Difference between revisions of "Security Checklist/Site Administration"
From Joomla! Documentation
Revision as of 04:16, 17 March 2014
Site Administration
Use well-formed passwords
- Change passwords regularly and keep each one unique: never reuse a site's administrator password anywhere else. A strong password is a long, random combination of letters, numbers and symbols. Avoid single names or words found in a dictionary, and never use the names of relatives, pets and so on. Search the forums for the script supplied by Wizzie that changes passwords automatically; it is a useful tool for administrators of multiple sites. There are numerous handy websites with strong password generators (for example http://strongpasswordgenerator.com), and any password manager can generate and store one for you.
Consider using two-factor authentication
- For Super Users (and perhaps other powerful users) consider enabling two-factor authentication, available in Joomla! 3.2 and later. With a second factor in place, a guessed or phished password alone is not enough to reach the administrator back end.
Maintain a strong site backup process
- Never rely on others' backups. Take responsibility for your own backup procedures; many ISPs state in their contract that you cannot rely solely on their backups. Keep at least one copy off the server, and periodically restore from a backup to prove that it actually works.
Monitor crack attempts
- VPS and dedicated server users can run Tripwire or Samhain. These host-based intrusion detection tools provide exhaustive file-integrity checking and reporting, and can be installed in a stealthy manner to protect themselves in the event of a serious infiltration. Keep the baseline database (and the key that signs it) off the server, or an intruder with write access can simply regenerate it. (Note: users of shared servers cannot install these tools, since they need system-level access; a lightweight hash-based baseline run from a shell account is the closest substitute.)
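The following is an added example, not code from the Joomla! documentation or from the Tripwire or Samhain projects: a minimal file-integrity baseline in POSIX shell that records the SHA-256 hash of every file under the web root and later reports which files were added, modified or deleted. It assumes `find`, `sort`, `awk` and `sha256sum` (or `shasum`) are available; the sample site tree and the simulated intrusion at the bottom are constructed inside the script, so it runs stand-alone.

```shell
#!/bin/sh
# Added example: hash-based file-integrity check for a Joomla! web root.
# Assumes POSIX sh with find, sort, awk and sha256sum (or shasum) installed.

# Hash files with whichever SHA-256 tool exists (sha256sum on Linux, shasum on BSD/macOS).
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# baseline DIR OUT: write "hash  ./path" for every regular file under DIR into OUT.
# Joomla!'s cache, tmp and logs directories change constantly, so they are skipped;
# anything else that changes without you deploying it deserves a look.
# Paths are sorted so two baselines of the same tree compare line by line.
baseline() {
    ( cd "$1" && find . -type f ! -path './cache/*' ! -path './tmp/*' ! -path './logs/*' \
        | LC_ALL=C sort | while read -r f; do sha256 "$f"; done ) > "$2"
}

# compare OLD NEW: print ADDED / MODIFIED / DELETED lines for paths whose hash differs.
# Keyed on the second whitespace-separated field, so paths containing spaces are not supported.
compare() {
    awk '
        FNR == NR { old[$2] = $1; next }       # first file: the stored baseline
        { new[$2] = $1 }                        # second file: the fresh scan
        END {
            for (p in old) if (!(p in new)) print "DELETED " p
            for (p in new) {
                if (!(p in old))           print "ADDED " p
                else if (old[p] != new[p]) print "MODIFIED " p
            }
        }' "$1" "$2" | LC_ALL=C sort
}

# check DIR BASELINE: rescan DIR and report differences against the stored BASELINE.
check() {
    fresh=$(mktemp)
    baseline "$1" "$fresh"
    compare "$2" "$fresh"
    rm -f "$fresh"
}

# demo: build a constructed site tree, take a baseline, simulate an intrusion and report.
demo() {
    site=$(mktemp -d)
    mkdir -p "$site/libraries" "$site/images" "$site/cache"
    printf 'core\n'   > "$site/index.php"
    printf 'loader\n' > "$site/libraries/loader.php"
    printf 'cached\n' > "$site/cache/page.txt"
    baseline "$site" "$site.baseline"

    printf 'eval(base64_decode(...))\n' > "$site/images/shell.php"     # dropped backdoor
    printf 'loader+backdoor\n'          > "$site/libraries/loader.php" # tampered core file
    rm "$site/index.php"                                               # deleted file
    printf 'cached again\n' > "$site/cache/page.txt"                   # legitimate churn, ignored

    check "$site" "$site.baseline"
    rm -rf "$site" "$site.baseline"
}

demo
```

Run `baseline /path/to/site /safe/place/site.sha256` after every deployment and `check /path/to/site /safe/place/site.sha256` from cron; store the baseline somewhere the web server user cannot write, and treat any unexpected line in the report as an incident until proven otherwise.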
Perform automated intrusion detection
- Use an intrusion detection/prevention system (IDS/IPS) or a web application firewall to alert on, or block, malicious HTTP requests such as SQL injection and path traversal probes.
Perform manual intrusion detection
- Regularly check the raw web server and PHP error logs for suspicious activity; don't rely on summaries and graphs, which hide the individual requests that matter. Look for repeated POSTs to /administrator/, request parameters that no page of yours uses, and requests for files that should not exist.
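As an added example for the two items above (not from the Joomla! documentation or any IDS product), the checks below run over a constructed Apache combined-format access log in POSIX shell and awk: one counts POST requests to /administrator/index.php per client address to surface password guessing, the other flags request lines carrying common injection and traversal tokens after undoing the URL encodings attackers usually hide behind. The log lines, addresses and threshold are constructed for the example; on a real server feed it the raw log, for instance `brute_force_ips 20 < /var/log/apache2/access.log`.

```shell
#!/bin/sh
# Added example: two raw-log checks for a Joomla! site over constructed sample data.
# Assumes POSIX sh with awk and sort; the log format is Apache "combined".

# Constructed sample log (not real traffic). Fields: client, ident, user, [time zone],
# "method path protocol", status, bytes, referer, user agent.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [17/Mar/2014:04:01:11 +0000] "POST /administrator/index.php HTTP/1.1" 200 5120 "-" "python-requests/2.2.1"
203.0.113.7 - - [17/Mar/2014:04:01:12 +0000] "POST /administrator/index.php HTTP/1.1" 200 5120 "-" "python-requests/2.2.1"
203.0.113.7 - - [17/Mar/2014:04:01:12 +0000] "POST /administrator/index.php HTTP/1.1" 200 5120 "-" "python-requests/2.2.1"
203.0.113.7 - - [17/Mar/2014:04:01:13 +0000] "POST /administrator/index.php HTTP/1.1" 200 5120 "-" "python-requests/2.2.1"
203.0.113.7 - - [17/Mar/2014:04:01:13 +0000] "POST /administrator/index.php HTTP/1.1" 200 5120 "-" "python-requests/2.2.1"
203.0.113.7 - - [17/Mar/2014:04:01:14 +0000] "POST /administrator/index.php HTTP/1.1" 200 5120 "-" "python-requests/2.2.1"
198.51.100.23 - - [17/Mar/2014:04:05:40 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "https://example.org/administrator/" "Mozilla/5.0"
192.0.2.44 - - [17/Mar/2014:04:07:02 +0000] "GET /index.php?option=com_content&view=article&id=1%27+UNION+SELECT+1,2,3-- HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
192.0.2.45 - - [17/Mar/2014:04:07:30 +0000] "GET /index.php?option=com_example&file=../../../../etc/passwd HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
192.0.2.46 - - [17/Mar/2014:04:08:15 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
192.0.2.47 - - [17/Mar/2014:04:08:16 +0000] "GET /images/logo.png HTTP/1.1" 200 3400 "https://example.org/" "Mozilla/5.0"
EOF
)

# brute_force_ips [THRESHOLD]: read a log on stdin and print "ip count" for every client
# that POSTed to the administrator login at least THRESHOLD times (default 5).
# Field 6 is the quoted method ("POST) and field 7 the request path.
brute_force_ips() {
    awk -v t="${1:-5}" '
        $6 == "\"POST" && $7 ~ /^\/administrator\/index\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' | LC_ALL=C sort
}

# suspicious_requests: read a log on stdin and echo lines whose request, once lower-cased
# and with the usual URL encodings undone, contains an injection or traversal token.
# The token list is deliberately short; it is a triage aid for reading logs, not a WAF.
suspicious_requests() {
    awk -v q="'" '
        {
            l = tolower($0)
            gsub(/\+/, " ", l); gsub(/%20/, " ", l); gsub(/%27/, q, l)
            gsub(/%2e/, ".", l); gsub(/%2f/, "/", l); gsub(/%3c/, "<", l)
            pat = "union +select|\\.\\./|/etc/passwd|base64_decode|<script|sleep\\(|benchmark\\(|" q " *(or|and) *[" q "0-9]"
            if (l ~ pat) print $0
        }'
}

# review: run both checks over the sample and print a short report.
review() {
    printf '== clients with 5+ POSTs to /administrator/index.php ==\n'
    printf '%s\n' "$SAMPLE_LOG" | brute_force_ips 5
    printf '== requests carrying injection/traversal tokens ==\n'
    printf '%s\n' "$SAMPLE_LOG" | suspicious_requests
}

review
```

On the sample, the first check reports `203.0.113.7 6` (the scripted login attempts) and stays silent about the single legitimate admin login, while the second check returns the two probe lines and neither benign request. A real log will also produce noise from scanners that never hit anything; the value of reading it raw is that you see the one request that did.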
Stay current with security patches and upgrades
- Apply vendor-released security patches as soon as possible.
- Review the Joomla! Vulnerable Extensions List (VEL) and update or remove any extension that appears on it.
Proactively seek site vulnerabilities
- Perform frequent web vulnerability scans of your own site.
Proactively seek SQL injection vulnerabilities
- Use tools such as Paros Proxy (or its successor, OWASP ZAP) for conducting automated SQL injection tests against your PHP applications. Test a staging copy where you can, and only scan systems you are authorised to test.
Use shell scripts to automate security tasks
- Search the forums for these popular scripts:
  - Joomla! version checking
  - Joomla! component/module version checking
  - Exploit checking
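The following is an added example, not one of the forum scripts the checklist refers to and not Joomla! project code, that shows what such a script does: it reads the installed core version from Joomla!'s version class, lists the name and version declared in each extension manifest, and compares a version against the latest release you supply. The file paths checked and the manifest layout are assumptions about Joomla! 1.5/2.5/3.x (and 4.x) trees; the site tree it runs against is constructed by the script itself.

```shell
#!/bin/sh
# Added example: core and extension version checks for a Joomla! tree.
# Assumptions (not from the checklist): the core version lives in one of the version.php
# files listed below, and each extension ships an XML manifest with <name> and <version>.

# joomla_core_version SITE: print "release.devlevel" (e.g. 3.2.3), or fail if none is found.
joomla_core_version() {
    site=$1
    for f in libraries/src/Version.php libraries/cms/version/version.php libraries/joomla/version.php; do
        [ -f "$site/$f" ] || continue
        # 1.5/2.5/3.x: RELEASE = '3.2' and DEV_LEVEL = '3' (as $RELEASE, public or const).
        rel=$(sed -n "s/.*RELEASE *= *'\([^']*\)'.*/\1/p" "$site/$f" | head -n 1)
        dev=$(sed -n "s/.*DEV_LEVEL *= *'\([^']*\)'.*/\1/p" "$site/$f" | head -n 1)
        [ -n "$rel" ] && { printf '%s.%s\n' "$rel" "${dev:-0}"; return 0; }
        # 4.x (assumed layout): integer MAJOR_VERSION / MINOR_VERSION / PATCH_VERSION constants.
        maj=$(sed -n 's/.*MAJOR_VERSION *= *\([0-9][0-9]*\).*/\1/p' "$site/$f" | head -n 1)
        min=$(sed -n 's/.*MINOR_VERSION *= *\([0-9][0-9]*\).*/\1/p' "$site/$f" | head -n 1)
        patch=$(sed -n 's/.*PATCH_VERSION *= *\([0-9][0-9]*\).*/\1/p' "$site/$f" | head -n 1)
        [ -n "$maj" ] && { printf '%s.%s.%s\n' "$maj" "${min:-0}" "${patch:-0}"; return 0; }
    done
    return 1
}

# joomla_extension_versions SITE: print "name version" for every extension manifest found.
joomla_extension_versions() {
    site=$1
    for d in administrator/components components modules administrator/modules plugins; do
        [ -d "$site/$d" ] && find "$site/$d" -name '*.xml'
    done | while read -r f; do
        # Manifests have an <extension> (1.6+) or <install> (1.5) root; skip config.xml, access.xml, etc.
        grep -qE '<(extension|install)[ >]' "$f" || continue
        name=$(sed -n 's/.*<name>\([^<]*\)<\/name>.*/\1/p' "$f" | head -n 1)
        ver=$(sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$f" | head -n 1)
        [ -n "$name" ] && printf '%s %s\n' "$name" "${ver:-unknown}"
    done | LC_ALL=C sort
}

# version_lt A B: succeed if dotted version A is older than B, comparing each component numerically.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# check_core SITE LATEST: LATEST is the current release you read from joomla.org; flag older installs.
# Returns 1 when outdated so it can drive a cron job or monitoring check.
check_core() {
    installed=$(joomla_core_version "$1") || { printf 'core version not found under %s\n' "$1"; return 2; }
    if version_lt "$installed" "$2"; then
        printf 'OUTDATED core: %s installed, %s available\n' "$installed" "$2"; return 1
    fi
    printf 'OK core: %s\n' "$installed"
}

# build_sample_site: create a constructed Joomla! 3.2.3-style tree in a temp dir and print its path.
build_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/libraries/cms/version" "$site/administrator/components/com_example" "$site/modules/mod_demo"
    cat > "$site/libraries/cms/version/version.php" <<'EOF'
<?php
final class JVersion
{
    const RELEASE = '3.2';
    const DEV_LEVEL = '3';
}
EOF
    cat > "$site/administrator/components/com_example/example.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<extension type="component" version="3.2" method="upgrade">
    <name>com_example</name>
    <version>1.4.2</version>
</extension>
EOF
    printf '<?xml version="1.0"?>\n<config><fields/></config>\n' > "$site/administrator/components/com_example/config.xml"
    cat > "$site/modules/mod_demo/mod_demo.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<extension type="module" version="3.2" client="site" method="upgrade">
    <name>mod_demo</name>
    <version>2.0.1</version>
</extension>
EOF
    printf '%s\n' "$site"
}

site=$(build_sample_site)
if ! check_core "$site" 3.2.4; then printf '=> upgrade needed\n'; fi
joomla_extension_versions "$site"
rm -rf "$site"
```

Point `joomla_extension_versions` at a real site and keep the output under version control; a diff between runs tells you what was installed or changed, and comparing each line against the extension's release page (or the VEL) is the "exploit checking" step that no script can fully automate for you.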
Learn about security software
- There is no single tool that can protect your site. If there were, it would be so heavily targeted that it would probably become a liability.
Don't reinvent every wheel
- Every now and then, hire a professional Joomla! security consultant to review your configuration. Remember the adage "Anyone who acts as their own lawyer has a fool for a client"? The same goes for Web development: don't expect to catch all of your own security mistakes.