SECRETS TO A HACK-PROOF JOOMLA REVEALED!
Daniel Kanchev
Joomla Performance Guru
SiteGround.com - Expert Joomla Hosting
BEFORE WE BEGIN...
• 7+ years of Joomla! experience
• 4 years with SiteGround
• Love traveling the world
• Addicted to extreme and not secure sports
WHO SHOULD CARE ABOUT SECURITY?
• Application/Extension developers
• Hosting providers/system administrators
• YOU (end Joomla users)
EVERYONE
Why should YOU care?
• Be trustworthy by protecting your clients’ data
• Have a healthy site - avoid substantial data loss/downtime
How do hackers work?
Everyone’s responsible!
Security is a process!
KEEP CALM, IT'S NOT ROCKET SCIENCE
IS YOUR SERVER SETUP RIGHT?
Server config & tips
• Update server software - Apache, ftp, mail, etc.
• Harden the Linux kernel - grsecurity
• Chroot processes
• Use Suexec, secure PHP setup (fastCGI)
• Provide only restricted shell access
• Disable/remove unused services
✓Software solutions: 1H Hive, Better Linux, CloudLinux
Protect your web server with mod_security
• OWASP rules - http://goo.gl/rC7Uz
• Atomic rules - http://goo.gl/Fv3Vn
• Trustwave paid rules - http://goo.gl/9IAaB
PROTECT JOOMLA!
#1: Update Everything!
SiteGround Auto Updates
#2: Do The Basics
• Never use admin as username
• Use a secure password
Use Bullet-proof Passwords
• Avoid password generators
• Don’t use common words - love, pass, admin
• Avoid personal info, names, significant dates - daniel123
The Perfect Password
• Choose a favorite (not famous) movie quote or a long phrase from a book:
We all go a little mad sometimes
• Add punctuation symbols ( ? ! . : ) and capital letters, remove whitespace
Result: We.all?Go!Alittle1Mad2sometimes
#3: Password Protect Your Administrator Folder
[Screenshot: cPanel > Password Protect Directories > Administrator]
#4: Restrict The Admin Area Access By IP
• Step 1: Check your IP -> whatismyip.com
• Step 2: Add this rule in the administrator folder .htaccess file:
deny from all
allow from YOUR_IP_ADDRESS
#5: Fix your permissions & ownership
• Folders: 0755
• Files: 0644
• configuration.php: 444
• NEVER EVER USE 777 permissions
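An added shell example (not from the slides) that audits a Joomla tree for world-writable entries and applies the modes listed above; the site root path is an assumed argument.

```shell
#!/bin/sh
# Added example, not from the slides: audit and apply the recommended Joomla
# permissions (0755 folders, 0644 files, 0444 configuration.php).
# Assumes the site root is given as the first argument when run directly.

# Count files and folders that are writable by everyone (for example 777/666).
count_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) | wc -l | tr -d ' '
}

# True when the path has exactly the given octal mode (files and folders).
has_mode() {
    find "$1" -prune -perm "$2" | grep -q .
}

# Apply the recommended modes. configuration.php is handled last so it ends up
# read-only even though the file pass gave it 0644 a moment earlier.
fix_joomla_perms() {
    site="$1"
    find "$site" -type d -exec chmod 0755 {} +
    find "$site" -type f -exec chmod 0644 {} +
    [ -f "$site/configuration.php" ] && chmod 0444 "$site/configuration.php"
    return 0
}

# Usage: sh fix_perms.sh /path/to/joomla
if [ "$#" -gt 0 ]; then
    echo "world-writable entries before: $(count_world_writable "$1")"
    fix_joomla_perms "$1"
    echo "world-writable entries after:  $(count_world_writable "$1")"
fi
```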
Fix permissions in cPanel
[Screenshot: cPanel > File Manager]
#6: Keep PHP Scripts In The Right Folders
In media, libraries, logs, language folders:
<Files *.php>
deny from all
</Files>
How To Do It In File Manager
#7: Legacy security issues
For Joomla 1.5 or older:
• Change the default admin username
• Change the default jos_ DB prefix
#8: Check Your Extensions
• Joomla Vulnerable Extensions List
http://vel.joomla.org/
• National Vulnerability Database
http://web.nvd.nist.gov/view/vuln/search
Stay On Top Of Security Updates
• Subscribe to the Joomla feeds:
✓http://feeds.joomla.org/JoomlaSecurityNews
✓http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions
Build a Joomla security RSS feed
How to do it: http://is.gd/Vze1Zo
#9: Additional protection through .htaccess rules
• Remove PHP sensitive information
• Avoid Visual Fingerprinting
• Block some popular tools used by hackers
How to do it: http://is.gd/pGfVXQ
#10: Use Joomla Security Extensions for IDS/IPS
• jHackGuard
• Akeeba Admin Tools
• jomDefender
• jSecure
SQL Injection
[Screenshot: search form and the SQL query it produces]
SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';
jHackGuard setup
• SQL Injections
• Remote URL/File Inclusions
• Remote Code Executions
• XSS Based Attacks
Download it here: http://is.gd/01wLhH
#11: Backup! Backup! Backup!
• Manual backups
• Your host
• Akeeba Backups
NOW WHAT?
DON’T PANIC!
DISASTER RECOVERY PLAN
1. Create a copy of the hacked site + all logs
2. Restore from a clean backup
3. Quarantine your site - enable maintenance mode
4. Check the logs for the malicious code
5. Resolve the security issues/Clean malicious code
6. Unquarantine* your site - disable maintenance mode
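An added shell example (not from the slides) covering steps 1, 3 and 6 of the plan: it preserves a timestamped, read-only copy of the site and its logs before anything is changed, and quarantines the site by flipping the `$offline` flag that Joomla keeps in configuration.php. The site root, log directory and output directory are assumed arguments.

```shell
#!/bin/sh
# Added example, not from the slides: evidence snapshot and maintenance-mode
# toggle for the disaster recovery plan. Assumes the output directory lies
# outside the web root so the archive is neither served nor archived twice.

# Step 1: archive the hacked site and its logs before touching anything,
# so the logs are still available for review in step 4.
snapshot_site() {
    site="$1"; logs="$2"; out="$3"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$out/hacked-site-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")" \
        -C "$(dirname "$logs")" "$(basename "$logs")"
    chmod 0400 "$archive"          # read-only evidence copy
    printf '%s\n' "$archive"       # return the archive path to the caller
}

# Steps 3 and 6: set Joomla's offline flag (public $offline = '0' or '1')
# in configuration.php. The file is made writable for the edit and then
# returned to the recommended 0444 mode.
set_offline() {
    conf="$1/configuration.php"; flag="$2"
    chmod u+w "$conf"
    sed "s/\(public [\$]offline = '\)[01]\(';\)/\1${flag}\2/" "$conf" > "$conf.tmp" \
        && cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
    chmod 0444 "$conf"
}

# Print the current value of the offline flag ("0" or "1").
offline_flag() {
    sed -n "s/.*public [\$]offline = '\([01]\)';.*/\1/p" "$1/configuration.php"
}

# Usage: sh recover.sh /path/to/joomla /var/log/apache2 /root/evidence
if [ "$#" -eq 3 ]; then
    echo "evidence saved to: $(snapshot_site "$1" "$2" "$3")"
    set_offline "$1" 1
    echo "site offline flag is now: $(offline_flag "$1")"
fi
```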
FEW THINGS TO TAKE AWAY
• Security is about making it harder to infiltrate - not making it impossible
• Security is an ongoing process
• Everyone is involved
QUESTIONS TIME!
WWW.SITEGROUND.COM/WEBINAR