Actions

Difference between revisions of "Security - Before you go live"

From Joomla! Documentation

(Creating Categories)
m
 
(9 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
{{underconstruction}}
 
{{underconstruction}}
 
+
{{RightTOC}}
 
+
 
== Security FAQ - before you go live==
 
== Security FAQ - before you go live==
  
Line 7: Line 6:
  
 
This list for the main part does not provide instructions it is only a list for you to check off each item as you perform the tasks.
 
This list for the main part does not provide instructions it is only a list for you to check off each item as you perform the tasks.
 +
* I Know this list will generate MANY questions, so please post to the Joomla.org [http://forum.joomla.org/viewforum.php?f=432| Security forum]
  
I Know this list will generate MANY questions, so please post to the joomla.org forum:
 
http://forum.joomla.org/viewforum.php?f=432&sid=81c2aa9b5a4a88574ae79a6b176111cc
 
 
-------------------------------------------------------------------------------------------------------------------
 
  
  
 
== During Install ==
 
== During Install ==
 
+
# Change database tables prefix from "jos_" to anything else.
'''2) Change database tables prefix from "jos_" to anything else.'''
+
* When changing this do not use any "reserved" prefixes such as '''bak_'''
 +
** You may use numbers and letters and YES you may use more than 3 characters, so '''b37qm2_''' is a valid name.
 +
** Don't forget the underscore "'''_'''" as this makes it MUCH easier to read your table entries.
  
  
 
== Joomla Backend ==
 
== Joomla Backend ==
 +
# It does not matter if your host does backups. Do it yourself too, and store them anywhere else other than the server.
 +
# Backup up often! You would be amazed at how many sites NEVER perform regular backups.
 +
# Did I mention to BACKUP your site?
  
'''4) It does not matter if your host does backups. Do it yourself too, and store them anywhere else other than the server.'''
 
 
'''5) Backup up often! You would be amazed at how many sites NEVER perform regular backups.'''
 
 
'''6) Did I mention to BACKUP your site?'''
 
  
 +
'''Note:''' The extension '''Akeeba''' is highly recommended for backups.
 +
* You find alternatives under the JED [http://extensions.joomla.org/extensions/access-a-security/site-security/backup| Backup Category]
  
  
 
== PHP ==
 
== PHP ==
 
+
# Ask your server if they offer PHPsuExec, php_suexec or suPHP
'''14) Ask your server if they offer PHPsuExec, php_suexec or suPHP'''
+
# Use php.ini files if your server allows. With this you can disable functions that are not needed or dangerous
 
+
# Register_Globals = 0 (off) Many servers deafult this to ON.
'''15) Use php.ini files if your server allows. With this you can disable functions that are not needed or dangerous'''
+
# allow_url_fopen = 0 (off)
 
+
# expose_php = 0 (off)
'''16) Register_Globals = 0 (off) Many servers deafult this to ON.'''
+
# safe_mode = 0 (off)
 
+
# Use open_basedir , it limits which files/folders can be opened.
'''17) allow_url_fopen = 0 (off)'''
+
 
+
'''18) expose_php = 0 (off)'''
+
 
+
'''19) safe_mode = 0 (off)'''
+
 
+
'''23) Use open_basedir , it limits which files/folders can be opened.'''
+
 
+
  
  
 
== Files ==
 
== Files ==
 +
# Move configuration.php outside of your public directory.
 +
# On file permissions, in general never use 777 if you don't know what you are doing (755 for directories and 644 for files is sensible for most). See FAQ: [[Verifying_permissions| Verifying permissions]]
  
'''21) Move configuration.php outside of your public directory.'''
 
 
'''25) On file permissions, in general never use 777 if you don't know what you are doing (755 for directories and 644 for files is sensible for most).'''
 
