CMS Security
Ruth Cheesley - @RCheesley
Good afternoon, and thank you for inviting me to speak at CMS Africa
- Joomla! Community Leadership Team for just over a year; User Group team, Marketing Working Group
- Experiences within Open Source communities, particularly around the topic of getting more women involved in technology
- Passionate about promoting Science, Tech, Eng, Maths as an exciting and interesting career choice for women
Laying the foundations
Security starts before you even get to installing the CMS, it starts when you select a hosting provider
- Hosting
  - Experience with CMSs
  - Linux based (personal preference)
  - Security practices
- Trust
  - Working with contractors
  - Extensions (refer to Joomla docs / JCM for more detail)
- Resources: resources.joomla.org
Understand permissions
It's important to understand how file & folder permissions work. Use the best practices for your CMS, don't compromise on this because your hosting environment isn't set up properly.
Owner (owns the file)
Group (a set of users)
World (the world, the universe, and everything)
Understand permissions
Read (r): can view the file. chmod +r / -r. Numerical value = 4
Write (w): can make changes to or modify the file. chmod +w / -w. Numerical value = 2
Execute (x): can run the file (generally applicable at the command line). chmod +x / -x. Numerical value = 1
NOTE: a folder cannot be listed, and the files within it can't be accessed, if the folder does not have execute permission.
Understand permissions
Owner                           Group                    World
7 (Read + Write + Execute) rwx  5 (Read + Execute) r-x   5 (Read + Execute) r-x   (755)
6 (Read + Write) rw-            4 (Read) r--             4 (Read) r--             (644)
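A worked example of the slide's permission model, added here and not part of the original talk: it renders the 4/2/1 weights as rwx text and audits a constructed sample web root (hypothetical Joomla-style file names created in a temporary directory) for world-writable entries, folders without execute, and anything that departs from the 755-for-folders / 644-for-files convention assumed from the table above.

```python
import os
import stat
import tempfile

# Convention assumed here, from the slide's table: folders 755, files 644.
EXPECTED_DIR = 0o755   # 7 (rwx) owner, 5 (r-x) group, 5 (r-x) world
EXPECTED_FILE = 0o644  # 6 (rw-) owner, 4 (r--) group, 4 (r--) world


def symbolic(mode: int) -> str:
    """Render the nine permission bits as rwxr-xr-x text (weights 4/2/1 per triplet)."""
    return "".join(ch if mode & (1 << (8 - i)) else "-" for i, ch in enumerate("rwxrwxrwx"))


def octal_from_symbolic(text: str) -> int:
    """Reverse of symbolic(): 'rw-r--r--' -> 0o644."""
    return sum(1 << (8 - i) for i, ch in enumerate(text) if ch != "-")


def audit(root: str) -> dict:
    """Map each offending path (relative to root) to a short description of the problem."""
    problems = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            mode, is_dir = stat.S_IMODE(st.st_mode), stat.S_ISDIR(st.st_mode)
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:  # any local user can modify it
                problems[rel] = "world-writable (%s)" % symbolic(mode)
            elif is_dir and not mode & 0o111:  # the slide's NOTE: no execute, cannot be listed
                problems[rel] = "folder without execute, cannot be listed (%s)" % symbolic(mode)
            elif mode != (EXPECTED_DIR if is_dir else EXPECTED_FILE):
                problems[rel] = "%s differs from convention" % symbolic(mode)
    return problems


def run_demo() -> dict:
    """Build a constructed sample web root (hypothetical Joomla-style names) and audit it."""
    layout = {"images": (True, 0o755), "cache": (True, 0o777), "logs": (True, 0o644),
              "index.php": (False, 0o644), "configuration.php": (False, 0o666)}
    with tempfile.TemporaryDirectory() as root:
        for name, (is_dir, mode) in layout.items():
            path = os.path.join(root, name)
            os.mkdir(path) if is_dir else open(path, "w").close()
            os.chmod(path, mode)
        found = audit(root)
        os.chmod(os.path.join(root, "logs"), 0o755)  # restore so cleanup can remove it
    return found


if __name__ == "__main__":
    for path, problem in sorted(run_demo().items()):
        print("%-20s %s" % (path, problem))
```

Point audit() at a real web root to get the same report for a live install; it only reads permission bits and never changes them.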
Joomla! permissions
Your weakest link
- Passwords
- Updates
- Vulnerable extensions
- Viruses/compromise
Keep up to date
It's your job to stay up to date with security updates
Make sure that you sign up for updates from extensions and template providers
Keep up to date with CMS core updates, apply them.
This is your responsibility as web developer. If you use a CMS, you take the responsibility for keeping it secure.
Sell ethically to your clients
Sell the CMS with the understanding that clients need to update.
Opportunity: sell them training.
Opportunity: sell a support contract.
Be clear. Be responsible. If they aren't willing to do updates themselves, or to pay you to do it, walk away.
Modern security practices
Keep up to date with new developments
- MD5
- Salting
- bcrypt
Things are changing all the time; you have to keep up with these changes by keeping your CMS up to date (and/or by getting involved in the open source projects that bring these new features to your CMS).
Implement 2 Factor Authentication
How many people have 2 factor authentication enabled?
Use YubiKeys or a mobile phone app (Google Authenticator).
Easy to implement, easy to explain: something you know (a password) and something you have (a unique one-time password).
Web application firewalls
Problems with spam?
Admin Tools for Joomla
Project Honeypot
Stop Forum Spam
Black/whitelist
Look out for malicious activity and block it before it gets to your site
Hide admin panel
Test your backups
Plan for disaster
Sooner or later, even with the best security, a disaster will happen.
The client deletes the site, the server gets compromised, or the site gets compromised.
To find more information
magazine.joomla.org
docs.joomla.org
Ruth Cheesley - @RCheesley