mfcphil
swemmel
October 17, 2008 at 8:14 pm #275930
Ok, some tips I already put in another thread.
- Keep your Joomla-installation up-to-date with the latest version
- Keep your 3rd party components up-to-date with the latest version
- http://docs.joomla.org/Category:Security
- Check the vulnerable extensions list regularly: http://docs.joomla.org/Vulnerable_Extensions_List
- Do a search on the forums of Joomla.org regarding your question about security
Kind regards,
Peter

Menalto
October 17, 2008 at 8:15 pm #275932
1: Make sure you use the latest version of Joomla, check joomla.org regularly for updates. Make sure you always do a backup of your site before you upgrade.
2: Check all file and folders that they have the right permission.
3: Check all PHP files regarding Joomla that they start with this:
<?php
defined( '_JEXEC' ) or die( 'Restricted access' );
4: Change the super administrator password regularly and always use a strong password.
5: Change admin log in name to something unique.
6: Uninstall all unused templates/modules/components/plug ins.
7: Use a htaccess file to password protect administrator area of your site.
8: Move configuration.php file to a folder with a unique name.
9: Use a strong database password.
10: Change the password of your FTP account regularly.

bennitos
October 17, 2008 at 8:30 pm #275935
Number 7 on menalto’s list above.
Secure your administrator access, I recommend doing it like this:
Make a .htaccess file and place it in the administrator folder; in that file put:
<Limit GET>
Order Deny,Allow
Deny from all
Allow from YOURIPADRESSHERE
</Limit>
This will only give access to the administrator part to the IP addresses you give up.
bennitos
October 17, 2008 at 8:33 pm #275936
For points 4, 9 and 10 I use this tool to create strong passwords really easily:
mfcphil
October 17, 2008 at 9:41 pm #275937
I am hopeless at this type of thing so here are some of the pages I will be reading :confused:
Joomla Administrators Security Checklist
7 tips to optimize Joomla! security
Joomla cloaner Video Tutorials
A personal thanks to Swemmel who updated my site to the latest version of 1.015… Thanks Peter
shertmann
October 18, 2008 at 11:24 pm #276053
Wow, it appears that the security issues have helped the community to take good measures.
Always a good measure for a password is an md5 encrypted password.
Also check the cPanel of your host in order to check that your host password is really secure too.
Check that all your folders have an index.html file that has no content in there in order to avoid prying eyes trying to see your web folder content.
scotty
October 18, 2008 at 11:36 pm #276055
@bennitos 86670 wrote:
> Number 7 on menalto’s list above.
> Secure your administrator access, I recommend doing it like this:
> Make a .htaccess file and place it in the administrator folder; in that file put:
> <Limit GET>
> Order Deny,Allow
> Deny from all
> Allow from YOURIPADRESSHERE
> </Limit>
> This will only give access to the administrator part to the IP addresses you give up.
OK this might be a silly question but….
When I do the above doesn’t that make my site 100% secure and eliminate the need for other security measures? Or would there still be vulnerabilities?
@shertmann 86821 wrote:
> Check that all your folders have an index.html file that has no content in there in order to avoid prying eyes trying to see your web folder content.
I always wondered why these existed. Could you explain a bit more why these empty index files exist?
instantinlaw
October 18, 2008 at 11:48 pm #276056
@scotty 86823 wrote:
> OK this might be a silly question but….
> When I do the above doesn’t that make my site 100% secure and eliminate the need for other security measures? Or would there still be vulnerabilities?
> I always wondered why these existed. Could you explain a bit more why these empty index files exist?
The first will only block access to the admin for any IP address but your own.
The empty index file is there so that anyone who finds that particular folder will not find a directory of the files in that folder.

scotty
October 18, 2008 at 11:53 pm #276058
@instantinlaw 86825 wrote:
> The first will only block access to the admin for any IP address but your own.
Yes I understand that. But my question still stands. Is this single security measure not enough?
@instantinlaw 86825 wrote:
> The empty index file is there so that anyone who finds that particular folder will not find a directory of the files in that folder.
Aha! I’m with you now Ted. Never knew that. Ty

instantinlaw
October 19, 2008 at 12:05 am #276059
@scotty 86827 wrote:
> Yes I understand that. But my question still stands. Is this single security measure not enough?
Absolutely not. It’s just one more level of security and if I’m reading it correctly it only prevents someone from logging into the admin area.
instantinlaw
October 19, 2008 at 12:13 am #276060
To take it a bit further, if you are being visited by a lot of spammers or see hacking attempts in your logs, you can add the following to your root .htaccess file:
<Limit GET>
order allow,deny
deny from 128.23.45.
deny from 207.158.255.213
allow from all
</Limit>
The first IP line will block all sub addresses coming from that IP range and must end in a period; the second will block the specific IP address.
Please Note * The above IP is only an example.
You must also use the numeric address. www addresses won’t work.
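Apache applies the directives inside a <Limit GET> section only to GET (and HEAD) requests, so both .htaccess snippets in this thread, bennitos’s administrator allowlist and the root denylist in the post just above, leave POST and every other method unrestricted. What follows is an added example, not text from either post: the same two files with the rules written outside any <Limit> section so they cover all methods, plus the server-side setting that does the job of the empty index.html files discussed earlier. The IP addresses are placeholders from the documentation ranges and must be replaced with your own.

```apache
# --- administrator/.htaccess (added example, not the thread's own text) ---
# Apache evaluates a <Limit GET> section for GET and HEAD only, so wrapping the
# allowlist in it leaves POST (the method the login form submits with) and all
# other methods open.  Placed outside any <Limit> section, the same directives
# apply to every method.  Apache 2.2 "Order" syntax, as used in the thread.
Order Deny,Allow
Deny from all
# Placeholder addresses (RFC 5737 documentation ranges): one host and one /24.
Allow from 203.0.113.10
Allow from 198.51.100.0/24

# Equivalent on Apache 2.4 (mod_authz_core) when mod_access_compat is not loaded:
# Require ip 203.0.113.10 198.51.100.0/24

# --- root .htaccess (added example, not the thread's own text) ---
# Site-wide denylist for addresses seen spamming or probing in the logs.
# With "Order Allow,Deny" a request matching any Deny line is refused even
# though "Allow from all" follows, and without <Limit GET> a POST from those
# addresses is refused as well.
Order Allow,Deny
Allow from all
# Placeholders: a whole /24 in CIDR form and a single address.
Deny from 192.0.2.0/24
Deny from 203.0.113.77

# Server-side counterpart of the empty index.html files: never generate a
# directory listing for a folder that has no index file.  Requires the host to
# permit "AllowOverride Options" (or All) for .htaccess files.
Options -Indexes
```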
instantinlaw
October 19, 2008 at 12:28 am #276061
Here is some more info to get you started.
A good article: http://blamcast.net/articles/block-bots-hotlinking-ban-ip-htaccess
Or, do a search on google or yahoo for “bad bots” to find lists.
Or visit: http://www.webmasterworld.com/ and search for the same as above.
shertmann
October 19, 2008 at 1:44 am #276068
Thanks for that tip law, I will implement it in all my joomla sites from now on.
scotty, there is and never will be a site that is cyber criminal bullet proof, because all the systems are vulnerable in some grade, but if you leave yours exposed you make the work easy for them, so when you implement a lot of security measures you can sleep a little better knowing your site is not the target of some of these criminals, because they are looking for easy targets.
Web security is not an easy target because the security threats always exist, but people always find a way to fix them.
bennitos
October 20, 2008 at 1:35 pm #276277
For point 8 on menalto’s list above I did this.
The best thing is that the configuration.php file will be placed in a location which is not accessible from the internet, which is the reason that it’s better than just moving it into a subfolder.
This tip explains how to move your configuration.php file outside of your webroot as well as making it unwritable by the server. That makes it nearly impossible for someone to corrupt or gain access to the information in the file.
The first step is to move the file. Your webroot is /home/USERNAME/public_html, where USERNAME is your cPanel username. Joomla and Mambo can access files located at /home/USERNAME, but those files cannot be directly accessed from the internet. Log in to your favorite FTP program and download your configuration.php from /home/USERNAME/public_html/configuration.php. Rename it to “site.conf” then upload it to /home/USERNAME/site.conf.
Now that we’ve uploaded it to the new location we need to edit the original configuration.php file. Open it in your favorite text editor and replace the contents of the file with the following:
<?php
require( '/home/USERNAME/site.conf' );
?>
Make sure to replace USERNAME with your cPanel username. Then upload the new file to /home/USERNAME/public_html/configuration.php. At this point your site should still function normally.
Next, we need to make the file unwritable by the server. Most FTP programs allow you to do this. Right-click on the /home/USERNAME/site.conf file and select the option to edit permissions (normally “Permissions” or “Info”) and change the permissions to 444. This lets the server read the file without any problems, but it will not be able to edit the file.
If you ever need to edit the file you will need to change the permissions back to 644 before making your changes.
NB. Please ignore whoohanetworks’ post above, it’s not bringing anything to this discussion.
This topic contains 23 replies, has 8 voices, and was last updated by tonyg 16 years ago.