3. WHY are sites Hacked?
Curiosity
Monetary
Political
Spamming
Reputation Advantages
Testing Systems
Destruction
4. How are sites Hacked?
Insecure communications
• SQL Injection
• Automated Injection
• Backdoor Injection - Modules, Forums, Search, etc.
• Remote Injection
SQL Injection in the Browser Address Bar
Cross Site Scripting (XSS)
Authorization Bypass / Broken Authentication
Google Hacking
Password Cracking
Malicious file execution
5. What to Secure?
Data
• Files
• Images
• Database
Server Access
Security Details
6. How to Secure Joomla?
Joomla Packages: always download the Joomla package from joomla.org
• http://www.joomla.org
• http://extensions.joomla.org
Make sure all PHP settings are “Green” when installing Joomla
Change the default Joomla database prefix (jos_)
Create a new Super Administrator and delete the original one (user id 62 up to Joomla 1.5)
Turn off User Registration if registration is not required.
Enable and optimize Joomla .htaccess
7. How to Secure Joomla?
Password protect directory using .htaccess
FTP Layer: disable it if it is not used, or not used frequently
The Mail From Id should not be the same as the Super Administrator Email Id
Setting the Global Metadata Information
Ensure all passwords are very strong (hosting a/c, site admin, database user, FTP)
Always keep extensions up to date and subscribe to their mailing lists
8. How to Secure Joomla?
Close all unwanted TCP/IP ports
Change file permissions of configuration.php to 644
Use SFTP instead of FTP
Use SSH instead of rlogin to server
Setting the permission to 644 allows Apache to read the file and prevents others from editing it
Grant access only to the regions your site is dedicated to
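An added hardening audit that checks an install for the items on these slides (644 on configuration.php, a non-default database prefix, an enabled .htaccess, and HTTP-auth protection on /administrator). This is example code, not from the slides; it assumes a Joomla 1.5-era directory layout and a configuration.php containing a line like `var $dbprefix = 'jos_';`.

```shell
#!/bin/sh
# Added hardening audit (not from the slides). Assumes a Joomla 1.5-era tree:
# configuration.php with a line like `var $dbprefix = 'jos_';`, and Apache
# honouring .htaccess files.

# Octal mode of a file, working on both GNU and BSD stat.
file_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# audit_joomla DIR: prints one line per finding; exit status = number of findings.
audit_joomla() {
  root="$1"; issues=0
  cfg="$root/configuration.php"

  if [ ! -f "$cfg" ]; then
    echo "MISSING: $cfg"; issues=$((issues+1))
  else
    # configuration.php holds the DB password: Apache needs read access,
    # nobody else needs write access, hence 644.
    mode=$(file_mode "$cfg")
    if [ "$mode" != "644" ]; then
      echo "PERMS: configuration.php is $mode, expected 644"; issues=$((issues+1))
    fi
    # The default jos_ prefix is the one generic attack tooling assumes.
    if grep -Fq "\$dbprefix = 'jos_'" "$cfg"; then
      echo "PREFIX: database prefix is still the default jos_"; issues=$((issues+1))
    fi
  fi

  # Joomla ships htaccess.txt; it only takes effect once renamed to .htaccess.
  if [ ! -f "$root/.htaccess" ]; then
    echo "HTACCESS: $root/.htaccess not enabled (rename htaccess.txt)"; issues=$((issues+1))
  fi

  # /administrator should sit behind an extra HTTP auth layer (.htaccess + .htpasswd).
  if ! grep -qs '^AuthType' "$root/administrator/.htaccess"; then
    echo "ADMIN: no password protection on $root/administrator"; issues=$((issues+1))
  fi

  return "$issues"
}
```

Run it as `audit_joomla /path/to/joomla`; a zero exit status means none of the four checks fired.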
9. How to Secure Joomla?
Before installing extensions, always check:
• Reviews
• Known vulnerabilities
Use Search Engine Friendly URLs (e.g. Joomla core SEF and/or sh404sef)
Hide your administrator URL (using jSecure Authentication, jAdmin Tools)
Report all possible hacks to the Joomla! Security Strike Team (JSST)
• http://developer.joomla.org/security
Subscribe to security updates so they hit your mailbox as soon as they are available!
• RSS feed: http://feeds.joomla.org/JoomlaSecurityNews
10. Choosing Hosting
Look into your requirements
Choose the hosting type: Shared vs. Dedicated Hosting
Versions on servers (should be at least PHP 5 and MySQL 5)
A server that runs PHP in CGI mode with suPHP
Types of Backup
24/7 Customer support is VITAL
11. Is my website a victim?
Always be proactive, not reactive
Server / Application / Extension security is ongoing work.
Always check for upgrades and reviews
Build a disaster recovery plan
If you don’t get updates from the Joomla! Security Strike Team (JSST), subscribe at:
• http://developer.joomla.org/security
12. I am Hacked!!!
Create an HTML page with a message and save it as index.html
Save the server access and error logs
Restore the website using a recent backup
Look at the logs and try to find out how the site was hacked.
Report all possible hacks to the Joomla! Security Strike Team (JSST)
• http://developer.joomla.org/security
13. Analyze Security
Security can be broken into five distinct functional areas:
• Risk Avoidance
• Restriction
• Prevention
• Detection
• Recovery