OSE Anti-Hacker Joomla Component User Manual

Open Source Excellence Anti‐Hacker Joomla Component User Manual

�

OSE Anti-Hacker Joomla Component

User Manual�Version: 2.0 Build 211209

Released Date: 21-Dec-2009

Manual Date: 21-Dec-2009

Author: OSE Security Team. [email protected]

Copyright: Reproduction and redistribution of the document is disallowed without the

consent of the author.

Notes:

The OSE Security software series is an Open Source software series developed by Open

Source Excellence Team.

Licence: GPL V2, you can install it into UNLIMITED websites FOREVER! No License

Restrictions! No more IONCUBE!

After you buy the software, you can use it FOREVER (INDEFINITELY)

You can download all upgrades within 1 year.

You can receive our support within 1 year.

1

mailto:[email protected]


Table of Contents 1 Introduction ..................................................................................................................................... 3

1.1 What’s It? ................................................................................................................................ 3

1.2 Contents in the Package .......................................................................................................... 4

1.3 Software Download and Support ............................................................................................ 5

2 Installation....................................................................................................................................... 5

2.1 Upgrade from a Previous Version .......................................................................................... 5

2.2 Fresh Installation .................................................................................................................... 6

3 Configuration .................................................................................................................................. 7

3.1 Basic Parameters .................................................................................................................... 7

3.2 File and System Audit ............................................................................................................. 9

4 Activation and Test ....................................................................................................................... 11

5 Whitelisting Strings and Form Fields ........................................................................................... 13

5.1 How to Whitelist a Program? ............................................................................................... 13

5.2 How to Whitelist a Form Field? ........................................................................................... 15

6 Frequently Asked Questions ......................................................................................................... 16

6.1 Anti-Hacker FAQs: Which way is better to activate the Anti-Hacker? ................................ 16

6.2 Anti-Hacker FAQs: What if having difficulties in Activating Anti-Hacker? ......................... 16

6.3 Anti-Hacker FAQs: How to Whitelist a program? ............................................................... 17

6.4 Anti-Hacker FAQs: How to Whitelist a form field? .............................................................. 17

6.5 Anti-Hacker FAQs: How to customize the blocking message on the ban Page .................... 17

6.6 Anti-Hacker FAQs: How to Update the Signature? ............................................................. 18

6.7 Anti-Hacker FAQs: What if my user account is blocked? .................................................... 19

6.8 Anti-Hacker FAQs: What if my IP is banned? ...................................................................... 20

6.9 Anti-Hacker FAQs: How to set a password to protect a folder with .htaccess? ................... 21

6.10 Anti-Hacker FAQs: How to disable insecure functions for PHP environment? ................... 23

2


1 Introduction

1.1 What’s It?

The Open Source Excellence Anti-Hacker Joomla Component is a Joomla extension

which provides an advanced protection for the Joomla websites, being able to secure you

private data, protect your system files from malicious codes and hacking attacks, and it clean

virus and infected files. It can be installed as a component on your Joomla website or on the

platform of our OSE Virus Scanner.

It’s suitable for all kinds of websites, including online stores, small business, personal

websites, public institutes, etc developed with the Joomla system. It’s easy to use and has

very friendly interface for you to customize for your own demands. The application is

competent to perform an advanced protection for your Joomla system. Further, it can also

protect ALL OTHER PHP systems (for instance Joomla, VirtueMart, Magento, Drupal and

WordPress, etc) on the same server.

The major technical features include:

Double Firewall system providing Three Layers of protection:

Layer 1: Signature-based Detection System - detecting most common hacking behaviours.

a) Surface Scanning, once hacking behaviour is found, the activity and corresponding IP will

be banned immediately.

Layer 2: Pattern-based Instruction Detection Systems - blocking all inbound malicious codes

and hacking activities, including network-, application-, and operating system-level attacks.

b) Scans and monitors all URL, Form Fields, Cookies values.

c) If hacking is found and the Risk Score exceed the secure level, the IP will be banned

immediately.

d) If Suspicious Hacking behaviour is found for Form Fields and Cookies hacking, the

hacking strings in the Form / Cookies value will be stripped and sanitized.

Layer 3: HTTP BlackList System - dynamically linking to a HTTP blacklist database and

blocking access based on network masks or IP addresses.

3


e) Scans users' IPs, once the IP address is located in the HTTP blacklist, the access will be

blocked immediately.

