Tuesday, 10 February 2009
Tips to keep your Joomla website secure from hackers
* Use only secure third party plugins and keep them updated
* Use secure username and password for administrators
* Use an SEF component that makes your Joomla more secure
* Use a secure web host / secure server configuration
* Don’t tell everyone about your configuration
* Write-protect your Joomla configuration file (make unwritable)
* Delete Joomla templates and extensions that you do not use
I have explained most of the above tips in my previous article - Top Ten Joomla Security problems and how to avoid them.
I will go through tips that I have not explained before.
Use an SEF component that makes your Joomla more secure
An SEF component is used to make the URLs of your Joomla website more Search Engine Friendly, but a good SEF component also gives security benefits. A default Joomla URL tells the viewer a lot about the page visited: that it is a Joomla page and which components are used to produce that page. An SEF component masks that information and makes it harder for a hacker to find any security vulnerabilities in those components.
The SEF component sh404SEF also includes a security component that stops various attacks on your website and sends you a warning whenever your site has been exposed to an attack. It also gives you the option to remove the generator tag from your site. The generator tag tells the world that your site is generated by Joomla. Of course it is a nice thing to give credit to Joomla, but there are other ways to pay back to the Joomla community that do not help hackers. If you do not tell the hacker that your website is built with Joomla, you make it a lot harder for him to know where to start hacking.
Don’t tell everyone about your configurations
* Make sure that no outsider can view PHP information (server configuration) via phpinfo().
* Hide the generator tag that shows that you use Joomla CMS. Note that we are not suggesting that Joomla would be insecure. This suggestion is just to make it harder for Joomla-specialized hackers to recognize that your website is Joomla-powered.
* Use an SEF component that masks what components are used on your website.
Write-protect your Joomla configuration file (make unwriteable)
You should definitely write-protect your Joomla configuration file. The file is called "configuration.php" and is located in the root folder of your domain. Joomla 1.5 write-protects configuration.php by default, but in Joomla 1.0 you must actively choose to write-protect the file. You do that by checking the option "Make unwriteable after saving" in the Joomla Global Configuration. You can also manually chmod the file to 444.
Use the correct CHMOD for each folder and file
Setting files or folders to a CHMOD of 777 or 707 is only necessary when a script needs to write to that file or directory. All other files and folders should have the following permissions:
* PHP files: 644
* Config files: 666
* Other folders: 755
Check your site for vulnerabilities
There are a number of tools which test your Joomla for corrupt files and vulnerable files. Amongst these, the following tool is invaluable. Using Joomla Diagnostics, GuardXT etc. you can easily scan for vulnerable files. It will also tell you which files are missing that should be there, and it advises you of any security issues you have in your site. You simply need to upload the two files in the package to your server, access the page http://www.yourdomain.com/diagnostics.php and you will get a list of warnings and security issues you have with your site. Please remember to delete this file after you have used it! Otherwise you will be advertising your issues to hackers!
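The permission policy and the "delete the diagnostics file afterwards" advice above are easy to check from the shell. The script below is an added example, not code from the original post and not one of the Joomla tools it names: it walks a Joomla web root, reports every path that deviates from the policy (configuration.php at 444, other PHP files at 644, folders at 755, 777/707 on anything else) and warns about leftover diagnostic scripts. The phpinfo*.php name pattern is an assumption of this example; diagnostics.php is the name the post gives. It assumes a Linux or BSD find(1).

```shell
#!/bin/sh
# Added example (not from the original post, not a Joomla tool): audit a Joomla
# web root against the permission policy described above and report deviations.
#
#   configuration.php   -> 444 (write-protected, as the post recommends)
#   other *.php files   -> 644
#   folders             -> 755
#   anything 777 / 707  -> only for paths a script genuinely must write to
#   diagnostics.php etc -> should have been deleted after the scan
#
# The phpinfo*.php pattern is an assumption of this example.

audit_joomla_webroot() {
    root="$1"
    issues=0

    # 1. configuration.php must exist and be read-only (444)
    if [ -f "$root/configuration.php" ]; then
        if ! find "$root/configuration.php" -perm 444 | grep -q .; then
            echo "WARN: configuration.php is not mode 444 (write-protect it)"
            issues=$((issues + 1))
        fi
    else
        echo "WARN: no configuration.php under $root"
        issues=$((issues + 1))
    fi

    # 2. every other PHP file should be 644
    n=$(find "$root" -type f -name '*.php' ! -name configuration.php ! -perm 644 | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        find "$root" -type f -name '*.php' ! -name configuration.php ! -perm 644 \
            -exec echo "WARN: PHP file not 644: {}" \;
        issues=$((issues + n))
    fi

    # 3. every folder should be 755 (this also catches 777 folders)
    n=$(find "$root" -type d ! -perm 755 | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        find "$root" -type d ! -perm 755 -exec echo "WARN: folder not 755: {}" \;
        issues=$((issues + n))
    fi

    # 4. non-PHP files at 777 or 707 are world-writable; PHP files were handled in 2
    n=$(find "$root" -type f ! -name '*.php' \( -perm 777 -o -perm 707 \) | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        find "$root" -type f ! -name '*.php' \( -perm 777 -o -perm 707 \) \
            -exec echo "WARN: world-writable file: {}" \;
        issues=$((issues + n))
    fi

    # 5. diagnostic scripts left behind after a scan advertise your problems
    n=$(find "$root" -type f \( -name diagnostics.php -o -name 'phpinfo*.php' \) | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        find "$root" -type f \( -name diagnostics.php -o -name 'phpinfo*.php' \) \
            -exec echo "WARN: leftover diagnostic script, delete it: {}" \;
        issues=$((issues + n))
    fi

    echo "$issues issue(s) found under $root"
    return "$issues"   # exit status doubles as the issue count (0 = clean, wraps above 255)
}

# Usage: sh audit.sh /path/to/joomla
if [ -n "$1" ]; then
    audit_joomla_webroot "$1"
fi
```

Run it as the web server's user or as root so every folder is readable; a non-zero exit status means something needs fixing, and the WARN lines say what. Each path is counted at most once, so the count in the summary line matches the number of warnings printed.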
Sunday, 8 February 2009
Top Ten Joomla Security Problems and how to avoid them
Joomla Security is a hot issue. Unfortunately there are some security mistakes which are made over and over again and which can easily be avoided. The Joomla system is created to provide a great deal of turnkey security, so even a default installation will be fairly secure. However, there are a number of fine adjustments that you can make to tighten up a few Joomla weak points. New security problems arise all the time as hackers devise new methods of breaching security.
Here are the problems and what you should do to avoid them.
10. Cheap Hosting Providers - Never go for the cheapest hosting provider you can find. Typically cheap hosting providers use shared servers that hosts hundreds of other sites, some of which are high-traffic porn sites. Check the list of recommended and Joomla approved hosting providers.
9. No Backups - Make sure you have regular Joomla backups. In case your site gets hacked or something happens, you will be able to rebuild from scratch. Use the JoomlaPack component, an open-source component for the Joomla! CMS that allows for full site backups (files and database).
8. Skipping hardening of PHP and Joomla! settings - Forgetting or skipping the adjustment of PHP and Joomla! settings for increased security is a huge no. There are many small settings and tweaks you can do to make your PHP server and Joomla! more secure.
7. Weak Passwords or Same Passwords - Using the same username and password for your on-line bank account, Joomla! administrator account, Amazon account, Yahoo account, is another mistake you should avoid like the plague. Always use strong passwords which are different from those for your other accounts. Remember also to change the name of the admin account.
6. Install and forget - After installing your brand new beautiful Joomla!-powered site, check it regularly, making sure nothing has gone wrong. Lots of things can go wrong if you don't maintain all the components of your Joomla installation.
5. Having no development server - All upgrades and extension installations should be first tried on a development server, before being done on the live site. If something goes wrong on the development server, you can avoid creating the same problem on the live server, and you'll make sure your live site stays clean.
4. Trusting all 3rd party extensions - You should only install the barest minimum of extensions you require. Not all 3rd party extensions are free from trouble, and some are just plain horrible, buggy and contain vulnerabilities. Each 3rd party extension is another component which might expose you to vulnerabilities and must be kept up to date. Be wary of the 3rd party extensions you install; preferably go for the professional components from reputable companies.
The Joomla core has been proved to be quite stable, and Joomla sites that contain no 3rd party extensions rarely are vulnerable to hacking. Things are very different when it comes to 3rd party components though. There is a huge number of components on the official Joomla extensions directory, a good number of which are in alpha or beta stages (under development), and have not been fully tested. This means that these components may contain code problems which make them hackable. There are also quite a few components developed by people whose programming skills are "poor", and who do not follow code security recommendations. This results in some components being vulnerable.
So what happens when these components are installed? They sit quietly there ticking away like a bomb, performing their function but still ticking away. Then somebody discovers a vulnerability in a component you are using. There are simple ways and means of using Google to find files which are vulnerable on any site which contains these files (the practice is called Google Hacking). So using a simple query, a lot of people will be able to find your vulnerable site. It is therefore just a matter of time before your site is hacked via this problematic component.
Even though some components are not visible by most of your users, if you did not uninstall the component, then the code still exists on your website. Therefore any problems in these components still exist on your site, and can be exploited even if the actual component is not published / visible. Also maybe a new version which addresses a security issue is available but you forgot to apply it to your site, because you forgot that the component still exists on your site!
To take full advantage of new security features, ensure that all third party extensions are Joomla! 1.5 native. Download extensions from trusted sites, and compare the file's MD5 hash with the published one to detect download errors. This suggestion applies to both versions.
What to do?
- Use as few components as possible. This ensures that there are fewer possibilities of components being vulnerable.
- Uninstall completely any 3rd party components or other extensions which you are not using and which are not required for your site. Simply removing the menu links to an extension, or unpublishing a module, is NOT enough to protect your site! As long as the extension's files exist on your server, you are vulnerable.
- Keep yourself subscribed to the Joomla Security Forum, and keep yourself updated with any new component vulnerabilities. Subscribe to the Joomla! Security Announcements.
- Always upgrade your components to the latest versions. New versions of components typically contain bug and security fixes.
- Use the Joomla Tools Suite to perform an Extensions Audit to determine which components you have installed, and check if there is a new version of the components installed. Remove any components which your site can live without.
- Be minimalistic - keep the number of components installed down to the barest minimum. Each additional component installed is an additional risk.
- Always review the code of the extensions to find whether there is malicious code in it.
These are general recommendations, and may not apply in all cases.
- For production sites you should be sticking to Stable releases as much as possible. If you cannot wait until a Stable release has been made available, Release Candidates are the only other option you should consider. Try to avoid components which are in alpha or beta stages unless absolutely necessary. If they are still under development, make sure you subscribe to the author's newsletter where one exists, to ensure that any vulnerabilities are removed if they surface.
- Use popular components, marked as Hot or Editor's pick. These are usually stable components.
- Use commercial components when possible. When you have paid for a component, you expect a certain level of coding and service which is not always available in free components. Also, if a vulnerability is found, a fix will be issued and users notified much faster for commercial components.
- Use common sense. If you install a component which contains a lot of bugs, do not use it because this is a sign that the developer is careless. If their site looks careless and unmaintained, avoid the component.
- If an extension has gone over a year without any updates, consider the project abandoned and find something else. Do not install old components.
- Go through users' comments about the extension, so that you can understand whether the extension is good or not.
- If there is a support community for an extension there is a better chance of security issues being known and dealt with. A support community means that people would like to continue using the extension and that they care about the extension. This furthers the chance that security issues will be found, disclosed, and dealt with promptly.
- Check this list for vulnerable 3rd party/non Joomla! extensions.
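The "uninstall completely" and "Extensions Audit" items above both start from the same question: which extension files are actually on disk, published or not, and at what version? The script below is an added example, not the Joomla Tools Suite and not code from the original post. It assumes the Joomla 1.5 directory layout (front-end components under components/com_*, modules under modules/mod_*) and an XML manifest containing a <version> element in the component's administrator folder or in the module's own folder; check that assumption against your install before trusting the version column.

```shell
#!/bin/sh
# Added example (not from the original post, not the Joomla Tools Suite):
# inventory the extensions present on disk in a Joomla web root so that
# unused ones can be removed and the rest checked against current releases.
# Assumes the 1.5 layout components/com_*, modules/mod_* and a manifest
# *.xml with a <version> element (an assumption about the layout).

# Print the first <version>...</version> found in any .xml directly under
# the given folders, or "unknown" if no manifest is found.
manifest_version() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        v=$(cat "$dir"/*.xml 2>/dev/null \
            | sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' \
            | head -n 1)
        if [ -n "$v" ]; then
            echo "$v"
            return 0
        fi
    done
    echo "unknown"
}

# One line per extension: "<kind> <name> <version>". Presence on disk is what
# matters: an unpublished component still ships its code and its bugs.
joomla_extension_inventory() {
    root="$1"
    for d in "$root"/components/com_*; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        echo "component $name $(manifest_version "$root/administrator/components/$name" "$d")"
    done
    for d in "$root"/modules/mod_*; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        echo "module $name $(manifest_version "$d")"
    done
}

# Usage: sh inventory.sh /path/to/joomla
if [ -n "$1" ]; then
    joomla_extension_inventory "$1"
fi
```

Anything listed as "unknown" has no manifest where this script expects one, which usually means a hand-copied or half-removed extension; those are the first candidates for a clean uninstall. Keep the output with your site notes so the next audit can be diffed against it.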
2. Lack of information when asking for help - If your site gets hacked / cracked, go to the Joomla forums, and before you start posting away like crazy, make sure you have all relevant information available, such as the version of Joomla you have installed and what versions of 3rd party extensions you have installed. This information will help to identify what could have caused your hack, and how to fix it and avoid it happening again.
1. Fix the cracked file and forget it - Once your site's been cracked, fixing the defaced file is not enough. Check your site's logs, change your old passwords, remove the entire directory and rebuild it from clean backups, and take all precautionary actions!
If you are a little careful, you can build a beautiful and stable website with Joomla.