Difference between revisions of "Security Checklist/Joomla! Setup"

From Joomla! Documentation

< Security Checklist
(Undo revision 26620 by Knightofmathematics (Talk))
(Remove 1.6 and 1.7 tags and add 3.1)
(22 intermediate revisions by 7 users not shown)
Line 1: Line 1:
{{RightTOC}}
+
{{:Security Checklist/TOC}}
 
 
 
== Configuring Joomla!==
 
== Configuring Joomla!==
  
Line 8: Line 7:
 
: Upgrade to the [http://www.joomla.org/download.html latest stable version of Joomla!] as soon as possible.  
 
: Upgrade to the [http://www.joomla.org/download.html latest stable version of Joomla!] as soon as possible.  
  
: Download Joomla! from official sites only, such as [http://joomlacode.org/ JoomlaCode.org], and check the [http://www.joomla.org/content/category/5/39/95/ MD5 hash].
+
: Download Joomla! from official sites only, such as [http://joomlacode.org/ JoomlaCode.org], and check the [http://docs.joomla.org/How_to_determine_a_package_checksum MD5 hash].
  
 
: Use [http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,1146/Itemid,35/ Joomla Diagnostics] to ensure that all files were installed correctly. (Note: the version of Joomla Diagnostics made for the initial release of 1.5 does not work for 1.5.3.)
 
: Use [http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,1146/Itemid,35/ Joomla Diagnostics] to ensure that all files were installed correctly. (Note: the version of Joomla Diagnostics made for the initial release of 1.5 does not work for 1.5.3.)
 +
 +
Note to editors: This extension has been unpublished for the following reason: UR8-Copyright Violations
  
 
===Change the default administrator username===
 
===Change the default administrator username===
: Change the user name of the default admin user. This simple step effectively increases the security of this critical account 50% by modifying one of the two variables attackers must know to gain access. The password is the other variable. Change it early and often. '''([[Security_and_Performance_FAQs#Why_should_I_immediately_change_the_name_of_the_default_admin_user.3F|FAQ]])'''
+
: Change the user name of the default admin user. This simple step effectively increases the security of this critical account 50% by modifying one of the two variables attackers must know to gain access. The password is the other variable. Change it early and often. '''([[Security_and_Performance_FAQs#Why_should_I_immediately_change_the_name_of_the_default_admin_user_after_a_new_install.3F|FAQ]])'''
  
 
===Protect directories and files===
 
===Protect directories and files===
: Increase the security of the critical ''configuration.php'' file by moving it outside of the ''public_html'' directory. For more information visit '''([[Security_and_Performance_FAQs#How_do_I_move_confidential_files_outside_of_public_html.3F|FAQ]])'''
+
: Increase the security of the critical ''configuration.php'' file by moving it outside of the ''public_html'' directory. For more information visit '''([[Security_and_Performance_FAQs#Moving_sensitive_files_outside_the_web_root|FAQ]])'''
  
 
: Ensure that all configurable paths to writable or uploadable directories (document repositories, image galleries, caches) are outside of public_html. Check third party extensions such as DOCMan and Gallery2 for editable paths to writable directories.  
 
: Ensure that all configurable paths to writable or uploadable directories (document repositories, image galleries, caches) are outside of public_html. Check third party extensions such as DOCMan and Gallery2 for editable paths to writable directories.  
  
: [[Image:Compat_15.png]] In the Back-End Global Configuration, change the log path. Some extensions use the built in JLog class. This will, by default write logs to http://yousite/logs. Change this to a place that a casual browser cannot find (and don't pick /tmp/), or lock it down with http authentication. Because we are dealing Open Source software, attackers can read the code of third-party extensions and may be able to guess log file names.
+
: {{JVer|1.5}}{{JVer|2.5}}{{JVer|3.x}} In the Back-End Global Configuration, change the log path. Some extensions use the built in JLog class. This will, by default write logs to http://yousite/logs. Change this to a place that a casual browser cannot find (and don't pick /tmp/), or lock it down with http authentication. Because we are dealing with Open Source software, attackers can read the code of third-party extensions and may be able to guess log file names.
  
