Difference between revisions of "Security Checklist/Site Administration"

From Joomla! Documentation

< Security Checklist
(→‎Consider using 2 factor authentication: added link re secret key issue)
Line 8: Line 8:
 
: For superusers (and perhaps other powerful users) consider using 2 factor authentication. {{JVer/multi|3.2}}
 
: For superusers (and perhaps other powerful users) consider using 2 factor authentication. {{JVer/multi|3.2}}
  
If you set all superusers on your live site to use 2FA then currently (written Aug 2014) you will need to read
+
If you set all superusers on your live site to use 2FA then currently (written Aug 2014) if you are locked out of your site after recovery you can rename the folder plugins/twofactorauth to twofactorauth.BAK and log in to your site's back-end. Then disable all plugins under the "twofactorauth" group. Finally, rename the plugins/twofactorauth.BAK folder of your site back to twofactorauth.
http://github.com/joomla/joomla-cms/issues/4126#issuecomment-52558665
 
when doing your disaster recovery test.
 
  
 
===Maintain a strong site backup process===
 
===Maintain a strong site backup process===

Revision as of 07:20, 26 August 2014

Site Administration[edit]

Use well-formed passwords[edit]

Change passwords regularly and keep them unique. A strong password has a random combination of letters, numbers, or symbols. Avoid using single names or words found in a dictionary. Never use the names of your relatives, pets, etc. Search the forums for a script supplied by Wizzie that automatically changes passwords. This is a great tool for administrators or multiple sites. There are numerous handy websites that have strong password generators.

Consider using 2 factor authentication[edit]

For superusers (and perhaps other powerful users) consider using 2 factor authentication.  Joomla 3.2

If you set all superusers on your live site to use 2FA then currently (written Aug 2014) if you are locked out of your site after recovery you can rename the folder plugins/twofactorauth to twofactorauth.BAK and log in to your site's back-end. Then disable all plugins under the "twofactorauth" group. Finally, rename the plugins/twofactorauth.BAK folder of your site back to twofactorauth.

Maintain a strong site backup process[edit]

Never rely on others' backups. Take responsibility for your backup procedures. Many ISPs state in their contract that you cannot rely solely on their backups.

Monitor crack attempts[edit]

VPS and dedicated server users can run TripWire or SAMHAIN. These applications provide exhaustive file checking and reporting functionality, and can be installed in a stealthy manner to help protect themselves in the event of a serious infiltration. (Note: Users of shared servers cannot use this technique.)

Perform automated intrusion detection[edit]

Use an Intrusion Prevention/Detection Systems to block/alert on malicious HTTP requests.

Perform manual intrusion detection[edit]

Regularly check raw logs for suspicious activity. Don't rely on summaries and graphs.

Stay current with security patches and upgrades[edit]

Apply vendor-released security patches ASAP.

Proactively seek site vulnerabilities[edit]

Perform frequent web scanning.

Proactively seek SQL injections vulnerabilities[edit]

Use tools such as Paros Proxy for conducting automated SQL Injection tests against your PHP applications.

Use shell scripts to automate security tasks[edit]

Search the forums for these popular scripts:
  • Joomla! Version Checking
  • Joomla! Component/Module Version Checking
  • Exploit Checking

Learn about security software[edit]

There is not a single tool that can protect your site. If there were, it would be so heavily targeted that it would probably become a liability.

Don't reinvent every wheel[edit]

Every now and then, hire a professional Joomla! security consultant to review your configurations. Do you remember the adage, "Anyone who acts as their own lawyer has a fool for a client."? The same goes for Web development. Don't expect to catch all of your own security mistakes.