Secrets to a Hack-Proof Joomla Revealed
DESCRIPTION
The recent spike of hack attempts on various Joomla sites has made it more urgent than ever to take action and secure your Joomla in the best possible way. In this webinar the SiteGround Joomla Performance Guru Daniel Kanchev shows the best practices and shares insightful tricks on how to protect your Joomla from getting hacked:
• Joomla administrator security settings
• Bullet-proof password tips
• Vulnerable extensions to avoid
• Web application firewall configurations
• Recommended server settings
• Intrusion detection and protection tools
• Disaster recovery plans
TRANSCRIPT
SECRETS TO A HACK-PROOF JOOMLA REVEALED!
Daniel Kanchev
Joomla Performance Guru
SiteGround.com - Expert Joomla Hosting
BEFORE WE BEGIN...
• 7+ years of Joomla! experience
• 4 years with SiteGround
• Love traveling the world
• Addicted to extreme and not secure sports
WHO SHOULD CARE ABOUT SECURITY?
• Application/Extension developers
• Hosting providers/system administrators
• YOU (end Joomla users)
EVERYONE
Why should YOU care?
• Be trustworthy by protecting your clients’ data
• Have a healthy site - avoid substantial data loss/downtime
How do hackers work?
Everyone’s responsible!
Security is a process!
KEEP CALM, IT’S NOT ROCKET SCIENCE
IS YOUR SERVER SETUP RIGHT?
Server config & tips
• Update server software - Apache, FTP, mail, etc.
• Harden the Linux kernel - grsecurity
• Chroot processes
• Use suEXEC and a secure PHP setup (FastCGI)
• Provide only restricted shell access
• Disable/remove unused services
✓ Software solutions: 1H Hive, Better Linux, CloudLinux
Protect your web server with mod_security
• OWASP rules - http://goo.gl/rC7Uz
• Atomic rules - http://goo.gl/Fv3Vn
• Trustwave paid rules - http://goo.gl/9IAaB
PROTECT JOOMLA!
#1: Update Everything!
SiteGround Auto Updates
#2: Do The Basics
• Never use admin as the username
• Use a secure password
Use Bullet-proof Passwords
• Avoid password generators
• Don’t use common words - love, pass, admin
• Avoid personal info, names, significant dates - daniel123
The Perfect Password
• Choose a favorite (not famous) movie quote or a long phrase from a book:
We all go a little mad sometimes
• Add punctuation symbols ( ? ! . : ) and capital letters, and remove the whitespace
Result: We.all?Go!Alittle1Mad2sometimes
#3: Password Protect Your Administrator Folder
(cPanel: Password Protect Directories > Administrator)
#4: Restrict The Admin Area Access By IP
• Step 1: Check your IP -> whatismyip.com
• Step 2: Add this rule to the .htaccess file in the administrator folder:
Order deny,allow
Deny from all
Allow from YOUR_IP_ADDRESS
(On Apache 2.4 without mod_access_compat the equivalent is "Require all denied" followed by "Require ip YOUR_IP_ADDRESS".)
#5: Fix your permissions & ownership
• Folders: 0755
• Files: 0644
• configuration.php: 0444
• NEVER EVER USE 777 permissions
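The permission scheme above as a shell audit-and-fix script. This is an added example, not from the webinar or SiteGround, and it assumes the Joomla files are owned by the account PHP runs as (suEXEC/FastCGI as on the server slide), so owner-only write bits are enough; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the slides): audit and apply rule #5 over a Joomla
# document root: directories 0755, files 0644, configuration.php 0444 and
# nothing world-writable. Assumes the files are owned by the account the web
# server runs PHP as (suEXEC/FastCGI); otherwise 0644 may be too tight.

# joomla_perm_audit ROOT: print one "<rule>: <path>" line per deviation and
# return 1 if anything was found, 0 if the tree already matches the scheme.
joomla_perm_audit() {
    root="$1"
    out=$(
        # world-writable (the "777" case) is listed first: it is the worst finding
        find "$root" -perm -002 -print | sed 's/^/world-writable: /'
        find "$root" -type d ! -perm 755 -print | sed 's/^/dir-not-0755: /'
        find "$root" -type f ! -name configuration.php ! -perm 644 -print \
            | sed 's/^/file-not-0644: /'
        find "$root" -type f -name configuration.php ! -perm 444 -print \
            | sed 's/^/configuration.php-not-0444: /'
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# joomla_perm_fix ROOT: apply the scheme in place (POSIX find/chmod only).
joomla_perm_fix() {
    root="$1"
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f ! -name configuration.php -exec chmod 0644 {} +
    find "$root" -type f -name configuration.php -exec chmod 0444 {} +
}

# Stand-alone use: sh perms.sh /path/to/joomla [--fix]
if [ $# -ge 1 ]; then
    if [ "${2:-}" = "--fix" ]; then
        joomla_perm_fix "$1"
    fi
    joomla_perm_audit "$1"
fi
```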
Fix permissions in cPanel
(cPanel: File Manager)
#6: Keep PHP Scripts In The Right Folders
In the media, libraries, logs and language folders, add an .htaccess file containing:
<Files *.php>
deny from all
</Files>
How To Do It In File Manager
#7: Legacy security issues (for Joomla 1.5 or older)
• Change the default admin username
• Change the default jos_ DB prefix
#8: Check Your Extensions
• Joomla Vulnerable Extensions List
http://vel.joomla.org/
• National Vulnerability Database
http://web.nvd.nist.gov/view/vuln/search
Stay On Top Of Security Updates
• Subscribe to the Joomla feeds:
✓ http://feeds.joomla.org/JoomlaSecurityNews
✓ http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions
Build a Joomla security RSS feed
How to do it: http://is.gd/Vze1Zo
#9: Additional protection through .htaccess rules
• Remove PHP sensitive information
• Avoid Visual Fingerprinting
• Block some popular tools used by hackers
How to do it: http://is.gd/pGfVXQ
#10: Use Joomla Security Extensions for IDS/IPS
• jHackGuard
• Akeeba Admin Tools
• jomDefender
• jSecure
SQL Injection
• Example of an injected query (shown on the slide next to a search form screenshot):
SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';
jHackGuard setup
• SQL Injections
• Remote URL/File Inclusions
• Remote Code Executions
• XSS Based Attacks
Download it here: http://is.gd/01wLhH
#11: Backup! Backup! Backup!
• Manual backups
• Your host
• Akeeba Backup
NOW WHAT?
DON’T PANIC!
DISASTER RECOVERY PLAN
1. Create a copy of the hacked site + all logs
2. Restore from a clean backup
3. Quarantine your site - enable maintenance mode
4. Check the logs for the malicious code
5. Resolve the security issues/Clean malicious code
6. Unquarantine* your site - disable maintenance mode
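Step 4 of the plan (checking the logs) and rule #6 (no PHP served from media, libraries, logs, language) together, as an added example that is not from the webinar: a shell scan of an Apache combined-format access log for PHP requests in those folders (extended to images/ and tmp/, Joomla's upload locations) and for administrator-area hits from any IP other than the one allowed in rule #4. The log lines are constructed, and the function name and field positions are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): after an incident, scan the access log
# for (a) PHP files requested from folders that should never serve PHP, which is
# what the rule #6 <Files *.php> deny block prevents, and (b) administrator
# requests from any client other than the IP allowed in rule #4.

# joomla_log_scan LOGFILE ALLOWED_ADMIN_IP
# Prints "<reason> <client-ip> <path>" per suspicious request; returns 1 if any.
joomla_log_scan() {
    log="$1"; admin_ip="$2"
    out=$(awk -v admin_ip="$admin_ip" '
        {
            ip = $1
            path = $7                       # "METHOD PATH PROTO": PATH is field 7
            sub(/\?.*/, "", path)           # drop the query string
            if (path ~ /^\/(images|media|libraries|logs|language|tmp)\/.*\.php$/)
                print "php-in-static-folder", ip, path
            if (path ~ /^\/administrator\// && ip != admin_ip)
                print "admin-from-unknown-ip", ip, path
        }' "$log")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2013:12:00:01 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:12:00:09 +0000] "POST /images/stories/x.php HTTP/1.1" 200 311 "-" "curl/7.30"
203.0.113.5 - - [10/Oct/2013:12:01:30 +0000] "GET /administrator/index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:12:02:00 +0000] "POST /administrator/index.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"'

# Stand-alone use: sh logscan.sh /path/to/access_log YOUR_IP_ADDRESS
if [ $# -eq 2 ]; then
    joomla_log_scan "$1" "$2"
fi
```

A 403 on an administrator request from an unknown IP still shows up, which is intended: blocked attempts are what tell you the rule #4 restriction is doing its job.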
A FEW THINGS TO TAKE AWAY
• Security is about making it harder to infiltrate - not making it impossible
• Security is an ongoing process
• Everyone is involved
QUESTIONS TIME!
WWW.SITEGROUND.COM/WEBINAR