  
  
 
== Others ==
 
== Others ==
 +
# Change username "admin" to anything else in Joomla, PhpBB, and anywhere else it used.
 +
# Instead of renaming, you can also create a second super administrator account and remove the first. This way, the user id will be different.
 +
# Change username or add password to username "root" in PhpMyAdmin. Default is NO password! This is not usually an issue on remote servers however if you have a local server it may be.
 +
# Remove unused templates, extensions and unneeded files from your site. This includes compressed archives.
 +
# Check joomla.org Vulnerable Extensions List (VEL)
 +
# Check regularly for updates for Joomla, PHP, SQL and EVERY extension you use.
 +
# Avoid encrypted code in extensions.
 +
# Use some form of intrusion detection either through a cron job or an extension (like Eyesite).
 +
# Check your log files OFTEN for unusual activity.
 +
# Test your site for weaknesses or hire someone to perform this for you. Make sure you tell your host first what you are doing or you may get your site removed from the server!!!
 +
# Use .htaccess to add extra protection to your administrator directory or use an extension (like kSecure)
 +
# Get an SSL certificate for financial transactions and other sensitive data exchange.
 +
# Change the paths (directories) where your log, temp (tmp) files are stored. Don't just move them, you have to change the setting in Global Config as well. You also have to ensure your new paths fall under the scope of open_basedir
 +
# Don't save FTP user and password in your FTP tool of choice on your workstation (especially if you are on Windows).
 +
# If you don't need them, don't enter the FTP user/password or remove them.
  
'''1) Change username "admin" to anything else in Joomla, PhpBB, and anywhere else it used.'''
 
 
'''28) Instead of renaming, you can also create a second super administrator account and remove the first. This way, the user id will be different.'''
 
 
'''3) Change username or add password to username "root" in PhpMyAdmin. Default is NO password! This is not usually an issue on remote servers however if you have a local server it may be.'''
 
 
'''7) Remove unused templates, extensions and unneeded files from your site. This includes compressed archives.'''
 
 
'''8) Check joomla.org Vulnerable Extensions List (VEL)'''
 
 
'''9) Check regularly for updates for Joomla, PHP, SQL and EVERY extension you use.'''
 
 
'''10) Avoid encrypted code in extensions.'''
 
 
'''11) Use some form of intrusion detection either through a cron job or an extension (like Eyesite).'''
 
 
'''12) Check your log files OFTEN for unusual activity.'''
 
 
'''13) Test your site for weaknesses or hire someone to perform this for you.
 
Make sure you tell your host first what you are doing or you may get your site removed from the server!!!'''
 
 
'''20) Use .htaccess to add extra protection to your administrator directory or use an extension (like kSecure)'''
 
 
'''22) Get an SSL certificate for financial transactions and other sensitive data exchange.'''
 
 
'''24) Change the paths (directories) where your log, temp (tmp) files are stored. Don't just move them, you have to change the setting in Global Config as well. You also have to ensure your new paths fall under the scope of open_basedir'''
 
 
'''26)  Don't save FTP user and password in your FTP tool of choice on your workstation (especially if you are on Windows).'''
 
 
'''27) If you don't need them, don't enter the FTP user/password or remove them.'''
 
 
 
 
'''NOTE:''' If your administrator password is changed by hackers (or you forget it) follow this procedure to restore it:
 
http://docs.joomla.org/How_do_you_recover_your_admin_password%3F
 
 
 
----------------------------------------------------------------------------------------------------------------
 
 
 
7 Great tips from Marco Folio (Some with instructions):
 
http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html
 
  
How to prevent an SQL injection by Marco Folio:
+
'''NOTE:''' If your administrator password is changed by hackers (or you forget it) follow this procedure to restore it: [[How_do_you_recover_your_admin_password%3F | How do you recover your admin password?]]
http://www.marcofolio.net/features/how_you_can_prevent_an_sql_injection.html
+
  
Joomla Security Primer by Tom Canavan:
 
http://www.howtojoomla.net/how-tos/security/joomla-security-primer
 
  
Joomla.org Security Checklist Wiki:
+
== Additional reading ==
http://docs.joomla.org/Category:Security_Checklist
+
* [http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html 7 Great tips from Marco Folio]  (Some with instructions)
 +
* [http://www.marcofolio.net/features/how_you_can_prevent_an_sql_injection.html How to prevent an SQL injection by Marco Folio]
 +
* [http://www.howtojoomla.net/how-tos/security/joomla-security-primer Joomla Security Primer by Tom Canavan]
 +
* [http://docs.joomla.org/Category:Security_Checklist Joomla.org Security Checklist Wiki]
 +
* [[Vulnerable_Extensions_List | Joomla.org Vulnerable Extensions List]]
  
