1-19-2012 www.ursamajorconsulting.com 1
Avoid Getting Hacked
Joomla! Web Security
Northern Virginia Joomla Users Group
January 2012
Dorothy Firsching, Ursa Major Consulting, [email protected]
Agenda
- Discuss security considerations and approaches
- Identify resources and references
- Additional programs / presenters?
Joomla! Web Security Discussion
- PHP-based / database-driven sites are vulnerable
- SQL injections: commands where data input is expected
  - Validate inputs and enforce size
  - Current version of PHP with appropriate settings
- Secure coding practices: http://joomladaymidwest.org/news/slides-and-video/2011/slides-jeff-channell-secure-php-coding-practices.html
Pick a Good Host
- Shared host vulnerabilities: http://docs.joomla.org/Security_Checklist_2_-_Hosting_and_Server_Setup
- Choose a good hosting provider: experienced in Joomla; responsive; forums / help
- Appropriate permissions:
  - Directories = 755
  - Files = 644
  - .htaccess, configuration.php = 644
- Web server is set up to use your user account as owner of PHP-created files
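The permission scheme on this slide (directories 755, files 644) as a shell audit and fix for a site's web root. This is an added example, not code from the slides or the Joomla project; it assumes a POSIX `find` and `chmod` on the host and that ROOT is the site's document root.

```shell
#!/bin/sh
# Added example, not from the slides: audit a Joomla document root against
# the permission scheme above (directories 755, files 644, which also covers
# .htaccess and configuration.php). Assumes POSIX find/chmod; ROOT is the
# site's web root on the host.

# Print every directory that is not exactly 755 and every file that is not
# exactly 644. Returns 1 when at least one path deviates, 0 when clean.
audit_joomla_perms() {
    root="$1"
    dirs=$(find "$root" -type d ! -perm 755)
    files=$(find "$root" -type f ! -perm 644)
    if [ -z "$dirs" ] && [ -z "$files" ]; then
        return 0
    fi
    [ -n "$dirs" ] && printf '%s\n' "$dirs" | sed 's/^/DIR  not 755: /'
    [ -n "$files" ] && printf '%s\n' "$files" | sed 's/^/FILE not 644: /'
    return 1
}

# Apply the scheme to the whole tree. Resets the world-writable 777 modes
# that hosting setups often leave behind; setuid/setgid bits are dropped too.
fix_joomla_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Number of flagged paths, handy as a cron check that mails when non-zero.
count_perm_violations() {
    audit_joomla_perms "$1" | wc -l | tr -d ' '
}

# Usage (uncomment): audit_joomla_perms /var/www/mysite || echo "fix needed"
```

Run the audit before the fix so you can see what the host had changed, and keep the audit in cron: a file that comes back 777 after you fixed it is worth investigating.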
Upgrade Regularly
- Upgrade to the latest version of Joomla
- Akeeba Admin Tools
- Use safe extensions; upgrade extensions
- Check the vulnerability list: http://docs.joomla.org/Vulnerable_Extensions_List
- Subscribe to updates
- Keep a spreadsheet of your sites and the versions they use
Joomla Setup
- Password-protect folders in the control panel
- Use a site-specific database username and password
- Change the jos_ table prefix
- Hide the admin login: the jSecure Authentication plugin adds a suffix to your back-end URL so it looks like this: http://www.mysite.com/administrator?199abbetc
Access Control
http://docs.joomla.org/Security_Checklist_4_-_Joomla_Setup
- Strong passwords
- Change the admin username and number: the default ID for the admin user in Joomla is 62, and this may be used by a hacker
  1. Create a new super-administrator with another user name and a strong password
  2. Log out and in again as this new user
  3. Change the original admin user to a manager and save (you are not allowed to delete a super-administrator)
  4. Delete the original admin user (user ID 62) and rename from the default Admin to a new one
Backups / Upgrades
- Akeeba Backup
- Multi-backup scheme
- Test restoration / upgrades; a test site is helpful
- Hosting provider backups
- Hosting provider virus scans, or site backup using local download / scan
- http://docs.joomla.org/Security_Checklist_6_-_Site_Recovery
Vulnerabilities
- Old Joomla! versions
- Community Builder before 1.7.1
- JCE before 2.0.19
- Unchecked user input (SQL injection, buffer overflows)
- eXtplorer left on site
- http://docs.joomla.org/Vulnerable_Extensions_List
Check What's Happening
- Logs / AWSTATS / other packages
- Google Analytics
- File modification dates / contents
Resources
- http://docs.joomla.org/Category:Security_Checklist
- http://joomladaymidwest.org/news/slides-and-video/2011/slides-jeff-channell-secure-php-coding-practices.html
- Securing PHP Web Applications, Tricia Ballard and William Ballard, 2009
- Joomla! Web Security, Tom Canavan, Packt Publishing, 2008; out of date but still useful.