Two Types of reactions:

a) Ban + Email Alert: If the hacking triggers Layer 1 protection or exceed the Risk Score in

Layer 2 protection, the IP will be blocked, and the alert email will be sent to the administrator.

b) Log + Email Alert: If the Risk Score of the suspicious behaviour is lower than the global

setting, the IP will be blocked for monitoring purpose, and the alert email will be sent to the

administrator.

Embedded OSE Virus Scanner application providing on-demand scanning of your source

codes for malicious codes injections, cleaning of the malicious codes from the infected

files, and generating complete scanning reports.

Form Field Filtering Enabled - allowing users to filter the content of the form fields in

order to prevent XSS attacks.

Whitelist Setting Enabled – Unlike other security software which only provides IP

whitelist function, OSE PHP Anti-Hacker also provides the whitelist function for your

programs and form fields, so that it gives you the flexibility to user a wide range of

software while maintaining a high level of protections.

Supports for Search Engine Optimized Websites – providing protection while

maintaining your page ranking.

Instant emails alerts to administrators once suspicious hacking behavior is logged.

1.2 Contents in the Package

The package includes the following components and files:

Anti-Hacker component – managing blacklist and whitelist IPs, whitelist strings and form

fields list.

OSE Update Manager – A component which helps you update the latest signature for the

Anti-Hacker. It does not only work with the Anti-Hacker, but it also supports the update

for all OSE series products.

System Guard – A set of tools to help you change your system setting. It also includes a

file audit system to audit files in the system of the OSE Anti-Hacker Joomla Component

platform.

Anti-Hacker Signiture.

4


1.3 Software Download and Support

Please find the OSE Anti-Hacker Joomla Component on our OSE

website: http://www.opensource-

excellence.co.uk/index.php?page=shop.product_details&flypage=flypage_new.tpl&product_i

d=9&category_id=6&option=com_virtuemart&Itemid=157.

After you purchase the product, you can check and download the latest upgrade on our

OSE website in your “Download Area” after login at: http://www.opensource-

excellence.co.uk/index.php?option=com_osemsc&view=member&Itemid=145.

If you have questions regarding installation, configuration, or usage, please go to our

ticket system to raise a question: http://www.opensource-excellence.co.uk/tickets.

2 Installation

If you have a previous version of the OSE Anti-Hacker Joomla Component installed and

you intend to upgrade it to the latest version, please only read section 2.1 and then use the

Anti-Hacker Joomla Component as before. If you are a new user and going to make a fresh

installation, please read all the contents from section 2.2.

2.1 Upgrade from a Previous Version

1. Uninstalling previous components and plug-ins from the backend

Login to your Joomla website Back-end, and uninstall the Anti-Hacker component.

2. Installing new components and plug-ins

Go to the Joomla website Back-end, and install the new version of the Anti-Hacker. You

might get more details about the installation in Section 2.2 if the latest release is changed a bit

from previous versions.

3. Testing

After finishing all above, please test if the update is successful by entering the following

link: www.yoursite.com/index.php?%20union.

5

http://www.opensource-excellence.co.uk/index.php?page=shop.product_details&flypage=flypage_new.tpl&product_id=9&category_id=6&option=com_virtuemart&Itemid=157



http://www.opensource-excellence.co.uk/index.php?option=com_osemsc&view=member&Itemid=145

http://www.opensource-excellence.co.uk/index.php?option=com_osemsc&view=member&Itemid=145

http://www.opensource-excellence.co.uk/tickets

http://www.yoursite.com/index.php?%20union


2.2 Fresh Installation

For Installing the Joomla Component Version of the Open Source PHP Anti-Hacker, what

you need to do are the following two steps:

Note:

If you have installed Redirect Failed Login

(http://extensions.joomla.org/extensions/6495/details)

AND/OR

If you have installed jSecure Authentication

(http://extensions.joomla.org/extensions/5809/details)

Please uninstall these plugins before you install the Anti-Hacker plugin.

Let's start now:

1. Install the component "com_anti_hackerX_build (X may vary for different versions)",

“OSE Updater Manager” and “System Guard”, separately.

Notes:

com_anti_hacker manages the Blacklist and Whitelist IPs, Whitelist Strings, and Form

Fields that required to be filtered.

Please ensure the proper folders are writable before the installation. The folder is

“Joomla Root/administrator/”.

2. After installing all the three components listed above, please update the latest signature via

the OSE Update Manager.