: [[Image:Compat_15.png]] In the Back-End Global Configuration, change the temp folder path.
+
: {{JVer|1.5}}{{JVer|2.5}}{{JVer|3.x}} In the Back-End Global Configuration, change the temp folder path.
  
 
: If the log and temp paths are changed and PHP ''open_basedir'' configuration directive is set, make sure that the new paths fall within the scope of ''open_basedir''.
 
: If the log and temp paths are changed and PHP ''open_basedir'' configuration directive is set, make sure that the new paths fall within the scope of ''open_basedir''.
Line 36: Line 37:
 
: Remove all design templates not needed by your site. Never put security logic into template files.
 
: Remove all design templates not needed by your site. Never put security logic into template files.
  
: [[Image:Compat_15.png]] Disable the XML-RPC server if you don't need it.
+
: {{JVer|1.5}} Disable the XML-RPC server if you don't need it.
  
 
: Clean up after installs. The installation process will require you to delete the installation directory and all its contents. Do this; do not simply rename it. If you upload files to your site as compressed archives (xxxx.zip for example), don't forget to remove the compressed file. Check the /temp/ directory as temporary files may remain there after a failed installation attempt.
 
: Clean up after installs. The installation process will require you to delete the installation directory and all its contents. Do this; do not simply rename it. If you upload files to your site as compressed archives (xxxx.zip for example), don't forget to remove the compressed file. Check the /temp/ directory as temporary files may remain there after a failed installation attempt.
Line 44: Line 45:
 
===Turn Register Globals Emulation OFF===
 
===Turn Register Globals Emulation OFF===
  
: [[Image:Compat_10.png]] Turn Joomla's Register Globals Emulation OFF. Although this setting is somewhat safer than PHP register_globals, you are much better off avoiding such settings all together (as well as any applications that require them). On pre-1.0.13 versions of Joomla, this setting is found in the globals.php file. As of version 1.0.13, it can be turned off in the Back-end, under Global Settings.  
+
: {{JVer|1.0}} Turn Joomla's Register Globals Emulation OFF. Although this setting is somewhat safer than PHP register_globals, you are much better off avoiding such settings all together (as well as any applications that require them). On pre-1.0.13 versions of Joomla, this setting is found in the globals.php file. As of version 1.0.13, it can be turned off in the Back-end, under Global Settings.  
  
: [[Image:Compat_15.png]] Joomla 1.5 and greater, does not use register globals, and in fact has smart code to defeat this setting even if it's turned on at the PHP level. Note that although this makes Joomla itself safer, any server with register globals turned on is potentially vulnerable. Any shared server with register globals turned on is more than likely a sitting duck. Any hosting provider that insists register globals should be turned on is ignorant, incompetent, or worse. Was that blunt enough?
+
: {{JVer|1.5}}{{JVer|2.5}}{{JVer|3.x}} Joomla 1.5 and greater, does not use register globals, and in fact has smart code to defeat this setting even if it's turned on at the PHP level. Note that although this makes Joomla itself safer, any server with register globals turned on is potentially vulnerable. Any shared server with register globals turned on is more than likely a sitting duck. Any hosting provider that insists register globals should be turned on is ignorant, incompetent, or worse. Was that blunt enough?
  
 
: For more information on register_globals, please see [[Security_Checklist_2_-_Hosting_and_Server_Setup#Don.27t_use_PHP_register_globals|Security Checklist: PHP: register_globals]].
 
: For more information on register_globals, please see [[Security_Checklist_2_-_Hosting_and_Server_Setup#Don.27t_use_PHP_register_globals|Security Checklist: PHP: register_globals]].
Line 75: Line 76:
  
 
===Avoid encrypted code===
 
===Avoid encrypted code===
: Joomla is (and dispite disinformation campaigns, always has been) a GNU GPL project. This means that all extensions to Joomla must also be free (as in freedom) and open (as in readable code). Encrypted code may be safe, but you can't determine this for yourself, and so you must trust the developers. Using others' encrypted code puts you back in the world of proprietary software where you must wait for security patches from the developer, hoping that attackers don't find your site first before a fix is released.
+
: Joomla is (and despite disinformation campaigns, always has been) a GNU GPL project. This means that all extensions to Joomla must also be free (as in freedom) and open (as in readable code). Encrypted code may be safe, but you can't determine this for yourself, and so you must trust the developers. Using others' encrypted code puts you back in the world of proprietary software where you must wait for security patches from the developer, hoping that attackers don't find your site first before a fix is released.
  
