Difference between revisions of "Joomla Administrators Security Checklist"

This Article Needs Your Help

This article is tagged because it NEEDS REVIEW. You can help the Joomla! Documentation Wiki by contributing to it.
More pages that need help similar to this one are here. NOTE-If you feel the need is satistified, please remove this notice.

Read Me First![edit]

There's no free lunch![edit]

Don't be fooled by Joomla's award-winning ease of use. Maintaining a secure, dynamic Web site on the open Internet is not easy. Adequate security requires constant watchfulness and effort.

There's no one right way![edit]

Due to the variety and complexity of modern web systems, security issues can't be resolved with simple, one-size-fits-all solutions. You, or someone you trust, must learn enough about your server infrastructure to make valid security decisions.

There's no substitute for experience![edit]

To secure your web site, you must gain real experience (some of which will be bitter), or get experienced help from others.

Rise above the herd[edit]

The Security Forums are filled with "Help! I've been hacked" posts by people who did NOT follow standard security practices (this author included). If you decided to study documents such as this before your site is attacked, congratulation, you're already above the herd.

It's not as hard as it looks.[edit]

The following checklist may seem intimidating, but you don't have to deal with all of it at once. As you become familiar with GNU/Linux, Apache, MySQL, SQL, PHP, HTTP, CSS, XML, RSS, TCP/IP, FTP, Subversion, Javascript, and Joomla!, you'll add refinements to your combination of security tactics. Security is a moving target, so today's expert might be tomorrow's victim. Welcome to the game...

Getting Started[edit]

Are you are ready?[edit]

Can you administer a dynamic, 24x7, world-accessible, database-driven, interactive, user-authenticated web server? Do you have the time and resources to respond to the flow of emerging Internet security issues? ere is a tragic/comic list of the most common administrator security errors. Don't learn these the hard way! Depending on your recent experience, reading this will either make you laugh or cry.

Stay informed of security issues.[edit]

Given the complexity of web servers, new vulnerabilities and conflicts are discovered all the time. To stay in the loop, subscribe to Joomla Security Related Announcements. Select the "Notify" button.

Check the FAQs.[edit]

The most helpful posts in the Joomla! Security Forum are converted into Security and Performance FAQs. Many of the items on this list are explained in much greater detail in the FAQs.

Learn from the pros.[edit]

Hunt down the many nuggets of wisdom found in the Joomla! Forums.

Choose a Qualified Hosting Provider[edit]

The most important decision[edit]

Probably no decision is more critical to site security than the choice of hosts and servers. However, due to the wide variety of hosting options and configurations, it's not possible to provide a complete list for all situations.

Shared server risks[edit]

If you are on a tight budget and your site does not process highly confidential data, you can probably get by with a shared server, but you must understand the risks.

Avoid sloppy configurations[edit]

For a real eye-opener, read this report on thousands of sites that allowed Google to index the results of phpinfo(). Don't make this mistake on your site! The report includes alarming statistics on the percentage of site that use depreciated settings such as register_globals ON or that don't have open_basedir set at all: By the way, if phpini and register_globals are unfamiliar terms, you are probably not ready to securely manage your own site.

Recommended hosts[edit]

Check this unbiased list of recommended hosts.

Setup a Testing and Development Environment[edit]

Develop locally, deploy globally[edit]

Develop and test your site on a local machine first. Installing Joomla locally is not as hard as it may sound, and the exercise will greatly boost your confidence.

Use an IDE[edit]

Consider using an Integrated Development Environment (IDE).

Use a versioning system[edit]

Be able to roll back to an earlier version of your site using a modern version control system, such as CVS or Subversion.

More suggested tools[edit]

Check out the Joomla! community's list of popular Developer Software and Tools.

Installing, Upgrading, and Configuring Joomla! Core and Apache Server[edit]

