SlideShare a Scribd company logo

Avoid Getting Hacked! Presentation on Joomla! Web Security

Download as PPT, PDF
Dorothy Firsching (Ursa Major Consulting), profile picture
Dorothy Firsching (Ursa Major Consulting)

The document discusses how to avoid getting hacked when using Joomla for a website. It recommends securing the website by validating inputs, upgrading to the latest versions of Joomla and extensions regularly, using strong passwords, enabling access controls, performing regular backups, monitoring logs for suspicious activity, and referring to security checklist resources. The presentation also suggests choosing a reputable host, hiding the administrator login, and being aware of vulnerable extensions.

Technology
1 of 11
Downloaded 36 times
1
2
3
4
5
6
7
8
9
10
11
Avoid Getting Hacked Joomla! Web Security Northern Virginia Joomla Users Group January 2012 Dorothy Firsching, Ursa Major Consulting, LLC dfirsching@ursamajorconsulting.com 1-19-2012 www.ursamajorconsulting.com 1
Agenda  Discuss Security Considerations and Approaches  Identify Resources and References  Additional Programs / Presenters? 1-19-2012 www.ursamajorconsulting.com 2
Joomla! Web Security Discussion  PHP-based / database driven sites are vulnerable  SQL Injections -- Commands where data input is expected  Validate Inputs and Enforce size  Current version of PHP with appropriate settings  Secure coding practices -- http://joomladaymidwest.org/news/slides- and-video/2011/slides-jeff-channell- secure-php-coding-practices.html 1-19-2012 www.ursamajorconsulting.com 3
Pick a Good Host  Shared Host Vulnerabilities  http://docs.joomla.org/Security_Checklist_2 _-_Hosting_and_Server_Setup  Choose a good hosting provider  – experienced in Joomla; responsiveness; forums / helps  Appropriate permissions  Directories = 755  Files = 644  .htaccess, configuration.php = 644  Webserver is set up to use user account as owner of PHP-created files 1-19-2012 www.ursamajorconsulting.com 4
Upgrade Regularly  Upgrade to Latest Version of Joomla  Akeeba Admin Tools  Use Safe Extensions  Upgrade Extensions  Check the vulnerability list -- http://docs.joomla.org/Vulnerable_Extensions_List  Subscribe to updates  Keep a spreadsheet of your sites  And the versions they use 1-19-2012 www.ursamajorconsulting.com 5
Joomla Setup  Password protect folders in control panel  Use a site-specific database username and password  Change jos_ table prefix  Hide Admin login  jSecure Authentication Plugin  add a suffix to your back-end URL to make it look like this: http://www.mysite.com/administrator?199abbetc 1-19-2012 www.ursamajorconsulting.com 6
Access Control  http://docs.joomla.org/Security_Checklist_4_-_Joomla_Setu  Strong Passwords  Change Admin Username and Number  Default ID for admin user in Joomla is 62, and this may be used by a hacker  Create a new super-administrator with another user name and a strong password  Log out and in again as this new user  Change original admin user to a manager and save (you are not allowed to delete a super-administrator).  Delete original admin user (user ID 62) and rename from the default Admin to a new one. 1-19-2012 www.ursamajorconsulting.com 7
Backups / Upgrades  Akeeba Backup  Remove backups from site  Multi-backup scheme  Test restoration / upgrades  Test site is helpful  Hosting provider backups  Hosting provider virus scans or site backup using local download / scan  http://docs.joomla.org/Security_Checklist_6_-_S 1-19-2012 www.ursamajorconsulting.com 8
Vulnerabilties  Old Joomla! versions  Community Builder before 1.7.1  JCE before 2.0.19  Unchecked user input (SQL injection, buffer overflows)  eXtplorer left on site  http:// docs.joomla.org/Vulnerable_Extensions_L 1-19-2012 www.ursamajorconsulting.com 9
Check What’s Happening  Logs / AWSTATS / other packages  Google Analytics  File Modification Dates / Contents 1-19-2012 www.ursamajorconsulting.com 10
Resources  http://docs.joomla.org/Category:Security_Check  http://joomladaymidwest.org/news/slides-and-v  Securing PHP Web Applications, Tricia Ballard and William Ballard, 2009  Joomla! Web Security, Tom Canavan, Packt Publishing, 2008; out-of-date but still useful. 1-19-2012 www.ursamajorconsulting.com 11

More Related Content

PPT
Joomla/Mambo CMS
jgarifuna
 
PPT
http://www.slideshare.net/jgarifuna/elgg-presentation-ca-032109
jgarifuna
 
PPT
Joomla Content Management Systems, Part 3
jgarifuna
 
PPTX
Joomla Security v3.0
Ajay Lulia
 
PPT
Joomla/Mambo CMS
jgarifuna
 
PPT
Drupal security
Techday7
 
PDF
Drupal and Security: What You Need to Know
Acquia
 
PPTX
Joomla-Content Management System
silenceIT Inc.
 
