List of top things to do to secure your Joomla website

Top things to do to secure your Joomla website

Updated: 3/2/2011 (you can now download and view this as a checklist document for your reference and guidance)

Here’s my list of the top things to do to make sure that you’re not leaving security vulnerabilities in your Joomla website and that it runs smoothly each and every day…

  • FIRSTLY MAKE SURE YOU ARE RUNNING THE LATEST RELEASED VERSION OF JOOMLA. Log in to your Joomla site and look at the version number. If you are not running the latest version, download it and update your site straight away! At the time of writing this (Feb 2011) there are two major versions of Joomla: 1.6, the brand new release, and the 1.5.xx series. If your site is using a 1.5.xx version, make sure you upgrade to the latest version in that range (e.g. 1.5.xx to 1.5.xx) – do not jump to version 1.6 without a lot of testing and looking at the implications of doing so!
  • If your database tables in MySQL for Joomla have ‘jos_’ as the prefix, read this first tip:
    Download EasySQL (http://extensions.joomla.org/extensions/hosting-a-servers/database-management/2867) and rename the database prefix of your databases within MySQL from the jos_ prefix (if anyone wants more feedback on how to do this, leave me a comment and I’ll create a blog entry :) )
  • Create a spreadsheet grid showing all your Joomla websites against the modules and versions installed in each site, with dates and links to the latest versions (this should be reviewed and signed off every month)
  • Delete the Administrator account and create an account within each site with Super Administrator rights – use a different user account for each site in case one site gets hacked. Create the new Super Administrator account before you log out (since you will have deleted the original Administrator account) – for obvious reasons – you don’t want to lock yourself out!
  • Verify that your DATABASE password is not the same as your ADMINISTRATOR password. The database password is the password you chose when you first installed Joomla and went through the wizard to set up the MySQL database. It’s important that the Joomla Administrator password is not the same. Use an FTP client to log in to your website, navigate to the ROOT directory of your site, and view the CONFIGURATION.PHP file. Look for the line that says “var $password = ‘”. Check that this password is NOT the same as the password you have just used to log in as administrator. If it is the same, CHANGE YOUR ADMINISTRATOR PASSWORD NOW! You can also check that your “var $dbprefix = ” line is NOT SET TO ‘jos_’ (see my first tip above about renaming this prefix with the EasySQL product).
  • Change the default editor to NONE and manually assign the Tiny editor only to those named users who should have the full editor. This way the default users will not be able to use the full editor.
  • Enable SEF from the control panel. This will create nice URLs that are search engine friendly AND it will stop hackers from searching GOOGLE for index.php?com_<modulename> and getting a list of all websites that use a certain module that has a security issue. After you switch on SEF under the control panel, check the links on your site and make sure they are now using proper SEO-friendly links rather than the older links.
  • Disable ALL unused Joomla core modules, components and extensions in each site
  • Uninstall all third-party modules that are not being used on each site
  • Use an exploit and vulnerability site like inj3ct0r (http://inj3ct0r.com) to check whether there have been any security issues with your third-party modules. Go to that website and type in the name of the component to see if any issues are listed. Then check the version number reported and make sure your site is running a version above it. Also check the third-party component’s own site for updates that fix the reported issues.
  • Make sure that the admin database MySQL account password is not the same as the Joomla site login
  • Use Akeeba Backup (http://www.akeebabackup.com/software/akeeba-backup.html) in order to completely automate the backup and download of all Joomla websites on a daily basis. Keep a monthly backup that stays static and is not overwritten.
  • Download the full web logs monthly from each Joomla site, analyse them with the WebLog Expert software (http://www.weblogexpert.com/lite.htm) and review the reports for potential attacks and phishing attempts.
  • Install free web monitoring software to alert non availability for each Joomla website and ensure the alerts are SMS’d to make them immediate.
  • Subscribe to the Joomla Security forum (http://feeds.joomla.org/JoomlaSecurityNews) on joomla.org to receive regular updates of critical level fixes and updates.
  • Check the version of PHP your site is currently running. You need to have version 5.x installed. Log in to your site and select HELP -> SYSTEM INFO. Look for PHP Version; it should say something like 5.2.xx. If you are still using PHP version 4.x on your site you need to upgrade the PHP for your site. This can usually be done via cPanel or by contacting your ISP via their support system.
  • Make sure that each site’s configuration.php is set to READ ONLY once you have finished configuring it
  • Ensure that the Joomla installation folder is deleted for each site
  • Make sure that every third-party module and component has the correct PHP code at the top of each file:
    // no direct access
    defined('_JEXEC') or die('Restricted access');

    This uses the built-in Joomla guard, which is the official method of stopping extension files from being called directly on Joomla websites. To check this you will have to log in to your site using an FTP client and look at each third-party component.

  • Make sure the .htaccess file in the root of each site is set correctly – this means renaming ‘htaccess.txt’ to ‘.htaccess’ on Apache servers and uncommenting the code within the file that stops XML access issues. Please note that .htaccess is usually treated as a hidden file, so you may need to set an option in your FTP client to view hidden files on your site. You should also add ‘IndexIgnore *’ (without the quotation marks and capitalised exactly like this) to the bottom of the .htaccess file.
  • Put the following into each site’s php.ini to stop SQL injections:
    allow_url_fopen = OFF
    disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
  • Finally make sure you delete all accounts that are not required, and you regularly review all users allowed into the system for security permissions.
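As an added example (my own code, not part of the original checklist or any Joomla project), here is a small Python audit that checks the items above which can be verified from file contents: the configuration.php database password and table prefix, the direct-access guard at the top of extension files, and the two php.ini settings. The configuration.php text is a constructed sample and the function names are my own.

```python
import re

# Constructed sample of a Joomla 1.5 configuration.php (not from any real site).
SAMPLE_CONFIG = """<?php
class JConfig {
    var $password = 'S3cret-db-pass';
    var $dbprefix = 'jos_';
}
"""

def config_var(text, name):
    """Return the value of `var $name = '...'` from configuration.php, or None."""
    m = re.search(r"var\s+\$%s\s*=\s*['\"](.*?)['\"]" % re.escape(name), text)
    return m.group(1) if m else None

def audit_config(text, admin_password):
    """DB password must differ from the admin login; table prefix must not be jos_."""
    findings = []
    if config_var(text, "password") == admin_password:
        findings.append("database password equals the Joomla administrator password")
    if config_var(text, "dbprefix") == "jos_":
        findings.append("table prefix is still the default jos_")
    return findings

JEXEC_GUARD = re.compile(r"defined\(\s*['\"]_JEXEC['\"]\s*\)\s*or\s*die", re.I)

def has_jexec_guard(php_source):
    """True if the first statement after <?php is the direct-access guard."""
    body = php_source.split("<?php", 1)[-1]
    for line in body.splitlines():
        s = line.strip()
        if not s or s.startswith(("//", "#", "/*", "*")):
            continue  # blank lines and comments may precede the guard
        return bool(JEXEC_GUARD.search(s))
    return False

REQUIRED_DISABLED = {"show_source", "system", "shell_exec", "passthru",
                     "exec", "phpinfo", "popen", "proc_open"}

def audit_php_ini(text):
    """Check the two php.ini settings recommended in the list above."""
    settings = dict(re.findall(r"^\s*(\w+)\s*=\s*(.+?)\s*$", text, re.M))
    findings = []
    if settings.get("allow_url_fopen", "On").lower() not in ("off", "0"):
        findings.append("allow_url_fopen is not Off")
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",")}
    missing = REQUIRED_DISABLED - disabled
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(sorted(missing)))
    return findings
```

Run each function over the real files you downloaded via FTP; an empty findings list means that item of the checklist passes.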

All the above information has been gleaned from various videos and websites and considered ESSENTIAL within the Joomla community as the MINIMUM required to keep Joomla websites protected.


Joomla 1.5 – How to create templates

Creating a basic Joomla! template – Joomla! Documentation

Tutorial on how to create a basic Joomla template. This wiki article goes through all aspects of creating a standard template for Joomla, including how to lay out your directory structure and the index.php file. The final template is simple but covers all aspects of creating a template – a starting point for your new template or for building a website with Joomla.

Joomla Templates

joomla – gallery – screwturn – wiki

MorfeoShow

Welcome to MorfeoShow – Easy Photo Gallery System for Joomla! 1.5
Based on an original work by Matthew Thomson (ignitejoomlaextensions.com). You can create four types of galleries:

* Classic (Standard Interface)
* Flash (Flash Interface)
* Maps (Google Maps Interface)
* External sources (Picasa or Flickr)

* Several visual display parameters to choose from including ‘Classic’ and ‘Flash’.
* Short and full descriptions can be added to each gallery and set to display or not.
* Additional images can be inserted in the full description.
* Galleries can be edited after being created.
* Folders’ write permissions are displayed in the backend when gallery folders are created or edited.

ScrewTurn Wiki

ScrewTurn Wiki is a fast, powerful and simple ASP.NET wiki engine; it installs in minutes and is available in different packages and languages, fitting every need. It’s even free and open source. Wiki entries are stored as files on the hard disk rather than in a database, which makes maintenance and backup very easy. It is easily skinned via straightforward CSS and can be enhanced with the API.

Google reader shortcuts

Really just for my own use! Google RSS reader shortcuts – just because I use it and can never remember them! One interesting way of organising the feeds is to add ‘tags’ to the entries. This way you can quickly find them again just using your tags – a bit like delicious and other social media systems online.

j/k (item down/up): selects the next/previous item in the list
space/shift-space (page down/up): moves the page down/up
n/p (scan down/up): in list view, selects the next item without opening it
o (open/close item): in list view, expands or collapses the selected item
enter (open/close item): in list view, expands or collapses the selected item
s (toggle star): stars the selected item
shift-s (toggle share): shares the selected item
m (mark as read/unread): switches the read state of the selected item
t (tag an item): opens the tagging field for the selected item
v (view original): opens the original source for this article in a new window
shift-a (mark all as read): marks all items in the current view as read
1 (expanded view): displays the subscription as expanded items
2 (list view): displays the subscription as a list of headlines
r (refresh): refreshes the unread counts in the navigation
shift-n/p (navigation down/up): selects the next/previous subscription or folder in the navigation
shift-x (navigation expand/collapse): expands or collapses a folder selected in the navigation
shift-o (navigation open subscription): opens the item currently selected in the navigation
gh (go to home): goes to the Google Reader homepage
ga (go to all items): goes to the “All items” view
gs (go to starred items): goes to the “Starred items” view
gt (go to tag): allows you to navigate to a tag by entering the tag name
gu (go to subscription): allows you to navigate to a subscription by entering the subscription name
u (toggle full screen mode): hides and shows the list of subscriptions
? (keyboard shortcuts help): displays a quick guide to all of Reader’s shortcuts

Convert WordPress to a full CMS system

There’s an interesting article on the ONLamp.com web site describing how John McCreesh used the WordPress blogging software to create and maintain a CMS-based site. The site was originally using phpWebSite, which is an open source, community-driven CMS built around PHP.

It seems to me that this should be very simple, as there are loads of plugins for WordPress and the basic CMS functionality straight out of the box is more than adequate, with its customised page templates and multiple ‘page’ capabilities. Really all it needs is some styling and layout changes to turn it into a very usable day-to-day web-based CMS – all for free!

Many people are now concentrating on the ‘content’ of a web site rather than the look and feel. The layout is of course important, especially if you are looking for brand image, but underneath all the show there has to be good content. A content management system (CMS) is the ideal way to bridge the gap between the two. By using the power of WordPress and the plethora of add-ons and support in the community, plus an adequate content management system to bring it all together, you have the best of both worlds.

A friend of mine (Les Edgecumbe) runs a WordPress site for the community highlighting the outrageous monstrosity that is the CLS Laundry based in Newton Abbot. Originally Les used a web-based commercial CMS; some things were not easy and he relied on my help. I converted him to WordPress and now he maintains the site without my assistance and gets a good number of hits. He can concentrate on the content and not worry about the underlying technology that runs his site; it’s maintained by 1000s of developers out there all the time!

I suggest you use WordPress and, once you’re up and running, pop over to the WordPress ThemeViewer to choose a suitable style for your web site, create a few pages and articles and you’re running. If you’re interested in CMS systems themselves, go to opensourcecms. This web site does a really good job of comparing CMS systems, and lets you ‘try’ different CMS-based systems online to help you decide which one is best. It has the usual popular systems such as Joomla, Drupal, TYPO3, PHP-Nuke and Mambo, plus some other systems that you may not have heard about.