Abstract image of a woman sitting on books and studying on a laptop

Avoid Getting Hacked! Presentation on Joomla! Web Security

Download as PPT, PDF
Dorothy Firsching (Ursa Major Consulting), profile picture
Dorothy Firsching (Ursa Major Consulting)

The document discusses how to avoid getting hacked when using Joomla for a website. It recommends securing the website by validating inputs, upgrading to the latest versions of Joomla and extensions regularly, using strong passwords, enabling access controls, performing regular backups, monitoring logs for suspicious activity, and referring to security checklist resources. The presentation also suggests choosing a reputable host, hiding the administrator login, and being aware of vulnerable extensions.

Technology
1 of 11
Downloaded 36 times
1
2
3
4
5
6
7
8
9
10
11
Avoid Getting Hacked Joomla! Web Security Northern Virginia Joomla Users Group January 2012 Dorothy Firsching, Ursa Major Consulting, LLC dfirsching@ursamajorconsulting.com 1-19-2012 www.ursamajorconsulting.com 1
Agenda  Discuss Security Considerations and Approaches  Identify Resources and References  Additional Programs / Presenters? 1-19-2012 www.ursamajorconsulting.com 2
Joomla! Web Security Discussion  PHP-based / database driven sites are vulnerable  SQL Injections -- Commands where data input is expected  Validate Inputs and Enforce size  Current version of PHP with appropriate settings  Secure coding practices -- http://joomladaymidwest.org/news/slides- and-video/2011/slides-jeff-channell- secure-php-coding-practices.html 1-19-2012 www.ursamajorconsulting.com 3
Pick a Good Host  Shared Host Vulnerabilities  http://docs.joomla.org/Security_Checklist_2 _-_Hosting_and_Server_Setup  Choose a good hosting provider  – experienced in Joomla; responsiveness; forums / helps  Appropriate permissions  Directories = 755  Files = 644  .htaccess, configuration.php = 644  Webserver is set up to use user account as owner of PHP-created files 1-19-2012 www.ursamajorconsulting.com 4
Upgrade Regularly  Upgrade to Latest Version of Joomla  Akeeba Admin Tools  Use Safe Extensions  Upgrade Extensions  Check the vulnerability list -- http://docs.joomla.org/Vulnerable_Extensions_List  Subscribe to updates  Keep a spreadsheet of your sites  And the versions they use 1-19-2012 www.ursamajorconsulting.com 5
Joomla Setup  Password protect folders in control panel  Use a site-specific database username and password  Change jos_ table prefix  Hide Admin login  jSecure Authentication Plugin  add a suffix to your back-end URL to make it look like this: http://www.mysite.com/administrator?199abbetc 1-19-2012 www.ursamajorconsulting.com 6
Access Control  http://docs.joomla.org/Security_Checklist_4_-_Joomla_Setu  Strong Passwords  Change Admin Username and Number  Default ID for admin user in Joomla is 62, and this may be used by a hacker  Create a new super-administrator with another user name and a strong password  Log out and in again as this new user  Change original admin user to a manager and save (you are not allowed to delete a super-administrator).  Delete original admin user (user ID 62) and rename from the default Admin to a new one. 1-19-2012 www.ursamajorconsulting.com 7
Backups / Upgrades  Akeeba Backup  Remove backups from site  Multi-backup scheme  Test restoration / upgrades  Test site is helpful  Hosting provider backups  Hosting provider virus scans or site backup using local download / scan  http://docs.joomla.org/Security_Checklist_6_-_S 1-19-2012 www.ursamajorconsulting.com 8
Vulnerabilties  Old Joomla! versions  Community Builder before 1.7.1  JCE before 2.0.19  Unchecked user input (SQL injection, buffer overflows)  eXtplorer left on site  http:// docs.joomla.org/Vulnerable_Extensions_L 1-19-2012 www.ursamajorconsulting.com 9
Check What’s Happening  Logs / AWSTATS / other packages  Google Analytics  File Modification Dates / Contents 1-19-2012 www.ursamajorconsulting.com 10
Resources  http://docs.joomla.org/Category:Security_Check  http://joomladaymidwest.org/news/slides-and-v  Securing PHP Web Applications, Tricia Ballard and William Ballard, 2009  Joomla! Web Security, Tom Canavan, Packt Publishing, 2008; out-of-date but still useful. 1-19-2012 www.ursamajorconsulting.com 11

More Related Content

PPT
Joomla/Mambo CMS
jgarifuna
 
PPT
http://www.slideshare.net/jgarifuna/elgg-presentation-ca-032109
jgarifuna
 
PPT
Joomla Content Management Systems, Part 3
jgarifuna
 
PPTX
Joomla Security v3.0
Ajay Lulia
 
PPT
Joomla/Mambo CMS
jgarifuna
 
PPT
Drupal security
Techday7
 
PDF
Drupal and Security: What You Need to Know
Acquia
 
PPTX
Joomla-Content Management System
silenceIT Inc.
 