6


Select the “Signature” file in the package to install under the Update Manager Panel. After

installing it, you will find it in the installation list under the operation section at the bottom of

the screen. Click “install”.

Then tick the Signature to install. That’s it.

After installing the Anti-Hacker, please read the following Section Configuration.

3 Configuration

After installation, you need properly configure the OSE Anti-Hacker Joomla Component

before activating it to work.

3.1 Basic Parameters

Go to the component and the plug-in manager to configure the Anti-Hacker function

before the first time use.

1. Configuring Security Level of the Anti-hacker.

7


The Anti-Hacker Component introduces a 3-Layer protection system and a risk score policy.

A. Layer 1 Protection

The Layer 1 protection is on by default and any activity violating the Layer 1 rules will

be 100% blocked.

B. Layer 2 Protection

Under the Layer 2 protection, all violations will be scored from 1 to 100 according the

potential harm level, based on which the Anti-hacker decides whether block them. The

violation with a higher risk score is more likely to be a real hacking attack and that with a

very low risk score has a high possibility to be a FALSE POSITIVE.

The Anti-Hacker function sets layer 2 protection off by default and it allows you to

switch it on and configure the appropriate security level which is suitable to your websites by

doing the following:

Please access the "Dash Board" of Anti-Hacker component (by going to the Joomla

Backend --> Components --> Anti-Hacker), open the Parameters on your top right corner,

adjust the Security Level.

The security level of Layer 2 protection is optional from Level 1 to Level 10. A higher

security level indicates a stricter protection level. For Level n, the software will block all

violations with risk scores above (100-10*n). For instance, if you set the security level as 8, it

will block violations with scores larger than 20 and those under 20 will be only logged and

altered by emails, but won't be blocked. Your websites can get a full protection by setting the

security level to Level 10, at which all suspicions blocked.

8


We recommend you to set the Lay 2 protection to Level 7, which can protect your

websites very well and at the same time reduces the possibility of FALSE POSITIVE to a

quite low level. However, you can set the security level to any value to match your needs.

You may inspect the alert list over a period and find out the optimal level for your websites.

C. Layer 3 Protection

As shown in the above picture, you can configure the Lay 3 (HTTP BL) protection via

the same "Parameter" button. You can opt to turn on the Layer 3 protection by ticking "Yes"

and go to http://www.projecthoneypot.org/create_account.php to apply a HTTP: black list

key.

2. Next, we need to know how to whitelist a program and whitelist a form field, and then

whitelist proper strings and form fields to make the Anti-Hacker compatible with your

websites. This is one important feature of our Anti-Hacker, which allows you to have the

flexibility to use the Anti-Hacker function on any PHP platform. Please read section 5

Whitelisting programs and form fields on the following topics:

a) How to Whitelist a Program?

b) How to Whitelist a Form Field?

3.2 File and System Audit

This section introduces how to do the file and system audit using the System Guard

provided with the Anti-Hacker Joomla Component. This includes:

Files permissions audit;

System Configuration audit:

• Ensuring you are using a non-default administrator username,

• Set passwords to protect your administrator folder,

• Ensuring the configuration.php file is not writable.

In order to achieve this, we borrow functions from a popular Joomla component -

GuardXT (this can be downloaded for free from: http://www.joomlaxt.com/).

Step 1. Audit your files permissions

The System Guard (a modified version of GuardXT) has been installed, and the files of

the Joomla system have been audited by default. However, ALL of your other websites if

9

http://www.projecthoneypot.org/create_account.php


based on a Joomla system are RECOMMENDED to INSTALL this tool to audit your files as

well.

Step 2. System Configuration Audit

After completing the file permissions checks, we can go to Joomla Component

“System Guard” to load it and now we need to do the following steps:

Step 2.1: Ensuring you are using a non-default administrator username

Change the default administrator's username if the super administrator's user name

"admin" is still being used by clicking the Change Now link in System Guard in the Default

admin user active row.

Step 2.2: Set a password to protect the administrator

You can follow the instruction in FAQs to setup a password, Anti-Hacker FAQs: How

do I set a new password to protect a folder with .htaccess?

Or go to your WEB HOSTING account control panel, check with your web hosting

company to see how you can SET A PASSWORD TO PROTECGT A DIRECTORY, then

set a password to protect the whole Joomla Administrator folder. For example, if your Joomla

is installed in the folder called "home/XXXX/htdocs/JoomlaWebsite", please set a password

to protect this folder.

