JoomlaRescue Home

How can we help YOU be secure?

Health Check One - $299.00

NEW LOWER PRICE!!!
Do you just need a quick checkup? Then this is for you. We perform basic diagnostics and make sure your site is right

 
$299.00 per domain
 
Add to Cart

Health Check Two -$699.95

Our most comprehensive checkup. Includes deep dive looking for problems, install backup/restoration and notification tools and more. Includes Health Chk One
 
$699.95 per domain
 
Add to Cart

We recommend

PotentiaHosting.com
Potentia Hosting -Domains,hosting, 24x7x365 US Based Tech Support and more

Sign up today

WordPress

JoomlaRescue NOW Supports WordPress sites.
Complete clean up of viruses, trojans and other malware. Contact us for more info - help@joomlarescue.com

 
$499.00
 
Add to Cart
JoomlaRescue - We rescue hacked sites
Security is more important than ever

(from an article I posted on HowToJoomla.net)

 

As a security guy, I get asked frequently about Joomla, and if it's secure. I start to answer, and am always interrupted with something along the lines of:

"..I know it's not, I just want to know how insecure it is.."

As if security is measured on a 1 to 10 scale..Security is not a scale, but a total philosophy, a set of tools and actions. Yes, it can be measured, but taking Joomla and singling it out is foolish. Looking at Joomla as part of your total site security makeup IS the right answer. You must measure security holistically. Any part of your security that is weak,weakens the entire infrastructure.

So how do you answer it? To begin with, Joomla is only as secure as the platform it is on, the extensions installed on it and the proper safeguards that are put in place. In fact, many times if a Joomla site is hacked, it could be any number of things. But here's the part that is hard for some to swallow...It's not typically Joomla's fault. it's many times the administrators fault for failing in some basic areas. Now to be fair to the admin, security is an entire practice itself, and in this article I will lay out some basic concepts both Joomla and non-joomla to help you understand how to secure your site.

Permissions:

Many times, a new Joomla user will install the product, and occasionally run into trouble. They set permissions to 777 (r/w/x) for everyone. This is a big no no. And a big red flag. An improperly configured server, and some extensions, are the culprit here. Don't use a host that makes you setup your site this way, and avoid extensions that will ONLY run with 777. While there are exceptions to this statement, overall it holds true.

Tip: Always set folders to 755 and Files to 644

Server Ownership / Permissions

This is usually a hosting related problem, or a hacker has been here. But sometimes ownership of files (as seen from the Operating Systems Point of View), can cause weird problems, or in some cases expose the system. Sometimes in shared hosting, you will see this problem. The net is, if a bad guy gets in from this level, one you're hosed...two it wasn't Joomla.. :)

TIP: Get a new host if they have trouble with basic server configuration. (I recommend our hosting-- Potentia Hosting )

XSS/SQL Injections:

Ah yes..This one does show up kind of frequently in the Joomla space, but also in every other web property. However it's one of the most prevalent attacks on the Internet. This is a direct result of the code, typically an extension, not checking its inputs for trouble. In code speak it's known as "Not sanitizing your inputs". That's a very simple explanation, but suffice to say, it happens a lot.Typically, the core Joomla code is scoured and tested with a commercial tool to check for XSS and SQL injections before it's released and does not suffer from these. Yet, when an extension has one, it Joomla! that gets the wrap.

Tip: Check the extensions by Googling for extension name and vulnerabilities. And check Joomla.org for up to date information.

Passwords:

Alright, guess what. P@ssw0rd does not make a good password. Neither do any of the words on DefaultPassword.com's list.. The bad guys have terrific tools, called Brute Force Tools and password crackers. They contain dictionaries of common passwords, combination's and so forth.Using your dogs name, such as Lassie1 is not acceptable.

Tip: Craft a password that is VERY hard by creating it numbers, letters, and symbols. Using upper and lower case. And change them every 30 days..

Patching:

One HUGE industry problem is patching. This is partly due to lack of a good plan to patch, and partly due to the volume of patches that are released. Patching is where older code is updated with new or fixed code. Many times an upgrade will be just that, an upgrade. However it's up to you to read thechangelog to see what the developer changed. If you see it contains a security fix, apply, test and release it. One area that often gets missed is your server. There are several easy methods to determine your current levels. It's solely your responsibility to keep up with the site, but the host has the responsibility to patch the servers. You would be surprised how hosts do not keep servers patched.

Tip: Stay with a reputable host that offers 24x7 technical support and that will address issues you find wrong.

Basic Protection Layers of Joomla:

The basic protections that are built into Joomla are fairly good. As long as the server they are on is PROPERLY configured. Joomla uses the following means to keep its self secure:

  • Permissions are set to 755 for folders, 644 for files
  • Apache has been configured to not allow browsing/indexing,etc
  • Passwords are MD5 Encrypted + SALTED
  • Database access is password protected at the MySQL level.

The basic authentication of Joomla is pretty good in terms that it's easy to use, fairly hard to crack the passwords - in fact - it's not very likely given the SALT. However for added level of protection, you may wish to look at a stronger authentication/encryption system. There are a few that exist but are beyond the scope of this article.

Database Security:

The database itself is typically MySql, so Joomla simply relies on the underlying security of the database. While typically the database itself is not encrypted, the proper security around the db/web server should prevent access. Providing a strong password is many times sufficient - however - remember - a single SQL injection could result in the loss of your data. What I like about MySqlthough is the various levels of inherent protection if offers. Typically its configured straight out of the box properly and not too much needs to be done. Again, the areas of concern are the server its on.

Tip: Make sure your Database port isn't open to the world - a good tool for this is NMAP.

Scenarios where security of Joomla installations can break down

First of all ANY site that is not patched, improperly setup, has vulnerable code, dedicated attackers are gunning for the site, then will get broken into. Joomla is not any different. Microsoft, Oracle, HP-UXhave published vulnerabilities on a regular basis. And all at one time or another have had their share of troubles.

Here are some common scenarios that may help you be safer.

 
Read more...
 
E-junkie Shopping Cart and Digital Delivery Joomla! is trademark Opensource matters, inc. We ARE NOT affiliated with Open Source Matters, Inc or joomla.org