Joomla - no software is airtight, unless you do your part to secure it!

Members Login

Follow us on Twitter

JCK Editor

about 19 days ago The JCK Project is pleased to announce the immediate availability of JCK Suite v6.1.3 - http://t.co/3n1YVhdnON http://t.co/mZ3LO2fmsd

19 Mar 2013 Working on better multilingual support for the JCK Manager and its Plug-ins. (o:b

21 Feb 2013 NEW ImageWebkitDrag - brings the loved image & resize handlers to WebKit: http://t.co/GDtNpZTE65 http://t.co/18plSoWDaj

21 Feb 2013 "1Pixelout Bridge Plugin" v2 / Updated filebrowser syncs with firectory parameter setting: http://t.co/fzgrJF8PDr http://t.co/9AdbMI6R0w

11 Feb 2013 A plugin that will removes the height & width so it will adapt when viewing on iPhone or iPad:http://t.co/M95P3Pq9 http://t.co/6NKVNbck

6 Feb 2013 We are pleased to announce v6.1.1. This is a maintenance release with a few fixes and improvements. Download:http://t.co/WOLx878C

30 Jan 2013 Without further ado, we are proud to present you with version: 6.1 of the JCK Editor Suite: http://t.co/vwfBs8r6

17 Jan 2013 After the Deadline v3.0 - Spell & Grammar Checker. Write better! Uses artificial intelligence..http://t.co/rMB1lBcL http://t.co/0uJviQOB

16 Jan 2013 Finishing off the 6.1 release – coming soon! (o:b

2 Jan 2013 Happy New Year! Our support service is now fully open, so if you have a question please feel welcome to pop over.

21 Dec 2012 @aoimedia just to let you know, our support service is closed from the 22nd Dec to 2nd January. So we have extended this offer into January.

21 Dec 2012 @aoimedia Thank you John: 10% off your next purchase with the coupon code: Jan2013.

21 Dec 2012 We would like to thank you for your custom over the past year & wish you all a very Merry Christmas & Happy New Year! http://t.co/YBDNnCMh

23 Nov 2012 Announcing JCK Suite v6.0.5. A few little improvements to ensure users install the correct versions. Download: http://t.co/EtYhJ6Vl

7 Nov 2012 If you love the JCK Editor why not vote for it! Please take the time to vote us as your Community Choice Extension: http://t.co/0B9eGVAX

6 Nov 2012 JCK Templates - An exciting new plug-in for the JCK Editor: http://t.co/0B9eGVAX http://t.co/OkFxSVLm

23 Oct 2012 Checkout what the http://t.co/xPfGg4L3 think about our new Drag and Drop image upload. http://t.co/xI4sA31s

19 Oct 2012 Now Joomla 3.0 R3ady - Image Editor for JCK Editor: http://t.co/6D4xYOUN via @Joomla #JED

Prev Next

Joomla - no software is airtight, unless you do your part to secure it!

Written by Paul Franklin

Friday, 07 December 2012 13:46

Joomla has been criticized by unknowledgeable people as insecure when in fact the project takes security very seriously. As members of oCert (Oman National CERT) they follow some specific procedures when dealing with security issues.

The truth is that no software is airtight, unless you do your part to secure it. This guilde will provide you with some simple and practical steps to circumvent the most common security holes and help keep your site safe and secure.

1. Make sure your Joomla software is kept up-to-date

Joomla is a powerful application based framework and because its software it requires to be updated with the latest fixes and security patches.

These version updates are released to the public on average about every 8 weeks or so, or even sooner if a high priority vulnerability is found! When this happens, the Joomla project publish these vulnerabilities which is both helpful in knowing the reason for the release but in the same time works to make security holes public (not how to do them, but that they exist).

This makes it more probable that someone may try to exploit the weakness in older legacy versions of Joomla which make its imperative to update to maintain a stable and secure system.

2. Check that you are not using out-of-date and vulnerable extensions

This is probably one of the top and most common reasons for having your Joomla website compromised.

You should always try to keep your extensions up-to-date, and if you’re using an extension that is listed on the Joomla “Vulnerable Extensions List” you need to uninstall it and try to find an alternative straight away. If you can’t do this for some reason then you might need to employ a developer to take a look at that extension and address the vulnerability.

3. Joomla Hosting (File and directory permissions)

There is widespread use of substandard hosts for hosting Joomla powered websites. If your host doesn’t make use of suPHP – which effectively takes cares of permissions – it is worth employing a strong set of permissions for your files and folder or better, find a different hosting provider!

First, make sure that each and every file on your site has been uploaded through FTP, effectively making your account’s user the owner of the file. Then, make sure that all directories have 0755 permissions and all regular files 0644 permissions. Finally, turn on the FTP layer in Joomla's Global Configuration. This ensures that most known cracking scripts, which require PHP being able to modify arbitrary files on your server, will fail.

4. Block your Joomla ‘user 62’ and rename your username from ‘admin’

When you install Joomla on your site it creates a Super Administrator account with a known user-name (admin) and a known user ID (62). This has been exploited in the past by hackers to gain access to unsuspecting sites. The best approach is to create a new Super Administrator user and block or demote the default admin user all the way down to registered level.

5. You have write permissions on your .htacess file

By default, your .htaccess file has write permissions on it because Joomla has to update it, especially when you’re using SEF. The problem is that this will leave your .htaccess vulnerable to attacks that aim at changing it. You should always set your .htaccess permission to 444.

6. Limit what files can be uploaded through your Joomla website

For example, if a component accepts images, you should ensure that only images are allowed to be uploaded. Users should not be able to upload scripts such as PHP and JavaScript files.

7. Limit permissions to the database user

Once your Joomla website is setup, the database user should only INSERT rows, UPDATE rows, DELETE rows, SELECT rows and CREATE tables. He should not DROP tables or DROP the database. Ensure that only the necessary permissions are given for the Joomla database user.

8. Backup

I cannot emphasize this enough; you can never have too many backups. Backups are something you never think about until you desperately need one and you don't have it.

Don't assume there's an automatic backup going - check it regularly (set an appointment in your calendar to remind you,
Set up redundancy - do regular additional backups yourself’
Install Akeeba Backup on all your Joomla sites.

Conclusion

Most hacking attempts occur by a script or bot that randomly scouting out sites across the web. So the thought that you can get away without doing this because you run a small site is not always correct! Always take your website’s security seriously, don’t think that if you’re too small no one would consider hacking your website.

Who's Online