Step 2.3: Change the permission of the configuration file

Simply click the "Change Now" in the "Joomla Server Configuration Check" Section in

System Guard, and it will help you to change the permission of the configuration.php to be

un-writable.

Please note: If you use the recommended php.ini in System Guard, please note one thing

that you may not be able to install further plug-ins if you enable the "open_basedir" in php.ini.

If you would like to install further plug-ins, please temporarily remove that line in the php.ini,

and once you finish installing new plug-ins, add that line back to the php.ini.

We also recommend you to disable insecure functions for PHP environment. Please view

how to do it in the FAQs: How to disable insecure functions for PHP environment?

10


4 Activation and Test

There are three methods to activate the Anti-Hacker function. Before you perform one of

the activation methods, please notice: replace "/absolute_path_to_antihacker/" with the

absolute path of the Anti-Hacker Joomla Component in the following text of this section. The

path should be the admin folder under the root folder of your Joomla website, e.g.

"/public_html/JoomlaWebsite/administrator/".

Please go to Components --> System Guard --> Version Checks, it lists the lines for you

to add to activate the Anti-Hacker. You can directly add the codes to the corresponding file to

activate the Anti-Hacker.

Please use one of the following methods and we would suggest you to choose to use php.ini

or .htaccess to activate the anti-hacker in order to have a server-wide protection.

A. Via the php.ini file

Activate the Anti-Hacker through php.ini: you can add the following line to the php.ini

file, and copy the php.ini file to the folder or system that you would like to protect:

auto_prepend_file=/absolute_path_to_antihacker/administrator/scan.php

B. Via the .htaccess file

If you are using Apache 1 and you want to use .htaccess to run anti-hacker, you can add

the following line to the .htaccess file, and copy the .htaccess file to the folder or system that

you would like to protect:

php_value auto_prepend_file "/absolute_path_to_antihacker/administrator/scan.php"

If you could not activate it through the above methods (even after reading the FAQs,

Anti-Hacker FAQs: What if having difficulties in Activating Anti-Hacker?), please consult

your hosting company with regard to how to enable the auto_prepend function to activate it

through .htaccess or php.ini, because this will maximize the protection on your websites.

11


While you are waiting for the hosting company to sort out the above problem, you can

use the following method to activate the anti hacker temporarily:

C. Via the index.php file

In the Root folder of the system that you would like to protect, open the index.php, enter the

following code in the first line:

<?php require_once("absolute_path_to_antihacker/administrator/scan.php");

After doing one of these activations, we can go to test the Anti-Hacker function. You can

test it using the url:

www.yoursite.com/index.php?%20union

Then you will be blocked. The screenshot of what your clients will see is as below. You

can customize the blocking message by the "Custom BanPage" function of the Anti-Hacker.

However, when you successfully login to the backend, sometimes you will find that

there is no IP being locked! Why???

That is because our plug-in may change the IP status from "hacking IP" to "suspicious

IP" if you can successfully enter into the back end. Then when you successfully enter the

Administrator login information, your IP would be removed from the blacklist automatically.

Therefore, in that case, you cannot find any blacklist IPs in the backend.

If you would like to know the changes of the IP status, you can log into the phpmyadmin

and see how it changes, and also after you login to the backend successfully.

If the Anti-Hacker doesn't return the expected result meaning the activation is not

successful, please real the FAQs, Anti-Hacker FAQs: What if having difficulties in

Activating Anti-Hacker?

12


5 Whitelisting Strings and Form Fields

Since the OSE Anti-Hacker Joomla Component is only set to allow some basic Joomla

components and programs by default, it only has a basic list of whitelist programs. You may

need to define more to make it compatible with your specific systems, websites, and

programs. This section introduces how to add more allowed-to-access strings and form fields.

5.1 How to Whitelist a Program?

Although we have a long list of backlist strings in the signature data file, sometimes it

would be possible for the anti-hacker to report false positives. So what shall we do? Here is

the instruction to help you add a program to the whitelist.

WHITELISTING Request Fields and Cookies

We bring in a stronger protection which blocks all Request values and cookies between

your browser and the Anti-Hacker.

Example 1

When you encounter false positives like the following:

REQUEST.RokMiniNews={\"0\":{\"active\":5,\"element\":\"section-5\"},\"1\"}

where the violation is

Rule:

[(?:([ws]+([ws]+)[ws]+))|(?:(?<!(?:mozilla/d.ds))([^)[]+[[^]]+][^)]*))|(?:[^s!][{([][^({[]+[{([][^}])]+[}])][

s+",d]*[}])])|(?:")?]W*[)|(?:=s*[^s:;]+s*[{([][^}])]+[}])];)] [Detects self-executing JavaScript functions].

