/pcq/media/agency_attachments/L8pkS8gpnodJThOdAfv1.jpg)
Follow UsSufyan bin Uzayr, Freelance Writer, Graphic Artist and Photographer www.sufyan.co.nr
In this article let's discuss some of the common security issues encountered by Joomla users, and the steps that can be taken to rectify or, even better, avoid them. So without further ado, let us plunge into it.
|
Joomla, just like any other CMS, is only as secure as the environment that exists around it. This means that your Joomla powered website may crash or be hacked due to the installed extensions or even because of the admin's faults.
What Joomla comes packed with
Joomla by default comes with several handy security measures too, such as Apache being configured to disallow browsing or indexing. In addition to that, passwords are MD5 encrypted and SALTED and the MySQL database itself is password protected.
What your host should do
This is one area where you really can't do much except checking. Needless to say, the server should run the latest software (no more PHP 4). Apart from that, a good web host should run modules like mod_security under Apache and open_basedir under PHP. This comes in very handy in minimizing the chances of XSS or SQL injections and other similar scenarios.
What you should do
Permissions: At times, users tend to perform a clean install of Joomla and then set file and folder read or write permissions to 777 (r/w/x). This proves lethal from security's point of view. Also, there are a few hosts that provide automatic script installers which setup websites this way by default. The safest mechanism is to check after installing and ensure that the permissions are not set to 777.
Barring a few exceptions, file read or write permissions should generally by set to 644 for files and 755 for folders, especially the configuration.php file.
Hosting: While choosing a host for your website, ensure that the server lets you run PHP in CGI mode with su_php. Even though majority of the servers nowadays offer this provision, it's always a safer bet to mention it. Running PHP in CGI mode with su_php means that it runs under your own user account rather than the Global Apache user account. This in turn rules out the desirability of insecure file access permission levels such as 777. If PHP in CGI mode does not run with su_php, you'll inadverently need to set at least some of the file type permissions to 777, thereby exposing your website to security issues.
Joomla FTP layer: If, however, you insist on not employing your own user account (or your server configuration does not allow you to do so), you can use the Joomla FTP Layer (http://help.joomla.org/content/view/ 1941/302/1/2/) as a work around method to install extensions and perform other operations on your Joomla site without triggering any file ownership or access related issues. This however, is not the most popular method as it stores your FTP login credentials in plain text (configuration file).
Tools to aid you
With the security triggers done, let us take a look at some of the tools that can make your life easier (at least from the security point of view):
NMAP: NMAP is a diagnostic and administrative tool that is available under a GPL Licence. It lets you have a comprehensive look of your server and scan ports for any security issues. With NMAP, you can close holes, locate Malware or Trojans and even combat hacking attempts. For more info, you should visit www.insecure.org With that said, NMAP can be a dangerous tool in the wrong hands, and thus it goes without saying that you should use it only to protect yourself. Neither PC Quest nor myself recommend unwarranted scanning of servers.
Wireshark: If you are running a dedicated server, you probably cannot come across a tool more helpful than Wireshark. Available under GPL via www.wireshark.org, Wireshark can tell you details to the extent of showing passwords in clear text! If you run it behind a firewall on a server, it can inform you almost about every single packet! Even though such level of information will be required mainly for heavy traffic websites (or for the highly paranoid web admins), this clearly tells you about the abilities of Wireshark.
Netcat: Netcat is another GPL licenced tool that can be had from http://netcat.sourceforge.net It can perform port scans, conduct file transfers and open back door shells. Obviously, very useful for a web admin but equally dangerous in the hands of a hacker. Just remember, use it for securing your website, not devouring others'!
Nessus: Nessus is another important tool that comes in both commercial and non-commercial versions and either can be had from www.nessus.org. Nessus has been employed by organizations and enterprises to perform security checks as it can locate and single out outdated versions of Apache or even insecure elements in the code. The commercial version of Nessus offers platform specific plugins (Windows servers, etc.) and thus if you run your website on a non-Linux server, you should consider going for the commercial licence.
Acunetix: Acunetix is not licenced under GPL and is a paid tool. While www.acunetix.com also has a free version, it is severely limited to suit the requirements of enterprise usage. Acunetix is a popular tool to combat SQL injections and other similar attacks.
Conclusion
It goes without saying that your admin account must have a strong password. Further more, you may also tweak your .htaccess file to password protect your administrator directory. In this case, a separate password will be required to reach the website.com/administrator page, and so even if your admin password is compromised, the hacker may not be able to reach the login page easily.
With that said, on a concluding note, it must be added that any software is only as secure as its updates. As a result, you should keep your Joomla installation and any extensions that you've installed updated with the latest patches and releases. To be on the safer side, you may as well consider subscribing to the security mailing list at http://feeds.joomla.org/JoomlaSecurityNews.