10 security mistakes to avoid in Joomla! - Part One

Whenever you install Joomla! on a server, you must take some measures to secure the installation.

Users often tend to leave the installation as is, leaving the server vulnerable to hackers. That's why, when you install Joomla! on your server, you need to change some configuration settings to avoid major mistakes that affect the overall security of your site.


Let's see the most common mistakes and why they are critical for your system:


Mistake #1. NOT TO download or upgrade to the latest Joomla! version

New versions of Joomla! are released frequently, often containing security fixes, and the developers strongly recommend upgrading to the latest version of Joomla!.

It is important to download Joomla! packages from trusted sources or directly from joomla.org; otherwise you may compromise your system (you may download a modified package that could harm your website). Periodic backups of the whole site are essential, providing a safety net in case something goes wrong because of the update or some other unforeseen event. There are already specialized components that can create backups (files + database) very easily.


Mistake #2. NOT TO check folder permissions after installing Joomla!

Folders that have permissions higher than 755 may compromise your Joomla! site, leaving the "door" open for an attacker to read/write or even upload his own shell files, thus taking control of your site.

On most servers, folder permissions are inherited from the server's default configuration, but it is always good practice to check the folder permissions yourself.

Folders with permissions higher than 755 are possible paths that could be exploited by:

  • creating and uploading files that could make your website vulnerable
  • modifying the existing files

Why take the risk when you could make a quick scan of your Joomla! and instantly find the "weak" folders?


Mistake #3. NOT TO check file permissions

We advise setting the permissions of all Joomla! files to 644 or lower.

Leaving files with permissions higher than 644 makes life easier for hackers trying to access your website. Once they're in, they can easily modify any file whose permissions are higher than 644.
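As an added example for Mistakes #2 and #3 (not code from the original article or from RSFirewall!), the following POSIX shell functions perform the "quick scan" described above: they list every folder looser than 755 and every file looser than 644 under a Joomla! root. The sample site tree the script builds is constructed for the demonstration; the path you audit on a real server is an assumption you supply.

```shell
#!/bin/sh
# Added example, not part of the original article or RSFirewall!:
# audit a Joomla! tree for folders looser than 755 and files looser than 644.

# Build a small constructed sample tree so the script runs stand-alone.
# On a real server you would skip this and pass your Joomla! root instead.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/images" "$root/tmp" "$root/logs"
    printf '<?php\n' > "$root/configuration.php"
    printf 'x' > "$root/images/ok.jpg"
    printf 'x' > "$root/tmp/loose.txt"
    chmod 755 "$root/images" "$root/logs"
    chmod 777 "$root/tmp"            # world-writable folder: should be flagged
    chmod 644 "$root/configuration.php"
    chmod 666 "$root/tmp/loose.txt"  # world-writable file: should be flagged
    printf '%s\n' "$root"
}

# Folders with any permission bit beyond 755, i.e. group- or world-writable.
# -perm /022 matches when at least one of the bits in 022 is set.
find_loose_dirs() {
    find "$1" -type d -perm /022
}

# Files with any bit beyond 644: group/world write, or any execute bit.
find_loose_files() {
    find "$1" -type f -perm /133
}

# Number of findings, so the audit can be used as a pass/fail check
# (0 means every folder is 755 or tighter and every file 644 or tighter).
count_loose() {
    { find_loose_dirs "$1"; find_loose_files "$1"; } | wc -l | tr -d ' '
}

# Usage on a real installation (path is an assumption):
#   find_loose_dirs /var/www/joomla; find_loose_files /var/www/joomla
```

The two `find` commands print nothing on a clean tree, so anything they list is a folder or file worth tightening with `chmod 755` or `chmod 644`.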


Mistake #4. ALLOW uncontrolled file uploads (forums, comments)

Hackers can and will use these applications to upload malware scripts and break into your Joomla! website.

You must allow as few file extensions as possible, and NEVER allow executable script files (.php, .php3, .php4, .php5, .phtml) to be uploaded.
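As an added example (not code from the original article or from RSFirewall!), the following POSIX shell function applies the rule above: an upload is accepted only if its final extension is on a short allowlist, and it is rejected whenever one of the script extensions listed above appears anywhere in the name, since some server configurations will still execute a file such as photo.php.jpg as PHP. The allowlist contents are an assumption; adjust them to what your site really needs.

```shell
#!/bin/sh
# Added example, not part of the original article or RSFirewall!:
# decide whether an uploaded filename may be accepted.

# Assumed allowlist of harmless extensions; the blocklist is the one
# named in the article. Keep the allowlist as short as you can.
ALLOWED_EXT="jpg jpeg png gif pdf"
BLOCKED_EXT="php php3 php4 php5 phtml"

# Print the lower-cased final extension of a filename (empty if it has none).
final_ext() {
    name=${1##*/}
    case "$name" in
        *.*) printf '%s\n' "${name##*.}" | tr 'A-Z' 'a-z' ;;
        *)   printf '\n' ;;
    esac
}

# Return 0 (accept) or 1 (reject).
# Rejects: no extension, a blocked extension anywhere in the name
# (e.g. photo.php.jpg), or a final extension that is not allowlisted.
upload_allowed() {
    ext=$(final_ext "$1")
    [ -n "$ext" ] || return 1
    lower=$(printf '%s' "${1##*/}" | tr 'A-Z' 'a-z')
    for b in $BLOCKED_EXT; do
        case "$lower" in
            *".$b."*|*".$b") return 1 ;;
        esac
    done
    for a in $ALLOWED_EXT; do
        [ "$ext" = "$a" ] && return 0
    done
    return 1
}

# Usage: upload_allowed "$filename" && mv "$tmpfile" "$uploads/$filename"
```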

To avoid this you can use RSFirewall!, which automatically blocks unwanted file uploads. It can also scan your system for malware patterns and hacker scripts.


Mistake #5. Leaving IMPORTANT files and folders accessible to everyone

You must protect sensitive files and folders like:

  • configuration.php - the main Joomla! global configuration file,
  • the Joomla! temporary folder - every extension that you install is first uploaded to this folder,
  • the Joomla! log folder - Joomla!-related activity is recorded here, so an attacker can learn what vulnerabilities may reside within your site.

The best way to protect your site against such attacks is to move these files and folders out of public reach, into a folder that is not accessible from the web.

To better understand how to move these files without compromising the Joomla! functionality, read the following articles:



These are just a few pieces of advice on how to keep your business website secure. However, securing your website is not always easy and may require expert skills.

This is where RSFirewall! comes into play, providing a complete suite of tools specially created for Joomla!. You can access the product demo here: http://demo.rsjoomla.com/. If you have any questions, don't hesitate to ask us.

This is the first part of the article "10 security mistakes to avoid in Joomla!".

Read about the next security mistakes in the second part, where we will talk about insecure PHP configuration settings such as allow_url_fopen and register_globals, and about admin passwords.


Have you applied these basic rules for your website?
Are you sure your Joomla! website is secure?







Rita Lewis (16.03.2010 (06:36:15))
Great points. I recently came upon a new Joomla! site with Administrator and the CB Pending module set to Public and posted. I emailed the guys and pointed it out. They should read your article.
http://wordstoweb.net/
Raphael (16.03.2010 (06:37:44))
Great post. What is the reason for 5.2 (Joomla! temporary folder)? Do you have a further explanation? Thank you.
http://www.artd.ch/
Alex P. (16.03.2010 (06:39:08))
@Raphael: When you install an extension, it can leave unwanted files in the tmp folder. These files are left there because the installer xml file is not formatted properly. If one of these files is a php script that maybe in the original format accepted file uploads, the attacker could use that piece of code to upload unwanted files to your Joomla! website. I know it's less probable to happen, but it's better to prevent than to cure :)
http://www.rsjoomla.com
Robbert (16.03.2010 (06:40:19))
Hi - great article, already looking forward to part 2. I think you should include there the directions of Brian Teeman at his blog about
http://www.joomblocks.com/
Robbert (16.03.2010 (06:40:52))
Sorry, tried to include a link to that article. Didn't work ;) After 'about' I was supposed to add 'about replacing the default admin user'. See http://bit.ly/1p0Bi
http://www.joomblocks.com/
joomla webdesign (16.03.2010 (06:41:59))
@alex thank you for the explanation for 5.2 (Joomla! temporary folder).
http://www.artd.ch/
Mihaela (16.03.2010 (06:43:34))
@Robert thanks for your suggestion. The default admin password is on our list and we will talk about it in part 2 of the post.
http://www.rsjoomla.com
Robbert (16.03.2010 (06:45:08))
@Alex - yes for sure - but in here we are also talking about the admin username and id. Which is 62 by default for every joomla installation. Try to read Brian's article if you have some time. Best regards, Robbert
http://www.joomblocks.com/
albruna (16.03.2010 (06:48:09))
I was surprised that you didn't mention the most basic defense strategy. Protect the admin section with .htaccess / .htpasswd files.
http://www.albruna.nl/
Alex P. (16.03.2010 (06:48:48))
Hello Martin, this is the first part of the article. In the second part, we will talk also about the .htaccess admin protection. Great thing is that with RSFirewall! you can set an additional .htaccess protection for the /administrator on the run, directly from the control panel.
http://www.rsjoomla.com