If you believe this is a FALSE POSITIVE (false alarm), please add the following strings

in the Whitelist Strings ONE BY ONE (generally the string before the “=” mark):

REQUEST.RokMiniNews

GET.RokMiniNews

POST.RokMiniNews

COOKIE.RokMiniNews

This will help you whitelist this program, so that the Anti-Hacker scanner will ignore

these strings in the future.

Example 2

13


For example, if you use sermon manager software, you might receive the following

errors:

Query String: option=com_sermon&task=playaudiofile&file=http://s3.aaa.com/v_81_20090315%20-%20hp

co .mp3&sermonid=67

Violation: Injection - [file=]

Anti-Hacker reports that this IP tries to hack your site using the "file=" command.

However, you are sure that this is an error. Now you can add the following link to the

Whitelist Strings in the Anti-Hakcer by clicking "New" button on the Anti-Hacker -> White

List String menu:

task=playaudiofile

playaudiofile

After this, the anti-hacker will recognize the string as a whitelist string and will not

report the error to you any longer.

Example 3

For Virtuemart users, this is the Whitelis. Please enter each line to the White List String

ONE BY ONE. For example, you should create a new whitelist string, enter

"pshop_mode=admin" into the form and save. Then Create a new whitelist string

14


"/themes/default" and save, then move to the next one. After you finish adding the following

whitelist strings, you should have 5 new whitelist strings in the White List String list.

pshop_mode=admin

/themes/default

filename=resized

wz_tooltip.js

product_attributes.js

5.2 How to Whitelist a Form Field?

In order to maximize the protection, the Anti-Hacker will scan and filter content of all

form fields for suspicious hacking behaviours. Therefore, if you would like to NOT scan or

filter some form fields, you need to add the corresponding name of the form field in the

White List Form Fields list.

You may simply need to add the name of the form field into the Whitelist Form Field

List in order to ignore scanning the content of this form field. For example, the name of the

filed text in the contact form is called "text", and then you could add "text" in one form field

as follows:

Then save the record, the anti-hacker will NOT filter the content of this form field to see

whether that there is suspicious hacking behaviour. Please note that when sometimes the

scanner reports FALSE POSITIVES alerts, this function allows you to have more flexibility

in Anti-hacker filter rules to fit your Joomla system.

15


6 Frequently Asked Questions

6.1 Anti-Hacker FAQs: Which way is better to activate the Anti-Hacker?

There are three ways that you can activate the Anti-Hacker: 1. Index.php; 2. .htaccess;

and 3. php.ini. Which one is better?

We recommend php.ini and .htaccess, because this will protect all PHP programs on

your website. There are usually two modes for a server that runs PHP programs, a) fast-cig

and b) as an Apache module.

For websites running PHP as the apache module, you can use .htaccess to activate the

Anti-Hacker. However, sometimes your hosting company runs it as the fast-cgi mode, and

then if you activate it as .htaccess, you will find the 500 Internal Server Error. In this case,

you have to use the php.ini to activate the anti-hacker.

One more situation is that, your hosting company is running both php4 and php5 in fast-

cgi mode, and in this case, usually you will need to use php5.ini to activate the anti-hacker.

These are all related to how the hosting company setup their server and PHP programs,

and we try to provide both methods to all our clients in order to help you activate it. Read

more in Section 6.2 if you have trouble in activating the Anti-Hacker.

6.2 Anti-Hacker FAQs: What if having difficulties in Activating Anti-Hacker?

If you have trouble in activating the Anti-Hacker using all the ways, please try the

follows.

1. Check the PHP version of your hosting account. The Anti-Hacker is only supported by

PHP5. So please make sure your system is running PHP5.

2. Check if the Anti-Hacker Function program is working by directly opening the url

yourwebsite/administrator/scan.php?%20union (please change yourwensite to the proper

installation path). If you get the blocking message, which means the installation is proper and

the program is running, and the problem is only related to activation.

