Blogs - 10 Minute Joomla! Tips Video Podcast

Joomla Security Part 1

Written by Marco Conti Saturday, 24 July 2010 19:30

This episode on Joomla Security marks 10 Minute Joomla! Tips one year anniversary. Because of this milestone, I have decided to bring you a multi part Screencast about Joomla Security and what can be done to secure your Joomla website, your server, your computer and the way you work when building web sites.

NOTE: Please read the article below the video for more information, useful checklists, links and other resources discussed in the Screencast.

While focused on the Joomla CMS, this series of Screencasts on Joomla Security contain enough information to interest anyone concerned about PHP security for their own web site. One of the tools I'll demo in a future episode is the "OSE PHP Security Suite" a comprehensive security suite offered by Open Source Excellence. The suite is based on Joomla but it is installed as a stand alone, strip down, Joomla site. It can help protect many PHP scripts installed on the server.

I'll also demo other products I find useful, if not outright indispensable, such as Roboform (PC) and 1Password (MAC), two of the best "Password Managers" available. A class of software no serious computer user should be without and that help manage complex passwords and other sensitive data. Not only you can save hours (and your sanity) by not looking for passwords in some unsecured text file, but you can also use them to keep and transmit a variety of sensitive data via email, IM or any other unsecured method. All by memorizing a single master password.

Who am I to produce a Security Video?

I don't claim to be a security "Guru" (yet, hopefully), but I feel that I have learned a great deal of useful information I would like to share for everyone's benefit. I hope that these podcasts will inform those that are just starting out and inspire the "Security Experts" to contribute their knowledge and experience. I hope you'll enjoy this Screencast and that you'll help me celebrate 10 Minute Joomla! Tips first anniversary.

Another thing I wanted to stress is that Absolute Security does not exist. Every system can be hacked. The goal, in my opinion, is to make our websites and computers as difficult to hack as possible. Even hackers need to have a good ROI. A system to hard to crack is not an effective use of their time.
Just like "The Club" is not really a big deterrent for auto thieves, it will at least stop the joyrider.

Checklists and links

I try to script my podcasts as much as I can, short of making them a full Hollywood production. But as I went along describing the various steps and tools, even with notes in hand, I failed to mention a few useful tidbits of information or I forgot to define something important in key areas.

To obviate that, I created some on-screen callouts with checklists and useful links.
Since reading hyperlinks and checklists on a video screen, HD or not, is rather difficult, I am including those Callouts here. I hope that in time, through your input and suggestions, I'll be able to make them more useful and complete.

Basic Security Checklist

• Get a good Hosting Plan - Choose a reputable company. I have used Hostgator for many years and I am still impressed by their service and reliability, but I also use different hosts for my clients. Siteground is a good choice, as is Bluehost but I still prefer Hostgator because of the upgrade path they offer and their support.
  Your mileage may vary
• Don't skimp on hosting. Saving the amount of a Starbuck's "Grande Latte" per month is not worth your site going offline. Plan to spend at least $12 to $15 a month. VPS are getting cheaper (as low as $25) and offer almost the same features as a Dedicated Server ($100 and up). Naturally, the latter is the most secure hosting you can buy (you don't share a server with anyone) but it can be expensive
• Unless you are a command line king, use a "Cpanel" based host. They are easier to manage and make extemporaneous backups faster
• Backup religiously! And then backup some more. Akeeba Backup (formerly Joomlapack) is a free, excellent way to automate your backups and they offer a pro version with even more features and support.
• Use a database prefix other than "jos_" (when possible. In some cases it may not work very well as some components require "jos_")
• After installation, remove the extra files in the file system. In Joomla those are:
  • CHANGELOG.php
  • COPYRIGHT.php
  • configuration.php-dist
  • INSTALL.php
  • LICENSE.php
  • ,LICENSES.php
  • CREDITS.php)
    they are no longer needed and could be exploited. If you ar really attached to them for some reason, you can zip them and move them elsewhere on the server.
• Use SEF URLs to mask the distinctive Joomla hyperlink syntax. SH404SEF is an excellent choice and the subject of a future Screencast on SEO.
• Remove the "Generator" Metatag. Also remove everything that could help a hacker recognize that your site is made with Joomla. Such as the /images/joomla_logo_black.jpg graphic appearing when the site is offline. Change the picture and the name (and edit the templates/system/offline.php file reference to it). You can even try to insert some false information, comments, etc. to make it look like the site was built using a different CMS.
• Use your control panel to password the "administrator" folder and any other folders that may need it as long as you don't break the site.
• Move your "tmp" and "logs" folder above the web root (public_html, htdocs, www, etc.)
  NOTE: As you'll see in the video, this last tip doesn't work all the time or at least it requires a bit of sleuthing
• Keep up with the Joomla Security Releases. Include the security feed as an administrator module in your site and/or set it to be emailed to you
  http://feeds.joomla.org/JoomlaSecurityNews?format=xml
• Also keep up with your Extensions Security Releases and subscribe to the "Vulnerable Extension List" http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions
• Uninstall any extensions you no longer use. Audit your sites if you are not sure
• Use .htaccess and/or php.ini to increase your security - We will discuss this in Part 2

