The document discusses how to avoid getting hacked when using Joomla for a website. It recommends securing the website by validating inputs, upgrading to the latest versions of Joomla and extensions regularly, using strong passwords, enabling access controls, performing regular backups, monitoring logs for suspicious activity, and referring to security checklist resources. The presentation also suggests choosing a reputable host, hiding the administrator login, and being aware of vulnerable extensions.
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Avoid Getting Hacked: Joomla! Web Security Tips
1. Avoid Getting Hacked
Joomla! Web Security
Northern Virginia Joomla Users Group
January 2012
Dorothy Firsching, Ursa Major Consulting, LLC
dfirsching@ursamajorconsulting.com
1-19-2012 www.ursamajorconsulting.com 1
3. Joomla! Web Security Discussion
PHP-based / database driven sites are
vulnerable
SQL Injections -- Commands where data
input is expected
Validate Inputs and Enforce size
Current version of PHP with appropriate
settings
Secure coding practices --
http://joomladaymidwest.org/news/slides-
and-video/2011/slides-jeff-channell-
secure-php-coding-practices.html
1-19-2012 www.ursamajorconsulting.com 3
4. Pick a Good Host
Shared Host Vulnerabilities
http://docs.joomla.org/Security_Checklist_2
_-_Hosting_and_Server_Setup
Choose a good hosting provider
– experienced in Joomla; responsiveness; forums
/ helps
Appropriate permissions
Directories = 755
Files = 644
.htaccess, configuration.php = 644
Webserver is set up to use user account as
owner of PHP-created files
1-19-2012 www.ursamajorconsulting.com 4
5. Upgrade Regularly
Upgrade to Latest Version of Joomla
Akeeba Admin Tools
Use Safe Extensions
Upgrade Extensions
Check the vulnerability list --
http://docs.joomla.org/Vulnerable_Extensions_List
Subscribe to updates
Keep a spreadsheet of your sites
And the versions they use
1-19-2012 www.ursamajorconsulting.com 5
6. Joomla Setup
Password protect folders in control panel
Use a site-specific database username and
password
Change jos_ table prefix
Hide Admin login
jSecure Authentication Plugin
add a suffix to your back-end URL to make it
look like this:
http://www.mysite.com/administrator?199abbetc
1-19-2012 www.ursamajorconsulting.com 6
7. Access Control
http://docs.joomla.org/Security_Checklist_4_-_Joomla_Setu
Strong Passwords
Change Admin Username and Number
Default ID for admin user in Joomla is 62, and this
may be used by a hacker
Create a new super-administrator with another user
name and a strong password
Log out and in again as this new user
Change original admin user to a manager and save (you
are not allowed to delete a super-administrator).
Delete original admin user (user ID 62) and rename
from the default Admin to a new one.
1-19-2012 www.ursamajorconsulting.com 7
8. Backups / Upgrades
Akeeba Backup
Remove backups from site
Multi-backup scheme
Test restoration / upgrades
Test site is helpful
Hosting provider backups
Hosting provider virus scans or site backup
using local download / scan
http://docs.joomla.org/Security_Checklist_6_-_S
1-19-2012 www.ursamajorconsulting.com 8
9. Vulnerabilties
Old Joomla! versions
Community Builder before 1.7.1
JCE before 2.0.19
Unchecked user input (SQL injection,
buffer overflows)
eXtplorer left on site
http://
docs.joomla.org/Vulnerable_Extensions_L
1-19-2012 www.ursamajorconsulting.com 9
11. Resources
http://docs.joomla.org/Category:Security_Check
http://joomladaymidwest.org/news/slides-and-v
Securing PHP Web Applications, Tricia
Ballard and William Ballard, 2009
Joomla! Web Security, Tom Canavan, Packt
Publishing, 2008; out-of-date but still
useful.
1-19-2012 www.ursamajorconsulting.com 11