Ruth's Presentation on Joomla! Security
Security in Joomla
• What do we mean by “security”?
• Why bother?
• What can I do to keep my sites secure?
A balancing act?
What is Security?
• Authorised Access to data & files
• Prevention of malicious attacks & unauthorised access via
– SQL/Command Injection
– Insecure passwords
– OS vulnerabilities
– Software vulnerabilities
– Buffer Overflow
– Etc.
Why Bother?
Legal issues
• Data Protection Act 1998 – anyone who processes your information must comply with 8 principles, including:
– Data must be kept securely
• Heavy penalties for not taking appropriate measures to safeguard your data
• No test cases for Joomla! sites yet...
Professionalism
• Embarrassing and harmful to organisations’ image
• The “Fear Factor”
Why target Joomla?
• Very popular Content Management System
• Lots of “inexperienced” users
• Lots of less-than-ideal security practices server-side
How to keep my sites secure?
• ALWAYS get your installation files direct from Joomla.org
• Use reputable hosting providers – make sure all PHP settings are “Green”
• ALWAYS check vulnerability list before installing extensions (esp. obscure ones!)
• ALWAYS keep up to date with patches for Joomla and for ALL extensions (use mailing lists, etc)
Finding a reliable host
• Consider your requirements
• Shared v Dedicated Hosting
• Patching of servers (should be on PHP 5 & MySQL 5 at least)
• Backup & redundancy
• Customer support 24/7 is VITAL
THOU SHALT BACK UP!
• Backups made as frequently as your site requires
• Back up files AND database OFF SITE
• ALWAYS back up prior to any upgrade – of ANYTHING!
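The three backup rules above (files and database, off site, before any upgrade) come down to one routine. The script below is an added example and is not from Ruth's presentation or from Joomla! itself: it bundles the site files and a database dump into one timestamped, checksummed archive that is then ready to be copied off site, and it verifies the archive afterwards. The directory layout, the archive naming and the `mysqldump` call are assumptions; `run_demo` builds a constructed mini site so the whole thing runs without a real Joomla! install.

```python
# Added example, not from Ruth's presentation: bundle the site files and a
# database dump into one timestamped, checksummed archive that can then be
# copied off site. The directory layout, the archive name and the optional
# mysqldump call are assumptions, not anything the slides specify.
import hashlib
import os
import shutil
import subprocess
import tarfile
import tempfile
import time


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large archives fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def dump_database(db_name, db_user, db_password, out_path):
    """Write a MySQL dump with mysqldump, if it is installed.

    The password goes through the MYSQL_PWD environment variable rather than
    the command line, so it does not show up in the process list.
    Returns out_path on success, None when mysqldump is not available.
    """
    if shutil.which("mysqldump") is None:
        return None
    env = dict(os.environ, MYSQL_PWD=db_password)
    with open(out_path, "wb") as fh:
        subprocess.run(
            ["mysqldump", "--single-transaction", "-u", db_user, db_name],
            stdout=fh, env=env, check=True,
        )
    return out_path


def make_backup(site_dir, dest_dir, extra_files=()):
    """Create dest_dir/joomla-backup-<UTC stamp>.tar.gz holding the site files
    (under site/) and any extra files such as the DB dump (under db/).
    Writes a .sha256 sidecar and returns (archive_path, digest)."""
    os.makedirs(dest_dir, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime())
    archive = os.path.join(dest_dir, f"joomla-backup-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
        for path in extra_files:
            tar.add(path, arcname="db/" + os.path.basename(path))
    digest = sha256_of(archive)
    with open(archive + ".sha256", "w") as fh:
        fh.write(f"{digest}  {os.path.basename(archive)}\n")
    return archive, digest


def verify_backup(archive, expected_digest):
    """A backup you have not verified is not a backup: check the checksum and
    that configuration.php (the file a restore cannot do without) is inside."""
    if not os.path.exists(archive) or sha256_of(archive) != expected_digest:
        return False
    with tarfile.open(archive, "r:gz") as tar:
        return "site/configuration.php" in tar.getnames()


def run_demo():
    """Build a constructed mini site and dump, back them up, verify, then
    simulate corruption in transit. Returns the two verification results."""
    work = tempfile.mkdtemp(prefix="joomla-backup-demo-")
    site = os.path.join(work, "htdocs")
    os.makedirs(os.path.join(site, "administrator"))
    with open(os.path.join(site, "configuration.php"), "w") as fh:
        fh.write("<?php class JConfig { var $dbtype = 'mysql'; }\n")  # constructed
    dump = os.path.join(work, "site.sql")
    with open(dump, "w") as fh:
        fh.write("-- constructed stand-in for mysqldump output\n")
    archive, digest = make_backup(site, os.path.join(work, "offsite"), [dump])
    intact = verify_backup(archive, digest)
    with open(archive, "ab") as fh:      # damage the archive after the fact
        fh.write(b"\x00")
    damaged = verify_backup(archive, digest)
    shutil.rmtree(work)
    return intact, damaged


if __name__ == "__main__":
    print(run_demo())  # (True, False)
```

In real use, call `dump_database` first, pass the dump path to `make_backup`, then copy both the archive and its `.sha256` sidecar off the server and run `verify_backup` on the copy, not the original. The sidecar is what lets you spot a transfer that silently truncated the file.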
What to do now?
• Create a new Super Administrator & delete original one (id 62)
• Hide your administrator URL (jSecure)
• Change your default admin username
• Ensure system passwords are very strong (hosting a/c, database user, ftp, site admin)
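As an added example, not part of Ruth's presentation or of Joomla!, here is a small audit that checks a users table for the two install-time defaults the list above says to remove (the Super Administrator with id 62 and the username `admin`) and applies a basic strength check to the system passwords. It assumes a Joomla! 1.5-style `jos_users` table with `id`, `username`, `usertype` and `block` columns and uses an in-memory SQLite copy with constructed rows so it runs stand-alone; against a live site you would pass a connection to the real database instead.

```python
# Added example, not from Ruth's presentation: audit a Joomla! 1.5 users table
# for the defaults the slide says to remove (Super Administrator id 62, the
# username "admin") and apply a basic strength check to system passwords.
# The jos_users columns used here and the sample rows are constructed to mirror
# a 1.5 install; run it against your own database by passing a real connection.
import re
import sqlite3

DEFAULT_ADMIN_ID = 62          # id the installer gives the first Super Administrator
DEFAULT_ADMIN_USERNAME = "admin"
SUPER_ADMIN_TYPE = "Super Administrator"
# Constructed short list; a real deployment would use a much larger one.
COMMON_PASSWORDS = {"password", "admin", "admin123", "joomla", "123456", "letmein"}


def audit_users(conn, prefix="jos_"):
    """Return (code, message) findings for the <prefix>users table.

    The prefix is interpolated into SQL, so it is restricted to alphanumerics
    and underscore before use; a rejected prefix raises ValueError.
    """
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("table prefix must be alphanumeric/underscore")
    rows = conn.execute(
        f"SELECT id, username, usertype, block FROM {prefix}users"
    ).fetchall()
    findings = []
    for uid, username, usertype, block in rows:
        if uid == DEFAULT_ADMIN_ID:
            findings.append(("default_id",
                             f"user id {uid} ({username}) still exists; "
                             "create a new Super Administrator and delete it"))
        if username.lower() == DEFAULT_ADMIN_USERNAME:
            findings.append(("default_username",
                             f"user id {uid} uses the default username "
                             f"'{username}'; rename it"))
    super_admins = [r for r in rows if r[2] == SUPER_ADMIN_TYPE and r[3] == 0]
    if len(super_admins) > 1:
        findings.append(("multiple_super_admins",
                         f"{len(super_admins)} active Super Administrators "
                         "(" + ", ".join(r[1] for r in super_admins) + "); "
                         "confirm each one is still needed"))
    return findings


def password_issues(password, min_length=12):
    """Return the reasons a password is weak; an empty list means it passes."""
    issues = []
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        issues.append("uses fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        issues.append("is a common password")
    return issues


def build_sample_db():
    """In-memory SQLite table mimicking jos_users just after a new Super
    Administrator has been created but before the default one is deleted."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT, "
        "usertype TEXT, block INTEGER)"
    )
    conn.executemany("INSERT INTO jos_users VALUES (?, ?, ?, ?)", [
        (62, "admin", "Super Administrator", 0),    # the install-time default
        (63, "ruth_sa", "Super Administrator", 0),  # the replacement account
        (64, "editor1", "Editor", 0),
    ])
    return conn


if __name__ == "__main__":
    for code, msg in audit_users(build_sample_db()):
        print(code, "-", msg)
    for pw in ("admin123", "Tr0ub4dor&3-Horse"):
        print(pw, "->", password_issues(pw) or "ok")
```

The audit deliberately reports the default account by id as well as by name: renaming `admin` on its own leaves id 62 in place, and the slide's point is to create a fresh Super Administrator and delete the original. The password check is the minimum a hosting account, database user, FTP login or site admin password should clear; treat it as a floor, not a definition of "very strong".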
Must Read
• Security Checklist - http://docs.joomla.org/Security_Checklist_1_-_Getting_Started
• Joomla Security News - http://developer.joomla.org/security/news.html (subscribe at http://developer.joomla.org/security/news.html)
Tools to help
• jSecure – hides your administrator page http://www.joomlaserviceprovider.com/
• LazyBackup 2 – emails a daily mysql dump http://www.lazybackup.net/
• EasySpamKiller – protects your site against attacks from known IP’s http://projects.easy-joomla.org/projects/easyspamkiller.html