Joomla/Mambo CMS
jgarifuna
 
http://www.slideshare.net/jgarifuna/elgg-presentation-ca-032109
jgarifuna
 
Joomla Content Management Systems, Part 3
jgarifuna
 
Joomla Security v3.0
Ajay Lulia
 
Joomla/Mambo CMS
jgarifuna
 
Drupal security
Techday7
 
Drupal and Security: What You Need to Know
Acquia
 
Joomla-Content Management System
silenceIT Inc.
 

What's hot (7)

PPT
Joomla overview via catchy snaps
BUDNET
 
PDF
Using advanced features in joomla
krishnapriya Tadepalli
 
PDF
System prereq
kb_exchange_hk
 
DOCX
Rahul Resume.doc
Rahul Choudhary
 
PPT
OWASP Serbia - A5 cross-site request forgery
Nikola Milosevic
 
PDF
Library Management Software
Ranganath Shivaram
 
PDF
Aem authentication vs idp
Saroj Mishra
 
Joomla overview via catchy snaps
BUDNET
 
Using advanced features in joomla
krishnapriya Tadepalli
 
System prereq
kb_exchange_hk
 
Rahul Resume.doc
Rahul Choudhary
 
OWASP Serbia - A5 cross-site request forgery
Nikola Milosevic
 
Library Management Software
Ranganath Shivaram
 
Aem authentication vs idp
Saroj Mishra
 

Viewers also liked (8)

PPTX
Confoo 2012 - Web security keynote
Antonio Fontes
 
PPT
Web Services Security - Presentation
Muhammad Jawaid Shamshad
 
ODP
Web Application Firewall
Chandrapal Badshah
 
PPT
Web security presentation
John Staveley
 
PPT
Firewall
Amuthavalli Nachiyar
 
PPTX
Firewall presentation
Amandeep Kaur
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
PPT
Web Security
Bharath Manoharan
 
Confoo 2012 - Web security keynote
Antonio Fontes
 
Web Services Security - Presentation
Muhammad Jawaid Shamshad
 
Web Application Firewall
Chandrapal Badshah
 
Web security presentation
John Staveley
 
Firewall
Amuthavalli Nachiyar
 
Firewall presentation
Amandeep Kaur
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Web Security
Bharath Manoharan
 

Similar to Avoid Getting Hacked! Presentation on Joomla! Web Security (20)

PPTX
Securing Your Joomla website
Mike Carson
 
PPT
Joomla Security
Ruth Cheesley
 
PPT
Joomla Security
ViryaTechnologies
 
PDF
Joomla! security jday2015
kriptonium
 
PDF
Joomla! security
Yireo
 
PPTX
Brendon Hatcher Joomla Security
Joomla Day South Africa
 
PPTX
Joomla! security jday2015
Shaiffulnizam Mohamad
 
ODP
Joomladay Netherlands - Security
Wilco Jansen
 
PDF
Joomla Security Basics presented by Jeff Mendelson
Jeff Mendelson
 
PDF
Hidden Secrets For A Hack-Proof Joomla! Site
Daniel Kanchev
 
PPTX
Keeping Your Joomla! Site Secure
joomladayhouston
 
PPT
Joomladay Switzerland - security
Wilco Jansen
 
PPTX
Joomla!Day UK 2011 - Virya Technologies - Ruth Cheesley - Joomla! Security
Ruth Cheesley
 
PDF
Making Joomla Insecure - Explaining security by breaking it
Tim Plummer
 
PDF
8 Most Popular Joomla Hacks & How To Avoid Them
SiteGround.com
 
PDF
8 Most Common Joomla! Hacks and How to Avoid Them
Daniel Kanchev
 
PDF
OWASP Thailand 2016 - Joomla Security
Akarawuth Tamrareang
 
PDF
8 Simple Ways to Hack Your Joomla
SiteGround.com
 
PPTX
Joomla spécialiste
Romain Caisse
 
PPTX
Joomla! Day Atlanta 2014 - Website Security - The Basics
Tony Perez
 
Securing Your Joomla website
Mike Carson
 
Joomla Security
Ruth Cheesley
 
Joomla Security
ViryaTechnologies
 
Joomla! security jday2015
kriptonium
 
Joomla! security
Yireo
 
Brendon Hatcher Joomla Security
Joomla Day South Africa
 
Joomla! security jday2015
Shaiffulnizam Mohamad
 
Joomladay Netherlands - Security
Wilco Jansen
 
Joomla Security Basics presented by Jeff Mendelson
Jeff Mendelson
 
Hidden Secrets For A Hack-Proof Joomla! Site
Daniel Kanchev
 
Keeping Your Joomla! Site Secure
joomladayhouston
 
Joomladay Switzerland - security
Wilco Jansen
 
Joomla!Day UK 2011 - Virya Technologies - Ruth Cheesley - Joomla! Security
Ruth Cheesley
 