Joomla/Mambo CMS
jgarifuna
 
http://www.slideshare.net/jgarifuna/elgg-presentation-ca-032109
jgarifuna
 
Joomla Content Management Systems, Part 3
jgarifuna
 
Joomla Security v3.0
Ajay Lulia
 
Joomla/Mambo CMS
jgarifuna
 
Drupal security
Techday7
 
Drupal and Security: What You Need to Know
Acquia
 
Joomla-Content Management System
silenceIT Inc.
 

What's hot (7)

PPT
Joomla overview via catchy snaps
BUDNET
 
PDF
Using advanced features in joomla
krishnapriya Tadepalli
 
PDF
System prereq
kb_exchange_hk
 
DOCX
Rahul Resume.doc
Rahul Choudhary
 
PPT
OWASP Serbia - A5 cross-site request forgery
Nikola Milosevic
 
PDF
Library Management Software
Ranganath Shivaram
 
PDF
Aem authentication vs idp
Saroj Mishra
 
Joomla overview via catchy snaps
BUDNET
 
Using advanced features in joomla
krishnapriya Tadepalli
 
System prereq
kb_exchange_hk
 
Rahul Resume.doc
Rahul Choudhary
 
OWASP Serbia - A5 cross-site request forgery
Nikola Milosevic
 
Library Management Software
Ranganath Shivaram
 
Aem authentication vs idp
Saroj Mishra
 

Viewers also liked (8)

PPTX
Confoo 2012 - Web security keynote
Antonio Fontes
 
PPT
Web Services Security - Presentation
Muhammad Jawaid Shamshad
 
ODP
Web Application Firewall
Chandrapal Badshah
 
PPT
Web security presentation
John Staveley
 
PPT
Firewall
Amuthavalli Nachiyar
 
PPTX
Firewall presentation
Amandeep Kaur
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
PPT
Web Security
Bharath Manoharan
 
Confoo 2012 - Web security keynote
Antonio Fontes
 
Web Services Security - Presentation
Muhammad Jawaid Shamshad
 
Web Application Firewall
Chandrapal Badshah
 
Web security presentation
John Staveley
 
Firewall
Amuthavalli Nachiyar
 
Firewall presentation
Amandeep Kaur
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Web Security
Bharath Manoharan
 

Similar to Avoid Getting Hacked! Presentation on Joomla! Web Security (20)