1. Always upgrade to the latest stable version of Joomla!.
2. Before you upgrading to a new version of Joomla, search the forums for reports of incompatible extensions.
3. Download Joomla! from official sites only, such as JoomlaCode.org, and check the MD5 hash.
4. Use Joomla Diagnostics to ensure that all files were installed correctly.
5. Delete leftover files. The installation process will require you to delete the installation directory and all its contents. Do this; do not simply rename it. If you upload files to your site as compressed archives (xxxx.zip for example), don't forget to remove the compressed file. In general, do not leave any unneeded files (compressed or otherwise) on a public server.
6. Increase the security of the all-critical file, configuration.php, by moving it outside of the public_html directory.
7. Change the user name of the default admin user. This simple step greatly increases the security of this critical account by modifying one of the two variables attackers can use to gain admin access. The admin password is the other variable. Change it early and often.
8. Block typical exploit attempts with .htaccess files. This option is not enabled on all servers. Check with your host if you run into problems.
9. Password protect sensitive directories, such as administrator, with .htaccess files.
10. Restrict access to sensitive directories by IP Address, using .htaccess.
11. Depending on your host, you may be able to increase security by switching from PHP4 to PHP5.
12. Follow the "Least Privilege" principle for running PHP using tools such as PHPsuExec, php_suexec or suPHP. (Note: These are advanced methods that usually require agreement and coordination with your hosting provider. Such options are enabled or disabled on a server-wide bases, and are not individually adjustable on shared servers.)
13. Configure Apache mod_security and mod_rewrite filters to block PHP attacks. (Note: These are advanced methods that usually require agreement and coordination with your hosting provider. Such options are enabled or disabled on a server-wide bases, and are not individually adjustable on shared servers.)
    • Google search for mod_security
    • Google search for mod_rewrite
14. Be sure MySQL accounts are set with limited access. The initial install of MySQL is insecure and careful configuration is required. (Note: This item should apply only to those administering their own servers, such as dedicated servers. Users of shared servers are dependent on their hosting provider to set proper database security.)
    • MySQL Manuals
15. Currently, both PHP4 and PHP5 are maintained. Before PHP4 becomes obsolite, upgrade your custom scripts to PHP5. By the way, don't worry about core Joomla code It's already PHP5 compatible.
    • PHP News
16. Avoid the use of PHP safe_mode.
17. Turn Joomla! Register Globals Emulation OFF.
18. Ensure that all configurable paths to writable or uploadable directories (document repositories, image galleries, caches) are outside of public_html. Check third party extensions such as DOCMan and Gallery2 for editable paths to writable directories. There is currently no easy way to move the Joomla! /image and /media directories. The best plan is to make sure open_basedir is properly set for all the user accounts on your server. Check with your host if unsure.
19. Once your site is configured and stable, write-protect critical directories and files by changing directory permissions to 755, and file permissions to 644. There is a feature in Site --> Global Configuration --> Server to set all folder and file permissions at once. Test third party extensions afterwards, and carefully review the code of any extension that has trouble with such settings. Note: Depending on your server's permissions, you may need to temporarily reset to more open permissions when installing more extensions with the Joomla! installer.
20. Remove all design templates not needed by your site. Never put security logic into template files.
21. VPS and dedicated server users can run TripWire or SAMHAIN. These applications provide exhaustive file checking and reporting functionality, and can be installed in a stealthy manner to help protect themselves in the event of a serious infiltration.
22. Hire a professional Joomla! security consultant to review your configurations.

Extending Joomla! (Components, Modules, Bots, Plugins, Bridges)[edit]

Backup first![edit]

BEFORE installing new extensions backup your site and your site's database. It's very smart to setup a script to make backing up a simple, automated process.

Check for extension vulnerabilities[edit]

Most security vulnerabilities are caused by third party extensions. Before installing extensions, check the Official List of Vulnerable 3rd Party/Non Joomla! Extensions. There's an entire forum dedicated to vulnerable third part extensions. Subscribe to it.

Download from trusted sites[edit]

The fully qualified and official definition of a "trusted site" is one that YOU trust.

User beware! Check the code quality[edit]

Third party extensions come in all flavors of quality and age. Although Joomla! coding standards exist, third party developers are not required to follow them. Extensions listed on the official Joomla! site are not reviewed for compliance, however if verified vulnerabilities are reported, they will be removed from the list until they are fixed.

Test, test, test...[edit]

Test all extensions on a development site before installing on a production site. Then test on the production site. Don't forget the check the logs for runtime errors and warnings.

Remove junk files[edit]

Remove all unused extensions and double check that related folders and files were actually removed by uninstall scripts. Note that during uninstall, many third party extensions will leave related files on your site, and related database tables complete with data. This is either a feature or a bug depending on your point of view. Any files left on your server remain accessible from the Web via direct URLs, such as http://yousite.com/modules/bad_module.

Avoid encrypted code[edit]

Joomla is (and dispite disinformation campaigns, always has been) a GNU GPL project. This means that all extensions to Joomla must also be free (as in freedom) and open (as in readable code). Encrypted code may be safe, but you can't determine this for yourself, and so you must trust the developers. Using others' encrypted code puts you back in the world of proprietary software where you must wait for security patches from the developer, hoping that attackers don't find your site first before a fix is released.

You are often not free to modify, improve, or share encrypted code. These restrictions make encrypted code less valuable to the community as a whole, and reduce the overall viability of the Joomla project which depends on open sharing among all participants.

Of course, code that is not distributed to others is exempt from GNU GPL distribution requirements. Thus you can encrypt Joomla-related code your own servers providing you do not share it with others.

Configuring php.ini[edit]

• Understand how to work with the php.ini file, and how PHP configurations are controlled. Study the Official List of php.ini Directives at http://www.php.net, and the well-documented default php.ini file included with every PHP install. Here is the latest default php.ini file on the official PHP site.

