Lista de verificação de segurança/Administração de sites

Security Checklist Articles in this series Primeiros passos Hospedagem e configuração de servidor Habilitando o HTTPS em seu site Saiba mais sobre permissões de arquivo Testes e desenvolvimento Configuração do Joomla! Administração do site Recuperação de sites Você foi hackeado ou adulterado

Site Administration

Use well-formed passwords

Change passwords regularly and keep them unique. A strong password has a random combination of letters, numbers, or symbols. Avoid using single names or words found in a dictionary. Never use the names of your relatives, pets, etc. Search the forums for a script supplied by Wizzie that automatically changes passwords. This is a great tool for administrators or multiple sites. There are numerous handy websites that have strong password generators.

Follow a password leveling scheme

Most users may not need more than three levels of passwords and webmasters no more than five. Each level must be completely unrelated to the others in terms of which usernames and passwords are used. We'll let the UK Government Cyber Security Center give the best and latest advice: Click here

Maintain a strong site backup process

Never rely on others' backups. Take responsibility for your backup procedures. Many ISPs state in their contract that you cannot rely solely on their backups.

Monitor crack attempts

VPS and dedicated server users can run TripWire or SAMHAIN. These applications provide exhaustive file checking and reporting functionality, and can be installed in a stealthy manner to help protect themselves in the event of a serious infiltration. (Note: Users of shared servers cannot use this technique.)

Perform automated intrusion detection

Use an Intrusion Prevention/Detection Systems to block/alert on malicious HTTP requests.

• Google search

Perform manual intrusion detection

Regularly check raw logs for suspicious activity. Don't rely on summaries and graphs.

Stay current with security patches and upgrades

Apply vendor-released security patches ASAP.

• Review the vulnerable extensions

Proactively seek site vulnerabilities

Perform frequent web scanning.

• Google Search

Proactively seek SQL injections vulnerabilities

Use tools for conducting automated SQL Injection tests against your PHP applications.

• Google Search
• Wikipedia Article

Use shell scripts to automate security tasks

Search the forums for these popular scripts:

• Joomla! Version Checking
• Joomla! Component/Module Version Checking
• Exploit Checking

Learn about security software

There is not a single tool that can protect your site. If there were, it would be so heavily targeted that it would probably become a liability.

Don't reinvent every wheel

Every now and then, hire a professional Joomla! security consultant to review your configurations. Do you remember the adage, "Anyone who acts as their own lawyer has a fool for a client."? The same goes for Web development. Don't expect to catch all of your own security mistakes.