Joomla Security

Ruth's Presentation on Joomla! Security

1. Security in Joomla!

Ruth Cheesley, Suffolk Computer Services, [email_address]

2. Security in Joomla

  • What do we mean by security?
  • Why bother?
  • What can I do to keep my sites secure?

4. A balancing act?

5. What is Security?

  • Authorised Access to data & files
  • Prevention of malicious attacks & unauthorised access via
    • SQL/Command Injection
    • Insecure passwords
    • OS vulnerabilities
    • Software vulnerabilities
    • Buffer Overflow
    • ETC!

6. Why Bother?

7. Legal issues

  • Data Protection Act 1998
    • Anyone who processes personal data must comply with its 8 principles, including
      • Data must be kept securely (appropriate technical and organisational measures against unauthorised processing, loss or damage)
  • Heavy penalties for not taking appropriate measures to safeguard the data you hold
  • No test cases for Joomla! sites yet.....

8. Professionalism

  • A compromised site is embarrassing and harmful to an organisation's image
  • The Fear Factor

9. Why target Joomla?

  • Very popular Content Management System
  • Lots of inexperienced users
  • Lots of less-than-ideal security practices server-side

10. How to keep my sites secure?

  • ALWAYS get your installation files direct from Joomla.org
  • Use a reputable hosting provider and make sure all PHP settings show as green in Joomla!'s pre-installation check
  • ALWAYS check the vulnerable extensions list before installing extensions (esp. obscure ones!)
  • ALWAYS keep up to date with patches for Joomla! and for ALL extensions (subscribe to the mailing lists, etc.)

11. Finding a reliable host

  • Consider your requirements
  • Shared v Dedicated Hosting
  • Patching of servers (should be on PHP 5 & MySQL 5 at least)
  • Backup & redundancy
  • Customer support 24/7 is VITAL

12. THOU SHALT BACK UP!

  • Backups made as frequently as your site requires
  • Back up files AND database, and keep the copies OFF SITE
  • ALWAYS back up prior to any upgrade of ANYTHING!
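The following POSIX shell script is an added example (not from Ruth Cheesley's slides) of what the three points above mean in practice: archive the files and the database, verify both archives before trusting them, and copy them off the server. The web root, database name, the MySQL option file (MYSQL_CNF) and the off-site destination (OFFSITE_DEST) are assumptions you set for your own host.

```shell
#!/bin/sh
# Added example, not part of the original slides: back up a Joomla! site's
# files AND database into dated archives, verify them, and push them OFF SITE
# (run it before any upgrade). MYSQL_CNF, OFFSITE_DEST and the paths passed
# on the command line are assumptions for your environment.
set -eu

# Archive the whole web root, configuration.php included: it holds the DB
# credentials and settings you will need when restoring. Prints the archive path.
backup_files() {  # backup_files <webroot> <dest_dir> <stamp>
  archive="$2/files-$3.tar.gz"
  tar -czf "$archive" -C "$(dirname "$1")" "$(basename "$1")"
  printf '%s\n' "$archive"
}

# Dump the database. Credentials come from a mode-600 option file
# ([client] user=... password=...) so the password never appears in `ps`.
# --single-transaction takes a consistent InnoDB snapshot without locking tables.
backup_db() {  # backup_db <dbname> <dest_dir> <stamp>
  dump="$2/db-$3.sql"
  mysqldump --defaults-extra-file="$MYSQL_CNF" --single-transaction "$1" > "$dump"
  gzip -f "$dump"
  printf '%s\n' "$dump.gz"
}

# An unreadable archive is no backup at all: check it before anything is upgraded.
verify_archive() {  # verify_archive <file.tar.gz|file.sql.gz>; non-zero status if unreadable
  case $1 in
    *.tar.gz) tar -tzf "$1" >/dev/null 2>&1 ;;
    *.gz)     gzip -t "$1" 2>/dev/null ;;
    *)        return 1 ;;
  esac
}

# Off site means off this server: rsync over ssh to a separate host is one option.
offsite_copy() {  # offsite_copy <file>
  rsync -a "$1" "$OFFSITE_DEST/"
}

backup_site() {  # backup_site <webroot> <dbname> <dest_dir>
  stamp=$(date +%Y%m%d-%H%M%S)
  files=$(backup_files "$1" "$3" "$stamp")
  dump=$(backup_db "$2" "$3" "$stamp")
  for f in "$files" "$dump"; do
    verify_archive "$f"   # set -e aborts the run here if an archive is bad
    offsite_copy "$f"
  done
}

# Usage: MYSQL_CNF=/root/.my-backup.cnf OFFSITE_DEST=backup@host:/srv/backups \
#        sh backup.sh /var/www/site joomla_db /var/backups
if [ $# -eq 3 ]; then
  backup_site "$@"
fi
```

Restore is a plain `tar -xzf` plus `gunzip -c db-*.sql.gz | mysql <dbname>`; test that at least once on a scratch copy, because a backup that has never been restored is only a hope.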

13. What to do now?

  • Create a new Super Administrator and delete the original one (user id 62)
  • Hide your administrator URL (e.g. with jSecure)
  • Change your default admin username
  • Ensure all system passwords are very strong (hosting account, database user, FTP, site admin)
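Two of the steps above can be checked from the shell on the server. The script below is an added example (not from the slides): it reads the database credentials out of Joomla!'s configuration.php, flags a weak database password, and prints the SQL that shows whether the out-of-the-box Super Administrator (user id 62, username admin) is still present. The password-strength rule (12+ characters, three of four character classes) and the configuration.php path are assumptions; the usual 'var $name' (1.5) and 'public $name' (1.6+) forms of the config file are both handled.

```shell
#!/bin/sh
# Added example, not part of the original slides. Audits a Joomla! site's
# configuration.php for the "strong database password" item and prints the
# SQL to find the default Super Administrator (id 62 / "admin").
# The strength rule below is an assumption, not a Joomla! requirement.
set -eu

# Pull one scalar setting ($name = 'value';) out of configuration.php.
# Matches both "var $name" (Joomla! 1.5) and "public $name" (1.6 and later).
cfg_get() {  # cfg_get <configuration.php> <name>
  sed -E -n "s/^[[:space:]]*(var|public)[[:space:]]+[\$]$2[[:space:]]*=[[:space:]]*'([^']*)';.*/\2/p" "$1" | head -n 1
}

# Crude strength check: at least 12 characters and three of the four classes
# (lower, upper, digit, other). Tighten to taste; it is an assumption.
password_is_strong() {  # password_is_strong <password>
  pw=$1
  [ "${#pw}" -ge 12 ] || return 1
  classes=0
  case $pw in *[a-z]*) classes=$((classes + 1)) ;; esac
  case $pw in *[A-Z]*) classes=$((classes + 1)) ;; esac
  case $pw in *[0-9]*) classes=$((classes + 1)) ;; esac
  case $pw in *[!a-zA-Z0-9]*) classes=$((classes + 1)) ;; esac
  [ "$classes" -ge 3 ]
}

# SQL to locate the default Super Administrator. If it returns a row: create a
# new Super Administrator in the back end, log in as that user, then delete it.
default_admin_sql() {  # default_admin_sql <table_prefix>
  printf "SELECT id, username, email FROM %susers WHERE id = 62 OR username = 'admin';\n" "$1"
}

# Returns 1 if something on this slide still needs doing.
audit_config() {  # audit_config <path/to/configuration.php>
  cfg=$1
  rc=0
  dbuser=$(cfg_get "$cfg" user)
  dbpass=$(cfg_get "$cfg" password)
  prefix=$(cfg_get "$cfg" dbprefix)
  if ! password_is_strong "$dbpass"; then
    echo "WARN: database password for MySQL user '$dbuser' is weak; change it in MySQL and in $cfg"
    rc=1
  fi
  echo "Run against the site database; a returned row means the default admin account still exists:"
  default_admin_sql "$prefix"
  return $rc
}

# Usage: sh joomla-audit.sh /var/www/site/configuration.php
if [ -n "${1:-}" ]; then
  audit_config "$1"
fi
```

The script reads configuration.php directly rather than querying MySQL, so it can run from any shell account with read access to the site; the user table itself is checked with the printed query (via the mysql client or phpMyAdmin), since deleting the old account should be done from the back end only after the replacement Super Administrator is confirmed working.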

14. Must Read

  • Security Checklist - http://docs.joomla.org/Security_Checklist_1_-_Getting_Started
  • Joomla Security News - http://developer.joomla.org/security/news.html (subscribe at http://developer.joomla.org/security/news.html)

15. Tools to help

  • jSecure hides your administrator page - http://www.joomlaserviceprovider.com/
  • LazyBackup 2 emails a daily MySQL dump - http://www.lazybackup.net/
  • EasySpamKiller protects your site against attacks from known IPs - http://projects.easy-joomla.org/projects/easyspamkiller.html