Joomla.org Vulnerable Extensions List:
 
http://docs.joomla.org/Vulnerable_Extensions_List
 
  
  
 
Built from list by [[User:Ripose|Ripose]]
 
Built from list by [[User:Ripose|Ripose]]

Latest revision as of 12:06, 19 June 2011

Documentation all together tranparent small.png
Under Construction

This article or section is in the process of an expansion or major restructuring. You are welcome to assist in its construction by editing it as well. If this article or section has not been edited in several days, please remove this template.
This article was last edited by Mandville (talk| contribs) 3 years ago. (Purge)

Contents

Security FAQ - before you go live

This security list has been compiled from several sources, some of these sources are linked at the bottom of this article, as such you may find duplicate suggestions. DON'T skip anything because of this!

This list for the main part does not provide instructions it is only a list for you to check off each item as you perform the tasks.

  • I Know this list will generate MANY questions, so please post to the Joomla.org Security forum


During Install

  1. Change database tables prefix from "jos_" to anything else.
  • When changing this do not use any "reserved" prefixes such as bak_
    • You may use numbers and letters and YES you may use more than 3 characters, so b37qm2_ is a valid name.
    • Don't forget the underscore "_" as this makes it MUCH easier to read your table entries.


Joomla Backend

  1. It does not matter if your host does backups. Do it yourself too, and store them anywhere else other than the server.
  2. Backup up often! You would be amazed at how many sites NEVER perform regular backups.
  3. Did I mention to BACKUP your site?


Note: The extension Akeeba is highly recommended for backups.


PHP

  1. Ask your server if they offer PHPsuExec, php_suexec or suPHP
  2. Use php.ini files if your server allows. With this you can disable functions that are not needed or dangerous
  3. Register_Globals = 0 (off) Many servers deafult this to ON.
  4. allow_url_fopen = 0 (off)
  5. expose_php = 0 (off)
  6. safe_mode = 0 (off)
  7. Use open_basedir , it limits which files/folders can be opened.


Files

  1. Move configuration.php outside of your public directory.
  2. On file permissions, in general never use 777 if you don't know what you are doing (755 for directories and 644 for files is sensible for most). See FAQ: Verifying permissions


Others

  1. Change username "admin" to anything else in Joomla, PhpBB, and anywhere else it used.
  2. Instead of renaming, you can also create a second super administrator account and remove the first. This way, the user id will be different.
  3. Change username or add password to username "root" in PhpMyAdmin. Default is NO password! This is not usually an issue on remote servers however if you have a local server it may be.
  4. Remove unused templates, extensions and unneeded files from your site. This includes compressed archives.
  5. Check joomla.org Vulnerable Extensions List (VEL)
  6. Check regularly for updates for Joomla, PHP, SQL and EVERY extension you use.
  7. Avoid encrypted code in extensions.
  8. Use some form of intrusion detection either through a cron job or an extension (like Eyesite).
  9. Check your log files OFTEN for unusual activity.
  10. Test your site for weaknesses or hire someone to perform this for you. Make sure you tell your host first what you are doing or you may get your site removed from the server!!!
  11. Use .htaccess to add extra protection to your administrator directory or use an extension (like kSecure)
  12. Get an SSL certificate for financial transactions and other sensitive data exchange.
  13. Change the paths (directories) where your log, temp (tmp) files are stored. Don't just move them, you have to change the setting in Global Config as well. You also have to ensure your new paths fall under the scope of open_basedir
  14. Don't save FTP user and password in your FTP tool of choice on your workstation (especially if you are on Windows).
  15. If you don't need them, don't enter the FTP user/password or remove them.


NOTE: If your administrator password is changed by hackers (or you forget it) follow this procedure to restore it: How do you recover your admin password?


Additional reading


Built from list by Ripose