PPTX
Brendon Hatcher Joomla Security
Joomla Day South Africa
 
PDF
OWASP Thailand 2016 - Joomla Security
Akarawuth Tamrareang
 
PPTX
Joomla! security jday2015
Shaiffulnizam Mohamad
 
PDF
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Chetan Soni
 
PPT
Joomla Security
Ruth Cheesley
 
PPT
Joomla Security
ViryaTechnologies
 
PDF
Joomla! security jday2015
kriptonium
 
PDF
8 Most Common Joomla! Hacks and How to Avoid Them
Daniel Kanchev
 
PDF
Java EE Services
Abdalla Mahmoud
 
PPTX
Security Function
Samuel Soon
 
PPTX
Locking down word press
Zachary Russell
 
PPT
WordPress Security Hardening
Timothy Wood
 
ODP
Sh404sef, Urls, Seo And More
Yannick Gaultier
 
ODP
Joomladay Netherlands - Security
Wilco Jansen
 
PPTX
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Brian Layman
 
PPTX
Simple module Development in Joomla! 2.5
Vishwash Gaur
 
PDF
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012
WordCamp Sydney
 
PDF
Securing Your WordPress Website - WordCamp Sydney 2012
Vlad Lasky
 
PDF
ImplementationGuide-220920-101456.pdf
spikecloudcloud
 
PDF
8 Most Popular Joomla Hacks & How To Avoid Them
SiteGround.com
 
Brendon Hatcher Joomla Security
Joomla Day South Africa
 
OWASP Thailand 2016 - Joomla Security
Akarawuth Tamrareang
 
Joomla! security jday2015
Shaiffulnizam Mohamad
 
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Chetan Soni
 
Joomla Security
Ruth Cheesley
 
Joomla Security
ViryaTechnologies
 
Joomla! security jday2015
kriptonium
 
8 Most Common Joomla! Hacks and How to Avoid Them
Daniel Kanchev
 
Java EE Services
Abdalla Mahmoud
 
Security Function
Samuel Soon
 
Locking down word press
Zachary Russell
 
WordPress Security Hardening
Timothy Wood
 
Sh404sef, Urls, Seo And More
Yannick Gaultier
 
Joomladay Netherlands - Security
Wilco Jansen
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Brian Layman
 
Simple module Development in Joomla! 2.5
Vishwash Gaur
 
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012
WordCamp Sydney
 
Securing Your WordPress Website - WordCamp Sydney 2012
Vlad Lasky
 
ImplementationGuide-220920-101456.pdf
spikecloudcloud
 
8 Most Popular Joomla Hacks & How To Avoid Them
SiteGround.com
 

Recently uploaded (20)

PDF
The AI Revolution in Customer Service - 2025
Body of Knowledge
 
PDF
FASHION-DRIVEN TEXTILES AS A CRYSTAL OF A NEW STREAM FOR STAKEHOLDER CAPITALI...
IJMIT JOURNAL
 
PDF
Ebook - The Future of AI A Comprehensive Guide.pdf
baljeethmata
 
PDF
Human Computer Interaction Miterm Lesson
JasperGarcia9
 
PPTX
CRM(Customer Relationship Managmnet) Presentation
udaykiranuk1822
 
PDF
Altius execution marketplace concept.pdf
Wandor
 
PDF
EGCB_Solar_Project_Presentation_and Finalcial Analysis.pdf
TaukirIslam
 
PDF
TicketRoot: Event Tech Solutions Deck 2025
TicketRoot
 
PDF
GDG Cloud Southlake #45: Patrick Debois: The Impact of GenAI on Development a...
James Anderson
 
PDF
Addressing the challenges of harmonizing law and artificial intelligence tech...
IAESIJAI
 
PPTX
From XAI to XEE through Influence and Provenance.Controlling model fairness o...
Paolo Missier
 
PPTX
Blending method and technology for hydrogen.pptx
PradipChanda5
 
PDF
State of AI in Business 2025 - MIT NANDA
Razin Mustafiz
 
PDF
Technical Debt in the AI Coding Era - By Antonio Bianco
davanacorona
 
PDF
Slides World Game (s) Great Redesign Eco Economic Epochs.pdf
Steven McGee
 
PDF
Internet of Things (IoT) – Definition, Types, and Uses
GrapesTech Solutions
 
PDF
Domain-specific knowledge and context in large language models: challenges, c...
IAESIJAI
 
PDF
Decision Optimization - From Theory to Practice
Eray Cakici
 
PPTX
Report in SIP_Distance_Learning_Technology_Impact.pptx
KahelCaponesPamitang
 
PPTX
Rise of the Digital Control Grid Zeee Media and Hope and Tivon FTWProject.com
hopegirl587
 
The AI Revolution in Customer Service - 2025
Body of Knowledge
 
FASHION-DRIVEN TEXTILES AS A CRYSTAL OF A NEW STREAM FOR STAKEHOLDER CAPITALI...
IJMIT JOURNAL
 
Ebook - The Future of AI A Comprehensive Guide.pdf
baljeethmata
 
Human Computer Interaction Miterm Lesson
JasperGarcia9
 
CRM(Customer Relationship Managmnet) Presentation
udaykiranuk1822
 
Altius execution marketplace concept.pdf
Wandor
 
EGCB_Solar_Project_Presentation_and Finalcial Analysis.pdf
TaukirIslam
 
TicketRoot: Event Tech Solutions Deck 2025
TicketRoot
 
GDG Cloud Southlake #45: Patrick Debois: The Impact of GenAI on Development a...
James Anderson
 
Addressing the challenges of harmonizing law and artificial intelligence tech...
IAESIJAI
 
From XAI to XEE through Influence and Provenance.Controlling model fairness o...
Paolo Missier
 
