SECRETS TO A HACK-PROOF JOOMLA

REVEALED!Daniel Kanchev

Joomla Performance Guru

SiteGround.com - Expert Joomla Hosting

BEFORE WE BEGIN...

• 7+ years of Joomla! experience

• 4 years with SiteGround

• Love traveling the world

• Addicted to extreme and not secure sports

2 SiteGround.com - Expert Joomla Hosting

SiteGround.com - Expert Joomla Hosting

WHO SHOULD CARE ABOUT SECURITY?

• Application/Extension developers

• Hosting providers/system administrators

• YOU (end Joomla users)

3

SiteGround.com - Expert Joomla Hosting

WHO SHOULD CARE ABOUT SECURITY?

• Application/Extension developers

• Hosting providers/system administrators

• YOU (end Joomla users)

4

EVERYONE

SiteGround.com - Expert Joomla Hosting

Why should YOU care?

• Be trustworthy by protecting your clients’ data

• Have a healthy site - avoid substantial data loss/downtime

5

SiteGround.com - Expert Joomla Hosting

How hackers work?

6

SiteGround.com - Expert Joomla Hosting

Everyone’s responsible!

7

SiteGround.com - Expert Joomla Hosting

Security is a process!

KEEP

CALM IT’S NOT

ROCKET

SCIENCE

8

SiteGround.com - Expert Joomla Hosting

IS YOUR SERVER SETUP RIGHT?

9

SiteGround.com - Expert Joomla Hosting

Server config & tips• Update server software - Apache, ftp, mail, etc

• Harden the Linux kernel - grsecurity

• Chroot processes

• Use Suexec, secure PHP setup (fastCGI)

• Provide only restricted shell access

• Disable/remove unused services

✓Software solutions: 1H Hive, Better Linux, CloudLinux

10

SiteGround.com - Expert Joomla Hosting

Protect your web server with mod_security

• OWASP rules - http://goo.gl/rC7Uz

• Atomic rules - http://goo.gl/Fv3Vn

• Trustwave paid rules - http://goo.gl/9IAaB

11

SiteGround.com - Expert Joomla Hosting

PROTECT JOOMLA!

12

SiteGround.com - Expert Joomla Hosting

#1: Update Everything!

13

SiteGround.com - Expert Joomla Hosting

SiteGround Auto Updates

14

SiteGround.com - Expert Joomla Hosting

#2: Do The Basics

• Never user admin as username

• Use a secure password

15

SiteGround.com - Expert Joomla Hosting

Use Bullet-proof Passwords

• Avoid password generators

• Don’t use common words - love,pass, admin

• Avoid personal info, names, significant dates - daniel123

16

SiteGround.com - Expert Joomla Hosting

The Perfect Password

• Choose a favorite (not famous) movie quote/large phrase from a book:

We all go a little mad sometimes

• Add punctuation symbols ( ? ! . : ) and capital letters, remove whitespaces

Result: We.all?Go!Alittle1Mad2sometimes

17

SiteGround.com - Expert Joomla Hosting

#3: Password Protect Your Administrator Folder

18

cPanel

Password Protect Directories

Administrator

SiteGround.com - Expert Joomla Hosting

#4: Restrict The Admin Area Access By IP

• Step1: Check your IP -> whatismyip.com

• Step2: Add this rule in the administrator folder .htaccess file

deny from allallow from YOUR_IP_ADDRESS

19

SiteGround.com - Expert Joomla Hosting

#5: Fix your permissions & ownership

• Folders: 0755

• Files: 0644

• Configuration.php: 444

• NEVER EVER USE 777 permissions

20

SiteGround.com - Expert Joomla Hosting

Fix permissions in cPanel

21

cPanel

File Manager

SiteGround.com - Expert Joomla Hosting

#6: Keep PHP Scripts In The Right Folders

In media, libraries, logs, language folders:

<Files *.php>

deny from all

</Files>

22

SiteGround.com - Expert Joomla Hosting23

How To Do It In File Manager

SiteGround.com - Expert Joomla Hosting

#7: Legacy security issues

24

• Change the default admin username

• Change the default jos_ DB prefix

ForJoomla 1.5 or older

SiteGround.com - Expert Joomla Hosting

#8: Check Your Extensions

• Joomla Vulnerable Extensions List

http://vel.joomla.org/

• National Vulnerability Database

http://web.nvd.nist.gov/view/vuln/search

25

SiteGround.com - Expert Joomla Hosting

Stay On Top Of Security Updates

• Subscribe to the Joomla feeds:

✓http://feeds.joomla.org/JoomlaSecurityNews

✓http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions

26

SiteGround.com - Expert Joomla Hosting

Build a Joomla security RSS feed

How to do it: http://is.gd/Vze1Zo

SiteGround.com - Expert Joomla Hosting

#9: Additional protection through .htaccess rules

• Remove PHP sensitive information

• Avoid Visual Fingerprinting

• Block some popular tools used by hackers

How to do it: http://is.gd/pGfVXQ

28

SiteGround.com - Expert Joomla Hosting

#10: Use Joomla Security Extensions for IDS/IPS

• jHackGuard

• Akeeba Admin Tools

• jomDefender

• jSecure

29

SiteGround.com - Expert Joomla Hosting

SQL Injection

• SQL code + search form screenshot

30

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';!!!

SiteGround.com - Expert Joomla Hosting

jHackGuard setup

• SQL Injections

• Remote URL/File Inclusions

• Remote Code Executions

• XSS Based Attacks

Download it here: http://is.gd/01wLhH31

SiteGround.com - Expert Joomla Hosting

#11: Backup! Backup! Backup!

--Manual backups --Your host --Akeeba Backups

SiteGround.com - Expert Joomla Hosting

NOW WHAT?

SiteGround.com - Expert Joomla Hosting

DON’T PANIC!

SiteGround.com - Expert Joomla Hosting

DISASTER RECOVERY PLAN

1. Create a copy of the hacked site + all logs

2. Restore from a clean backup

3. Quarantine your site - enable maintenance mode

4. Check the logs for the malicious code

5. Resolve the security issues/Clean malicious code

6. Unquarantine* your site - disable maintenance mode

35

SiteGround.com - Expert Joomla Hosting

FEW THINGS TO TAKE AWAY

• Security is about making it harder to infiltrate - not making it impossible

• Security is an ongoing process

• Everyone is involved

36

SiteGround.com - Expert Joomla Hosting

QUESTIONS TIME!

SiteGround.com - Expert Joomla Hosting

WWW.SITEGROUND.COM/WEBINAR

THANK YOU!Daniel Kanchev

daniel.k@siteground.com