Making Joomla Insecure - Explaining security by breaking it
Tim Plummer
 
8 Most Popular Joomla Hacks & How To Avoid Them
SiteGround.com
 
8 Most Common Joomla! Hacks and How to Avoid Them
Daniel Kanchev
 
OWASP Thailand 2016 - Joomla Security
Akarawuth Tamrareang
 
8 Simple Ways to Hack Your Joomla
SiteGround.com
 
Joomla spécialiste
Romain Caisse
 
Joomla! Day Atlanta 2014 - Website Security - The Basics
Tony Perez
 

Recently uploaded (20)

PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PDF
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 

Avoid Getting Hacked! Presentation on Joomla! Web Security

  • 1. Avoid Getting Hacked Joomla! Web Security Northern Virginia Joomla Users Group January 2012 Dorothy Firsching, Ursa Major Consulting, LLC dfirsching@ursamajorconsulting.com 1-19-2012 www.ursamajorconsulting.com 1
  • 2. Agenda  Discuss Security Considerations and Approaches  Identify Resources and References  Additional Programs / Presenters? 1-19-2012 www.ursamajorconsulting.com 2
  • 3. Joomla! Web Security Discussion  PHP-based / database driven sites are vulnerable  SQL Injections -- Commands where data input is expected  Validate Inputs and Enforce size  Current version of PHP with appropriate settings  Secure coding practices -- http://joomladaymidwest.org/news/slides- and-video/2011/slides-jeff-channell- secure-php-coding-practices.html 1-19-2012 www.ursamajorconsulting.com 3
  • 4. Pick a Good Host  Shared Host Vulnerabilities  http://docs.joomla.org/Security_Checklist_2 _-_Hosting_and_Server_Setup  Choose a good hosting provider  – experienced in Joomla; responsiveness; forums / helps  Appropriate permissions  Directories = 755  Files = 644  .htaccess, configuration.php = 644  Webserver is set up to use user account as owner of PHP-created files 1-19-2012 www.ursamajorconsulting.com 4
  • 5. Upgrade Regularly  Upgrade to Latest Version of Joomla  Akeeba Admin Tools  Use Safe Extensions  Upgrade Extensions  Check the vulnerability list -- http://docs.joomla.org/Vulnerable_Extensions_List  Subscribe to updates  Keep a spreadsheet of your sites  And the versions they use 1-19-2012 www.ursamajorconsulting.com 5
  • 6. Joomla Setup  Password protect folders in control panel  Use a site-specific database username and password  Change jos_ table prefix  Hide Admin login  jSecure Authentication Plugin  add a suffix to your back-end URL to make it look like this: http://www.mysite.com/administrator?199abbetc 1-19-2012 www.ursamajorconsulting.com 6
  • 7. Access Control  http://docs.joomla.org/Security_Checklist_4_-_Joomla_Setu  Strong Passwords  Change Admin Username and Number  Default ID for admin user in Joomla is 62, and this may be used by a hacker  Create a new super-administrator with another user name and a strong password  Log out and in again as this new user  Change original admin user to a manager and save (you are not allowed to delete a super-administrator).  Delete original admin user (user ID 62) and rename from the default Admin to a new one. 1-19-2012 www.ursamajorconsulting.com 7
  • 8. Backups / Upgrades  Akeeba Backup  Remove backups from site  Multi-backup scheme  Test restoration / upgrades  Test site is helpful  Hosting provider backups  Hosting provider virus scans or site backup using local download / scan  http://docs.joomla.org/Security_Checklist_6_-_S 1-19-2012 www.ursamajorconsulting.com 8
  • 9. Vulnerabilties  Old Joomla! versions  Community Builder before 1.7.1  JCE before 2.0.19  Unchecked user input (SQL injection, buffer overflows)  eXtplorer left on site  http:// docs.joomla.org/Vulnerable_Extensions_L 1-19-2012 www.ursamajorconsulting.com 9
  • 10. Check What’s Happening  Logs / AWSTATS / other packages  Google Analytics  File Modification Dates / Contents 1-19-2012 www.ursamajorconsulting.com 10
  • 11. Resources  http://docs.joomla.org/Category:Security_Check  http://joomladaymidwest.org/news/slides-and-v  Securing PHP Web Applications, Tricia Ballard and William Ballard, 2009  Joomla! Web Security, Tom Canavan, Packt Publishing, 2008; out-of-date but still useful. 1-19-2012 www.ursamajorconsulting.com 11