Difference between revisions of "Security and Performance FAQs"

From Joomla! Documentation


Revision as of 20:08, 28 March 2008

(need permission for relicensing before copying)


INTRO

What is the Joomla! Administrator's Security Checklist?

The Joomla! Administrator's Security Checklist (http://help.joomla.org/component/option,com_easyfaq/task,view/id,167/Itemid,268/) is a concise selection of the best tips and tricks from many contributions in the Joomla Security Forums.

What are the top 10 stupidest Joomla! security tricks?

10. Go with the cheapest hosting provider you can find, preferably a shared server that hosts hundreds of other sites, some of which are high-traffic porn sites. Don't check the list of recommended hosting providers.

9. Don't waste time with regular backups. Maybe the hosting provider will help you.

8. Don't waste time adjusting PHP and Joomla! settings for increased security. Hey, the install was brain-dead easy. How bad could the rest be? Worry about those details only if there's a problem.

7. Use the same username and password for your on-line bank account, Joomla! administrator account, Amazon account, Yahoo account, etc. Hey, who has time to keep track of so many passwords? And anyway, since you don't change passwords, it's easier to just use the same one all the time, everywhere.

6. Install your brand new beautiful Joomla!-powered site, celebrate a job well done, and don't worry about it again. After all, if you don't make any more changes, what can go wrong?

5. Do all upgrades and extension installations right there on the live site. Who needs a development and testing server anyway? If an installation fails, you'll just uninstall it again. That will hopefully also undo any damage the installation caused.

4. Trust all third-party extensions, and install all the cool-looking stuff you can find. Anyone smart enough to write a Joomla! extension will provide perfect code that blocks every known exploit attempt, now and forever. After all, almost all this stuff is provided for free by well-meaning, good-hearted people who know what they are doing.

3. Don't worry about updating to the latest version of Joomla!. Hey, nothing has gone wrong so far! Same plan for the third-party extensions. Too much work anyway.

2. When your site gets cracked, panic your way on over to the Joomla! Forums and start a new post with a very familiar title: "Help! My Site's Been Hacked!" Be sure not to leave relevant information, such as which obsolete versions of Joomla! and third party extensions were installed.

1. Once your site's been cracked, fix the defaced file and then assume all is well. Don't check raw logs, change your passwords, remove the entire directory and rebuild from clean backups, or take any other overly paranoid-seeming actions. When the attackers return the next day, scream loudly that you've been "hacked again," and it's all Joomla!'s fault. Ignore the fact that removing a defaced file is not even step one in the difficult process of fully recovering a cracked site.

This list was originally born somewhere on Earth late at night in the Joomla! Forums (http://forum.joomla.org/), where a long and lively discussion (http://forum.joomla.org/viewtopic.php?f=267&t=117767) has developed an interesting life of its own.

How do I choose a quality hosting provider?

The following is a short list of security-related requirements. Depending on your specific needs, you may have many other security requirements such as shell access, cron access, SSL server, etc.

  • Choose *NIX: Joomla! requires at least PHP and MySQL to run. Because Apache/PHP/MySQL run best on UNIX or GNU/LINUX servers, choose a host that offers these options. Due to zero licensing fees and lower administrative overhead, such offerings are sometimes less expensive as well.
  • Use Secure FTP: Choose a host that requires SFTP (Secure FTP) for transferring files. This prevents others from snooping your user name and password from packets as they travel over the Internet.
  • Set PHP register_globals OFF: The most security-conscious hosts turn PHP's Register Globals directive OFF by default. The next best allow you to turn it off in local .htaccess or php.ini files. A host that requires you to run a site with Register Globals ON should be avoided. This is true for any PHP-enabled site, whether or not you are running Joomla!. There is a legitimate argument to be made by hosts for keeping Register Globals ON for PHP4 sites: it would break too much legacy code. This argument should not be accepted for a PHP5 installation. Beginning with PHP5, the official PHP recommendation was to keep Register Globals OFF. Note that beginning with PHP6, there will not even be a Register Globals setting, so don't get caught in a Register Globals backwater. Modify your code to work without Register Globals, and choose a host that encourages such practices.
  • Seek PHP flexibility: Choose a host that allows you to use either PHP4 or PHP5.
  • Stay up-to-date: Choose a host that stays up-to-date with the latest stable versions of core applications, including the operating system, database, and scripting languages.
  • Avoid cheap shared servers: Be sure users on your shared server can't view each other's files and databases, for example through shell accounts and cpanels.
  • Proactive server management: Choose a host that provides real information about security compromises, rather than simply shutting your site down. Check their user forums for evidence of how they've responded to cracks in the past. A good host may, for example, inform you immediately that a security breach has occurred and quarantine the problem file for you, while leaving it there for further investigation. A poor host will shut your site down and provide very limited information on why. Watch out! All too many do this.
  • Require raw log access: Be sure you have access to raw server logs. Reading these logs is a vital part of site security and recovery.
  • Performance matters: Choose a host that limits the number of users per machine and the average CPU load per machine to some reasonable number (depending on hardware). Be sure they proactively move user sites as needed to balance load. Check the number of domains on a server using reverse IP lookup.
  • Data center: Choose a host that manages its own data center. Check the data center infrastructure, such as redundant Internet access, hot-swappable backups, full daily backups, environment and access controls, emergency generators, etc.
  • Know your neighbors: Check that your host is not at risk of having its IP addresses blocked because it hosts porn or spam sites.
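The register_globals item above names two places the directive can be set, php.ini and a local .htaccess, and each uses a different syntax. The following Python script is an added example (not part of this FAQ or of Joomla!) that audits both: the php.ini and .htaccess fragments it reads are constructed for the demonstration, and the precedence rule it applies (a `php_flag` line in .htaccess overrides php.ini only when PHP runs as an Apache module; under CGI/FastCGI the line is ignored) is general PHP behaviour, not something this page states.

```python
"""Added example, not part of the Joomla! FAQ: audit php.ini and .htaccess
text for PHP's register_globals directive.  The sample fragments below are
constructed for the demonstration and do not come from any real host."""
import re
from typing import Optional

# Constructed php.ini excerpt: a host that still ships register_globals ON.
PHP_INI_SAMPLE = """
; php.ini excerpt (constructed)
register_globals = On
display_errors = Off
"""

# Constructed .htaccess excerpt: the per-site override the FAQ says good hosts allow.
HTACCESS_SAMPLE = """
# .htaccess excerpt (constructed)
php_flag register_globals off
php_value upload_max_filesize 8M
"""

# php.ini syntax:   register_globals = On|Off|1|0
# .htaccess syntax: php_flag register_globals on|off   (honoured by Apache mod_php only)
_INI_RE = re.compile(r"^\s*register_globals\s*=\s*\"?([A-Za-z0-9]+)", re.I | re.M)
_HTACCESS_RE = re.compile(r"^\s*php_flag\s+register_globals\s+([A-Za-z0-9]+)", re.I | re.M)
_ON_VALUES = {"on", "1", "true", "yes"}


def register_globals_state(text: str, fmt: str) -> Optional[str]:
    """Return 'on', 'off', or None when the directive is absent.

    fmt is 'ini' for php.ini syntax or 'htaccess' for Apache php_flag syntax.
    If the directive appears more than once the last occurrence wins, as it
    does when PHP reads the file.
    """
    pattern = _INI_RE if fmt == "ini" else _HTACCESS_RE
    matches = pattern.findall(text)
    if not matches:
        return None
    return "on" if matches[-1].lower() in _ON_VALUES else "off"


def effective_state(ini_text: str, htaccess_text: str, mod_php: bool = True) -> Optional[str]:
    """Combine both sources.

    With mod_php a php_flag in .htaccess overrides php.ini.  Under CGI/FastCGI
    the php_flag line is silently ignored and php.ini decides, so the .htaccess
    value must not be trusted there (mod_php=False models that case).
    """
    if mod_php:
        local = register_globals_state(htaccess_text, "htaccess")
        if local is not None:
            return local
    return register_globals_state(ini_text, "ini")


def audit(ini_text: str, htaccess_text: str, mod_php: bool = True) -> str:
    """One-line verdict for the hosting checklist."""
    state = effective_state(ini_text, htaccess_text, mod_php)
    if state == "off":
        return "OK: register_globals is off"
    if state == "on":
        return "FAIL: register_globals is on; turn it off in php.ini or with php_flag in .htaccess"
    return "UNKNOWN: register_globals not set; check the host's defaults"


if __name__ == "__main__":
    print(audit(PHP_INI_SAMPLE, HTACCESS_SAMPLE))                 # mod_php: the override applies
    print(audit(PHP_INI_SAMPLE, HTACCESS_SAMPLE, mod_php=False))  # FastCGI: php.ini still wins
```

Run with the two constructed fragments, the same .htaccess override yields OK under mod_php and FAIL under FastCGI, which is the reason the checklist prefers a host whose php.ini is already OFF over one that merely lets you override it.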

Related Information

As sites grow in complexity, resource requirements, and security requirements, they may need to be moved off of a shared server environment. At that point, good options include:

  • Dedicated Servers: Offer the best possible security and performance, but at the highest expense.
  • Virtual Servers: Offer almost all the advantages of a dedicated server, but the hardware and configuration cost is shared among multiple virtual servers.

Where can I learn about vulnerable extensions?

  • See the Vulnerable Extensions List (http://help.joomla.org/component/option,com_easyfaq/task,view/id,186/Itemid,268/)

Where can I learn more about file permissions?

  • Unix Permissions Primer (http://www.joomlatutorials.com/faq/view/joomla_security_tips/joomla_and_unix_file_permissions_-_explanation/60.html)
  • Using phpSuExec (http://www.joomlatutorials.com/faq/view/joomla_security_tips/permissions_under_phpsuexec/60.html)

How do I set up a powerful, compartmentalized password scheme?

Overview

Most users may not need more than 3 levels of passwords and webmasters no more than 5. Each level must be completely unrelated to the others in terms of which ids and passwords are used.

Directions

  • Level 5 (Public) - the password you use on public sites. It is not imperative that you use a different password on every site. In fact, truth be told, it is more effective to use a different username on every site than a different password! Knowing the username makes an attack easy: half the work is done. Knowing the password is useless unless you know which account it goes to!
  • Level 4 (Webmaster) - Reserved for SQL only. This password is used only by SQL and is limited to a specific database. The best way to protect SQL is to limit each account to the minimum that its database requires. In some cases it is even wise to have a read-only account for display and a separate write account that the back-end write functions use. That doesn't apply to J! at all, though: for J! the best practice is to set up an individual account (certainly not root) that has read and write access to the J! database and nothing else.
  • Level 3 (Webmaster) - FTP and server access. These can share the same user:pass combination, since if either is compromised it can do the most damage. It doesn't matter if the back end or cPanel is safe if the FTP is not, and the same goes the other way!
  • Level 2 (Personal Data Access) - This password should be used for any sites or locations that contain personal data, with the exception of banking (see level 1). These sites are often mined for social-engineering data such as medical records, service accounts, and any financial records not directly related to banking! You want these to be secure but also different from the real security threat: your money!
  • Level 1 (Banking!) - This needs to be the most secure. In fact, if you have two different banks, it actually pays to have a different user:pass for each, just to be sure!

Joomla! Core Security

How can I check my Joomla! installation's overall security and health?

  • Use the free Joomla extension, Joomla! Tools Suite.

Why should I immediately change the name of the default admin user?

Overview

All new Joomla installations start with a Super Administrator account called 'admin'. During the installation process, you will be asked to give this account a password. That's great as far as it goes, but because the user name of this highly confidential account is generally well known, 50% of the security of the username/password combination is already exposed. Now all anyone needs to do is guess the password and they're in.

By changing the user name to something more difficult to guess, you greatly increase the difficulty of accessing the account. An attacker must correctly guess both the user name and password at the same time to gain access. This is several magnitudes more difficult than simply guessing the right password.

Directions

1. Log into the Back End

2. Select User Manager

3. Select the 'admin' user record

4. Change the value in username. (Good user names contain a mix of letters and numbers.)

5. Save

6. Remember the new username!

How do I turn RG_EMULATION off?

How do I remove the Joomla! security warnings?

What do Error 1, Error 2, and Error 3 mean?

What does Joomla! have to do with file permissions?

What are the recommended file and directory permissions?

How can I avoid using chmod 0777 to enable installs?

Isn't locating all Joomla! files inside public_html a security risk?

How do I move confidential files outside of public_html?

How do I recursively adjust file and directory permissions?

How can I set the administrator directory to use an SSL server (https)?

Why isn't restricting access by IP recommended?

What are the best practices for site backups?

Why shouldn't I use phpMyAdmin for database backups?

Where can I find more general (non-security) site administration FAQs?

Where is the VULNERABLE EXTENSIONS LIST?

What is a vulnerable extension?

Why is there a warning in the extensions install screen?

Why are there vulnerable extensions?

Why does the Extensions site include insecure extensions?

Joomla! Extensions Security

How do I choose secure extensions?

How do I prevent spam bots from attacking my forums?

Why isn't un-publishing a vulnerable extension enough to protect my site?

Joomla! and Apache Server Security

How do I change PHP settings using .htaccess?

How does FastCGI affect Joomla?

How can I check if mod_rewrite is enabled?

How do I password protect directories using .htaccess?

How do I convert an htaccess.txt file into a .htaccess file?

Recovery

How to reset an administrator password

Introduction

Because passwords are stored as a one-way MD5 hash, an existing password cannot be recovered, but you can reset it to a new password by editing the password field in the database. In the following directions, you will set the password field to a known MD5 value and then log in using the password that matches that value. Once logged in, you can change the password again using the normal Joomla! user access screens.

Joomla! 1.0.13 Enhanced Password System

Initial tests indicate that the method described here also works with Joomla! 1.0.13 salt-enhanced passwords. This is because Joomla! automatically updates password data from earlier versions to the 1.0.13 format.

Directions

1. Use a MySQL utility such as phpMyAdmin or MySQL Query Browser.

2. Open the correct database and select the table jos_users. (Change the default table prefix 'jos_' to your table prefix if it is different.)

3. Select the record (or table row) for your administrator account.

4. Copy and paste a known MD5 hash, such as one of the samples provided with this FAQ, into the password field. Warning: You must paste the password's hash value, not the password itself. You can use any of the following password = hash pairs, or create your own using one of the tools listed below.

  password = MD5 hash of password

  • admin = 21232f297a57a5a743894a0e4a801fc3
  • secret = 5ebe2294ecd0e0f08eab7690d2a6ee69
  • OU812 = 7441de5382cf4fecbaa9a8c538e76783

5. Save the record.

6. Point your browser to your site and log in as the administrator using your new password.

7. Once logged in, you should change the password again to one that only you know.

Generating your own MD5 hash from a password of your choice

Alternatively, you can set the password to a value of your own choice. Use tools, such as the following, to create your own strong hashed password. Use the above directions once you've generated a hash with these tools.
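The following Python script is an added example, not part of this FAQ or of Joomla! itself. It performs the two jos_users procedures described on this page, the "rename the default admin user" check from the Core section and the password reset above, against a constructed in-memory SQLite copy of the table, so it runs offline in place of phpMyAdmin. The table layout is a simplified stand-in for Joomla! 1.0's jos_users (only the columns the procedures touch), the rows are made-up sample data, the sample usernames and passwords are invented, and the salted "hash:salt" layout used for the 1.0.13-style row is assumed from that version's scheme rather than stated on this page.

```python
"""Added example (not from the Joomla! FAQ or the Joomla! project): the two
jos_users procedures from this page, run against a constructed in-memory copy
of the table:

  1. find a Super Administrator still using the default username 'admin'
     and rename it (the "change the default admin user" FAQ);
  2. reset a password by writing a known MD5 value into the password field,
     then confirm the matching password logs in (the "reset an administrator
     password" FAQ).
"""
import hashlib
import secrets
import sqlite3
from typing import Optional

TABLE_PREFIX = "jos_"  # the FAQ's default; change if your site uses another prefix


def md5_hex(text: str) -> str:
    """Plain MD5 hex digest: the value the FAQ has you paste into the password field."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def joomla_salted_hash(password: str, salt: Optional[str] = None) -> str:
    """Joomla! 1.0.13-style entry, assumed here as md5(password + salt) ':' salt."""
    if salt is None:
        salt = secrets.token_hex(16)  # constructed salt for the sample row
    return md5_hex(password + salt) + ":" + salt


def verify_password(stored: str, candidate: str) -> bool:
    """Accept both the plain-MD5 form and the 'hash:salt' form 1.0.13 migrates to."""
    if ":" in stored:
        digest, salt = stored.split(":", 1)
        return secrets.compare_digest(digest, md5_hex(candidate + salt))
    return secrets.compare_digest(stored, md5_hex(candidate))


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample table (simplified jos_users); not taken from any real site."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {TABLE_PREFIX}users ("
        "id INTEGER PRIMARY KEY, name TEXT, username TEXT UNIQUE, "
        "email TEXT, password TEXT, usertype TEXT)"
    )
    conn.executemany(
        f"INSERT INTO {TABLE_PREFIX}users VALUES (?, ?, ?, ?, ?, ?)",
        [
            (62, "Administrator", "admin", "admin@example.invalid",
             joomla_salted_hash("forgotten-password"), "Super Administrator"),
            (63, "Site Editor", "ed1tor", "editor@example.invalid",
             md5_hex("editor-pass"), "Editor"),
        ],
    )
    conn.commit()
    return conn


def default_admin_accounts(conn: sqlite3.Connection) -> list:
    """Super Administrators still called 'admin': the FAQ says rename these at once."""
    rows = conn.execute(
        f"SELECT username FROM {TABLE_PREFIX}users "
        "WHERE usertype = 'Super Administrator' AND username = 'admin'"
    ).fetchall()
    return [r[0] for r in rows]


def rename_user(conn: sqlite3.Connection, old: str, new: str) -> int:
    """Step 4 of the rename FAQ, done in SQL instead of the User Manager screen."""
    cur = conn.execute(
        f"UPDATE {TABLE_PREFIX}users SET username = ? WHERE username = ?", (new, old)
    )
    conn.commit()
    return cur.rowcount


def reset_password_sql(username: str, new_password: str) -> tuple:
    """The UPDATE behind step 4 of the reset FAQ: the hash is stored, never the password."""
    sql = f"UPDATE {TABLE_PREFIX}users SET password = ? WHERE username = ?"
    return sql, (md5_hex(new_password), username)


def reset_password(conn: sqlite3.Connection, username: str, new_password: str) -> int:
    sql, params = reset_password_sql(username, new_password)
    cur = conn.execute(sql, params)
    conn.commit()
    return cur.rowcount


def login(conn: sqlite3.Connection, username: str, candidate: str) -> bool:
    """Mirror of the login check: fetch the stored value and compare hashes."""
    row = conn.execute(
        f"SELECT password FROM {TABLE_PREFIX}users WHERE username = ?", (username,)
    ).fetchone()
    return row is not None and verify_password(row[0], candidate)


if __name__ == "__main__":
    db = build_sample_db()
    print("accounts still named 'admin':", default_admin_accounts(db))
    rename_user(db, "admin", "s1te0wner")
    reset_password(db, "s1te0wner", "secret")  # FAQ sample pair: secret = 5ebe2294...
    print("login with the reset password:", login(db, "s1te0wner", "secret"))
    # Step 7 of the FAQ: change this temporary password again right after logging in.
```

The `reset_password_sql` function returns the parameterised UPDATE and the hash separately, which is the same edit step 4 performs by hand in phpMyAdmin; `verify_password` shows why the method survives the 1.0.13 change: a row holding a plain MD5 value still matches, and Joomla! rewrites it into the salted form on the next successful login.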

Online MD5 hash creation tools

Free MD5 utilities for download

Other MD5 tools

  • There are many free online and downloadable MD5 utilities. Google "MD5 hash tool"