1. Read Me First!
1. There's no free lunch! Don't be fooled by Joomla's award-winning easy of use. Maintaining a secure, dynamic Web site on the open Internet is not easy. Security requires continual watchfullness and effort.
2. There's no single solution: Due to the variety and complexity of today's web servers, security issues can't be resolved with simple, one-size-fits-all solutions.
3. There's no substitute for experience: To secure your site, you must gain experience (some of which will be bitter) or get experienced help from others.
4. Rise above the herd: The Security Forums are filled with "Help! I've been hacked" posts by people who did NOT follow standard security practices (this author included Undecided). If you decided to study documents such as this before your site is compromised, congratulation, you're already ahead of the herd.
5. It's not as hard as it looks: The following checklist may seem intimidating, but you don't have to deal with all of it at once. As you become more familiar with GNU/Linux, Apache, MySQL, PHP, and Joomla!, you'll quickly see which combination of tactics best applies to your current installation.
2. Getting Started
1. Determine if you are ready: Are you're able to administer a dynamic, database-driven, interactive, user-authenicated web-based system? Do you have the time and resources to respond to the many existing and constantly emerging security issues on the open Internet? Here is a tragic/comic list of the most common administrator security errors. Don't learn these the hard way!
Top 10 Stupidest Joomla! Administrator Tricks.
2. Determine if Joomla! meets your needs: Developers of very large projects may want to check this forum discussion. If you're wondering about Joomla! vs. Drupal, check this forum discussion.
3. Stay informed of security issues: Given the complexity of web servers, new vulnerabilities and conflicts are discovered all the time. To stay in the loop, subscribe to Joomla Security Related Announcements. Select the "Notify" button.
4. Check the FAQs: The most helpful posts in the Joomla! Security Forum (as well as other sources) are converted into Security FAQs on the official Joomla! Help site.
5. Learn from the pros: Hunt down the many nuggets of wisdom in the Joomla! forums. For example, read this great post by CirTap.
3. Choose a Qualified Hosting Provider
1. Probably no decision is more critical to your site's security than the choice of hosts. Due to the wide variety of hosting options, it's not possible to provide a complete check list for every situation.
2. If you are on a tight budget, you can get by on a shared hosting plan, but you must understand the risks, and know how to choose a qualified provider. [Related Discussion] [FAQ].
3. Check this unbiased list of recommended hosts.
4. For a real eye-opener, read this report on thousands of sites that allowed Google to index the results of phpinfo(). Don't make this mistake on your site! The report includes alarming statistics on the percentage of site that use depreciated settings such as register_globals ON or that don't have open_basedir set at all!
4. Setup a Test and Development Environment
1. Develop and test your site on a local machine first. Installing Joomla locally is not has hard as it may sound, and the exercize will greatly boost your confidence. [FAQ]
2. Use an Integrated Development Environment (IDE). [FAQ]
3. Be able to roll back to an earlier version of your site using a modern version control system, such as CVS or Subversion.
4. Check out the Joomla! community's list of popular Developer Software and Tools.
5. Installing, Upgrading, and Configuring Joomla! Core and Apache Server
1. Always install and upgrade to the latest stable Joomla!.
2. Before you upgrade to Joomla! 1.0.13, read this forum thread discussing incompatible extensions. This version of Joomla! includes more powerful password encryption functions that break backward compatibility with important extensions that rely on the earlier password format. This includes CommunityBuilder, VirtueMart, and many of the bridges.
3. Download Joomla! from official sites, such as the Joomla! Forge, and check the MD5 hash. See this post for an example of what can happen if you download Joomla! from an unsafe site.
4. Use Joomla Diagnostics to ensure that all files were installed correctly.
5. Delete left over files. The installation process will require you to delete the installation directory and all its contents. Do this; do not simply rename it. If you upload files to your site as compressed archives (xxxx.zip for example), don't forget to remove the compressed file when finished with it. In general, do not leave any files, compressed or otherwise, on a public server unless they are required for the functioning of your site.
6. Increase the security of the all-critical configuration.php file by moving it outside of public_html. [FAQ]
7. Change the user name of the default admin user. This simple step greatly increases the security of this critical account. [FAQ]
8. Block typical exploit attempts with .htaccess files. [FAQ]
9. Password protect sensitive directories, such as administrator, with .htaccess files. [FAQ]
10. Restrict access to sensitive directories by IP Address, using .htaccess. [FAQ]
11. Depending on your host, you may be able to increase security by switching to PHP5. [FAQ]
12. Follow the "Least Privilege" principle for running PHP using tools such as PHPsuExec, php_suexec or suPHP. (Not assessible to shared server users. Check with your host.)