Blending method and technology for hydrogen.pptx
PradipChanda5
 
State of AI in Business 2025 - MIT NANDA
Razin Mustafiz
 
Technical Debt in the AI Coding Era - By Antonio Bianco
davanacorona
 
Slides World Game (s) Great Redesign Eco Economic Epochs.pdf
Steven McGee
 
Internet of Things (IoT) – Definition, Types, and Uses
GrapesTech Solutions
 
Domain-specific knowledge and context in large language models: challenges, c...
IAESIJAI
 
Decision Optimization - From Theory to Practice
Eray Cakici
 
Report in SIP_Distance_Learning_Technology_Impact.pptx
KahelCaponesPamitang
 
Rise of the Digital Control Grid Zeee Media and Hope and Tivon FTWProject.com
hopegirl587
 

Avoid Getting Hacked! Presentation on Joomla! Web Security

  • 1. Avoid Getting Hacked Joomla! Web Security Northern Virginia Joomla Users Group January 2012 Dorothy Firsching, Ursa Major Consulting, LLC [email protected] 1-19-2012 www.ursamajorconsulting.com 1
  • 2. Agenda  Discuss Security Considerations and Approaches  Identify Resources and References  Additional Programs / Presenters? 1-19-2012 www.ursamajorconsulting.com 2
  • 3. Joomla! Web Security Discussion  PHP-based / database driven sites are vulnerable  SQL Injections -- Commands where data input is expected  Validate Inputs and Enforce size  Current version of PHP with appropriate settings  Secure coding practices -- http://joomladaymidwest.org/news/slides- and-video/2011/slides-jeff-channell- secure-php-coding-practices.html 1-19-2012 www.ursamajorconsulting.com 3
  • 4. Pick a Good Host  Shared Host Vulnerabilities  http://docs.joomla.org/Security_Checklist_2 _-_Hosting_and_Server_Setup  Choose a good hosting provider  – experienced in Joomla; responsiveness; forums / helps  Appropriate permissions  Directories = 755  Files = 644  .htaccess, configuration.php = 644  Webserver is set up to use user account as owner of PHP-created files 1-19-2012 www.ursamajorconsulting.com 4
  • 5. Upgrade Regularly  Upgrade to Latest Version of Joomla  Akeeba Admin Tools  Use Safe Extensions  Upgrade Extensions  Check the vulnerability list -- http://docs.joomla.org/Vulnerable_Extensions_List  Subscribe to updates  Keep a spreadsheet of your sites  And the versions they use 1-19-2012 www.ursamajorconsulting.com 5
  • 6. Joomla Setup  Password protect folders in control panel  Use a site-specific database username and password  Change jos_ table prefix  Hide Admin login  jSecure Authentication Plugin  add a suffix to your back-end URL to make it look like this: http://www.mysite.com/administrator?199abbetc 1-19-2012 www.ursamajorconsulting.com 6
  • 7. Access Control  http://docs.joomla.org/Security_Checklist_4_-_Joomla_Setu  Strong Passwords  Change Admin Username and Number  Default ID for admin user in Joomla is 62, and this may be used by a hacker  Create a new super-administrator with another user name and a strong password  Log out and in again as this new user  Change original admin user to a manager and save (you are not allowed to delete a super-administrator).  Delete original admin user (user ID 62) and rename from the default Admin to a new one. 1-19-2012 www.ursamajorconsulting.com 7
  • 8. Backups / Upgrades  Akeeba Backup  Remove backups from site  Multi-backup scheme  Test restoration / upgrades  Test site is helpful  Hosting provider backups  Hosting provider virus scans or site backup using local download / scan  http://docs.joomla.org/Security_Checklist_6_-_S 1-19-2012 www.ursamajorconsulting.com 8
  • 9. Vulnerabilties  Old Joomla! versions  Community Builder before 1.7.1  JCE before 2.0.19  Unchecked user input (SQL injection, buffer overflows)  eXtplorer left on site  http:// docs.joomla.org/Vulnerable_Extensions_L 1-19-2012 www.ursamajorconsulting.com 9
  • 10. Check What’s Happening  Logs / AWSTATS / other packages  Google Analytics  File Modification Dates / Contents 1-19-2012 www.ursamajorconsulting.com 10
  • 11. Resources  http://docs.joomla.org/Category:Security_Check  http://joomladaymidwest.org/news/slides-and-v  Securing PHP Web Applications, Tricia Ballard and William Ballard, 2009  Joomla! Web Security, Tom Canavan, Packt Publishing, 2008; out-of-date but still useful. 1-19-2012 www.ursamajorconsulting.com 11