Joomla has established itself as one of the most widely used content management systems in the industry. When sites around the globe adopt a particular technology, the security threats aimed at that technology grow with it. To keep up, the Joomla developers keep tweaking the core and the recommended configuration so that a properly set up site can withstand the attacks it is likely to see. The following are some tips for users and Joomla developers to make sure the site they are building or running is secure.
Proper Hosting Environment
For every site, the platform it runs on is the foundation, and it is always worth checking that it is configured properly. A large share of attacks succeed against sites whose hosting platform was never tuned for security. Host your site on a server that runs PHP in CGI mode with suPHP. PHP then runs under your own account user instead of the global Apache user, so Joomla can write its own files without insecure global permissions such as chmod 777. Two consequences of that choice are easy to miss: php_flag and php_value lines in .htaccess only work with mod_php and are rejected by Apache under CGI, so the settings below go into php.ini (on most suPHP hosts a php.ini in the script's own directory is honoured); and a file you chmod 644 is still writable by the PHP process, because that process is you, so keep configuration.php at 444 except while you are editing it.
a. Set register_globals OFF
b. Disable allow_url_fopen
c. Adjust the magic_quotes_gpc directive as needed for your site. The recommended setting for Joomla! 1.0.x is ON to protect against poorly-written extensions. Joomla! 1.5 ignores this setting and works fine either way.
d. Don't use PHP safe_mode. It was never a real security boundary and is no substitute for running PHP under your own user.
All of these directives except allow_url_fopen were removed in PHP 5.4, so on a current PHP there is nothing to set for a, c and d; they still matter on the PHP 5.2 and 5.3 hosts that run Joomla 1.0 and 1.5.
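The following bash script is an added example, not something from the original article or from the Joomla project: it audits a php.ini for the four directives just listed, reporting each one that is not Off and treating a missing allow_url_fopen line as a finding because PHP's own default for it is On. It uses only awk, grep and mktemp, and the two php.ini files it checks are constructed samples it writes itself, so it runs offline; the php commands in the closing comment are the ones you would run on the real host instead.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: audit a php.ini for the
# directives discussed above. Only awk, grep and mktemp are used, so it runs
# offline against the two constructed sample files written further down.

# ini_value FILE DIRECTIVE
# Prints the last uncommented value of DIRECTIVE in FILE, lowercased, with
# quotes and any trailing ";comment" stripped; prints nothing if it is absent.
ini_value() {
    awk -v key="$2" '
        /^[[:space:]]*[;#]/ { next }                 # whole-line comment
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            sub(/;.*$/, "", v)                       # trailing comment
            gsub("\"", "", v)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) last = tolower(v)
        }
        END { print last }' "$1"
}

# is_off VALUE: true for every spelling PHP reads as boolean false.
is_off() {
    case "$1" in
        0|off|false|no|none) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_php_ini FILE
# Prints one INSECURE line per directive that is not Off and an INFO line for
# magic_quotes_gpc, whose correct value depends on the Joomla version.
# The return status is the number of insecure directives, so 0 means clean.
audit_php_ini() {
    local file=$1 bad=0 spec d v
    # directive:default, where default is what PHP assumes when the line is
    # missing. allow_url_fopen defaults to On, so a missing line is a finding.
    for spec in register_globals:off allow_url_fopen:on safe_mode:off; do
        d=${spec%%:*}
        v=$(ini_value "$file" "$d")
        [ -n "$v" ] || v="${spec##*:} (not set, PHP default)"
        if ! is_off "${v%% *}"; then
            echo "INSECURE: $d = $v  (want Off)"
            bad=$((bad + 1))
        fi
    done
    v=$(ini_value "$file" magic_quotes_gpc)
    echo "INFO: magic_quotes_gpc = ${v:-(not set)}  (On for Joomla 1.0.x, ignored by 1.5)"
    return "$bad"
}

# --- constructed samples, standing in for a shared host's php.ini ------------
WEAK=$(mktemp)
cat >"$WEAK" <<'EOF'
; the kind of defaults the article warns about
register_globals = On
safe_mode = On          ; "safe" mode is not a security boundary
magic_quotes_gpc = On
; allow_url_fopen is not set, so PHP's own default (On) applies
EOF

HARD=$(mktemp)
cat >"$HARD" <<'EOF'
; the corrected settings
register_globals = Off
allow_url_fopen = Off
safe_mode = Off
magic_quotes_gpc = Off  ; Joomla 1.5 ignores this; set it On only for 1.0.x
EOF

echo "== weak php.ini =="
audit_php_ini "$WEAK" || echo "insecure directives: $?"
echo "== hardened php.ini =="
audit_php_ini "$HARD" && echo "clean"

# On the live host, check which file the CGI binary actually loads and what
# the effective values are (commands to run yourself, not part of the audit):
#   php --ini
#   php -i | grep -E '^(register_globals|allow_url_fopen|safe_mode|magic_quotes_gpc)'
```

Point the audit at the php.ini that php --ini reports under your account, not the system-wide one: with suPHP the per-user file wins, and a hardened /etc/php.ini tells you nothing about what your scripts actually run with.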
Change the Default Database Prefix (jos_)
Every Joomla database is named the same way by default, so its table names are public knowledge: the super administrator's username and password hash sit in jos_users on every site that kept the defaults. Bots and other automated attacks rely on this. The SQL injection payloads they send name jos_users directly, because they are fired at thousands of sites without anyone looking at a particular one. To avoid this, set the database prefix to something random during installation (the installer asks for it) rather than keeping jos_. Joomla code refers to tables as #__users and substitutes the configured prefix at run time, so correctly written extensions do not notice the change, while the canned payloads fail on a table that does not exist. Be clear about what this buys: it does not fix the injectable query, and an attacker who can run arbitrary SQL can still read the real table names out of information_schema. It takes your site out of the mass automated attacks, not out of a targeted one, so it belongs alongside keeping extensions patched, not instead of it.
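As an added example (not from the original article, and not Joomla's own code), the bash script below shows the three sides of the prefix change: a random prefix generator, the #__ substitution that Joomla's database layer performs so the application keeps working, and a grep that finds extensions hardcoding jos_ (those are the ones that break after the change, and hardcoded table names tend to travel with the careless SQL that is injectable in the first place). The canned payload string and the two PHP extension files are constructed for illustration, and hardcoded_prefix_refs assumes GNU grep for its --include option.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: what a non-default prefix
# changes, how Joomla's #__ placeholder makes the change transparent, and how
# to find extensions that hardcode jos_ and will break. Sample files are
# constructed here for illustration.

# random_prefix: a letter, four [a-z0-9] characters and the trailing
# underscore Joomla expects, e.g. k7q2x_ (output differs on every call).
random_prefix() {
    local chars=abcdefghijklmnopqrstuvwxyz0123456789 p='' n
    for n in $(od -An -N5 -tu1 /dev/urandom); do
        if [ -z "$p" ]; then
            p=$(printf '%s' "$chars" | cut -c"$((n % 26 + 1))")
        else
            p="$p$(printf '%s' "$chars" | cut -c"$((n % 36 + 1))")"
        fi
    done
    printf '%s_' "$p"
}

# apply_prefix PREFIX QUERY
# Joomla's convention: extension code writes "#__users" and the database layer
# substitutes the configured prefix at run time, so correctly written
# extensions never notice that the prefix is not jos_.
apply_prefix() {
    printf '%s\n' "$2" | sed "s/#__/$1/g"
}

# hardcoded_prefix_refs DIR
# Lists PHP source lines that name tables as jos_... directly instead of #__...
# Those extensions stop working after a prefix change, and hardcoded table
# names usually go together with the careless SQL that is injectable anyway.
hardcoded_prefix_refs() {
    grep -rnE --include='*.php' 'jos_[a-z_]+' "$1" || true
}

PREFIX=$(random_prefix)
APP_QUERY="SELECT id, username FROM #__users WHERE username = 'admin'"
echo "configured prefix: $PREFIX"
echo "application query at run time: $(apply_prefix "$PREFIX" "$APP_QUERY")"

# A canned payload from an automated attack is a string the bot sends; the
# #__ substitution never touches it, so with a non-default prefix the injected
# query fails on an unknown table instead of returning the super admin's hash.
CANNED="' UNION SELECT username, password FROM jos_users-- "
echo "canned payload still names: $(printf '%s' "$CANNED" | grep -o 'jos_[a-z]*')"

# --- constructed extension sources (not real extensions) --------------------
EXT=$(mktemp -d)
cat >"$EXT/good.php" <<'EOF'
<?php $db->setQuery("SELECT * FROM #__content WHERE id = " . (int) $id);
EOF
cat >"$EXT/bad.php" <<'EOF'
<?php $db->setQuery("SELECT * FROM jos_content WHERE id = " . $id);
EOF
echo "extensions that will break after the prefix change:"
hardcoded_prefix_refs "$EXT"
```

Note that bad.php is still injectable after the prefix change; the only thing the new prefix does is make the attacker's hardcoded jos_content miss, which is why the grep is worth running before the change: every hit is an extension to fix or drop, not just one to patch up.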
Disable FTP Layer
Joomla's FTP layer exists so the core can write files on hosts where PHP runs as a different user from the account owner. Its credentials are stored in plain text in configuration.php, which turns that file into a potential security hole: anyone who gets to read it (through a leaked backup, a file disclosure bug in an extension, or a neighbour on a badly isolated shared host) has FTP access to your whole account, and FTP itself sends the password unencrypted. With PHP running under your own account via suPHP you do not need it, so all users, Joomla developers and Joomla programmers are advised to disable the FTP layer in Global Configuration (ftp_enable set to 0) and to blank out the stored FTP user name and password.
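The bash script below is an added example, not from the original article: it reads a Joomla 1.5 style configuration.php and reports an enabled FTP layer, a stored FTP password, the default jos_ prefix from the previous section, and a world-writable file. The two configuration files it audits are constructed samples (the values in them are invented), and the parser assumes the var $name = '...'; layout that Joomla 1.5 writes.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: audit a Joomla 1.5
# configuration.php for the FTP layer settings, the default prefix and unsafe
# file permissions. The two sample files are constructed, not from a real site.

# jconfig_value FILE NAME
# Prints the value of the line "var $NAME = '...';" in a Joomla 1.5
# configuration.php (empty output if the variable is blank or absent).
jconfig_value() {
    sed -n "s/^[[:space:]]*var[[:space:]]*\\\$$2[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# audit_jconfig FILE: prints one line per finding; returns the number found.
audit_jconfig() {
    local f=$1 bad=0 v
    v=$(jconfig_value "$f" ftp_enable)
    if [ "${v:-0}" != 0 ]; then
        echo "INSECURE: ftp_enable = '$v' (FTP layer on; set it to '0')"
        bad=$((bad + 1))
    fi
    v=$(jconfig_value "$f" ftp_pass)
    if [ -n "$v" ]; then
        # mask the value so the audit output itself does not leak it
        echo "INSECURE: ftp_pass holds a clear-text password ($(printf '%s' "$v" | sed 's/./*/g')); blank it"
        bad=$((bad + 1))
    fi
    v=$(jconfig_value "$f" dbprefix)
    if [ "$v" = jos_ ]; then
        echo "WEAK: dbprefix is the default jos_; choose a random one"
        bad=$((bad + 1))
    fi
    # column 9 of ls -l is the world-write bit: configuration.php must never
    # be writable by everyone, and should be read-only except while editing
    case "$(ls -ld "$f")" in
        ????????w*) echo "INSECURE: $f is world-writable (chmod 444 when not editing)"
                    bad=$((bad + 1)) ;;
    esac
    return "$bad"
}

# --- constructed samples -----------------------------------------------------
WEAK=$(mktemp)
cat >"$WEAK" <<'EOF'
<?php
class JConfig {
    var $dbtype = 'mysql';
    var $dbprefix = 'jos_';
    var $ftp_enable = '1';
    var $ftp_host = '127.0.0.1';
    var $ftp_port = '21';
    var $ftp_user = 'siteuser';
    var $ftp_pass = 'Hunter2!';
    var $ftp_root = '/home/siteuser/public_html';
}
EOF
chmod 666 "$WEAK"       # the chmod 777-style permissions the article warns about

FIXED=$(mktemp)
cat >"$FIXED" <<'EOF'
<?php
class JConfig {
    var $dbtype = 'mysql';
    var $dbprefix = 'k7q2x_';
    var $ftp_enable = '0';
    var $ftp_host = '';
    var $ftp_port = '21';
    var $ftp_user = '';
    var $ftp_pass = '';
    var $ftp_root = '';
}
EOF
chmod 444 "$FIXED"

echo "== weak configuration.php =="
audit_jconfig "$WEAK" || echo "findings: $?"
echo "== fixed configuration.php =="
audit_jconfig "$FIXED" && echo "clean"
```

Run it against the real file as the account user; the same file also holds the database password, which is one more reason its permissions matter as much as its contents.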
Change Superadministrator Username
Bots and other automated attacks on Joomla sites assume that the super administrator's username is still the default, admin, so they only have to guess the password. Change the username to something inconspicuous that is not a name, a role or the site's name, for example ted_123 (pick your own rather than the one printed here), and change the password at the same time. Treat the new username as a small extra obstacle rather than a secret: the password is what actually keeps the account closed.
Setup a backup and recovery process
Rely on a tested backup and recovery process for your live website. Hacking is not the only thing that can take a site down: a faulty upgrade or extension install, a hardware failure or a problem at the hosting provider will do it just as well. JoomlaPack, a free component available for both Joomla 1.0 and 1.5, backs up the files and the database together. Keep copies off the server, because a backup archive sitting in the web root is one more thing an intruder can download or delete, and practise a restore once so you know the process works before you need it.
Use Strong Password
For administrator accounts use a strong password that automated bots cannot guess. Characteristics of a strong password that Joomla developers have to keep in mind are as follows:
·        has at least 15 characters;
·        has uppercase letters;
·        has lowercase letters;
·        has numbers;
·        has symbols, such as ` ! " $ % ^ & * ( ) _ - + = { [ } ] : ; @ ' ~ # | \ < , > . ? /
·        is not like your previous passwords;
·        is not your name;
·        is not your login;
·        is not your friend's name;
·        is not your family member's name;
·        is not a dictionary word;
·        is not a common name.
A password manager makes a random 15-character password no harder to use than a short one, and it is the only realistic way to keep the "not like your previous passwords" rule.
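As an added example that is not part of the original article, the bash script below turns the list above into a check, and also covers the previous section by refusing the default login names that bots try first. The dictionary and the list of default logins are small constructed stand-ins (a real deployment would use a full word list or a breached-password list), the "like your previous password" rule is interpreted as "the same once digits and symbols are stripped", and the name and login checks reject the name even when it is merely embedded in the password, since that is what the rule has to mean in practice.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: a checker for the password
# rules listed above, plus a check that the login is not one of the default
# names bots try first. The word list and name list are constructed stand-ins.

# Stand-in for a real dictionary / breached-password list, one word per line.
DICTIONARY='password
welcome
joomla
administrator
letmein
qwerty'

# Logins that attack scripts try before anything else (assumed list).
DEFAULT_LOGINS='admin administrator root superadmin'

# check_login NAME: fails when NAME is one of the default logins, any case.
check_login() {
    local n d
    n=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for d in $DEFAULT_LOGINS; do
        if [ "$n" = "$d" ]; then
            echo "login '$1' is a default name that bots try first"
            return 1
        fi
    done
    return 0
}

# violation MESSAGE: record one failed rule (bad is the caller's counter)
violation() {
    echo "  - $1"
    bad=$((bad + 1))
}

# check_password PASSWORD LOGIN PREVIOUS_PASSWORD [NAME...]
# Prints one line per violated rule and returns the number of violations,
# so a return status of 0 means the password passes every rule.
check_password() {
    local pw=$1 login=$2 prev=$3 bad=0 lower n w
    shift 3
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    [ "${#pw}" -ge 15 ]                                  || violation "shorter than 15 characters"
    printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]'         || violation "no uppercase letter"
    printf '%s' "$pw" | LC_ALL=C grep -q '[a-z]'         || violation "no lowercase letter"
    printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]'         || violation "no digit"
    printf '%s' "$pw" | LC_ALL=C grep -q '[^A-Za-z0-9]'  || violation "no symbol"
    # login and names are rejected case-insensitively, and also when they are
    # merely embedded in the password ("Ted2024!" is still Ted's name)
    for n in "$login" "$@"; do
        [ -n "$n" ] || continue
        case "$lower" in
            *"$(printf '%s' "$n" | tr 'A-Z' 'a-z')"*) violation "contains '$n'" ;;
        esac
    done
    for w in $DICTIONARY; do
        case "$lower" in *"$w"*) violation "contains dictionary word '$w'" ;; esac
    done
    # "not like your previous password": identical once digits and symbols are
    # removed, which is how Summer2023! turns into Summer2024!
    if [ -n "$prev" ] &&
       [ "$(printf '%s' "$lower" | tr -cd 'a-z')" = "$(printf '%s' "$prev" | tr 'A-Z' 'a-z' | tr -cd 'a-z')" ]; then
        violation "too similar to the previous password"
    fi
    return "$bad"
}

# Demonstration on constructed inputs: login ted, previous password Summer2023!
for candidate in 'Summer2024!' 'ted_123' 'Vx9#q2Lm!zR4pW7@bT'; do
    echo "checking '$candidate':"
    if check_password "$candidate" ted 'Summer2023!' Ted Alice; then
        echo "  accepted"
    else
        echo "  rejected, $? rule(s) broken"
    fi
done
check_login admin || true
check_login ted_123 && echo "login 'ted_123' is not a default name"
```

The similarity rule is deliberately crude: it catches the yearly increment that people actually do, and anything smarter needs the old password hash rather than the old password, which you should not be keeping around in clear text either.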
A good addition is to password protect the administrator folder. On the Apache web server you can do this with an .htaccess file in the administrator directory (AuthType Basic, with an AuthUserFile that lives outside the web root), or in cPanel with the Password Protected Directory option. This adds another layer of username/password before someone reaches your Joomla login form, and because Apache enforces it before any PHP runs, it also shields the administrator area from bugs in Joomla's own login code. Needless to say, this password must be different from the Joomla admin password.
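The bash script below is an added example, not from the original article or from cPanel: it writes the .htaccess that protects the administrator folder and adds a user to the password file, using htpasswd where it is installed and falling back to OpenSSL's apr1 hash otherwise. All paths are assumptions (the demo uses temporary directories standing in for /home/siteuser), and the user name and password it adds are constructed examples.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: put an Apache Basic-auth
# prompt in front of the administrator folder. Paths are assumptions, and the
# demo writes into temporary directories so it runs offline.

# htaccess_for PASSWD_FILE: prints the .htaccess for the administrator folder.
# AuthUserFile must be an absolute path, and the file should live outside the
# web root so it can never be downloaded.
htaccess_for() {
    case "$1" in
        /*) ;;
        *) echo "AuthUserFile must be an absolute path: $1" >&2; return 1 ;;
    esac
    cat <<EOF
# second login in front of Joomla's administrator (site owner's addition)
AuthType Basic
AuthName "Restricted area"
AuthUserFile $1
Require valid-user
EOF
}

# add_basic_auth_user PASSWD_FILE USER PASSWORD
# Uses htpasswd when it is installed (bcrypt via -B on Apache 2.4; drop -B
# on 2.2), else OpenSSL's apr1 hash, which Apache also accepts. Never writes
# a plain-text entry when no hashing tool is available.
add_basic_auth_user() {
    local create=''
    [ -f "$1" ] || create=-c
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -bB $create "$1" "$2" "$3"
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s:%s\n' "$2" "$(printf '%s\n' "$3" | openssl passwd -apr1 -stdin)" >>"$1"
    else
        echo "no htpasswd or openssl on this machine; cannot hash the password" >&2
        return 1
    fi
}

# --- demo layout: HOME_DIR stands in for /home/siteuser --------------------
HOME_DIR=$(mktemp -d)
SITE="$HOME_DIR/public_html"
PASSWD="$HOME_DIR/.htpasswd"            # outside public_html on purpose
mkdir -p "$SITE/administrator"

htaccess_for "$PASSWD" >"$SITE/administrator/.htaccess"
echo "== $SITE/administrator/.htaccess =="
cat "$SITE/administrator/.htaccess"

# The Basic-auth password must not be the Joomla super administrator's. The
# one below is a constructed example; generate your own.
if add_basic_auth_user "$PASSWD" gatekeeper 'Rz7!wq2#Lk9$mV4p@c' 2>/dev/null; then
    # Apache itself (the web-server user, not your suPHP user) reads this
    # file on every request, so it must be readable by that user.
    chmod 644 "$PASSWD"
    echo "== $PASSWD =="
    cat "$PASSWD"
else
    echo "(could not hash the password here; run add_basic_auth_user on the host)"
fi
```

Basic auth sends the credentials with every request, base64-encoded and not encrypted, so this layer is only as private as the connection: serve the administrator folder over HTTPS or the second password is readable by the same people who could read the first.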