3. Create a php5.ini file under the root folder, and please add the following codes in:

;;;;;;;;;;;;;;;;;;;;;;; ; PREPEND ANTI HACKER ; ;;;;;;;;;;;;;;;;;;;;;;; register_globals = off

16


safe_mode = off allow_url_fopen = off display_errors = off; disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source; ;; The following needs to be changed according to the server setting (please check the System Guard to achieve them); open_basedir = yoursite/public_html:yoursite/public_html/tmp:yoursite/public_html/logs:/tmp auto_prepend_file = yoursite/public_html/administrator/scan.php ;;;;;;;;;;;;;;;;;;;;;;;

4. Also copy a php5.ini file to the administrator folder, and only change the line

"auto_preappend_file=******/scan.php" to " "auto_preappend_file=" (so that there is no

files pre appending in all php files in the administrator folder).

5. If the above way doesn't work, try the other two ways, .htaccess and index.php as in

Section 4, again.

6. If the Anti-Hacker still cannot be activated, please confirm to your hosting service that the

auto_preappend function is enabled.

7. Please contact use via our support desk if the problem persists with trying all the ways.

6.3 Anti-Hacker FAQs: How to Whitelist a program?

Please read Section 5.1.

6.4 Anti-Hacker FAQs: How to Whitelist a form field?

Please read Section 5.2.

6.5 Anti-Hacker FAQs: How to customize the blocking message on the ban Page

You are allowed to customize the blocking message on the Ban Page which your clients

will see when they are suspected to make suspicious activities. You can edit the message via

the "Custom BanPage" button in the main menu of Anti-Hacker.

17


6.6 Anti-Hacker FAQs: How to Update the Signature?

The signature can be updated via our UpdateMan component. Please go to our website

My Downloads Menu to download the latest signature file.

First, install the UpdateMan component in the SignatureUpdate Package/Update

Manager package at Extensions Install/Uninstall. Then go to the UpdateManager

component at Components/OSE UPMan. Upload the Signature file in the package.

After this, you can find the signature package will be listed out at the bottom of the page.

Select it to install and follow the screen tips to finish the update.

Finally, you can go to System Guard to check the current Signature version of the system.

18


6.7 Anti-Hacker FAQs: What if my user account is blocked?

If you or someone try to login with your admin account with more than the number of

attempts that you set in the Open Source Excellence Authentication plugin, your admin

account will be blocked. You will see the following screen the first time of the failed login

(assuming that you set the maximum attempts to be 3):

When you have tried more than 3 times, your account will be blocked and you will see

the following:

If you would like to unlock your account, you need to go to your database management

tool, for example, phpmyadmin, to unlock your account. Go to the jos_users table, and

change the value of "block" of that account FROM 1 TO 0 as presented in the following

screenshot:

19


6.8 Anti-Hacker FAQs: What if my IP is banned?

If you are an administrator of the website, but you are banned, what should you do?

1. Temporarily remove the following lines in the corresponding files depending on which

way you used to activate the Anti-Hacker function:

A) require_once ('/absolute_path_to_antihacker/scan.php'); from the index.php

B) auto_prepend_file=/absolute_path_to_antihacker/scan.php from php.ini

C) php_value auto_prepend_file "/absolute_path_to_antihacker/scan.php" from .htaccess

20


Then login the Joomla back-end to remove your IP from the blacklist of Anti-Hacker or

whitelist it.

OR

2. If you have PHPMyadmin or any database management tools, you can find the table

"jos_anti_hacker_iptable", and remove your IP from the table. That will help you gain the

access back to the backend.

6.9 Anti-Hacker FAQs: How to set a password to protect a folder with .htaccess?

You could easily create it using the System guard.

Please go to System Guard (originally the GuardXT component), and click the Start

wizard in the Joomla Server Configuration Check Section:

21


In the wizard, please enter the username, password, and the path you would like to store

your .htpasswd file. For instance, you may set them as follows:

username: testinguser password: testinguser

path to store .htpasswd: /home/youraccount/.htpasswd/admin/

22


After you click the Create button, you will see the following page. Please note that after

clicking the Create button, the password has been create, therefore, you don't need to copy

codes to .htaccess and .htpasswd files (shown under "Your Password has been created").

The password will be created and you will be asking for the user name or password you

just setup.

6.10 Anti-Hacker FAQs: How to disable insecure functions for PHP environment?

In order to enhance the security of your Joomla website, we recommend you to disable

some insecure functions for the PHP environment.

Please disable these functions using any of below methods by adding the following

codes into the corresponding file.

In the .htaccess:

php_value disable_functions"exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Or in the php.ini:

disable_functions="exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source"

23


24

Thank You!

Hope You Enjoy the Software.

Documents

OSE Anti-Hacker Joomla Component User Manual