13. Configure Apache mod_security and mod_rewrite filters to block PHP attacks. (Not assessible to shared server users. Check with your host.)
Google Search Example: http://www.google.com/search?q=apache%20mod_security
Google Search Example: http://www.google.com/search?q=apache%20mod_rewrite
14. Be sure MySQL accounts are set with limited access. The initial install of MySQL is insecure; careful configuration is required. (Not assessible to shared server users. Check with your host.)
MySQL Documentation
15. Currently, both PHP4 and PHP5 are maintained. Before PHP4 becomes obsolite, upgrade your code to PHP5. By the way, you don't worry about Joomla! Core. It's already PHP 5 compatible. PHP News
16. Avoid the use of PHP safe_mode. [FAQ]
17. Turn Joomla! Register Globals Emulation OFF. [FAQ]
Related Forum Discussion
18. Ensure that all configurable paths to writable directories (document repositories, image galleries, caches) are outside of public_html. Check third party extensions, such as DOCMan and Gallery2, for editable path settings to such directories. There is currently no easy way to move the Joomla! /image and /media directories. Best plan is to make sure open_basedir is properly set for all the user accounts on your server. Check with your host if unsure.
19. Once your site is configured and stable, write-protect directories and files by changing directory permissions to 755, and file permissions to 644. There is a feature in Site --> Global Configuration --> Server to set all folder and file permissions at once. Test third party extensions afterwards. Note: You'll need to reset write permissions to install more extensions.
Post: Shell script for setting file and directory permissions
20. Remove all design templates not needed by your site. Do not put security logic in template files.
Post: Suggest Ability to turn off/on template change
21. If you use a VPS or dedicated server, run TripWire or SAMHAIN (GNU/GPL) . They perform exhaustive file checking and reporting functionality, and can be installed in a stealthy manner to help protect themselves in the event of a serious infiltration.
22. Hire a professional Joomla! security consultant to review your configurations.
6. Installing, Upgrading, and Configuring Joomla! Extensions (Components, Modules, Bots, and Plugins)
1. BEFORE installing new extensions backup your site and your site's database.
2. BEFORE installing third party extensions, check: Official List of Vulnerable 3rd Party/Non Joomla! Extensions
3. Only download extensions from trusted sites. The official definition of a "trusted site" is one that YOU trust.
4. User beware! Third party extensions come in all flavors of quality and age. Although Joomla! coding standards exist, extensions listed on the official Joomla! site are not reviewed for compliance. Test all extensions on a development site before installing on a production site. [FAQ (Part 1)] [FAQ (Part 2)]
5. Most security vulnerabilities are caused by third party extensions. In fact there's an entire forum dedicated to this subject. Subscribe to it using the Notify button.
6. Remove unused extensions, and double check that all related folders and files were removed by the uninstall scripts. Note that many third party extensions leave files on your server, and many leave the related database tables untouched. This is either a feature or a bug, depending on your point of view.
7. Remove or fix any Joomla! extension that require register_globals ON.
How to fix an extension that requires register_globals ON
8. Be wary of extesions with encrypted code. Joomla! is, and always has been, a GNU/GPL framework. This means that all extensions to Joomla! must also be free (as in freedom) and open (as in the code is distributed in readable form). Encrypted code may be safe, but you can't judge this for yourself, you must trust the developer's word, and you must wait for a patch if a vulnerability is discovered rather than immediately fixing the code yourself. You are usually also not free to modify, improve, or share encrypted code, which can make it much less valuable to the Joomla! community as a whole. Of course, code that is not distributed to others is exempt from the GNU/GPL distribution rights. Thus you can encrypt your own code as much as you want for security or other reasons.
7. Configuring php.ini
1. Understand how to work with the php.ini file, and how PHP configurations are controlled. Study the Official List of php.ini Directives at www.php.net, and the well-documented default php.ini file included with every PHP install. [Latest default php.ini file]
2. On shared servers you can't edit the main php.ini file, but you may be able to add a custom file. If so, you'll need to copy that file to every sub-directory that requires the custom php.ini settings. Luckily a free set of scripts do the hard work for you:
B&T's Tips and Scripts
3. Read the forum post, Secure it with php.ini, by Beat, Q&T Workgroup Member, for a list of php.ini methods sorted in order of preference.
