This presentation provides information about the most common Joomla! attacks and how to protect from them. The basics of securing Joomla! sites are covered in details.

1. HIDDEN SECRETS FOR A
HACK-PROOF JOOMLA!
Daniel Kanchev
@dvkanchev

2. BEFORE WE BEGIN …
✓ 7+ Years Of Joomla! Experience
✓ 6 Years With SiteGround
✓ Love Travelling The World
✓ Addicted To Extreme Sports

3. WHO SHOULD CARE
ABOUT SECURITY ?
✓ Application/Extension Developers
✓ Hosting Providers/System Administrators
✓ YOU (End Joomla! Users)

4. EVERYONE
WHO SHOULD CARE
ABOUT SECURITY ?
✓Application/Extension Developers
✓Hosting Providers/System Administrators
✓YOU (End Joomla! Users)

5. WHY SHOULD YOU
CARE ?
✓ Be Trustworthy By Protecting Your Clients’ Data
✓ Have A Healthy Site - Avoid Substantial Data
Loss/Downtime

6. HOW HACKERS WORK?

7. EVERYONE’S RESPONSIBLE!

8. SECURITY IS A PROCESS!
!
!
KEEP
CALM
IT’S NOT
ROCKET
SCIENCE

9. IS YOUR SERVER SETUP RIGHT?

10. SERVER CONFIG & TIPS
✓ Always Update Your Server Software
✓ Harden The Linux Kernel - grsecurity
✓ Chroot Processes
✓ Provide Only Restricted Shell Access
✓ Disable/Remove Unused Services
SOLUTIONS: 1H Hive, Better Linux, CloudLinux

11. PROTECT YOUR WEB SERVER
✓ OWASP Rules - http://goo.gl/rC7Uz
✓ Atomic Rules - http://goo.gl/Fv3Vn
✓ Trustwave Paid Rules - http://goo.gl/9IAaB

12. PROTECT JOOMLA!

13. #1: UPDATE EVERYTHING!

14. SITEGROUND AUTO UPDATES

15. #2: DO THE BASICS
✓ Change The Default “admin” username
✓ Change The Default “jos_” DB Prefix
✓ Password Protect Your Administrator Folder

16. #3: RESTRICT THE ADMIN AREA BY IP
✓ Step 1: Check Your IP: whatismyip.com
✓ Add This Rule To Your .htaccess File
deny from all
allow from YOUR_IP_ADDRESS

17. #4: KEEP PHP SCRIPTS IN
THE RIGHT FOLDERS
<Files *.php>
deny from all
</Files>

18. #5: USE BULLET-PROOF PASSWORDS
✓ Avoid password generators
✓ Don’t use common words
✓ Avoid personal info, names
and significant dates:
daniel123

19. THE PERFECT PASSWORD
✓ Choose A Favourite (Not Famous) Movie
Quote/Phrase From A Book:
We all go a little mad sometimes
✓ Add Punctuation Symbols (?!.,:) And Capital Letters,
Remove Whitespaces:
We.all?go!AlittleMad2sometimes

20. #6: CHECK YOUR EXTENSIONS
✓Joomla! Vulnerable Extensions List (VEL):
http://vel.joomla.org/
✓National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/search

21. #7: STAY ON TOP OF
SECURITY UPDATES
✓http://feeds.joomla.org/JoomlaSecurityNews
✓http://feeds.joomla.org/
JoomlaSecurityVulnerableExtensions

22. BUILD A JOOMLA! SECURITY RSS FEED
HOW TO DO IT: http://is.gd/Vze1Zo

23. #8: FIX YOUR PERMISSIONS
AND OWNERSHIP
✓Folders: 0755
✓Files: 0644
✓All files/folders should be owned by your
main FTP user
✓NEVER EVER USE 777 permissions

24. #9: ADDITIONAL PROTECTION
THROUGH .htaccess FILE
✓ Remove PHP Sensitive Information
✓ Avoid Visual FingerPrinting
✓ Block Some Popular Tools Used By Hackers
How To Do It: http://is.gd/pGfVXQ

25. #10: USE JOOMLA! SECURITY
EXTENSIONS FOR IDS/IPS
✓jHackGuard
✓ Akeeba Admin Tools
✓ jomDefender
✓jSecure

26. SQL INJECTION
SELECT * FROM users WHERE name = 'a';DROP TABLE
users; SELECT * FROM userinfo WHERE 't' = 't';

27. jHackGuard SETUP
✓ SQL Injections
✓ Remote URL/File Inclusions
✓ Remote Code Execution
✓ XSS Based Attacks

28. #11: BACKUP! BACKUP! BACKUP!

29. NOW WHAT?

30. DON’T
PANIC!

31. DISASTER RECOVERY PLAN
1. Create A Copy Of The Hacked Site + All Logs
2. Restore From A Clean Backup
3. Quarantine Your Site - Maintenance Mode
4. Check The Logs For The Malicious Code
5. Resolve The Security Issues/Clean Malicious Code
6. Unquarantine Your Site

32. FEW THINGS TO TAKE AWAY
✓ Security Is About Making It Harder To
Infiltrate - Not Making It Impossible
✓ Security Is An Ongoing Process
✓ Everyone Is Involved

33. QUESTIONS ?

34. THANK YOU!
Daniel Kanchev
@dvkanchev