Joomla! Security Essentials
Keeping Your Joomla! Site Secure
Trevor Hatfield
Backup Early and Often
• Set up a regular backup and recovery process.
When done well, this ensures that you can
recover from almost any imaginable disaster.
• Suggested Component
– Akeeba Backup - Simple install and backup
Keeping Your Joomla! Version Up-To-Date
• Why Update Your Joomla! Version?
– Bug Fixes
– Security Fixes

• Upgrade Instructions
– J1.5 Upgrade
• Updating for 1.5 or 1.0 versions.
– Utilize Admin Tools by AkeebaBackup

– J2.5 Upgrade
– J3.x Upgrade
Keeping Extensions Up-To-Date
• Some of the most common vulnerabilities in a Joomla! website are
located in outdated or insecure extensions.
• Only use secure extensions supported by the Joomla! Extensions
Directory
• Before finalizing your choice of extensions, verify that they are not on the
vulnerable extensions list. Also check whether a listed extension has already
been fixed by looking at its “Extension Update Link & Date”.
Migration
• Migration occurs with the major release of 2.5 and up; all other upgrades
are considered updates.
• Why should I migrate from 1.0x, 1.5x, 1.6x, or 1.7x?
– No longer supported with latest patches
– Security Vulnerabilities

• Migrating from 1.5x (Most Common)
– Joomla! Documentation on 1.5x Migration

• 1.5x Migration Components
– jUpgrade (2.5x Only)
– Migrate Me
– SP Upgrade
– J2XML Importer (2.5x Only)

• Migrating from 2.5 to 3
– Joomla! Documentation on 2.5 > 3
Secure Your Administrator Access
• Always use a unique username and password
• Multiple Sites? Make each login different.
• Secure your administrator URL.
– The best way to secure your admin URL is to create a
secret key to access the site. For example:
http://www.mysite.com/administrator/?adminaccess
This will keep excessive hacker login attempts at bay
and hide the obvious fact that you are using a
Joomla!-run website.
– Suggested Extension – jSecure
– List of Additional Login Protection Extensions
Choose Hosting Wisely
• Use a high-quality Web host. Do not be fooled by
offers of unlimited bandwidth, unlimited hard
drive space, unlimited databases, etc. Avoid any
host that runs PHP with safe_mode ON; it should be
OFF. Make sure it is running PHP5+.
• A Few Suggested Hosts:

Dedicated / VPS Only
Use SEF URLs or an SEF component.
• What are SEF URLs?
– URLs that are easy for the search engines to read.

• How do they help with security?
– Utilizing SEF (Search Engine Friendly) URLs is a good way to mask
Joomla! URLs from attackers. A default Joomla! URL tells the visitor a
lot about the page being visited, including that it is a Joomla! page and
what components are being used. The default Joomla! SEF tool works
great, but if you want to take it to another level of management,
sh404SEF by Anything Digital is a great tool. sh404SEF offers a couple
of security options that the default Joomla! SEF doesn’t: it can
remove the generator tag that shows you are running Joomla!, and it
sends warnings when your site has been exposed to an attack.
• You can also remove the generator tag with the plugin ByeByeGenerator.
• More info on the Joomla! meta generator tag and how to remove it.
Changing File Permissions
• Restrict file permissions on some critical files to make it
harder for a hacker to edit or overwrite your files. Here are
some suggestions:
– Set the permission of /index.php to 444
– Set the permission of /configuration.php to 444
– Set the permission of /templates/*yourtemplate*/index.php to
444
– Set the permission of the folder /templates/*yourtemplate*/ to
555

• More information on Linux file permissions
• (If you have already changed your file permissions, make
sure to temporarily change configuration.php to 644 for editing
Global Configuration in the admin panel, and back to 444 once done.)
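The permission changes listed above can be applied and re-checked with a short script. This is an added example, not part of the original slides; the function names are hypothetical, and the Joomla! root and template directory name are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the slides). Function names are illustrative;
# pass in your own Joomla! root and active template directory name.

# Print the octal mode of a path (GNU stat, then BSD stat as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# List "mode path" pairs for the four targets named on the slide.
# $1 = Joomla! root, $2 = active template directory name
hardening_targets() {
    printf '444 %s\n' "$1/index.php" "$1/configuration.php" \
                      "$1/templates/$2/index.php"
    printf '555 %s\n' "$1/templates/$2"
}

# Apply the suggested modes, skipping anything that does not exist.
apply_hardening() {
    hardening_targets "$1" "$2" | while read -r want path; do
        if [ -e "$path" ]; then
            chmod "$want" "$path"
        else
            echo "skip (missing): $path" >&2
        fi
    done
}

# Report every target whose mode differs from the suggestion.
# Returns 0 when all four match, 1 otherwise (useful from cron).
audit_hardening() {
    report=$(hardening_targets "$1" "$2" | while read -r want path; do
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
        elif [ "$(mode_of "$path")" != "$want" ]; then
            echo "DRIFT $path is $(mode_of "$path"), expected $want"
        fi
    done)
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Saving Global Configuration rewrites configuration.php, so it needs 644
# while settings are being edited and 444 again afterwards.
unlock_config() { chmod 644 "$1/configuration.php"; }
lock_config()   { chmod 444 "$1/configuration.php"; }

# Typical use (paths are placeholders):
#   apply_hardening /home/yoursite/public_html yourtemplate
#   audit_hardening /home/yoursite/public_html yourtemplate
```

Running `audit_hardening` on a schedule catches the case where an update, or a forgotten `unlock_config`, leaves one of these files writable again.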
Protect directory paths for temp and logs folders
All configurable paths to temp and logs directories should be
located outside of the public_html directory. This can be achieved
by editing the path in configuration.php, or in the Global
Configuration area of your Joomla! Back-End. The path should
be adjusted:
• From: /home/yoursite/public_html/logs
• To: /home/yoursite/logs
and
• From: /home/yoursite/public_html/temp
• To: /home/yoursite/temp
After changing the paths, make sure to move the folders to the
new location.
Global Configuration View
cPanel View
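A check that the log and temp paths in configuration.php really sit outside the web root, as an added example that is not part of the original slides. It assumes the paths are stored as single-quoted `$log_path` and `$tmp_path` properties in configuration.php; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the slides). Assumes configuration.php holds
# single-quoted $log_path / $tmp_path properties; names are illustrative.

# Constructed sample: a configuration.php fragment that still points at
# the in-webroot folders shown in the "From:" lines of the slide.
sample_config() {
    cat <<'EOF'
<?php
class JConfig {
    public $log_path = '/home/yoursite/public_html/logs';
    public $tmp_path = '/home/yoursite/public_html/temp';
}
EOF
}

# Print the value assigned to one property.
# $1 = configuration.php, $2 = property name (log_path or tmp_path)
# Accepts both "public $x = '...'" and the older "var $x = '...'" form.
config_value() {
    sed -n "s/^[[:space:]]*[a-z]*[[:space:]]*[\$]$2[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" |
        head -n 1
}

# Return 0 if path $1 is the directory $2 or lies below it.
# Plain string comparison: symlinks are not resolved, and a sibling such
# as public_html_old is correctly treated as outside public_html.
is_under() {
    child=${1%/}
    parent=${2%/}
    case "$child/" in
        "$parent"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check both paths against the web root and print one line per path.
# $1 = configuration.php, $2 = web root (e.g. /home/yoursite/public_html)
# Returns 1 if either path is inside the web root or cannot be read.
check_joomla_paths() {
    cfg=$1
    webroot=$2
    bad=0
    for key in log_path tmp_path; do
        val=$(config_value "$cfg" "$key")
        if [ -z "$val" ]; then
            echo "UNKNOWN $key not found in $cfg"
            bad=1
        elif is_under "$val" "$webroot"; then
            echo "EXPOSED $key=$val is inside $webroot"
            bad=1
        else
            echo "OK $key=$val"
        fi
    done
    return "$bad"
}

# Typical use (paths are placeholders):
#   check_joomla_paths /home/yoursite/public_html/configuration.php \
#                      /home/yoursite/public_html
```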
Site Monitoring
• Site monitoring lets you know when there has been an
injection and your site is at risk. This is very helpful
in getting your site clean and back live with the least
amount of downtime.
• Best 2 Options
– Sucuri.net
– Watchful.li
Additional Resources
• Joomla Documentation – Security Checklist
• CMS Security Handbook – Amazon Link
Discounts
• Akeeba Products, 20% - Use the following
coupon code to save 20% on all Akeeba
backup products such as Akeeba Backup Pro.
– WATCHFUL
Top 10 Stupidest Administrator Tricks
Link: http://docs.joomla.org/Top_10_Stupidest_Administrator_Tricks
This list originally appeared late one night on the Joomla Forums after one developer ended a particularly long round of
crack recovery. The post struck many a nerve among Joomlaists far and wide, and has been translated into several
languages. Some nerves were near the funny bone, others painfully far from it. Your experience may vary.
• 10. Use the cheapest hosting provider you can find.
– Preferably use a shared server that hosts hundreds of other sites, some of which are high-traffic porn sites. Don't check the list
of recommended hosting providers. FYI: You can use a tool such as Robtex (if you are using a shared Hosting Provider) to see
who you are sharing space with and if you should be proactive to request a move to another shared space. For example:
http://www.robtex.com/dns/joomla.org.html, or for REALLY cool information: Google.com:
http://www.robtex.com/dns/google.com.html. This shows domain, shared, whois, blacklist, analysis, contact...

• 9. Don't waste time with regular backups.
– Maybe the hosting provider will help you out.

• 8. Don't waste time adjusting PHP and Joomla! settings for increased security.
– Hey, the install was brain-dead easy. How bad could the rest be? Worry about those details only if there's a problem.

• 7. Use the same username and password for everything.
– Use the same username and password for your on-line bank account, Joomla! administrator account, Amazon account, Yahoo
account, etc. Hey, who has time to keep track of so many passwords? And anyway, since you don't change passwords, it's easier
to just use the same one all the time, everywhere.

• 6. Install your brand new beautiful Joomla!-powered site, and celebrate a job well done.
– Don't worry about it again. After all, if you don't make any more changes, what can go wrong?
Top 10 Stupidest Administrator Tricks (Cont’d)
• 5. Do all upgrades on the live site right away.
– Who needs a development and testing server anyway? If an installation fails, you'll just uninstall it again.
That will hopefully also undo any damage the installation caused.

• 4. Trust third-party extensions.
– Install all the cool-looking stuff you can find. Anyone smart enough to write a Joomla! extension will provide
perfect code that blocks every known exploit attempt, now and forever. After all, almost all this stuff is
provided for free by well-meaning, good-hearted people who know what they are doing.

• 3. Don't worry about updating to the latest version of Joomla!
– Hey, nothing has gone wrong so far, and if it ain't broke don't fix it! Same plan for the third-party extensions.
Too much work; life's a beach.

• 2. When your site gets cracked, panic your way into the Joomla! Forums.
– Start a new post with a very familiar title: "My Site's Been Hacked! (sic)" Be sure not to leave relevant
information, such as which obsolete versions of Joomla! and third party extensions you installed.

• 1. Once your site's been cracked, fix the defaced index.php file and assume all else is well.
– Don't check raw logs, change your passwords, remove the entire directory and rebuild from clean backups,
or take any other overly paranoid-seeming action. When the attackers return the next day, scream loudly
that you've been "hacked again," and it's all Joomla!'s fault. Ignore the fact that removing a defaced file is
not even step one in the difficult process of fully recovering a cracked site.

Mais conteúdo relacionado

Mais procurados

Joomla! Installation
Joomla! InstallationJoomla! Installation
Joomla! Installationghessler
 
Securing your WordPress site in 5 easy pieces
Securing your WordPress site in 5 easy piecesSecuring your WordPress site in 5 easy pieces
Securing your WordPress site in 5 easy piecesKevin Koehler
 
Using composer with WordPress
Using composer with WordPressUsing composer with WordPress
Using composer with WordPressMicah Wood
 
Big data key-value and column stores redis - cassandra
Big data  key-value and column stores redis - cassandraBig data  key-value and column stores redis - cassandra
Big data key-value and column stores redis - cassandraJWORKS powered by Ordina
 
Code Coverage for Total Security in Application Migrations
Code Coverage for Total Security in Application MigrationsCode Coverage for Total Security in Application Migrations
Code Coverage for Total Security in Application MigrationsDana Luther
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 
WordPress 4.0 - What's New
WordPress 4.0 - What's NewWordPress 4.0 - What's New
WordPress 4.0 - What's NewWP Australia
 
WordcampNYC 2010 - Wordpress & Multimedia (Updated)
WordcampNYC 2010 - Wordpress & Multimedia (Updated)WordcampNYC 2010 - Wordpress & Multimedia (Updated)
WordcampNYC 2010 - Wordpress & Multimedia (Updated)Digital Strategy Works LLC
 
Secrets to a Hack-Proof Joomla Revealed
Secrets to a Hack-Proof Joomla RevealedSecrets to a Hack-Proof Joomla Revealed
Secrets to a Hack-Proof Joomla RevealedSiteGround.com
 
8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid ThemSiteGround.com
 
WordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupWordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupJohn Carcutt
 
soft-shake.ch - WebMatrix: Your Web Made Easy
soft-shake.ch - WebMatrix: Your Web Made Easysoft-shake.ch - WebMatrix: Your Web Made Easy
soft-shake.ch - WebMatrix: Your Web Made Easysoft-shake.ch
 
Basics for Securing WordPress
Basics for Securing WordPressBasics for Securing WordPress
Basics for Securing WordPressmiss604
 
Securing WordPress by Jeff Hoffman
Securing WordPress by Jeff HoffmanSecuring WordPress by Jeff Hoffman
Securing WordPress by Jeff HoffmanJeff Hoffman
 
Bảo Mật Website WordPress
Bảo Mật Website WordPressBảo Mật Website WordPress
Bảo Mật Website WordPressLê Quốc Toàn
 
Beginning WordPress Security WordCamp North Canton 2015
Beginning WordPress Security WordCamp North Canton 2015Beginning WordPress Security WordCamp North Canton 2015
Beginning WordPress Security WordCamp North Canton 2015Michele Butcher-Jones
 

Mais procurados (20)

Joomla! Installation
Joomla! InstallationJoomla! Installation
Joomla! Installation
 
Securing your WordPress site in 5 easy pieces
Securing your WordPress site in 5 easy piecesSecuring your WordPress site in 5 easy pieces
Securing your WordPress site in 5 easy pieces
 
Using composer with WordPress
Using composer with WordPressUsing composer with WordPress
Using composer with WordPress
 
Big data key-value and column stores redis - cassandra
Big data  key-value and column stores redis - cassandraBig data  key-value and column stores redis - cassandra
Big data key-value and column stores redis - cassandra
 
Code Coverage for Total Security in Application Migrations
Code Coverage for Total Security in Application MigrationsCode Coverage for Total Security in Application Migrations
Code Coverage for Total Security in Application Migrations
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
 
WordPress 4.0 - What's New
WordPress 4.0 - What's NewWordPress 4.0 - What's New
WordPress 4.0 - What's New
 
WordcampNYC 2010 - Wordpress & Multimedia (Updated)
WordcampNYC 2010 - Wordpress & Multimedia (Updated)WordcampNYC 2010 - Wordpress & Multimedia (Updated)
WordcampNYC 2010 - Wordpress & Multimedia (Updated)
 
Secrets to a Hack-Proof Joomla Revealed
Secrets to a Hack-Proof Joomla RevealedSecrets to a Hack-Proof Joomla Revealed
Secrets to a Hack-Proof Joomla Revealed
 
Automated testing 101
Automated testing 101Automated testing 101
Automated testing 101
 
8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them
 
WordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupWordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress Meetup
 
soft-shake.ch - WebMatrix: Your Web Made Easy
soft-shake.ch - WebMatrix: Your Web Made Easysoft-shake.ch - WebMatrix: Your Web Made Easy
soft-shake.ch - WebMatrix: Your Web Made Easy
 
Basics for Securing WordPress
Basics for Securing WordPressBasics for Securing WordPress
Basics for Securing WordPress
 
Securing WordPress by Jeff Hoffman
Securing WordPress by Jeff HoffmanSecuring WordPress by Jeff Hoffman
Securing WordPress by Jeff Hoffman
 
Jomc463 beginner wordpress(zeoli)
Jomc463 beginner wordpress(zeoli)Jomc463 beginner wordpress(zeoli)
Jomc463 beginner wordpress(zeoli)
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
Bảo Mật Website WordPress
Bảo Mật Website WordPressBảo Mật Website WordPress
Bảo Mật Website WordPress
 
Beginning WordPress Security WordCamp North Canton 2015
Beginning WordPress Security WordCamp North Canton 2015Beginning WordPress Security WordCamp North Canton 2015
Beginning WordPress Security WordCamp North Canton 2015
 
Oscp preparation
Oscp preparationOscp preparation
Oscp preparation
 

Semelhante a Keeping Your Joomla! Site Secure

WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and SecurityThink Media Inc.
 
Updating WordPress Themes, Plugins, and Core Safely
Updating WordPress Themes, Plugins, and Core SafelyUpdating WordPress Themes, Plugins, and Core Safely
Updating WordPress Themes, Plugins, and Core SafelyAngela Bowman
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best PracticesRobert Vidal
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015kriptonium
 
Joomladay Netherlands - Security
Joomladay Netherlands - SecurityJoomladay Netherlands - Security
Joomladay Netherlands - SecurityWilco Jansen
 
Word Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009   Word Press In The WildWord Camp Ph 2009   Word Press In The Wild
Word Camp Ph 2009 Word Press In The Wildrebelpixel
 
WordPress Resources Nov 2014
WordPress Resources Nov 2014WordPress Resources Nov 2014
WordPress Resources Nov 2014Judy Wilson
 
Joomladay Switzerland - security
Joomladay Switzerland - securityJoomladay Switzerland - security
Joomladay Switzerland - securityWilco Jansen
 
Build a typo3 website in an hour
Build a typo3 website in an hourBuild a typo3 website in an hour
Build a typo3 website in an hourTony Lush
 
WordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The WildWordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The Wildrebelpixel
 
From WordPress With Love
From WordPress With LoveFrom WordPress With Love
From WordPress With LoveUp2 Technology
 
WordPress Server Security
WordPress Server SecurityWordPress Server Security
WordPress Server SecurityPeter Baylies
 
DCRUG: Achieving Development-Production Parity
DCRUG: Achieving Development-Production ParityDCRUG: Achieving Development-Production Parity
DCRUG: Achieving Development-Production ParityGeoff Harcourt
 
Up and Running with WordPress - Site Shack Nashville Web Design
Up and Running with WordPress - Site Shack Nashville Web DesignUp and Running with WordPress - Site Shack Nashville Web Design
Up and Running with WordPress - Site Shack Nashville Web DesignJudy Wilson
 

Semelhante a Keeping Your Joomla! Site Secure (20)

WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
 
Updating WordPress Themes, Plugins, and Core Safely
Updating WordPress Themes, Plugins, and Core SafelyUpdating WordPress Themes, Plugins, and Core Safely
Updating WordPress Themes, Plugins, and Core Safely
 
I Have My WordPress Site Now What?
I Have My WordPress Site Now What?I Have My WordPress Site Now What?
I Have My WordPress Site Now What?
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best Practices
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
 
Joomladay Netherlands - Security
Joomladay Netherlands - SecurityJoomladay Netherlands - Security
Joomladay Netherlands - Security
 
Word Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009   Word Press In The WildWord Camp Ph 2009   Word Press In The Wild
Word Camp Ph 2009 Word Press In The Wild
 
WordPress Resources Nov 2014
WordPress Resources Nov 2014WordPress Resources Nov 2014
WordPress Resources Nov 2014
 
Test
TestTest
Test
 
Joomla 101
Joomla 101Joomla 101
Joomla 101
 
Joomladay Switzerland - security
Joomladay Switzerland - securityJoomladay Switzerland - security
Joomladay Switzerland - security
 
Build a typo3 website in an hour
Build a typo3 website in an hourBuild a typo3 website in an hour
Build a typo3 website in an hour
 
WordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The WildWordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The Wild
 
From WordPress With Love
From WordPress With LoveFrom WordPress With Love
From WordPress With Love
 
WordPress Server Security
WordPress Server SecurityWordPress Server Security
WordPress Server Security
 
DCRUG: Achieving Development-Production Parity
DCRUG: Achieving Development-Production ParityDCRUG: Achieving Development-Production Parity
DCRUG: Achieving Development-Production Parity
 
Up and Running with WordPress - Site Shack Nashville Web Design
Up and Running with WordPress - Site Shack Nashville Web DesignUp and Running with WordPress - Site Shack Nashville Web Design
Up and Running with WordPress - Site Shack Nashville Web Design
 
Joomla
JoomlaJoomla
Joomla
 
Joomla
JoomlaJoomla
Joomla
 

Último

AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncObject Automation
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServiceRenan Moreira de Oliveira
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 

Último (20)

AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation Inc
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 

Keeping Your Joomla! Site Secure

  • 1. Joomla! Security Essentials Keeping Your Joomla! Site Secure Trevor Hatfield
  • 2. Backup Early and Often • Set up a regular backup and recovery process. When done well, this ensures that you can recover from almost any imaginable disaster. • Suggested Component – Akeeba Backup - Simple install and backup
  • 3. Keeping Your Joomla! Version Up-To-Date • Why Update You Joomla! Version? – Bug Fixes – Security Fixes • Upgrade Instructions – J1.5 Upgrade • Updating for 1.5 or 1.0 versions. – Utilize Admin Tools by AkeebaBackup – J2.5 Upgrade – J3.x Upgrade
  • 4. Keeping Extensions Up-To-Date • Some of the most common vulnerabilities in a Joomla! website are located in outdated or insecure extensions. • Only use secure extensions supported by the Joomla! Extensions Directory • Before finalizing your extensions choice, verify they are not on the vulnerable extensions list . Also verify it has not already been fixed by looking at the “Extension Update Link & Date”
  • 5. Migration • Migration occurs with the major release of 2.5 and up, all other upgrades are considered an update. • Why should I migrate from 1.0x, 1.5x, 1.6x, or 1.7x? – No longer supported with latest patches – Security Vulnerabilties • Migrating from 1.5x (Most Common) – Joomla! Documentation on 1.5x Migration • 1.5x Migration Components – – – – jUpgrade (2.5x Only) Migrate Me SP Upgrade J2XML Importer (2.5x Only) • Migrating from 2.5 to 3 – Joomla! Documentation on 2.5 > 3
  • 6. Secure Your Administrator Access • Always use a unique username and password • Multiple Sites? Make each login different. • Secure your administrator url. – The best way to secure your admin url is to create a secret key to access the site. For example: http://www.mysite.com/administrator/?adminaccess This will keep excessive hacker login attempts at bay and hide the obvious fact that you are using a Joomla! run website. – Suggested Extension – jSecure – List of Additional Login Protection Extensions
  • 7. Choose Hosting Wisely • Use a high-quality Web host. Do not be fooled by offers of unlimited bandwidth, unlimited hard drive space, unlimited databases, etc. Avoid any host that uses php safe_mode ON, this should be OFF. Make sure it is running PHP5+. • A Few Suggested Hosts: Dedicated / VPS Only
  • 8. Use SEF URL’s or an SEF component. • What are SEF URL’s? – Creates a url that is easy for the search engines to read. • How do they help with security? – Utilizing SEF (Search Engine Friendly) URL’s is a good way to mask Joomla! URL’s from attackers. A default Joomla! URL tells the visitor a lot about the page being visited, including that it is a Joomla! page and what components are being used. The default Joomla! SEF tool works great, but if you want to take it to another level of management sh404SEF by Anything Digital is a great tool. A couple security options sh404SEF offers that the default Joomla! SEF doesn’t are, the option to remove the generator tag from your site showing you are running Joomla!, and it will send warnings when your site has been exposed to an attack. • You can also remove the generator tag with the plugin ByeByeGenerator. • More info on Joomla! meta generator tag and how to remove it.
  • 9. Changing File Permissions
    • Restrict file permissions on some critical files to make it harder for a hacker to edit or overwrite your files. Here are some suggestions:
      – Set the permission of /index.php to 444
      – Set the permission of /configuration.php to 444
      – Set the permission of /templates/*yourtemplate*/index.php to 444
      – Set the permission of the folder /templates/*yourtemplate*/ to 555
    • More information on Linux file permissions
    • (If you have already changed your file permissions, make sure to temporarily change /configuration.php to 644 before editing Global Configuration in the admin panel, and back to 444 once done.)
  • 10. Protect directory paths for temp and logs folders
    All configurable paths to the temp and logs directories should be located outside of the public_html directory. This can be achieved by editing the path in configuration.php, or in the Global Configuration area of your Joomla! Back-End. The paths should be adjusted:
    • From: /home/yoursite/public_html/logs
    • To: /home/yoursite/logs
    and
    • From: /home/yoursite/public_html/temp
    • To: /home/yoursite/temp
    Make sure to move your folders to the new location after changing the paths.
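The suggestions on slides 9 and 10 (file modes, and log/temp paths outside public_html) can be checked from the shell. The script below is an added example, not part of the original slides: it assumes GNU stat on Linux, its function names are hypothetical, and it reads `$log_path` and `$tmp_path`, the variable names Joomla! uses in configuration.php.

```shell
#!/bin/sh
# Added example: audit a Joomla! tree against slides 9 and 10.
# Assumes GNU stat (Linux); function names are hypothetical.

# check_mode PATH EXPECTED: report and return 1 if the octal mode differs.
check_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || { echo "MISSING $1"; return 1; }
    [ "$actual" = "$2" ] && return 0
    echo "MODE    $1 is $actual, expected $2"
    return 1
}

# config_path FILE VAR: print the single-quoted value assigned to $VAR.
config_path() {
    sed -n "s/.*[\$]${2}[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# is_under DIR ROOT: succeed if DIR is ROOT or lies beneath it.
# Plain string comparison; symlinks and ".." are not resolved.
is_under() {
    case "${1%/}/" in
        "${2%/}/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_joomla WEBROOT TEMPLATE: print findings, return how many there were.
audit_joomla() {
    root=${1%/}; findings=0
    for spec in "index.php 444" "configuration.php 444" \
                "templates/$2/index.php 444" "templates/$2 555"; do
        check_mode "$root/${spec% *}" "${spec##* }" || findings=$((findings + 1))
    done
    for var in log_path tmp_path; do
        dir=$(config_path "$root/configuration.php" "$var")
        if [ -z "$dir" ]; then
            echo "CONFIG  \$$var not set in configuration.php"
            findings=$((findings + 1))
        elif is_under "$dir" "$root"; then
            echo "PATH    \$$var=$dir is inside the web root"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage: sh audit.sh /home/yoursite/public_html yourtemplate
if [ "$#" -ge 2 ]; then audit_joomla "$1" "$2"; fi
```

The exit status is the number of findings, so a scheduled run can alert on any non-zero result.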
  • 13. Site Monitoring
    • Site Monitoring assists in letting you know if there has been an injection and your site is at risk. This is very helpful in getting your site back live or clean with the least amount of downtime.
    • Best 2 Options
      – Sucuri.net
      – Watchful.li
  • 14. Additional Resources
    • Joomla Documentation – Security Checklist
    • CMS Security Handbook – Amazon Link
    Discounts
    • Akeeba Products, 20% - Use the following coupon code to save 20% on all Akeeba backup products such as Akeeba Backup Pro.
      – WATCHFUL
  • 15. Top 10 Stupidest Administrator Tricks
    Link: http://docs.joomla.org/Top_10_Stupidest_Administrator_Tricks
    This list originally appeared late one night on the Joomla Forums after one developer ended a particularly long round of crack recovery. The post struck many a nerve among Joomlaists far and wide, and has been translated into several languages. Some nerves were near the funny bone, others painfully far from it. Your experience may vary.
    • 10. Use the cheapest hosting provider you can find.
      – Preferably use a shared server that hosts hundreds of other sites, some of which are high-traffic porn sites. Don't check the list of recommended hosting providers. FYI: You can use a tool such as Robtex (if you are using a shared Hosting Provider) to see who you are sharing space with and if you should be proactive to request a move to another shared space. For example: http://www.robtex.com/dns/joomla.org.html, or for REALLY cool information: Google.com: http://www.robtex.com/dns/google.com.html. This shows domain, shared, whois, blacklist, analysis, contact...
    • 9. Don't waste time with regular backups.
      – Maybe the hosting provider will help you out.
    • 8. Don't waste time adjusting PHP and Joomla! settings for increased security.
      – Hey, the install was brain-dead easy. How bad could the rest be? Worry about those details only if there's a problem.
    • 7. Use the same username and password for everything.
      – Use the same username and password for your on-line bank account, Joomla! administrator account, Amazon account, Yahoo account, etc. Hey, who has time to keep track of so many passwords? And anyway, since you don't change passwords, it's easier to just use the same one all the time, everywhere.
    • 6. Install your brand new beautiful Joomla!-powered site, and celebrate a job well done.
      – Don't worry about it again. After all, if you don't make any more changes, what can go wrong?
  • 16. Top 10 Stupidest Administrator Tricks (Cont’d)
    • 5. Do all upgrades on the live site right away.
      – Who needs a development and testing server anyway? If an installation fails, you'll just uninstall it again. That will hopefully also undo any damage the installation caused.
    • 4. Trust third-party extensions.
      – Install all the cool-looking stuff you can find. Anyone smart enough to write a Joomla! extension will provide perfect code that blocks every known exploit attempt, now and forever. After all, almost all this stuff is provided for free by well-meaning, good-hearted people who know what they are doing.
    • 3. Don't worry about updating to the latest version of Joomla!
      – Hey, nothing has gone wrong so far, and if it ain't broke don't fix it! Same plan for the third-party extensions. Too much work; life's a beach.
    • 2. When your site gets cracked, panic your way into the Joomla! Forums.
      – Start a new post with a very familiar title: "My Site's Been Hacked! (sic)" Be sure not to leave relevant information, such as which obsolete versions of Joomla! and third party extensions you installed.
    • 1. Once your site's been cracked, fix the defaced index.php file and assume all else is well.
      – Don't check raw logs, change your passwords, remove the entire directory and rebuild from clean backups, or take any other overly paranoid-seeming action. When the attackers return the next day, scream loudly that you've been "hacked again," and it's all Joomla!'s fault. Ignore the fact that removing a defaced file is not even step one in the difficult process of fully recovering a cracked site.