 
: You are often not free to modify, improve, or share encrypted code. These restrictions make encrypted code less valuable to the community as a whole, and reduce the overall viability of the Joomla project which depends on open sharing among all participants.
 
: You are often not free to modify, improve, or share encrypted code. These restrictions make encrypted code less valuable to the community as a whole, and reduce the overall viability of the Joomla project which depends on open sharing among all participants.
  
: Of course, code that is not distributed to others is exempt from GNU GPL distribution requirements. Thus you can encrypt Joomla-related code your own servers providing you do not share it with others.
+
: Of course, code that is not distributed to others is exempt from GNU GPL distribution requirements. Thus you can encrypt Joomla-related code on your own servers, providing you do not share it with others.
  
 
==Additional Joomla! Hardening Tips and Tricks ==
 
==Additional Joomla! Hardening Tips and Tricks ==
Line 87: Line 88:
  
 
===Use an SSL server===
 
===Use an SSL server===
''This more to do with secure payments and administration, and is not joomla core or server security, but have been included here for advice
+
''This has more to do with secure payments and administration, and is not Joomla! core or server security, but has been included here for advisory purposes.
 
''
 
''
 
: SSL servers are currently the only way to securely process confidential transactions and secure user authentication. SSL works by encrypting all HTTP communications between the Web server and Web clients. Thus, even if a transmission is intercepted, it cannot be read.  
 
: SSL servers are currently the only way to securely process confidential transactions and secure user authentication. SSL works by encrypting all HTTP communications between the Web server and Web clients. Thus, even if a transmission is intercepted, it cannot be read.  
Line 96: Line 97:
 
: For an additional layer of password protection, you can use .htaccess to password protect critical  directories. This is usually adequate for blocking the typical script kiddie, but be aware that .htaccess password protection alone is not a highly secure method. It MUST be combined with an SSL server for maximum protection. An SSL server is required for protecting your site from more sophisticated attacks, such as packet sniffing.
 
: For an additional layer of password protection, you can use .htaccess to password protect critical  directories. This is usually adequate for blocking the typical script kiddie, but be aware that .htaccess password protection alone is not a highly secure method. It MUST be combined with an SSL server for maximum protection. An SSL server is required for protecting your site from more sophisticated attacks, such as packet sniffing.
  
===Switch to Joomla! 1.5===
+
===Switch to Joomla! 1.5 or newer===
: [[Image:Compat_10.png]] The most significant upgrade in Joomla!'s history includes powerful security and performance enhancements.
+
{{JVer|1.0}} The most significant upgrade in Joomla!'s history includes powerful security and performance enhancements.
 
* [http://www.joomla.org/content/view/4483/118/ Joomla 1.5 Overview]
 
* [http://www.joomla.org/content/view/4483/118/ Joomla 1.5 Overview]
* [http://joomlacode.org/gf/project/joomla/frs/?action=FrsReleaseBrowse&frs_package_id=3587 Joomla Downloads]
+
* [http://joomlacode.org/gf/project/joomla/frs/?action=index Joomla Downloads]
  
 
=== Add Joomla! Security Announcements to your site ===
 
=== Add Joomla! Security Announcements to your site ===
Line 105: Line 106:
  
 
* [http://docs.joomla.org/Security_and_Performance_FAQs#How_can_I_add_the_Joomla.21_Security_Announcements_Feed_to_the_Admin_Control_Panel.3F How can I add the Joomla! Security Announcements Feed to the Admin Control Panel?]
 
* [http://docs.joomla.org/Security_and_Performance_FAQs#How_can_I_add_the_Joomla.21_Security_Announcements_Feed_to_the_Admin_Control_Panel.3F How can I add the Joomla! Security Announcements Feed to the Admin Control Panel?]
 
