mysite.com/administrator?199abbet c

7 1-19-2012www.ursamajorconsulting.com7 Access Control  http://docs.joomla.org/Security_Checklist_4_- _Joomla_Setup http://docs.joomla.org/Security_Checklist_4_- _Joomla_Setup  Strong Passwords  Change Admin Username and Number Default ID for admin user in Joomla is 62, and this may be used by a hacker  Create a new super-administrator with another user name and a strong password  Log out and in again as this new user  Change original admin user to a manager and save (you are not allowed to delete a super-administrator).  Delete original admin user (user ID 62) and rename from the default Admin to a new one.

8 1-19-2012www.ursamajorconsulting.com8 Backups / Upgrades  Akeeba Backup  Multi-backup scheme  Test restoration / upgrades Test site is helpful  Hosting provider backups  Hosting provider virus scans or site backup using local download / scan  http://docs.joomla.org/Security_Checklist_ 6_-_Site_Recovery http://docs.joomla.org/Security_Checklist_ 6_-_Site_Recovery

9 1-19-2012www.ursamajorconsulting.com9 Vulnerabilties  Old Joomla! versions  Community Builder before 1.7.1  JCE before 2.0.19  Unchecked user input (SQL injection, buffer overflows)  eXtplorer left on site  http://docs.joomla.org/Vulnerable_Ex tensions_List http://docs.joomla.org/Vulnerable_Ex tensions_List

10 1-19-2012www.ursamajorconsulting.com10 Check What’s Happening  Logs / AWSTATS / other packages  Google Analytics  File Modification Dates / Contents

11 1-19-2012www.ursamajorconsulting.com11 Resources  http://docs.joomla.org/Category:Security_ Checklist http://docs.joomla.org/Category:Security_ Checklist  http://joomladaymidwest.org/news/slides- and-video/2011/slides-jeff-channell-secure- php-coding-practices.html http://joomladaymidwest.org/news/slides- and-video/2011/slides-jeff-channell-secure- php-coding-practices.html  Securing PHP Web Applications, Tricia Ballard and William Ballard, 2009  Joomla! Web Security, Tom Canavan, Packt Publishing, 2008; out-of-date but still useful.

Download ppt "1-19-2012www.ursamajorconsulting.com1 Avoid Getting Hacked Joomla! Web Security Northern Virginia Joomla Users Group January 2012 Dorothy Firsching, Ursa."

Similar presentations

WordPress Installation for Beginners Sheila Bergman

WordPress Installation for Beginners Sheila Bergman
© 2012 Entrinsik, Inc. Informer Administration Exploring the system menu and functions PRESENTER: Jason Vorenkamp| Informer Software Engineer| March 2012.

© 2012 Entrinsik, Inc. Informer Administration Exploring the system menu and functions PRESENTER: Jason Vorenkamp| Informer Software Engineer| March 2012.
Getting Set-up with Hosting and WordPress Gregory Young Alternative Hosting

Getting Set-up with Hosting and WordPress Gregory Young Alternative Hosting
1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.

1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.
Joomla! Security Ruth Cheesley. Hello, I’m Ruth Cheesley from Virya Technologies Find my social media stuff

Joomla! Security Ruth Cheesley. Hello, I’m Ruth Cheesley from Virya Technologies Find my social media stuff
A WordPress Business Website Checklist THE CHECKLIST MANIFESTO AS APPLIED TO WORDPRESS AND YOUR BUSINESS.

A WordPress Business Website Checklist THE CHECKLIST MANIFESTO AS APPLIED TO WORDPRESS AND YOUR BUSINESS.
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.

-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
Install WordPress with Xampp. By www.00397.com With Thanks to: Rupesh Kumar.

Install WordPress with Xampp. By With Thanks to: Rupesh Kumar.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Design Aspects. User Type the URL address on the cell phone or web browser Not required to login.

Design Aspects. User Type the URL address on the cell phone or web browser Not required to login.
The easy way to a nice looking website design By a total non-designer (Me!)

The easy way to a nice looking website design By a total non-designer (Me!)
PHP-Fusion. Introduction PHP-Fusion is a lightweight open source content management system (CMS) written in PHP. PHP-Fusion utilizes a MySQL database.

PHP-Fusion. Introduction PHP-Fusion is a lightweight open source content management system (CMS) written in PHP. PHP-Fusion utilizes a MySQL database.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Sahil Narang 9914515620. What is CMS? A content management system (CMS) is a computer application that allows publishing, editing and modifying content,

Sahil Narang What is CMS? A content management system (CMS) is a computer application that allows publishing, editing and modifying content,
Incident Response Updated 03/20/2015

Incident Response Updated 03/20/2015
Sql Server Advanced Features MIS 424 Professor Sandvig.

Sql Server Advanced Features MIS 424 Professor Sandvig.
By Jeerarat Boonyanit. As you can see I have chosen Cpanel for my server management tool. cPanel is a Linux based web hosting control panel that provides.

By Jeerarat Boonyanit. As you can see I have chosen Cpanel for my server management tool. cPanel is a Linux based web hosting control panel that provides.
Higher Order WP Security Hacks, attacks, and getting your site back Dougal Campbell.

Higher Order WP Security Hacks, attacks, and getting your site back Dougal Campbell.
CONFIGURING WINDOWS SERVER MIS 424 Professor Sandvig.

CONFIGURING WINDOWS SERVER MIS 424 Professor Sandvig.
IT FORUM March 23, 2010 RoyalDrive Tony Gazoo Applications Administrator IT Development & Applications.

IT FORUM March 23, 2010 RoyalDrive Tony Gazoo Applications Administrator IT Development & Applications.

Similar presentations

Ads by Google