Joomla Administrators Security Checklist
From Joomla! Documentation
1. Read Me First![edit]
1. There's no free lunch! Don't be fooled by Joomla's award-winning ease of use. Maintaining a secure, dynamic Web site on the open Internet is not easy. Adequate security requires constant watchfullness and effort.
2. There's no one right way! Due to the variety and complexity of modern web servers, security issues can't be resolved with simple, one-size-fits-all solutions. You, or someone you trust, must learn enough about your web server infrastructure to make valid securitydecisions.
3. There's no substitute for experience! To secure your web site, you must gain real experience much of which will be bitter), or get experienced help from others.
4. Rise above the herd: The Security Forums are filled with "Help! I've been hacked" posts by people who did NOT follow standard security practices (this author included Undecided). If you decided to study documents such as this before your site is compromised, congratulation, you're already ahead of the herd.
5. It's not as hard as it looks: The following checklist may seem intimidating, but you don't have to deal with all of it at once. As you become more familiar with GNU/Linux, Apache, MySQL, PHP, HTTP, and Joomla, you'll add refinements to your combination of security tactics. Security is a moving target, so today's expert might be tomorrow's victim. Welcome to the game...
2. Getting Started[edit]
1. Are you are ready? Can you administer a dynamic, 24x7, world-accessible, database-driven, interactive, user-authenicated web server? Do you have the time and resources to respond to the flow of emerging Internet ecurity issues? Here is a tragic/comic list of the most common administrator security errors. Don't learn these the hard way! Depending on your recent experience, you will either laugh or cry....
Top 10 Stupidest Joomla! Administrator Tricks.
2. Does Joomla! meet your needs? Developers of very large projects may want to check this forum discussion. If you're wondering about Joomla! vs. Drupal, check this forum discussion.
3. Stay informed of security issues: Given the complexity of web servers, new vulnerabilities and conflicts are discovered all the time. To stay in the loop, subscribe to Joomla Security Related Announcements. Select the "Notify" button.
4. Check the FAQs: The most helpful posts in the Joomla! Security Forum (as well as other sources) are converted into Security FAQs on the official Joomla! Help site.
5. Learn from the pros: Hunt down the many nuggets of wisdom in the Joomla! forums. For example, read this great post by CirTap.
3. Choose a Qualified Hosting Provider[edit]
1. Probably no decision is more critical to your site's security than the choice of hosts. Due to the wide variety of hosting options, it's not possible to provide a complete list for every situation.
2. If you are on a tight budget, you can get by on a shared hosting plan, but you must understand the risks, and know how to choose a qualified provider. [Related Discussion] [FAQ].
3. Check this unbiased list of recommended hosts.
4. For a real eye-opener, read this report on thousands of sites that allowed Google to index the results of phpinfo(). Don't make this mistake on your site! The report includes alarming statistics on the percentage of site that use depreciated settings such as register_globals ON or that don't have open_basedir set at all! by the way, if phpini and register_globals are unfamiliar to you, you are NOT ready to securely manage your own site.
4. Setup a Test and Development Environment[edit]
1. Develop and test your site on a local machine first. Installing Joomla locally is not has hard as it may sound, and the exercize will greatly boost your confidence. [FAQ]
2. Consider using an Integrated Development Environment (IDE). [FAQ]
3. Be able to roll back to an earlier version of your site using a modern version control system, such as CVS or Subversion.
4. Check out the Joomla! community's list of popular Developer Software and Tools.
5. Installing, Upgrading, and Configuring Joomla! Core and Apache Server[edit]
1. Always install and upgrade to the latest stable version of Joomla!.
2. Before you upgrade to Joomla! 1.0.13, read this forum thread discussing incompatible extensions. This version of Joomla! includes more powerful password encryption functions that break backward compatibility with important extensions that rely on the earlier password format. This includes complex extensions, such as CommunityBuilder, VirtueMart, and many of the bridges. By now, important extensions have all released stable upgrades. This item is left as a warning for those using abandoned extensions. (By the way, don't use abandoned extensions.)
