Joomla! Security 101

version 6.0

Mission: ImpossibleTalking in-depth about Joomla! security in 30 minutes or less... but I’ll try!

Put your pens awaySit back and enjoy

Updated server softwarePHP, MySQL, Apache, FTP Server...

Permissions & ownershipWho can do what and where

Sane ownership & permissions

All files and folders owned by the FTP user

Use Joomla!’s FTP mode on shared hosts

Folders 0755 permissions • Files 0644 permissions

If you “must” use 0777 (don’t!), protect with .htaccessorder deny, allowdeny from allallow from none

Better yet, use suPHP or FastCGI

Too much to remember?

Akeeba Backup User’s Guide, Security Informationhttps://www.akeebabackup.com/documentation/akeeba-backup-documentation/security-info.html

777: The number of the beasthttp://www.dionysopoulos.me/blog/777-the-number-of-the-beast

Update, yesterdayJoomla! & extensions

Think before installingDon’t be the mouse in the trap!

Length matters

Your Password’s length matters

A terrifying thoughtPassword hacking super-computer: 2,700 USD(back in 2010; much cheaper now)

How safe is your password?

Password Bits Iterations Time to crack15082005

admin

ortrtaortftaaidbt

0rtrTA0rtfTa&idbT

horse correct battery stapler

13,6 12416 0.00038 msec

15,9 61147 0.00185 msec

67,7 2,39e+20 228.95 years

88,2 3,55e+26 340 million years

107,2 1,86e+32 178179 billion years

Derive from a sentence

Derive from a sentence

thequickbrownfoxjumpedoverthelazydog

Derive from a sentence

thequickbrownfoxjumpedoverthelazydog

tqbfjotld

Derive from a sentence

thequickbrownfoxjumpedoverthelazydog

tqbfjotld

tqbFjotlD

Derive from a sentence

thequickbrownfoxjumpedoverthelazydog

tqbfjotld

tqbFjotlD

+qbFjo+lD

Derive from a sentence

thequickbrownfoxjumpedoverthelazydog

tqbfjotld

tqbFjotlD

+qbFjo+lD

+qbFj0+1D

Derive from a sentence

+qbFj0+1D

Still unsure? Write it downAnd keep it ON YOUR PERSON!

+qbFj0+1D

Use a password managerAnd keep it on your person (mobile device)

Lock it downNothing on my site runs unless I say so

.htaccess Rules

My Master .htaccess - FREEhttp://akeeba.assembla.com/code/master-htaccess/git/nodes/htaccess.txt

Admin Tools Professionalhttps://www.akeebabackup.com/products/46-software/855-admintools.html

Armor upProtect your site

BackupsFrequent, automated, off-site backups

Use myJoomla.comDead easy site auditing – and fixing!

In spite of it all…

Dammit!You got hacked, now what?

DON’TPANIC

We’ve got instructions

Unhacking your sitehttps://www.akeebabackup.com/documentation/walkthroughs/item/1124-unhacking-your-site.html

You do have backups, right?

You did use myJoomla.com, right?

Make sure you read the instructions before getting hacked.

Questions?

Download this presentationhttp://akeeba.info/asjd13bih

Thank you for listening!Image credits for copyrighted images: sxc.hu; istockphoto.comCoprights of the logos and screenshots of software displayed in this presentaiton is owned by their respective companies