Joomla - no software is airtight, unless you do your part to secure it!
Written by Paul Franklin
Friday, 07 December 2012 13:46
Joomla has been criticized by uninformed people as insecure, when in fact the project takes security very seriously. As members of oCert (Oman National CERT), they follow specific procedures when dealing with security issues.
The truth is that no software is airtight unless you do your part to secure it. This guide will give you some simple and practical steps to close the most common security holes and help keep your site safe and secure.
1. Make sure your Joomla software is kept up-to-date
Joomla is a powerful application framework and, like any software, it needs to be updated with the latest fixes and security patches.
These version updates are released to the public on average about every 8 weeks, or sooner if a high-priority vulnerability is found. When this happens, the Joomla project publishes the vulnerabilities that were fixed. This is helpful in explaining the reason for the release, but at the same time it makes the security holes public (not how to exploit them, but that they exist), so sites that lag behind on updates become easier targets.
2. Check that you are not using out-of-date and vulnerable extensions
This is probably one of the top and most common reasons for having your Joomla website compromised.
You should always try to keep your extensions up-to-date, and if you’re using an extension that is listed on the Joomla “Vulnerable Extensions List” you need to uninstall it and try to find an alternative straight away. If you can’t do this for some reason then you might need to employ a developer to take a look at that extension and address the vulnerability.
3. Joomla Hosting (File and directory permissions)
There is widespread use of substandard hosts for hosting Joomla powered websites. If your host doesn’t make use of suPHP – which effectively takes care of permissions – it is worth employing a strong set of permissions for your files and folders or, better, finding a different hosting provider!
First, make sure that each and every file on your site has been uploaded through FTP, effectively making your account’s user the owner of the file. Then, make sure that all directories have 0755 permissions and all regular files 0644 permissions. Finally, turn on the FTP layer in Joomla's Global Configuration. This ensures that most known cracking scripts, which require that PHP be able to modify arbitrary files on your server, will fail.
4. Block your Joomla ‘user 62’ and rename your username from ‘admin’
When you install Joomla on your site it creates a Super Administrator account with a known username (admin) and a known user ID (62). This has been exploited in the past by hackers to gain access to unsuspecting sites. The best approach is to create a new Super Administrator user and then block the default admin user, or demote it all the way down to the Registered level.
5. You have write permissions on your .htaccess file
By default, your .htaccess file has write permissions on it because Joomla has to update it, especially when you’re using SEF. The problem is that this leaves your .htaccess vulnerable to attacks that aim at changing it. You should always set your .htaccess permissions to 444.
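A shell audit for the modes recommended in items 3 and 5 above, added here as an example rather than something taken from the article or the Joomla project. It assumes GNU find and coreutils (for `-printf` and `%m`) and builds a constructed sample tree in a temporary directory so it runs stand-alone:

```shell
#!/bin/sh
# Added example: audit and repair file permissions on a Joomla document root
# against the values recommended in this article (directories 0755, regular
# files 0644, .htaccess 0444). Assumes GNU find/coreutils (-printf, %m).

# Print one "kind mode path" line per file or directory whose mode deviates
# from the target. Exit status 0 when the tree is clean, 1 otherwise.
joomla_perm_violations() {
    root=$1
    out=$( {
        find "$root" -type d ! -perm 0755 -printf 'dir  %m %p\n'
        find "$root" -type f -name .htaccess ! -perm 0444 -printf 'file %m %p\n'
        find "$root" -type f ! -name .htaccess ! -perm 0644 -printf 'file %m %p\n'
    } | sort )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Apply the recommended modes. Run this as the account that owns the files
# (your FTP user), not as root, so ownership stays with your account.
joomla_fix_perms() {
    root=$1
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f ! -name .htaccess -exec chmod 0644 {} +
    find "$root" -type f -name .htaccess -exec chmod 0444 {} +
}

# Constructed sample tree with three typical mistakes: a world-writable upload
# directory, an executable configuration.php and a writable .htaccess.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/images/stories" "$root/administrator"
    : > "$root/configuration.php"
    : > "$root/.htaccess"
    : > "$root/images/stories/index.html"
    chmod 0755 "$root" "$root/images" "$root/administrator"
    chmod 0777 "$root/images/stories"          # world-writable upload dir
    chmod 0755 "$root/configuration.php"       # should be 0644
    chmod 0644 "$root/.htaccess"               # Joomla default, should be 0444
    chmod 0644 "$root/images/stories/index.html"
    printf '%s\n' "$root"
}

sample=$(make_sample_tree)
echo "Before:"; joomla_perm_violations "$sample" || true
joomla_fix_perms "$sample"
echo "After:";  joomla_perm_violations "$sample" && echo "clean"
rm -rf "$sample"
```

Point `joomla_perm_violations` at your real document root from cron to be alerted when a script or extension has loosened permissions again.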
6. Limit what files can be uploaded through your Joomla website
7. Limit permissions to the database user
Once your Joomla website is set up, the database user should only be able to INSERT rows, UPDATE rows, DELETE rows, SELECT rows and CREATE tables. It should not be able to DROP tables or DROP the database. Ensure that only the necessary permissions are granted to the Joomla database user.
I cannot emphasize this enough; you can never have too many backups. Backups are something you never think about until you desperately need one and you don't have it.
Most hacking attempts come from a script or bot that randomly scouts out sites across the web. So the thought that you can get away without doing this because you run a small site is not correct! Always take your website’s security seriously; don’t assume that because you’re small, no one would consider hacking your website.