3. Download Joomla! from official sites only, such as the Joomla! Forge, and check the MD5 hash. See this post for an example of what can happen if you download Joomla! from an unsafe site.
4. Use Joomla Diagnostics to ensure that all files were installed correctly.
5. Delete left over files. The installation process will require you to delete the installation directory and all its contents. Do this; do not simply rename it. If you upload files to your site as compressed archives (xxxx.zip for example), don't forget to remove the compressed file when finished with it. In general, do not leave any unneeded files (compressed or otherwise) on a public server.
6. Increase the security of the all-critical file, configuration.php, by moving it outside of the public_html directory. [FAQ]
7. Change the user name of the default admin user. This simple step greatly increases the security of this critical account by modifying one of the two variables attackers can use to gain admin access. (The admin password is the other variable. Change it early and often.) [FAQ]
8. Block typical exploit attempts with .htaccess files. This option is not enabled on all servers. Check with your host if you run into problems. [FAQ]
9. Password protect sensitive directories, such as administrator, with .htaccess files. [FAQ]
10. Restrict access to sensitive directories by IP Address, using .htaccess. [FAQ]
11. Depending on your host, you may be able to increase security by switching from PHP4 to PHP5. [FAQ]
12. Follow the "Least Privilege" principle for running PHP using tools such as PHPsuExec, php_suexec or suPHP. (Note: These are advanced methods that usually require agreement and coordination with your hosting provider. Such options are enabled or disabled on a server-wide bases, and are not individually adjustable on shared servers.)
13. Configure Apache mod_security and mod_rewrite filters to block PHP attacks. (Note: These are advanced methods that usually require agreement and coordination with your hosting provider. Such options are enabled or disabled on a server-wide bases, and are not individually adjustable on shared servers.)
Google Search Example: http://www.google.com/search?q=apache%20mod_security Google Search Example: http://www.google.com/search?q=apache%20mod_rewrite
14. Be sure MySQL accounts are set with limited access. The initial install of MySQL is insecure; careful configuration is required. (Note: These are advanced methods that usually require agreement and coordination with your hosting provider. Such options are enabled or disabled on a server-wide bases, and are not individually adjustable on shared servers.)
MySQL Documentation
15. Currently, both PHP4 and PHP5 are maintained. Before PHP4 becomes obsolite, upgrade your custom scripts to PHP5. By the way, you don't worry about core Joomla code It's already PHP 5 compatible. PHP News
16. Avoid the use of PHP safe_mode. [FAQ]
17. Turn Joomla! Register Globals Emulation OFF. [FAQ]
Related Forum Discussion
18. Ensure that all configurable paths to writable directories (document repositories, image galleries, caches) are outside of public_html. Check third party extensions, such as DOCMan and Gallery2, for editable path settings to such directories. There is currently no easy way to move the Joomla! /image and /media directories. Best plan is to make sure open_basedir is properly set for all the user accounts on your server. Check with your host if unsure.
19. Once your site is configured and stable, write-protect directories and files by changing directory permissions to 755, and file permissions to 644. There is a feature in Site --> Global Configuration --> Server to set all folder and file permissions at once. Test third party extensions afterwards, and carefully review the code of any extension that has trouble with such settings. Note: Depending on your server's permissions setup, you may need to temporarily reset to more open permissions while installing extensions with the Joomla installer.
Post: Shell script for setting file and directory permissions
20. Remove all design templates not needed by your site. Never put security logic into template files. (Note: Joomla 'templates' are actually 'themes' or 'skins'.)
Post: Suggest Ability to turn off/on template change
21. If you use a VPS or dedicated server, run TripWire or SAMHAIN (GNU/GPL) . They perform exhaustive file checking and reporting functionality, and can be installed in a stealthy manner to help protect themselves in the event of a serious infiltration.
