110 likes | 217 Views
Avoid Getting Hacked. Joomla! Web Security Northern Virginia Joomla Users Group January 2012 Dorothy Firsching, Ursa Major Consulting, LLC dfirsching@ursamajorconsulting.com. Agenda. Discuss Security Considerations and Approaches Identify Resources and References
E N D
Avoid Getting Hacked Joomla! Web Security Northern Virginia Joomla Users Group January 2012 Dorothy Firsching, Ursa Major Consulting, LLC dfirsching@ursamajorconsulting.com www.ursamajorconsulting.com
Agenda • Discuss Security Considerations and Approaches • Identify Resources and References • Additional Programs / Presenters? www.ursamajorconsulting.com
Joomla! Web Security Discussion • PHP-based / database driven sites are vulnerable • SQL Injections -- Commands where data input is expected • Validate Inputs and Enforce size • Current version of PHP with appropriate settings • Secure coding practices -- http://joomladaymidwest.org/news/slides-and-video/2011/slides-jeff-channell-secure-php-coding-practices.html www.ursamajorconsulting.com
Pick a Good Host • Shared Host Vulnerabilities • http://docs.joomla.org/Security_Checklist_2_-_Hosting_and_Server_Setup • Choose a good hosting provider • – experienced in Joomla; responsiveness; forums / helps • Appropriate permissions • Directories = 755 • Files = 644 • .htaccess, configuration.php = 644 • Webserver is set up to use user account as owner of PHP-created files www.ursamajorconsulting.com
Upgrade Regularly • Upgrade to Latest Version of Joomla • Akeeba Admin Tools • Use Safe Extensions • Upgrade Extensions • Check the vulnerability list -- http://docs.joomla.org/Vulnerable_Extensions_List • Subscribe to updates • Keep a spreadsheet of your sites • And the versions they use www.ursamajorconsulting.com
Joomla Setup • Password protect folders in control panel • Use a site-specific database username and password • Change jos_ table prefix • Hide Admin login • jSecure Authentication Plugin • add a suffix to your back-end URL to make it look like this: http://www.mysite.com/administrator?199abbetc www.ursamajorconsulting.com
Access Control • http://docs.joomla.org/Security_Checklist_4_-_Joomla_Setup • Strong Passwords • Change Admin Username and Number • Default ID for admin user in Joomla is 62, and this may be used by a hacker • Create a new super-administrator with another user name and a strong password • Log out and in again as this new user • Change original admin user to a manager and save (you are not allowed to delete a super-administrator). • Delete original admin user (user ID 62) and rename from the default Admin to a new one. www.ursamajorconsulting.com
Backups / Upgrades • Akeeba Backup • Multi-backup scheme • Test restoration / upgrades • Test site is helpful • Hosting provider backups • Hosting provider virus scans or site backup using local download / scan • http://docs.joomla.org/Security_Checklist_6_-_Site_Recovery www.ursamajorconsulting.com
Vulnerabilties • Old Joomla! versions • Community Builder before 1.7.1 • JCE before 2.0.19 • Unchecked user input (SQL injection, buffer overflows) • eXtplorer left on site • http://docs.joomla.org/Vulnerable_Extensions_List www.ursamajorconsulting.com
Check What’s Happening • Logs / AWSTATS / other packages • Google Analytics • File Modification Dates / Contents www.ursamajorconsulting.com
Resources • http://docs.joomla.org/Category:Security_Checklist • http://joomladaymidwest.org/news/slides-and-video/2011/slides-jeff-channell-secure-php-coding-practices.html • Securing PHP Web Applications, Tricia Ballard and William Ballard, 2009 • Joomla! Web Security, Tom Canavan, Packt Publishing, 2008; out-of-date but still useful. www.ursamajorconsulting.com