Thursday, August 13, 2009

10 security mistakes to avoid in Joomla!- Part One

Resource: http://blog.rsjoomla.com/bid/20490/10-security-mistakes-to-avoid-in-Joomla-Part-One

Whenever you install Joomla! on a server, you must take some measures in order to secure the installation.

Users often tend to leave the installation as is, thus making the server vulnerable to hackers. That's why, when you install Joomla! on your server you need to change some configuration settings to avoid some major mistakes that will affect the overall site security.

Let's see the most common mistakes and why they are critical for your system:

Mistake #1. NOT TO download or upgrade to the latest Joomla! Version

New versions of Joomla! are released often and include various security fixes, so the developers strongly recommend upgrading to the latest version of Joomla!

It is important to download Joomla! packages from trusted sources or directly from joomla.org; otherwise you may compromise your system by installing a modified package that could harm your website. Periodic backups of the whole site are essential, providing a safety net in case something goes wrong because of the update or some other unforeseen event. There are already specialized components that can create backups (files + database) very easily.

Mistake #2. NOT TO check folders permissions after installing Joomla!

Folders with permissions higher than 755 may compromise your Joomla! installation, leaving the "door" open for an attacker to read/write existing files or even upload their own shell files, thus taking control of your site.

On the server, usually, folder permissions inherit the root configuration, but it's always a good practice to check the folder permissions.

Folders with permissions higher than 755 are possible paths that could be exploited by:

* creating and uploading files that could make your website vulnerable
* modifying the existent files

Why take the risk when you could make a quick scan of your Joomla! and instantly find the "weak" folders?

Mistake #3. NOT TO check files permissions

We advise setting the permissions of all Joomla! files to 644 or lower.

Leaving files with permissions higher than 644 can make life easier for hackers trying to access your website. Once they're in, they can easily modify files with permissions higher than 644.
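The "quick scan" for weak folders and files described under Mistakes #2 and #3, as an added example (not code from the original post or from RSFirewall!): it lists directories looser than 755 and files looser than 644 with plain `find`, and builds a small constructed sample tree so it can be tried offline. The Joomla!-like layout of the sample tree is an assumption, not a real installation.

```shell
#!/bin/sh
# Added example: permission baseline scan for a Joomla! tree.
# "Above 755" for a directory means any group/world write bit is set;
# "above 644" for a file means any group/world write bit or any execute bit.

# Print directories whose mode exceeds 755 (group- or world-writable).
loose_dirs() {
    find "$1" -type d \( -perm -g=w -o -perm -o=w \) -print | sort
}

# Print files whose mode exceeds 644 (writable by group/others, or executable).
loose_files() {
    find "$1" -type f \( -perm -g=w -o -perm -o=w \
        -o -perm -u=x -o -perm -g=x -o -perm -o=x \) -print | sort
}

# Total number of findings; 0 means the tree matches the 755/644 baseline.
count_loose() {
    d=$(loose_dirs "$1" | wc -l)
    f=$(loose_files "$1" | wc -l)
    echo $((d + f))
}

# Constructed sample tree (assumed Joomla!-style layout, not a real install).
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/images" "$root/tmp" "$root/logs"
    : > "$root/configuration.php"
    : > "$root/index.php"
    : > "$root/tmp/upload.php"
    chmod 755 "$root" "$root/images" "$root/logs"
    chmod 777 "$root/tmp"                 # too loose: world-writable folder
    chmod 644 "$root/index.php"
    chmod 664 "$root/configuration.php"   # too loose: group-writable file
    chmod 755 "$root/tmp/upload.php"      # too loose: executable file
    echo "$root"
}

# Demo run against the sample tree; call demo after sourcing this file.
demo() {
    root=$(make_sample)
    echo "Directories above 755:"; loose_dirs "$root"
    echo "Files above 644:";       loose_files "$root"
    echo "Findings: $(count_loose "$root")"   # 3 for the sample tree
    rm -rf "$root"
}
```

To scan a real site, run `loose_dirs /path/to/joomla` and `loose_files /path/to/joomla` instead of the sample tree; the expected fix for each hit is `chmod 755` for folders and `chmod 644` for files.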

Mistake #4. ALLOW uncontrolled file uploads (forums, comments)

Hackers can and will use these applications to upload malware scripts and enter into your Joomla! website.

You must allow as few file extensions as possible, and NEVER allow executable script files (.php, .php3, .php4, .php5, .phtml) to be uploaded.

To avoid this you can use RSFirewall!, which automatically blocks unwanted file uploads. It can also scan your system, looking for malware patterns and hacker scripts.

Mistake #5. LEAVE IMPORTANT files and folders accessible to everyone

You must protect sensitive files and folders like:

1. configuration.php - the main configuration file for the Joomla! global configuration,
2. the Joomla! temporary folder - every extension that you install is first uploaded to this folder,
3. the Joomla! log folder - Joomla!-related activity is recorded here, so an attacker can find out what vulnerabilities may reside within your site.

The best way to protect your site against such attacks is to move these files and folders away from public access, into a non-public folder. You can read these articles, which explain how to move the files without compromising the Joomla! functionality.

These are just a few pieces of advice on how to keep your business website secure. However, securing your website is not always easy and may require some expert skills.

This is where RSFirewall! comes into play, providing a complete suite of tools specially created for Joomla!. You can access the product demo here: http://demo.rsjoomla.com/. If you have any questions, don't hesitate to ask us.
