Difference between revisions of "Security Checklist/Getting Started"

From Joomla! Documentation

< Security Checklist
(fix links to new rss feed)
Line 1: Line 1:
 
{{RightTOC}}
 
{{RightTOC}}
== Before You Begin ==
+
== Read Me First==
  
* Are you aware of this important link: [http://feeds.joomla.org/JoomlaSecurityNews Joomla Security News] ? Have you subscribed?
+
:On the Internet, security is always a concern. For that reason, you are strongly encouraged to subscribe to Joomla! Security Announcements for the latest information on releases. You can [http://feeds.joomla.org/JoomlaSecurityNews read the announcements using your favorite feed reader] or have announcements emailed to you the moment they are posted in the Security Center.
:The number one cause of compromised Joomla installs is users failing to keep up to date with security patches. Are '''YOU''' running the latest secure version?
 
  
* The number two reason is insecure hosting setups. ''Is your hosting secure?''
+
:If this is one of your first Web sites, security considerations will no doubt seem complicated and intimidating. There are two simple steps that go a long way towards securing a Web site: regular backups and prompt updates to the latest Joomla! release.
  
Once you have passed the two tests above, you are ready to begin.
+
:There are many other important security considerations that you can learn about by reading the Joomla! Administrator's Security Checklist and the Security FAQ's.
 +
 
 +
:If you believe your Web site was attacked, do not post in the Joomla! forums. If there is a vulnerability, publishing that information could put other Web sites at risk. Instead, report possible security vulnerabilities to the Joomla! Security Task Force.
 +
 
 +
:Security is largely a Web hosting issue. So, find a good Web host. Consider hiring professional assistance if you have no experience or knowledge in this area. If you wish to ask questions of the community regarding security issues, please do so using the appropriate board (ex., Installation, Migration and Updating, Administration, etc) in the Joomla! Forums.
  
 
== Read Me First! (OK, Second!) ==
 
== Read Me First! (OK, Second!) ==

Revision as of 00:07, 29 October 2008

Read Me First[edit]

On the Internet, security is always a concern. For that reason, you are strongly encouraged to subscribe to Joomla! Security Announcements for the latest information on releases. You can read the announcements using your favorite feed reader or have announcements emailed to you the moment they are posted in the Security Center.
If this is one of your first Web sites, security considerations will no doubt seem complicated and intimidating. There are two simple steps that go a long way towards securing a Web site: regular backups and prompt updates to the latest Joomla! release.
There are many other important security considerations that you can learn about by reading the Joomla! Administrator's Security Checklist and the Security FAQ's.
If you believe your Web site was attacked, do not post in the Joomla! forums. If there is a vulnerability, publishing that information could put other Web sites at risk. Instead, report possible security vulnerabilities to the Joomla! Security Task Force.
Security is largely a Web hosting issue. So, find a good Web host. Consider hiring professional assistance if you have no experience or knowledge in this area. If you wish to ask questions of the community regarding security issues, please do so using the appropriate board (ex., Installation, Migration and Updating, Administration, etc) in the Joomla! Forums.

Read Me First! (OK, Second!)[edit]

Not all techniques are appropriate for all Joomla! versions. Where a technique applies to only one version, an image is added. For example:
Joomla! 1.0.x Example
Compat 10.png Set Joomla! Register Globals Emulation OFF.
Joomla! 1.5.x Example
Compat 15.png To take full advantage of new security features, ensure that all third party extensions are Joomla! 1.5 native.
Download extensions from trusted sites, and compare the file's MD5 hash to detect download errors. This suggestions applies to both versions, so no compatibility image is used.


There's no free lunch![edit]

Don't be fooled by Joomla's award winning ease-of-use. Maintaining a secure, dynamic Web site on the open Internet is not easy. Adequate security requires skill, knowledge, constant watchfulness, good backups, and continual effort.

There's no one right way![edit]

Due to the variety and complexity of modern web systems, security issues can't be resolved with simple, one-size-fits-all solutions. You, or someone you trust, must learn enough about your server infrastructure to make valid security decisions.

There's no substitute for experience![edit]

To secure your web site, you must gain real experience (some of which will be bitter), or get experienced help from others.

Rise above the herd[edit]

The Security Forums are filled with "Help! I've been hacked" posts by people who did NOT follow standard security practices (this author included). If you decided to study documents such as this before your site is attacked, congratulation, you're already above the herd.

It's not as hard as it looks[edit]

The following checklist may seem intimidating, but you don't have to deal with all of it at once. As you become familiar with tools of modern Open Source Web development, such as GNU/Linux, Apache, MySQL, SQL, PHP, HTTP, CSS, XML, RSS, TCP/IP, FTP, Subversion, JavaScript, Joomla!, you'll add refinements to your set of security tactics.
All complex, dynamic, and open systems require powerful error checking and recovery methods. Web sites are no different. Strong security is a moving target. Today's expert might be tomorrow's victim. Welcome to the game...

Getting Started[edit]

Are you ready?[edit]

  1. Can you administer a dynamic, 24x7, world-accessible, database-driven, interactive, user-authenticated web server?
  2. Do you have the time and resources to respond to the flow of emerging Internet security issues? The Top 10 Stupidest Administrator Tricks is a comic/tragic look at what can go wrong. Don't learn these tricks the hard way! Depending on your recent experience, reading the Stupidest Tricks will either make you laugh or cry.

Stay informed of security issues[edit]

Given the complexity of web servers, new vulnerabilities and conflicts are discovered all the time. To receive all security announcements, just subscribe to Joomla Security News. There are two ways to subscribe: automatic email notification or RSS feed.

Check the FAQs.[edit]

The most helpful posts in the Joomla! Security Forum are converted into Security and Performance FAQs. Many of the items on this list are explained in much greater detail in the FAQs.

Learn from the pros[edit]

Hunt down the many nuggets of wisdom found in the Joomla! Forums.
Hunt down the many nuggets of wisdom found in the Joomla! Forums.


Go To Hosting and Server Setup[edit]

When you're ready, continue on to Security Checklist 2 - Hosting and Server Setup.
Retrieved from "https://docs.joomla.org/index.php?title=Security_Checklist/Getting_Started&oldid=11411"