Difference between revisions of "Security Checklist/Getting Started"
From Joomla! Documentation
< Security Checklist
| Line 25: | Line 25: | ||
===There's no one right way!=== | ===There's no one right way!=== | ||
| − | : Due to the variety and complexity of modern web systems, security issues can't be resolved with simple, one-size-fits-all solutions. You, or someone you trust, must learn enough about your server infrastructure to make valid security decisions. | + | : Due to the variety and complexity of modern web systems, security issues can't be resolved with simple, one-size-fits-all solutions. You, or someone you trust, must learn enough about your server infrastructure to make valid security decisions. Strong security is a moving target. Today's expert might be tomorrow's victim. Welcome to the game... |
| + | |||
===There's no substitute for experience!=== | ===There's no substitute for experience!=== | ||
Revision as of 16:19, 6 November 2008
Read Me First[edit]
Security is always a concern[edit]
- On the Internet, security is an ever present challenge.
The two most important guidelines[edit]
- There are two simple guidelines that go a long way towards securing any Web site. Following these two guidelines will protect your site from almost any catastrophe.
- Backup Early and Often: Setup (and use and test!) a regular backup and recovery process. This one step ensures that you can always recover from any problem.
- Update Early and Often: Promptly update to the latest stable version of Joomla! and any installed third-party extensions. This one step ensures that your site is protected from all new vulnerabilities as soon as a fix is released, and from all new attacks methods as soon as a defense is developed.
- There are many other important security considerations that you can learn about in this checklist and in the Security FAQ's.
Use a secure host[edit]
- Security is largely a Web hosting issue. So, find a good Web host. Consider hiring professional assistance if you have no experience or knowledge in this area. If you wish to ask questions of the community regarding security issues, please do so using the appropriate board (ex., Installation, Migration and Updating, Administration, etc) in the Joomla! Forums.
Caveats[edit]
There's no free lunch![edit]
- Don't be fooled by Joomla's award winning ease-of-use. Maintaining a secure, dynamic Web site on the open Internet is not easy. Adequate security requires skill, knowledge, constant watchfulness, good backups, and continual effort.
There's no one right way![edit]
- Due to the variety and complexity of modern web systems, security issues can't be resolved with simple, one-size-fits-all solutions. You, or someone you trust, must learn enough about your server infrastructure to make valid security decisions. Strong security is a moving target. Today's expert might be tomorrow's victim. Welcome to the game...
There's no substitute for experience![edit]
- To secure your web site, you must gain real experience (some of which will be bitter), or get experienced help from others. Read this tongue-in-cheek description of the Top 10 Stupidest Administrator Tricks.
Encouragements[edit]
Start at the head of the herd[edit]
- The Security Forums are filled with "Help! I've been hacked" posts by people who did NOT follow standard security practices. If you decided to study this checklist before your site is attacked, congratulation, you're already ahead of the herd.
It's not as hard as it looks[edit]
- If this is one of your first Web sites, security considerations may seem intimidating, but you don't have to deal with all of it at once. As you become familiar with tools of modern Open Source Web development, such as GNU/Linux, Apache, MySQL, SQL, PHP, HTTP, CSS, XML, RSS, TCP/IP, FTP, Subversion, JavaScript, Joomla!, you'll add refinements to your set of security tactics.
How to get help[edit]
- If you believe your Web site was attacked, do not post in the Joomla! forums. If there is a vulnerability, publishing that information could put other Web sites at risk. Instead, report possible security vulnerabilities to the Joomla! Security Task Force.
How to read these documents[edit]
- Not all techniques are appropriate for every level of user. Apply the techniques you understand and read up on the ones you don't.
- Not all techniques are appropriate for every server. If you use a shared server, you will need to depend on the settings established by your hosting provider. If you are using a virtual or dedicated server, you will be able to apply more creative and exotic techniques.
- Not all techniques are appropriate for all Joomla! versions. Where a technique applies to only one version, an image is added, such as
or 
.
Getting Started[edit]
Are you ready?[edit]
- Can you administer a dynamic, 24x7, world-accessible, database-driven, interactive, user-authenticated web server?
- Do you have the time and resources to respond to the flow of emerging Internet security issues? The Top 10 Stupidest Administrator Tricks is a comic/tragic look at what can go wrong. Don't learn these tricks the hard way! Depending on your recent experience, reading the Stupidest Tricks will either make you laugh or cry.
Stay informed of security issues[edit]
- Given the complexity of web servers, new vulnerabilities and conflicts are discovered all the time. To receive all security announcements, just subscribe to Joomla Security News. There are several ways to subscribe:
Check the FAQs.[edit]
- The most helpful posts in the Joomla! Security Forum are converted into Security and Performance FAQs. Many of the items on this list are explained in much greater detail in the FAQs.
Learn from the pros[edit]
- Read the excellent Absolute Beginners Guide to Joomla! It has wealth of tips and tricks presented in an easy to understand format. Even experienced Joomlaists find great ideas here.
- Hunt down the many nuggets of wisdom found in the Joomla! Forums, in particular the Joomla! 1.5 Security Forum and the Joomla! 1.0 Security Forum.