Joomla Security : Secure Your Website
Ajay Lulia
Managing Partner & CTO, Synergy Technology Services
CEO, Joomla Service Provider
@ajaylulia
http://www.joomlaserviceprovider.com
WHY are sites Hacked?
• Curiosity
• Monetary
• Political
• Spamming
• Reputation advantages
• Testing systems
• Destruction
How are sites Hacked?
• Insecure communications
  • SQL Injection
  • Automated Injection
  • Backdoor Injection: modules, forums, search etc.
  • Remote Injection
• SQL Injection in the browser address bar
• Cross Site Scripting (XSS)
• Authorization Bypass / Broken Authentication
• Google Hacking
• Password Cracking
• Malicious file execution
What to Secure?
• Data
  • Files
  • Images
  • Database
• Server access
• Security details
How to Secure Joomla?
• Joomla packages: always download the Joomla package from joomla.org
  • http://www.joomla.org
  • http://extensions.joomla.org
• Make sure all PHP settings are “Green” when installing Joomla
• Change the default Joomla database prefix jos_
• Create a new Super Administrator and delete the original one (user id 62, up to Joomla 1.5)
• Turn off user registration if no registration is required
• Enable and optimize the Joomla .htaccess
How to Secure Joomla?
• Password protect directories using .htaccess
• FTP layer: disable it if it is not used, or not used frequently
• The Mail From address should not be the same as the Super Administrator's email address
• Set the global metadata information
• Ensure all passwords are very strong (hosting account, site admin, database user, FTP)
• Always keep extensions up to date and always use the mailing lists
How to Secure Joomla?
• Close all unwanted TCP/IP ports
• Change the file permissions of configuration.php to 644
• Use SFTP instead of FTP
• Use SSH instead of rlogin to reach the server
• Set permissions to 644, which lets Apache read the file and prevents others from editing it
• Grant access only to the regions your site is dedicated to
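An added example, not from the slides or the author, that checks three of the hardening items from the last three slides on a Joomla tree: configuration.php mode 644, database prefix changed from jos_, and the administrator directory protected by an .htaccess file. The sample site it builds, the k3x9_ prefix and the /path/to/.htpasswd location are constructed placeholders.

```shell
#!/bin/sh
# Audit a Joomla install for three checks drawn from the hardening slides.
# Prints FINDING lines to stderr and the number of findings to stdout.
joomla_audit() {
  root="$1"
  cfg="$root/configuration.php"
  findings=0
  if [ ! -f "$cfg" ]; then
    echo "configuration.php not found under $root" >&2
    return 1
  fi
  # GNU stat first, BSD/macOS stat as fallback; both print the octal mode.
  mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
  if [ "$mode" != "644" ]; then
    echo "FINDING: configuration.php mode is $mode, expected 644" >&2
    findings=$((findings + 1))
  fi
  # Matches both Joomla 1.5 ('var $dbprefix') and later ('public $dbprefix').
  if grep -q "dbprefix = 'jos_'" "$cfg"; then
    echo "FINDING: default database prefix jos_ still in use" >&2
    findings=$((findings + 1))
  fi
  if [ ! -f "$root/administrator/.htaccess" ]; then
    echo "FINDING: administrator/ has no .htaccess (not password protected)" >&2
    findings=$((findings + 1))
  fi
  echo "$findings"
}

# Build a constructed sample tree (hypothetical, for demonstration only).
# "weak" reproduces the defaults the slides warn about; anything else is hardened.
make_sample_site() {
  d=$(mktemp -d)
  mkdir -p "$d/administrator"
  if [ "$1" = "weak" ]; then
    printf "<?php\nclass JConfig {\n\tpublic \$dbprefix = 'jos_';\n}\n" > "$d/configuration.php"
    chmod 600 "$d/configuration.php"
  else
    printf "<?php\nclass JConfig {\n\tpublic \$dbprefix = 'k3x9_';\n}\n" > "$d/configuration.php"
    chmod 644 "$d/configuration.php"
    # Basic-auth protection for the admin directory; AuthUserFile path is a placeholder.
    printf "AuthType Basic\nAuthName \"Restricted\"\nAuthUserFile /path/to/.htpasswd\nRequire valid-user\n" \
      > "$d/administrator/.htaccess"
  fi
  echo "$d"
}

# Usage on a real install: joomla_audit /var/www/joomla
# Exit status is 1 only when configuration.php cannot be found.
```

Run against the weak sample the function reports 3 findings; against the hardened sample it reports 0.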
How to Secure Joomla?
• Before installing extensions, always check:
  • Reviews
  • Known vulnerabilities
• Use Search Engine Friendly URLs (e.g. Joomla core SEF and/or sh404sef)
• Hide your administrator URL (using jSecure Authentication or jAdmin Tools)
• Report all possible hacks to the Joomla! Security Strike Team (JSST)
  • http://developer.joomla.org/security
• Subscribe to security updates so they reach your mailbox as soon as they are available!
  • RSS feed: http://feeds.joomla.org/JoomlaSecurityNews
Choosing Hosting
• Look into your requirements
• Choose the hosting type: shared vs. dedicated hosting
• Software versions on the server (should be at least PHP 5 and MySQL 5)
• A server that runs PHP in CGI mode with su_php
• Types of backup
• 24/7 customer support is VITAL
Is my website a victim?
• Always be proactive, not reactive
• Server / application / extension security is ongoing work: always check for upgrades and reviews
• Build a disaster recovery plan
• If you don’t have updates from the Joomla! Security Strike Team (JSST):
  • http://developer.joomla.org/security
I Am Hacked!!!
• Create an HTML page with a notice and save it as index.html
• Save the server access and error logs
• Restore the website from a recent backup
• Examine the logs and try to find out how the site was hacked
• Report all possible hacks to the Joomla! Security Strike Team (JSST)
  • http://developer.joomla.org/security
Analyze Security
Security can be broken into five distinct functional areas:
• Risk avoidance
• Restriction
• Prevention
• Detection
• Recovery
Thank You
Ajay Lulia
Twitter: @ajaylulia
ajay.lulia@synergytechservices.com
http://www.synergytechservices.com
http://www.joomlaserviceprovider.com