== Choose A Checklist==
 
# [[Security Checklist 1 - Getting Started|Getting Started]]
 
# [[Security Checklist 2 - Hosting and Server Setup|Hosting and Server Setup]]
 
# [[Security Checklist 3 - Testing and Development|Testing and Development]]
 
# [[Security Checklist 4 - Joomla Setup|Joomla Setup]]
 
# [[Security Checklist 5 - Site Administration|Site Administration]]
 
# [[Security Checklist 6 - Site Recovery|Site Recovery]]
 
 
== Edited by==
 
[http://forum.joomla.org/memberlist.php?mode=viewprofile&u=39784 rliskey]
 
  
 
<!-- KEEP THIS AT THE END OF THE PAGE -->
 
<!-- KEEP THIS AT THE END OF THE PAGE -->
 
[[Category:Security Checklist]]
 
[[Category:Security Checklist]]

Revision as of 17:18, 29 April 2013

Configuring Joomla![edit]

Install official versions of Joomla![edit]

To avoid breaking your site, search the forums for reports of incompatible extensions before upgrading to a new version of Joomla.
Upgrade to the latest stable version of Joomla! as soon as possible.
Download Joomla! from official sites only, such as JoomlaCode.org, and check the MD5 hash.
Use Joomla Diagnostics to ensure that all files were installed correctly. (Note: the version of Joomla Diagnostics made for the initial release of 1.5 does not work for 1.5.3.)

Note to editors: This extension has been unpublished for the following reason: UR8-Copyright Violations

Change the default administrator username[edit]

Change the user name of the default admin user. This simple step effectively increases the security of this critical account 50% by modifying one of the two variables attackers must know to gain access. The password is the other variable. Change it early and often. (FAQ)

Protect directories and files[edit]

Increase the security of the critical configuration.php file by moving it outside of the public_html directory. For more information visit (FAQ)
Ensure that all configurable paths to writable or uploadable directories (document repositories, image galleries, caches) are outside of public_html. Check third party extensions such as DOCMan and Gallery2 for editable paths to writable directories.
Joomla 1.5Joomla 2.5Joomla 3.x In the Back-End Global Configuration, change the log path. Some extensions use the built in JLog class. This will, by default write logs to http://yousite/logs. Change this to a place that a casual browser cannot find (and don't pick /tmp/), or lock it down with http authentication. Because we are dealing with Open Source software, attackers can read the code of third-party extensions and may be able to guess log file names.
Joomla 1.5Joomla 2.5Joomla 3.x In the Back-End Global Configuration, change the temp folder path.
If the log and temp paths are changed and PHP open_basedir configuration directive is set, make sure that the new paths fall within the scope of open_basedir.
There is currently no easy way to move the Joomla! /image and /media directories. This is because thousands of third party extensions expect to find these important directories at the current location. The best plan is to make sure open_basedir is properly set for all the user accounts on your server. Check with your host if unsure.

Adjust file and directory permissions[edit]

This option no longer appears in Joomla. On Older versions of Joomla : Once your site is configured and stable, write-protect critical directories and files by changing directory permissions to 755, and file permissions to 644. There is a feature in Site --> Global Configuration --> Server to set all folder and file permissions at once. Test third party extensions afterwards, and carefully review the code of any extension that has trouble with such settings. Note: Depending on your server's permissions, you may need to temporarily reset to more open permissions when installing more extensions with the Joomla! installer. This option no longer appears in Joomla. but is included for historical purposes.

Remove unneeded files[edit]

Remove all design templates not needed by your site. Never put security logic into template files.
Joomla 1.5 Disable the XML-RPC server if you don't need it.
Clean up after installs. The installation process will require you to delete the installation directory and all its contents. Do this; do not simply rename it. If you upload files to your site as compressed archives (xxxx.zip for example), don't forget to remove the compressed file. Check the /temp/ directory as temporary files may remain there after a failed installation attempt.
In general, do not leave any unneeded files (compressed or otherwise) on a public server. Each unused (and perhaps long forgotten) file is a potential security hole.

Turn Register Globals Emulation OFF[edit]

Joomla 1.0 Turn Joomla's Register Globals Emulation OFF. Although this setting is somewhat safer than PHP register_globals, you are much better off avoiding such settings all together (as well as any applications that require them). On pre-1.0.13 versions of Joomla, this setting is found in the globals.php file. As of version 1.0.13, it can be turned off in the Back-end, under Global Settings.
Joomla 1.5Joomla 2.5Joomla 3.x Joomla 1.5 and greater, does not use register globals, and in fact has smart code to defeat this setting even if it's turned on at the PHP level. Note that although this makes Joomla itself safer, any server with register globals turned on is potentially vulnerable. Any shared server with register globals turned on is more than likely a sitting duck. Any hosting provider that insists register globals should be turned on is ignorant, incompetent, or worse. Was that blunt enough?
For more information on register_globals, please see Security Checklist: PHP: register_globals.

