Difference between revisions of "Securing your Joomla website against Hacking"

From Acenet Knowledgebase
Latest revision as of 17:13, 9 October 2012

Security is a growing concern, with hackers and script kiddies waiting to do bad things to your site. There are ways to make your site more secure than it otherwise might be. This article discusses some measures an ordinary user can take to protect his or her Joomla website.

Why are Websites Vulnerable to Hacking and Other Exploits?

All websites on the Internet are vulnerable to hacking and other exploits; there are no exceptions. The reason is simple: unlike your personal computer, which may connect to the Internet only sporadically (such as when you turn it on to surf), websites are hosted on servers that are permanently connected to the Internet and exposed to anyone who wants to connect to them.

Sites that run blog scripts, content management system (CMS) software or any other type of script have an additional area of vulnerability to contend with: the software (blog or CMS script) is itself online, along with your content. If there are any security holes in the software, they can be exploited by anyone who connects to your website.

Symptoms of a Hacked Joomla Website

If your website has never been hacked before, you may wonder what the consequences are. In the past, hacked websites have exhibited one or more of the following symptoms:

[1] The website may be defaced.

[2] The hackers install hidden links on the blog that point to sites they own. Since Google ranks sites according to the number of links pointing to them (among other things), the intention is to make their site appear more important to Google.

[3] The hackers may inject some sort of script coding (usually javascript or an iframe) which will install some sort of malware on the computers of unsuspecting visitors.

[4] As a result of the above things happening, Google may remove the blog from their search engine results. Traffic to the blog will therefore plummet.

Hence, it's not just a matter of defacement if your site is compromised. There are serious side effects that will cost the webmaster considerable effort just to clean up and recover.

Measures to Improve the Security of Your Joomla Website

The following are some good security practices to help protect your Joomla! installation from being compromised.

[1] Change your Administrator username. Do not use "Admin" or "Administrator".

[2] Make sure your configuration.php is not writeable. This step is critical: a world-writeable configuration.php file is an invitation for hacking. You can make it non-writable from within Joomla: go to Site > Global Configuration, tick the "Make Non-Writable after saving" checkbox and Save. Any changes after this will require you to tick the "Override Write Protection while saving" checkbox.

[3] Always keep your Joomla upgraded to the latest version. Updating an installation of Joomla! installed with Fantastico is quick and easy: log in to your cPanel and locate the Fantastico icon under the Software section, then locate the Joomla section under "Content Management". You will see a list of all current Joomla! installations on your account; if an update is available you will see a link entitled "Upgrade". From this point the upgrade is fully automatic.

[4] Once you have a stable site, you should change all file permissions to write-protected using CHMOD (644 for files, 755 for directories). Any good FTP client will let you do this without having to use any scripts. You can also use the Global Configuration to apply the default permissions to all files and folders: go to Site > Global Configuration > Server tab and scroll down to File Creation. Select "CHMOD new files to 0644" and "CHMOD new directories to 0755", tick the "Apply to existing files" checkbox to apply this setting to all your current files, and save. Once this is done, make sure that configuration.php is still unwriteable; if it is writeable, tick "Make Unwriteable after saving" to protect it again.
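The permission and leftover-file checks in the list above can be verified from a shell account on the server as well as through the Joomla back end. The script below is an added example, not part of the original article and not a Joomla! tool; it assumes the site root (for example public_html) is passed as its first argument and reports files that are not 0644, directories that are not 0755, a writable configuration.php, and installation leftovers.

```shell
#!/bin/sh
# Added example, not part of the original article and not a Joomla! tool:
# audit a Joomla! document root for the problems the checklist above lists.
# Assumption: the site root (e.g. public_html) is passed as the first argument.
#
#   sh audit.sh /home/user/public_html
#
# Prints one WARN line per finding and returns the number of findings (0 = clean).

audit_joomla_perms() {
    root="$1"
    findings=0

    # 1. configuration.php must exist and carry no write bit at all. Joomla's
    #    "Make Non-Writable after saving" checkbox leaves it at mode 0444.
    cfg="$root/configuration.php"
    if [ ! -f "$cfg" ]; then
        echo "WARN: $cfg not found"
        findings=$((findings + 1))
    elif [ -n "$(find "$cfg" \( -perm -200 -o -perm -020 -o -perm -002 \))" ]; then
        echo "WARN: $cfg is writable; it should be mode 0444"
        findings=$((findings + 1))
    fi

    # 2. Every other file should be 0644 and every directory (root included) 0755.
    bad=$(find "$root" -type f ! -name configuration.php ! -perm 644)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/WARN: file is not mode 0644: /'
        findings=$((findings + $(printf '%s\n' "$bad" | wc -l)))
    fi
    bad=$(find "$root" -type d ! -perm 755)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/WARN: directory is not mode 0755: /'
        findings=$((findings + $(printf '%s\n' "$bad" | wc -l)))
    fi

    # 3. Installation leftovers: the installation/ directory and any archive
    #    that was uploaded to unpack the Joomla! core.
    if [ -d "$root/installation" ]; then
        echo "WARN: leftover $root/installation directory; delete it"
        findings=$((findings + 1))
    fi
    for a in "$root"/*.zip "$root"/*.tar.gz "$root"/*.tgz; do
        [ -f "$a" ] || continue
        echo "WARN: leftover archive $a; delete it"
        findings=$((findings + 1))
    done

    # Exit statuses only go up to 255.
    if [ "$findings" -gt 255 ]; then
        findings=255
    fi
    return "$findings"
}

if [ "$#" -gt 0 ]; then
    audit_joomla_perms "$1"
fi
```

Run it after applying the Global Configuration permissions and again after any FTP upload; a clean tree returns 0, so it can also be dropped into a cron job that mails you when something changes.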

Check your site for vulnerabilities

There are a number of tools which test your Joomla installation for corrupt or vulnerable files. Among these, Joomla Diagnostics (http://www.joomla-addons.org/joomla-diagnostics.html) is invaluable. Using Joomla Diagnostics you can easily scan for files that did not transfer completely during the upload of Joomla. It will also tell you which files that should be present are missing, and advise you of any security issues in your site. You simply need to upload the two files in the package to your server and access the diagnostics page, and you will get a list of warnings and security issues for your site. Remember to delete these files after you have used them! Otherwise you will be advertising your issues to hackers.

Another great tool for checking your site is the Joomla Tools Suite, which (among other uses) allows you to perform a Health, Installation and Security Audit of your site and so identify and remove any issues. For more information on using this tool, see the following thread on the Joomla Forum:

http://forum.joomla.org/index.php/topic,136328.0.html

Never leave extra files laying around

Ensure that there are no unnecessary files on your web server. Delete any files left over from the installation: delete your installation folder and any compressed files which you uploaded to your web server to install the Joomla! core. Remove any components, modules or templates that you are not using.

Protect your configuration files and sensitive directories

Configuration files should not be kept in the public html directory. Some web hosts might not allow you to do this, so the next best thing is to create a password-protected directory using an .htaccess file. If you are not sure what an .htaccess file does, it is a good idea to read about it before you continue. Create a directory in your Joomla! directory; it is a good idea to give it a random name, e.g. ehxum3jq rather than config.

Create an .htaccess file to protect the directory. Use the .htaccess generator to help you generate the file. Based on the example above you should have an .htaccess file similar to this. Remember that the path to the directory you want to protect is your home directory (if you are not sure, you can find it in the Absolute Path of your original configuration.php file) with the name of the directory that will hold your protected files appended, e.g. /home/content/a/b/c/abccompany/html/ehxum3jq/

N.B.: This only gives Basic Authentication, which does not offer rigorous security. In the words of Apache.org:

Basic authentication should not be considered secure for any particularly rigorous definition of secure.

To really offer security, you need to send the password over SSL (so that it is encrypted in transit).

Use strong passwords, pass phrases or random character strings for the .htpasswd file, which should be something like this. You can protect your directory even further by restricting access to specific IPs in the .htaccess file, as stated in this FAQ.

Test to ensure that the directory is protected: put a file in it and try to access it, e.g. http://www.yourcompany.com/ehxum3jq/myfile.txt. You should be prompted for a password. Supplying the username and password specified during generation should grant you access to the file; otherwise you should get a 401 error (Access Denied).
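The .htaccess, SSL, IP-restriction and testing steps above can be combined in one file. The script below is an added example, not the original article's generated file and not part of Joomla!: it writes an .htaccess for a directory such as ehxum3jq/, refuses plain HTTP, requires both a valid user and (if given) a listed client IP, and automates the 401/200 check with curl. It assumes Apache 2.4 "Require" syntax with mod_ssl and mod_auth_basic enabled and AllowOverride AuthConfig granted by the host; the .htpasswd path and IP addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article or from Joomla!: generate the
# .htaccess that password-protects a directory such as the randomly named
# ehxum3jq/ above, requiring HTTPS and (optionally) a listed client IP as well.
# Assumptions: Apache 2.4 "Require" syntax with mod_ssl and mod_auth_basic
# enabled and AllowOverride AuthConfig granted by the host; the .htpasswd path
# and IP addresses below are placeholders.
#
#   write_htaccess /home/content/a/b/c/abccompany/html/ehxum3jq \
#                  /home/content/a/b/c/abccompany/.htpasswd 203.0.113.10
#   htpasswd -B -c /home/content/a/b/c/abccompany/.htpasswd someuser   # then add users

write_htaccess() {   # $1 = directory to protect, $2 = absolute .htpasswd path, $3.. = allowed IPs
    dir="$1"; authfile="$2"; shift 2
    # Apache resolves a relative AuthUserFile against ServerRoot, which is almost
    # never what a shared-hosting user means, so insist on an absolute path.
    case "$authfile" in
        /*) ;;
        *) echo "AuthUserFile must be an absolute path: $authfile" >&2; return 1 ;;
    esac
    ip_rules=""
    for ip in "$@"; do
        ip_rules="$ip_rules    Require ip $ip
"
    done
    cat > "$dir/.htaccess" <<EOF
# Basic credentials are only base64-encoded, so refuse plain HTTP outright.
SSLRequireSSL

AuthType Basic
AuthName "Restricted area"
AuthUserFile $authfile

# RequireAll: a valid user AND (if listed) an allowed source IP are both needed.
<RequireAll>
    Require valid-user
${ip_rules}</RequireAll>
EOF
}

htaccess_check() {   # sanity-check a generated file; returns 0 when all pieces are present
    f="$1"
    grep -q '^SSLRequireSSL' "$f" &&
    grep -q '^AuthType Basic' "$f" &&
    grep -q '^AuthUserFile /' "$f" &&
    grep -q 'Require valid-user' "$f"
}

# The live check from the article, automated: without credentials the server
# must answer 401, with them 200. Needs curl and network access, and must be
# run over https:// from an allowed IP when IP rules are in place.
verify_protected() {   # $1 = URL of a file in the directory, $2 = user, $3 = password
    anon=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    auth=$(curl -s -o /dev/null -w '%{http_code}' -u "$2:$3" "$1")
    [ "$anon" = 401 ] && [ "$auth" = 200 ]
}
```

Keep the .htpasswd file outside the web root, as in the usage line, so that it can never be fetched over HTTP even if the .htaccess rules are ever lost.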

3rd Party extensions

3rd party extensions are one of the best things about Joomla! There is such a wide variety of extensions that you can probably find something already written for you. However, 3rd party extensions come in all shapes and sizes and are not monitored by the core team, so vulnerabilities may exist which can compromise your installation. You need to be extremely careful about installing any extensions. Monitor the List of Vulnerable 3rd Party / Non Joomla Extensions:

http://forum.joomla.org/index.php/board,346.0.html

If you install extensions make sure you monitor their releases and ensure that you follow their security recommendations.

For more information go to the Joomla! Security FAQ

http://forum.joomla.org/index.php/topic,102558.0.html

and Joomla! Administrator's Checklist

http://help.joomla.org/component/option,com_easyfaq/task,view/id,167/Itemid,268/

and the 10 stupidest Joomla! Security tricks

http://forum.joomla.org/index.php/topic,130926.0.html

Backup your Site

Even if you have taken ALL steps to ensure that your website is 100% secure, vulnerabilities might still lurk, waiting to be found and exploited. If your site does get hacked, you MUST ensure that it comes back online as soon as possible with as little loss of content as possible. For this you must have good, working backups (daily, or more frequently as the need arises). There is a popular free Joomla extension that we recommend: Akeeba Backup is an open-source component for the Joomla! CMS that allows full site backups (files and database).

http://extensions.joomla.org/extensions/access-&-security/backup/1606/details
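For sites where installing a backup component is not an option, the same "files and database" backup can be taken from a shell account. The script below is an added example, not part of the original article and not Akeeba Backup: it reads the database settings from the site's own configuration.php (the `public $db = '...';` layout of Joomla 1.6 and later, and the `var $db = '...';` layout of 1.5), dumps the database and archives the file tree. It assumes mysqldump is on the PATH (overridable through the MYSQLDUMP variable) and the paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article and not Akeeba Backup: a minimal
# "files and database" backup of the kind the paragraph above describes, reading
# the database settings from the site's own configuration.php.
# Assumptions: mysqldump is on the PATH (set MYSQLDUMP to override), and the
# paths in the usage line are placeholders.
#
#   joomla_backup /home/user/public_html /home/user/backups

joomla_cfg_value() {   # $1 = configuration.php, $2 = property name (db, user, password, host)
    # Joomla! stores settings as lines like:   public $db = 'joomla_db';
    # (Joomla 1.5 wrote "var" instead of "public"; [a-z]* accepts both.)
    sed -n "s/^[[:space:]]*[a-z]* \$$2 = '\([^']*\)';.*/\1/p" "$1" | head -n 1
}

joomla_backup() {   # $1 = site root, $2 = destination directory; prints the backup prefix
    root="$1"; dest="$2"; cfg="$root/configuration.php"
    [ -f "$cfg" ] || { echo "no configuration.php in $root" >&2; return 1; }
    mkdir -p "$dest"
    db=$(joomla_cfg_value "$cfg" db)
    user=$(joomla_cfg_value "$cfg" user)
    host=$(joomla_cfg_value "$cfg" host)
    pass=$(joomla_cfg_value "$cfg" password)
    prefix="$dest/$(date +%Y%m%d-%H%M%S)"

    # Database: hand the password over through MYSQL_PWD, which mysqldump reads,
    # so it never appears in the process list. --single-transaction gives a
    # consistent snapshot of InnoDB tables without locking the live site.
    MYSQL_PWD="$pass" "${MYSQLDUMP:-mysqldump}" -h "$host" -u "$user" --single-transaction "$db" \
        > "$prefix-$db.sql" || return 1

    # Files: archive from the parent so the tarball restores as one clean tree.
    tar -czf "$prefix-files.tar.gz" -C "$(dirname "$root")" "$(basename "$root")" || return 1

    # The archive contains configuration.php (and so the DB password) and the
    # dump holds all site data: keep both readable by the owner only.
    chmod 600 "$prefix-$db.sql" "$prefix-files.tar.gz"
    echo "$prefix"
}
```

Copy the two output files off the server (a backup that lives only on the compromised host is not a backup) and restore-test them occasionally; a dump that has never been loaded into a scratch database is an untested assumption.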


Additional information on securing your Joomla installation can be found here:

http://docs.joomla.org/Security_Checklist_1_-_Getting_Started