• On shared servers you can't edit the main php.ini file, but you may be able to add a custom file. If so, you'll need to copy that file to every sub-directory that requires the custom php.ini settings. Luckily a set of scripts at B & T Scripts and Tips can do the hard work for you.

• Set register_globals OFF. This directive determines whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables. This is an important setting to turn OFF. If you can't gain access to php.ini, see the switch to PHP5 using .htaccess techique above. For more information, see ZEND Chapter 29. Using Register Globals.

• Use disable_functions to disable dangerous PHP functions that are not needed by your site.

• Disable allow_url_fopen. This option enables the URL-aware fopen wrappers that enable accessing URL object like files. Default wrappers are provided for the access of remote files using the ftp or http protocol, some extensions like zlib may register additional wrappers. Note: This can only be set in php.ini due to security reasons.

• Adjust the magic_quotes_gpc directive as needed for your site. The recommended setting for Joomla! 1.0.x is ON to protect against poorly-written extensions. Joomla! 1.5 ignores this setting and works fine either way. For more information, see PHP Manual, Chapter 31. Magic Quotes.

• open_basedir (should be enabled and correctly configured). Limit the files that can be opened by PHP to the specified directory-tree. This directive is NOT affected by whether Safe Mode is ON or OFF. The restriction specified with open_basedir is a prefix, not a directory name. This means that "open_basedir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. To restrict access to only the specified directory, end with a slash. For more information, see PHP Security and Safe Mode Configuration Directives.

• Example php.ini directives for the above suggestions:

     register_globals = 0
     disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
     allow_url_fopen = 0
     magic_quotes_gpc = 1
     safe_mode = 1
     open_basedir = /dir/to/include/change/me

Joomla! Hardening for Maximum Security[edit]

Avoid shared servers if possible[edit]

For maximum security, avoid a shared server on which you don't know or can't trust all the other users or their code quality.

Use an SSL server for confidential transactions and user authentication.[edit]

Joomla! 1.0.x does not allow you to assign an SSL server to individual sub-directories. Search the forums for "Tommy Hack" for one way to deal with this. Joomla! 1.5 has greatly improved SSL options.

Use Apache's .htaccess[edit]

For an additional layer of password protection, use .htaccess password protection in critical directories. Note that unless you combined .htaccess with SSL, it is no longer the highly secure method that it once was, but it will certainly block the average script kiddie.

Ongoing Site Administration[edit]

1. Use Well-Formed Passwords: Change passwords regularly and keep them unique. Use a random combination of letters, numbers, or symbols and avoid using single names or words found in a dictionary. Never use the names of your relatives, pets, etc. Wizzie has supplied a script that automatically changes passwords. This is a great tool for administrators or multiple sites. Automatic Admin PW Generator
2. Follow a Password Leveling Scheme: Most users may not need more than three levels of passwords and webmasters no more than five. Each level must be completely unrelated to the others in terms of which usernames and passwords are used.
3. Maintain a Strong Site Backup Process: Never rely on others' backups. Take responsibility for your backup procedures. Many ISPs state in their contract that you can not rely solely on their backups.
4. Perform Automated Intrusion Detection: Use an Intrusion Prevention/Detection Systems to block/alert on malicious HTTP requests. Google Search Example: http://www.google.com/search?q=Intrusion+Prevention
5. Perform Manual Intrusion Detection: Regularly check raw logs for suspicious activity. Don't rely on summaries and graphs. There is a good discussion of creative ways to automatically check log files in this topic.
6. Stay Current with Security Patches and Upgrades Apply vendor-released security patches ASAP.
7. Proactively Seek Web Vulnerabilities: Perform frequent web scanning. Google Search Example: http://www.google.com/search?q=%22web+scanning%22
8. Proactively Seek SQL Injections Vulnerabilities: Use tools such as Paros Proxy for conducting automated SQL Injection tests against your PHP applications. Google Search Example: http://www.google.com/search?q=%22SQL+Injection%22 Wikipedia: http://en.wikipedia.org/wiki/SQL_injection
9. Use Shell Scripts to Automate Security Tasks: If you're comfortable with shell scripts (and you should be), you may want to try the following scripts. Search the forums for these names:
   • Joomla! Version Checking
   • Joomla! Component/Module Version Checking
   • Exploit Checking
10. Learn all you can about security software: There is not a single tool that can protect your site. If there were, it would be so heavily targeted that it would probably become a liability.
11. Prepare for Joomla! 1.5, the most significant upgrade in Joomla!'s history. It includes powerful security and performance enhancements.

Site Recovery[edit]

1. Always have complete backups.
2. Know how to find exploit attempts using the *NIX shell.
3. Have a tested plan for how you will recover when your site's been compromised.

Your Turn...[edit]

1. If you discover a bug in Joomla! core files, report it here.