Secrets to a Hack-Proof Joomla Revealed
10 likes26,814 views
The document outlines essential security practices and measures for Joomla users to protect their sites against hacking. Key recommendations include keeping software updated, using secure passwords, limiting access to the admin area by IP, and regularly backing up data. It emphasizes that security is a continuous process involving all stakeholders, including developers, hosting providers, and end-users.
Secrets to a Hack-Proof Joomla Revealed
- 1. SECRETS TO A HACK-PROOF JOOMLA REVEALED! Daniel Kanchev Joomla Performance Guru
- 2. SiteGround.com - Expert Joomla Hosting BEFORE WE BEGIN... • 7+ years of Joomla! experience • 4 years with SiteGround • Love traveling the world • Addicted to extreme and not secure sports 2 SiteGround.com - Expert Joomla Hosting
- 3. SiteGround.com - Expert Joomla Hosting WHO SHOULD CARE ABOUT SECURITY? • Application/Extension developers • Hosting providers/system administrators • YOU (end Joomla users) 3
- 4. SiteGround.com - Expert Joomla Hosting WHO SHOULD CARE ABOUT SECURITY? • Application/Extension developers • Hosting providers/system administrators • YOU (end Joomla users) 4 EVERYONE
- 5. SiteGround.com - Expert Joomla Hosting Why shouldYOU care? • Be trustworthy by protecting your clients’ data • Have a healthy site - avoid substantial data loss/downtime 5
- 6. SiteGround.com - Expert Joomla Hosting How hackers work? 6
- 7. SiteGround.com - Expert Joomla Hosting Everyone’s responsible! 7
- 8. SiteGround.com - Expert Joomla Hosting Security is a process! KEEP CALM IT’S NOT ROCKET SCIENCE 8
- 9. SiteGround.com - Expert Joomla Hosting ISYOUR SERVER SETUP RIGHT? 9
- 10. SiteGround.com - Expert Joomla Hosting Server config & tips • Update server software - Apache, ftp, mail, etc • Harden the Linux kernel - grsecurity • Chroot processes • Use Suexec, secure PHP setup (fastCGI) • Provide only restricted shell access • Disable/remove unused services ✓Software solutions: 1H Hive, Better Linux, CloudLinux 10
- 11. SiteGround.com - Expert Joomla Hosting Protect your web server with mod_security • OWASP rules - http://goo.gl/rC7Uz • Atomic rules - http://goo.gl/Fv3Vn • Trustwave paid rules - http://goo.gl/9IAaB 11
- 12. SiteGround.com - Expert Joomla Hosting PROTECT JOOMLA! 12
- 13. SiteGround.com - Expert Joomla Hosting #1: Update Everything! 13
- 14. SiteGround.com - Expert Joomla Hosting SiteGround Auto Updates 14
- 15. SiteGround.com - Expert Joomla Hosting #2: Do The Basics • Never user admin as username • Use a secure password 15
- 16. SiteGround.com - Expert Joomla Hosting Use Bullet-proof Passwords • Avoid password generators • Don’t use common words - love,pass, admin • Avoid personal info, names, significant dates - daniel123 16
- 17. SiteGround.com - Expert Joomla Hosting The Perfect Password • Choose a favorite (not famous) movie quote/ large phrase from a book: We all go a little mad sometimes • Add punctuation symbols ( ? ! . : ) and capital letters, remove whitespaces Result:We.all?Go!Alittle1Mad2sometimes 17
- 18. SiteGround.com - Expert Joomla Hosting #3: Password ProtectYour Administrator Folder 18 cPanel Password Protect Directories Administrator
- 19. SiteGround.com - Expert Joomla Hosting #4: Restrict The Admin Area Access By IP • Step1: Check your IP -> whatismyip.com • Step2: Add this rule in the administrator folder .htaccess file deny from all allow fromYOUR_IP_ADDRESS 19
- 20. SiteGround.com - Expert Joomla Hosting #5: Fix your permissions & ownership • Folders: 0755 • Files: 0644 • Configuration.php: 444 • NEVER EVER USE 777 permissions 20
- 21. SiteGround.com - Expert Joomla Hosting Fix permissions in cPanel 21 cPanel File Manager
- 22. SiteGround.com - Expert Joomla Hosting #6: Keep PHP Scripts In The Right Folders In media, libraries, logs, language folders: <Files *.php> deny from all </Files> 22
- 23. SiteGround.com - Expert Joomla Hosting23 How To Do It In File Manager
- 24. SiteGround.com - Expert Joomla Hosting #7: Legacy security issues 24 • Change the default admin username • Change the default jos_ DB prefix For Joomla 1.5 or older
- 25. SiteGround.com - Expert Joomla Hosting #8: CheckYour Extensions • JoomlaVulnerable Extensions List http://vel.joomla.org/ • NationalVulnerability Database http://web.nvd.nist.gov/view/vuln/search 25
- 26. SiteGround.com - Expert Joomla Hosting Stay On Top Of Security Updates • Subscribe to the Joomla feeds: ✓http://feeds.joomla.org/JoomlaSecurityNews ✓http://feeds.joomla.org/ JoomlaSecurityVulnerableExtensions 26
- 27. SiteGround.com - Expert Joomla Hosting Build a Joomla security RSS feed How to do it: http://is.gd/Vze1Zo
- 28. SiteGround.com - Expert Joomla Hosting #9:Additional protection through .htaccess rules • Remove PHP sensitive information • AvoidVisual Fingerprinting • Block some popular tools used by hackers How to do it: http://is.gd/pGfVXQ 28
- 29. SiteGround.com - Expert Joomla Hosting #10: Use Joomla Security Extensions for IDS/IPS • jHackGuard • Akeeba Admin Tools • jomDefender • jSecure 29
- 30. SiteGround.com - Expert Joomla Hosting SQL Injection • SQL code + search form screenshot 30 SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';!!!
- 31. SiteGround.com - Expert Joomla Hosting jHackGuard setup • SQL Injections • Remote URL/File Inclusions • Remote Code Executions • XSS Based Attacks Download it here: http://is.gd/01wLhH 31
- 32. SiteGround.com - Expert Joomla Hosting #11: Backup! Backup! Backup! --Manual backups --Your host --Akeeba Backups
- 33. SiteGround.com - Expert Joomla Hosting NOW WHAT?
- 34. SiteGround.com - Expert Joomla Hosting DON’T PANIC!
- 35. SiteGround.com - Expert Joomla Hosting DISASTER RECOVERY PLAN 1. Create a copy of the hacked site + all logs 2. Restore from a clean backup 3. Quarantine your site - enable maintenance mode 4. Check the logs for the malicious code 5. Resolve the security issues/Clean malicious code 6. Unquarantine* your site - disable maintenance mode 35
- 36. SiteGround.com - Expert Joomla Hosting FEW THINGS TO TAKE AWAY • Security is about making it harder to infiltrate - not making it impossible • Security is an ongoing process • Everyone is involved 36
- 37. SiteGround.com - Expert Joomla Hosting QUESTIONS TIME!
- 38. SiteGround.com - Expert Joomla Hosting WWW.SITEGROUND.COM/WEBINAR