Installing Joomla! Extensions[edit]

Backup before installing[edit]

Before installing extensions, always backup your site's files and database. This follows a very basic principle:
Thou shalt at all times be able to return your site to a previous working state.
Therefore, it's smart to set up a simple and fast backup script to automate this task. If you don't set up an easy process in advance, you'll be sorely tempted to do a quick upgrade without backing up first. This very understandable tendency is however one of the chief causes of premature hair loss, sudden career changes, and even death.

Check for extension vulnerabilities[edit]

Most security vulnerabilities are caused by third party extensions. Before installing extensions, check the Official List of Vulnerable 3rd Party/Non Joomla! Extensions. There's an entire forum dedicated to vulnerable third part extensions. Subscribe to it.

Download from trusted sites[edit]

The fully qualified and official definition of a "trusted site" is one that YOU trust.

User beware! Check the code quality[edit]

Third party extensions come in all flavors of quality and age. Although Joomla! coding standards exist, third party developers are not required to follow them. Extensions listed on the official Joomla! site are not reviewed for compliance, however if verified vulnerabilities are reported, they will be removed from the list until they are fixed.

Test, test, test...[edit]

Test all extensions on a development site before installing on a production site. Then test on the production site. Don't forget to check the logs for runtime errors and warnings.

Remove junk files[edit]

Remove all unused extensions and double check that related folders and files were actually removed by uninstall scripts. Note that during uninstall, many third party extensions will leave related files on your site, and related database tables complete with data. This is either a feature or a bug depending on your point of view. Any files left on your server remain accessible from the Web via direct URLs, such as http://yousite.com/modules/bad_module.

Avoid encrypted code[edit]

Joomla is (and despite disinformation campaigns, always has been) a GNU GPL project. This means that all extensions to Joomla must also be free (as in freedom) and open (as in readable code). Encrypted code may be safe, but you can't determine this for yourself, and so you must trust the developers. Using others' encrypted code puts you back in the world of proprietary software where you must wait for security patches from the developer, hoping that attackers don't find your site first before a fix is released.
You are often not free to modify, improve, or share encrypted code. These restrictions make encrypted code less valuable to the community as a whole, and reduce the overall viability of the Joomla project which depends on open sharing among all participants.
Of course, code that is not distributed to others is exempt from GNU GPL distribution requirements. Thus you can encrypt Joomla-related code on your own servers, providing you do not share it with others.

Additional Joomla! Hardening Tips and Tricks[edit]

Avoid shared servers if possible[edit]

For maximum security, avoid a shared server on which you don't know or can't trust all the other users or their code quality.

Use an SSL server[edit]

This has more to do with secure payments and administration, and is not Joomla! core or server security, but has been included here for advisory purposes.

SSL servers are currently the only way to securely process confidential transactions and secure user authentication. SSL works by encrypting all HTTP communications between the Web server and Web clients. Thus, even if a transmission is intercepted, it cannot be read.
Joomla! 1.0.x does not allow you to assign an SSL server to individual sub-directories. Search the forums for "Tommy Hack" for one way to deal with this. Joomla! 1.5 has greatly improved SSL options.

Use Apache's .htaccess[edit]

For an additional layer of password protection, you can use .htaccess to password protect critical directories. This is usually adequate for blocking the typical script kiddie, but be aware that .htaccess password protection alone is not a highly secure method. It MUST be combined with an SSL server for maximum protection. An SSL server is required for protecting your site from more sophisticated attacks, such as packet sniffing.

Switch to Joomla! 1.5 or newer[edit]

Joomla 1.0 The most significant upgrade in Joomla!'s history includes powerful security and performance enhancements.

Add Joomla! Security Announcements to your site[edit]

The Joomla! Security Team supports and RSS feed that provides the latest Joomla security information. The following FAQ explains how to add this feed to your site.