I wish security was measured on a scale of 1 to 10. But it\u2019s not a scale, instead, it\u2019s considered by most security experts as a total philosophy, and a set of tools and actions. This does not mean it cannot be measured, and taking singling Joomla out is foolish. But looking at Joomla as part of your total site security makeup is the right answer. It\u2019s a good idea to measure security holistically because if any part of your security is weak, it weakens your entire infrastructure.<\/p>\n
How to secure your Joomla site – First, Joomla is only as secure as the server platform it is on, the extensions installed on it, and the proper safeguards that are put in place. In fact, when a Joomla site is hacked ,in most cases it could be any number of things.\u00a0 It’s not typically Joomla’s fault.\u00a0 It\u2019s many times the webmaster\u2019s or administrator\u2019s fault for failing in some basic areas. To be fair to the administrator, security is an entire practice itself, and in this article I will explain some basic concepts for securing Joomla and non-Joomla to help you understand how to secure your site.<\/p>\n
In most situations, a new Joomla user will install the software and occasionally run into trouble when file and folder permissions need to be modified manually.\u00a0 They set permissions to 777 (r\/w\/x) for everyone and this is a BIG NO NO, AND A BIG RED FLAG.\u00a0 Improperly configured server, and or extension(s), are the culprit here.\u00a0 Don’t use a host that makes you set up your site this way, and avoid extensions that will ONLY run with 777.\u00a0 While there are exceptions to this statement, overall it holds true.<\/p>\n
NOTE: Always set the permission of folders to 755 and files to 644 <\/strong><\/p>\n This is usually a hosting related problem, or a hacker has been here.\u00a0 But sometimes ownership of files (as seen from the Operating Systems Point of View), can cause weird problems, or in some cases expose the system.\u00a0 Sometimes in shared hosting, you will see this problem.\u00a0 The net is, if a bad guy gets in from this level, one you’re hosed… two it wasn’t Joomla.. \ud83d\ude42<\/p>\n NOTE: Get a new host if they have trouble with basic server configuration. (I recommend our hosting – http:\/\/hosting.SaloneTech.com )<\/strong><\/p>\n This one does show up frequently in the Joomla space, but also in every other web property.\u00a0 However it’s one of the most prevalent attacks on the Internet. This is a direct result of the code, typically an extension, not checking its inputs for trouble.\u00a0 For coders, it’s known as “Not sanitizing your inputs”. That\u2019s a very simple explanation, but suffice to say, it happens a lot. Typically, the core Joomla code is scoured and tested with a commercial tool to check for XSS and SQL injections before it’s released and does not suffer from these.\u00a0 Yet, when an extension has one, it Joomla!\u00a0 That gets the wrap.<\/p>\n NOTE: Check the extensions by Googling for extension name<\/em> and vulnerabilities. And check Joomla.org for up to date information.<\/strong><\/p>\n Alright, guess what – P@ssw0rd<\/em><\/strong> does not make a good password. Neither do any of the words on DefaultPassword.com’s<\/a> list. The bad guys have terrific tools, called Brute Force Tools and password crackers. They contain dictionaries of common passwords, combinations, and so forth. Using your dog\u2019s name, such as Lassie1<\/em><\/strong> is not acceptable.<\/p>\n NOTE: Craft a password that is VERY hard by creating it using numbers, letters, and symbols. Using upper and lower case. And change them every 30, 60, or 90 days<\/strong><\/p>\n One HUGE industry problem is patching. This is partly due to lack of a good plan to patch, and partly due to the volume of patches that are released. <\/em>Patching is where older code is updated with new or fixed code.\u00a0 Many times an upgrade will be just fine.\u00a0 However it’s up to you to read \u201cthechangelog\u201d file to see what the developer changed.\u00a0 If you see it contains a security fix, apply, test and release it.\u00a0 One area that often gets missed is your server.\u00a0 There are several easy methods to determine your current levels.\u00a0 It’s solely your responsibility to keep up with the site, but the host has the responsibility to patch the servers. You would be surprised how hosts do not keep servers patched.<\/p>\n NOTE: Stay with a reputable host that offers 24×7 technical support and that will address issues you find wrong.<\/strong><\/p>\n The basic protections that are built into Joomla are fairly good, as long as the server they are on is PROPERLY configured.\u00a0 Joomla uses the following means to keep itself secure:<\/p>\n The basic authentication of Joomla is pretty good and that it’s easy to use, fairly hard to crack the passwords – in fact – it’s not very likely given the SALT. However for added level of protection, you may wish to look at a stronger authentication\/encryption system. There are a few that exist but are beyond the scope of this article.<\/p>\n Database Security:<\/strong><\/p>\n The database itself is typically MySql, so Joomla simply relies on the underlying security of the database.\u00a0 While typically the database itself is not encrypted, the proper security around the db\/web server should prevent access. Providing a strong password is many times sufficient –\u00a0however – remember – a single SQL injection could result in the loss of your data. What I like about MySql is the various levels of inherent protection it offers.\u00a0 Typically it\u2019s configured straight out of the box properly and not too much needs to be done.\u00a0 Again, the areas of concern are the server it is on.<\/p>\n NOTE: Make sure your Database port isn’t open to the world – a good tool for this is NMAP.<\/strong><\/p>\n Scenarios where security of Joomla installations can break down:<\/p>\n First of all ANY site that is not patched, improperly setup, has vulnerable code, dedicated attackers are gunning for the site, then will get broken into. Joomla is not any different. Microsoft, Oracle, HP-UX have published vulnerabilities on a regular basis. And all at one time or another have had their share of troubles.<\/p>\n Here are some common scenarios that may help you be safer.<\/p>\n Scenario 1: Database exposed:<\/p>\n Scenario 2: Cross Site Scripting and Sql Injections<\/p>\n The solution here is to<\/p>\n Scenario 3: Malware<\/strong><\/p>\n Scenario 4: Improper configuration of servers<\/strong><\/p>\n Remedies for these scenarios :<\/strong><\/p>\n If you need help in securing your Joomla, Drupal or WordPress site, feel free to contact me at email@tambalamin.net<\/a> or call (917) 623 4281<\/p>\nServer Ownership\/Permissions<\/h2>\n
XSS\/SQL Injections:<\/h2>\n
Passwords:<\/h2>\n
Patching:<\/h2>\n
Basic Protection Layers of Joomla:<\/h2>\n
\n
\n
\n
\n
\n
\n
\n