22. Hire a professional Joomla! security consultant to review your configurations.
6. Extending Joomla! (Components, Modules, Bots, Plugins, Bridges)[edit]
1. Most security vulnerabilities are caused by third party extensions. In fact there's an entire forum dedicated to this subject. Subscribe to it using the Notify button.
2. BEFORE installing new extensions backup your site and your site's database. It's very smart to setup a script to make backing up a simple, automated process.
3. BEFORE installing third party extensions, check: Official List of Vulnerable 3rd Party/Non Joomla! Extensions
4. Only download extensions from trusted sites. The official definition of a "trusted site" is one that YOU trust.
5. User beware! Third party extensions come in all flavors of quality and age. Although Joomla! coding standards exist, but third party developers are not required to follow them. Extensions listed on the official Joomla! site are not reviewed for compliance, however if verified vulnerabilities are reprted, they will be removed from the list until they are fixed.
6. Test all extensions on a development site before installing on a production site. [FAQ (Part 1)] [FAQ (Part 2)]
7. Remove all unused extensions, and double check that all related folders and files were removed by the uninstall scripts.
8. Note that during uninstall, many third party extensions will leave related files on your site, and related tables complete with date in the database. This is either a feature or a bug depending on your point of view. I'd call it a bug since very few report that they are doing this. Any files life on your server remain accessble from the web via direct URLs, such as http://yousite.com/modules/bad_module.
9. Remove or fix any extension that requires register_globals ON.
How to fix an extension that requires register_globals ON
10. Be wary of encrypted code. Joomla is (and dispite disinformation campaigns, always has been) a GNU/GPL project. This means that all extensions to Joomla must also be free (as in freedom) and open (as in readable code). Encrypted code may be safe, but you can't determine this for yourself, and so you must trust the developer's word. Using encrypted code puts you back in the world of proprietary software, where you must wait for security patches from the developer, hoping that attackers don't find your site first.
11. You are rarely free to modify, improve, or share encrypted code. These restrictions make encrypted code less valuable to the community as a whole, and reduce the overall viability of the Joomla project, which depends on open sharing among all participants.
12. Of course, code that is not distributed to others is exempt from the GNU/GPL distribution requirements. Thus you can encrypt your own code as much as you want for security or other reasons.
7. Configuring php.ini[edit]
1. Understand how to work with the php.ini file, and how PHP configurations are controlled. Study the Official List of php.ini Directives at www.php.net, and the well-documented default php.ini file included with every PHP install. [Latest default php.ini file]
2. On shared servers you can't edit the main php.ini file, but you may be able to add a custom file. If so, you'll need to copy that file to every sub-directory that requires the custom php.ini settings. Luckily a free set of scripts do the hard work for you:
B&T's Tips and Scripts
3. Read the forum post, Secure it with php.ini, by Beat, Q&T Workgroup Member, for a list of php.ini methods sorted in order of preference.
4. Set register_globals OFF. This directive determines whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables. This is an important setting to turn OFF. If you can't gain access to php.ini, see the switch to PHP5 using .htaccess techique above.
ZEND Chapter 29. Using Register Globals
5. Use disable_functions to disable dangerous PHP functions that are not needed by your site.
6. Disable allow_url_fopen. This option enables the URL-aware fopen wrappers that enable accessing URL object like files. Default wrappers are provided for the access of remote files using the ftp or http protocol, some extensions like zlib may register additional wrappers. Note: This can only be set in php.ini due to security reasons.
7. Adjust the magic_quotes_gpc directive as needed for your site. The recommended setting for Joomla! 1.0.x is ON to protect against poorly-written extensions. Joomla! 1.5 ignores this setting and works fine either way.
PHP Manual, Chapter 31. Magic Quotes.