Password Managers

In an era where each one of us has to remember at least 8 to 10 passwords (but on average 20 to 30) and were those passwords should be at least 10 caracters long, unique and made up of nonsense, I am amazed that these incredibly useful programs are not chart topping best sellers and they are not mentioned on CNN every day.
For an average of $30, or even for absolutely free, these programs represent the very foundation of modern computer security. Yet, many users, even experienced ones, either scorn them or choose not to use them because they don't want to learn "another program".

I'd rather give up Photoshop than my password manager. I can always use The Gimp for my graphics, but without my passwords my work would halt to a grind.

A password manager works similarly to the way your browser remembers passwords. Login to a site for the first time and it asks you if you'd like to save your login data to its memory. Go back to the same page and it offers you to fill out the login fields for you.
Problem is that most browsers are very basic when it comes to manage your passwords. Try inserting the wrong password and most likely it will haunt you for many moons.

Password managers instead are a cross between the browser "remember" function and your bookmarks, with a sprinkle of magic thrown in.
Even among the most popular, features vary, but if you think you want to buy one look for these basic features:

• Master Password
• Powerful and quick search
• Ability to recognize and connect registration forms with the corresponding login form
• Advanced Identity Manager. It should allow you to preset many common profile fields as well as custom ones and manage alternative IDs
• Ability to handle Encrypted Text Files the same way it handles login passcards
• Can be used as a Bookmark manager
• It's not too obtrusive or can be set at different levels of "helpfulness" (Incidentally, this is the number 1 complaint many new users have. They tend to be a bit too enthusiastic in wanting to save your data. I prefer that and hit "cancel" than spending an afternoon looking for a password )
• It uses powerful encryption
• Its "Cards" can be emailed using a common password between sender and recipient.

Based on these parameters, I have picked a few Password Managers, from great to passable, from free to commercial to Open Source (Not the same as free). I suggest that before making a decision, you test the most promising and that you give yourself a chance to get used to them.
I should also mention that Norton 360 (free for Comcast customers) this year ships with its own Password manager. I prefer Roboform or 1password by far, but it's better than nothing. If you use Norton and do not feel like downloading one of the ones below, activate it.

Some popular Password managers:

• Roboform (www.roboform.com) - PC - Commercial, free to try or for less than 10 passcards
• 1Password (agilewebsolutions.com) - Mac - Commercial
• LastPass (www.lastpass.com) - PC/Mac/Linux - Free with "pro" version ($1 a month)
• KeePass (www.keepass.info) - PC - Free
• KeePassX (www.keepassx.org) - PC/Mac/Linux - Free
• Sxipper (www.sxipper.com) - Firefox Plugin - Free
• Passpack (www.passpack.com) - Online Utility
• Wallet, wallet pro, KeyWallet, Keysafe are some of the other choices.

You can also Google "Password Managers" and spend the next couple of centuries trying out your finds

Thank you for watching 10 Minute Joomla! Tips *cc*

Advertising Info: Conticreative is an affiliate for some of the product we recommend in our blogs, but only a few of them.
In most cases we prefer to endorse Open Source software and we only endorse commercial software when the Open Source version (if one exists) is not on par with the commercial one. The presence of an affiliate relationship does not affect our recommendation of one product Vs. another in the least. But we are not above making a few bucks on a product we use and recommend to our viewers.

Set as favorite

Bookmark

Email this

Hits: 13149

Trackback(0)

TrackBack URI for this entry

Comments (3)

Subscribe to this comment's feed

Show/hide comments

...

I think this is amazing. Ive been running Joomla website for two years now and what I basically need a good security for my Joomla websites. Thank you for this post. WHEN WILL BE THE PART 2? Cant wait for it.

Joomlaexpert , March 24, 2011

• 
• +0
• 
• 

Great!

This is great!
When can we expect "part 2"?

Rene , September 22, 2010

• 
• +0
• 
• 

Thanks.

I've been systematically going through your site, and I absolutely love it. Thank you so much for taking the time to come up with the tutorials. They are a great help, even to those who are good at computers, in fact I would say its specially useful for them, as it helps them to learn stuff faster.

Thank you.

vj , August 10, 2010

• 
• +1
• 
• 

Write comment

Show/hide comment form

Name

Email

Title

Comment

smaller | bigger

Subscribe via email (registered users only)

I have read and agree to the Terms of Usage.

Add Comment Preview