4. Set register_globals OFF. This directive determines whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables. This is an important setting to turn OFF. If you can't gain access to php.ini, see the switch to PHP5 using .htaccess techique above.
ZEND Chapter 29. Using Register Globals
5. Use disable_functions to disable dangerous PHP functions that are not needed by your site.
6. Disable allow_url_fopen. This option enables the URL-aware fopen wrappers that enable accessing URL object like files. Default wrappers are provided for the access of remote files using the ftp or http protocol, some extensions like zlib may register additional wrappers. Note: This can only be set in php.ini due to security reasons.
7. Adjust the magic_quotes_gpc directive as needed for your site. The recommended setting for Joomla! 1.0.x is ON to protect against poorly-written extensions. Joomla! 1.5 ignores this setting and works fine either way.
PHP Manual, Chapter 31. Magic Quotes.
8. open_basedir (should be enabled and correctly configured)
Limit the files that can be opened by PHP to the specified directory-tree. This directive is NOT affected by whether Safe Mode is ON or OFF. The restriction specified with open_basedir is a prefix, not a directory name. This means that "open_basedir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. To restrict access to only the specified directory, end with a slash.
PHP Security and Safe Mode Configuration Directives
9. Example php.ini directives for the above suggestions:
register_globals = 0
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen = 0
magic_quotes_gpc = 1
safe_mode = 1
open_basedir = /dir/to/include/change/me
8. Joomla! Hardening for Maximum Security
1. For maximum security, avoid a shared server on which you don't know or can't trust all the other users or their code quality. [FAQ]
2. Use an SSL server for confidential transactions. Read this enlightening discussion on the need for SSL any time security is important. Joomla! 1.0.x does not allow you to assign an SSL server to individual sub-directories. Search the forum for the "Tommy Hack" for one way to deal with this. Joomla! 1.5 has greatly increased options for this. ) [FAQ]
3. For an additional layer of password protection, use .htaccess password protection in critical directories. Unless you combined this with SSL, it is no longer the highly secure method that it once was, but it will certainly block the average script kiddie.
9. Ongoing Site Administration
1. Use Well-Formed Passwords: Change passwords regularly and keep them unique. Use a random combination of letters, numbers, or symbols and avoid using single names or words found in a dictionary. Never use the names of your relatives, pets, etc. Wizzie has supplied a script that automatically changes passwords. This is a great tool for administrators or multiple sites. Automatic Admin PW Generator
2. Follow a Password Leveling Scheme: Most users may not need more than three levels of passwords and webmasters no more than five. Each level must be completely unrelated to the others in terms of which usernames and passwords are used. [FAQ]
3. Maintain a Strong Site Backup Process: Never rely on others' backups. Take responsibility for your backup procedures. Many ISPs state in their contract that you can not rely solely on their backups.
4. Perform Automated Intrusion Detection: Use an Intrusion Prevention/Detection Systems to block/alert on malicious HTTP requests.
Google Search Example:
http://www.google.com/search?q=Intrusion+Prevention
5. Perform Manual Intrusion Detection: Regularly check raw logs for suspicious activity. Don't rely on summaries and graphs. There is a good discussion of creative ways to automatically check log files in this topic.
6. Stay Current with Security Patches and Upgrades Apply vendor-released security patches ASAP.
7. Proactively Seek Web Vulnerabilities: Perform frequent web scanning.
Google Search Example:
http://www.google.com/search?q=%22web+scanning%22
8. Proactively Seek SQL Injections Vulnerabilities: Use tools such as Paros Proxy for conducting automated SQL Injection tests against your PHP applications.
Google Search Example:
http://www.google.com/search?q=%22SQL+Injection%22
Wikipedia: http://en.wikipedia.org/wiki/SQL_injection
9. Use Shell Scripts to Automate Security Tasks: If you're comfortable with shell scripts (and you should be), you may want to try the following scripts supplied for free to the community by Wizzie
Joomla! Version Checking
Joomla! Component/Module Version Checking
Exploit Checking
10. Learn all you can about security software: There is not a single tool that can protect your site. If there were, it would be so heavily targeted that it would probably become a liability. Related topic.
11. Prepare for the approaching release of Joomla! 1.5, the most significant upgrade in Joomla!'s history. It includes many powerful security and performance enhancements.
* Monitor 1.5 development status.
* Start playing with the beta version.
* Learn about Model, View, Control (MVC).
* Develop a conversion plan for extensions you've written.
* Develop a conversion plan for your existing sites.
|