8. open_basedir (should be enabled and correctly configured)
Limit the files that can be opened by PHP to the specified directory-tree. This directive is NOT affected by whether Safe Mode is ON or OFF. The restriction specified with open_basedir is a prefix, not a directory name. This means that "open_basedir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. To restrict access to only the specified directory, end with a slash.
PHP Security and Safe Mode Configuration Directives
9. Example php.ini directives for the above suggestions:
register_globals = 0
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen = 0
magic_quotes_gpc = 1
safe_mode = 1
open_basedir = /dir/to/include/change/me
8. Joomla! Hardening for Maximum Security[edit]
1. For maximum security, avoid a shared server on which you don't know or can't trust all the other users or their code quality. [FAQ]
2. Use an SSL server for confidential transactions. Read this enlightening discussion on the need for SSL any time security is important. Joomla! 1.0.x does not allow you to assign an SSL server to individual sub-directories. Search the forum for the "Tommy Hack" for one way to deal with this. Joomla! 1.5 has greatly increased options for this. ) [FAQ]
3. For an additional layer of password protection, use .htaccess password protection in critical directories. Unless you combined this with SSL, it is no longer the highly secure method that it once was, but it will certainly block the average script kiddie. [FAQ]
9. Ongoing Site Administration[edit]
1. Use Well-Formed Passwords: Change passwords regularly and keep them unique. Use a random combination of letters, numbers, or symbols and avoid using single names or words found in a dictionary. Never use the names of your relatives, pets, etc. Wizzie has supplied a script that automatically changes passwords. This is a great tool for administrators or multiple sites. Automatic Admin PW Generator
2. Follow a Password Leveling Scheme: Most users may not need more than three levels of passwords and webmasters no more than five. Each level must be completely unrelated to the others in terms of which usernames and passwords are used. [FAQ]
3. Maintain a Strong Site Backup Process: Never rely on others' backups. Take responsibility for your backup procedures. Many ISPs state in their contract that you can not rely solely on their backups.
4. Perform Automated Intrusion Detection: Use an Intrusion Prevention/Detection Systems to block/alert on malicious HTTP requests.
Google Search Example: http://www.google.com/search?q=Intrusion+Prevention
5. Perform Manual Intrusion Detection: Regularly check raw logs for suspicious activity. Don't rely on summaries and graphs. There is a good discussion of creative ways to automatically check log files in this topic.
6. Stay Current with Security Patches and Upgrades Apply vendor-released security patches ASAP.
7. Proactively Seek Web Vulnerabilities: Perform frequent web scanning.
Google Search Example: http://www.google.com/search?q=%22web+scanning%22
8. Proactively Seek SQL Injections Vulnerabilities: Use tools such as Paros Proxy for conducting automated SQL Injection tests against your PHP applications.
Google Search Example: http://www.google.com/search?q=%22SQL+Injection%22 Wikipedia: http://en.wikipedia.org/wiki/SQL_injection
9. Use Shell Scripts to Automate Security Tasks: If you're comfortable with shell scripts (and you should be), you may want to try the following scripts supplied for free to the community by Wizzie
Joomla! Version Checking
Joomla! Component/Module Version Checking
Exploit Checking
10. Learn all you can about security software: There is not a single tool that can protect your site. If there were, it would be so heavily targeted that it would probably become a liability. Related topic.
11. Prepare for the approaching release of Joomla! 1.5, the most significant upgrade in Joomla!'s history. It includes many powerful security and performance enhancements.
* Monitor 1.5 development status.
* Start playing with the beta version.
* Learn about Model, View, Control (MVC).
* Develop a conversion plan for extensions you've written.
* Develop a conversion plan for your existing sites.
10. Site Recovery[edit]
1. Know how to hack free when your site's been compromised. [FAQ]
2. Know how to find exploit attempts using the *NIX shell. [FAQ]
11. Your Turn...[edit]
1. Please post critical security issues with the Joomla! core here.
2. Please post any correction/additions to this document here.