HIDDEN SECRETS FOR A HACK-PROOF JOOMLA!

Daniel Kanchev @dvkanchev

BEFORE WE BEGIN …

✓ 7+ Years Of Joomla! Experience

✓ 6 Years With SiteGround

✓ Love Travelling The World

✓ Addicted To Extreme Sports

✓ Application/Extension Developers

✓ Hosting Providers/System Administrators

✓ YOU (End Joomla! Users)

WHO SHOULD CARE ABOUT SECURITY ?

✓Application/Extension Developers

✓Hosting Providers/System Administrators

✓YOU (End Joomla! Users)

WHO SHOULD CARE ABOUT SECURITY ?

EVERYONE

WHY SHOULD YOU CARE ?

✓ Be Trustworthy By Protecting Your Clients’ Data

✓ Have A Healthy Site - Avoid Substantial Data

Loss/Downtime

HOW HACKERS WORK?

EVERYONE’S RESPONSIBLE!

!!

KEEP

CALM IT’S NOT

ROCKET

SCIENCE

SECURITY IS A PROCESS!

IS YOUR SERVER SETUP RIGHT?

SERVER CONFIG & TIPS✓ Always Update Your Server Software

✓ Harden The Linux Kernel - grsecurity

✓ Chroot Processes

✓ Provide Only Restricted Shell Access

✓ Disable/Remove Unused Services

SOLUTIONS: 1H Hive, Better Linux, CloudLinux

PROTECT YOUR WEB SERVER

✓ OWASP Rules - http://goo.gl/rC7Uz

✓ Atomic Rules - http://goo.gl/Fv3Vn

✓ Trustwave Paid Rules - http://goo.gl/9IAaB

PROTECT JOOMLA!

#1: UPDATE EVERYTHING!

SITEGROUND AUTO UPDATES

#2: DO THE BASICS

✓ Change The Default “admin” username

✓ Change The Default “jos_” DB Prefix

✓ Password Protect Your Administrator Folder

#3: RESTRICT THE ADMIN AREA BY IP

✓ Step 1: Check Your IP: whatismyip.com

✓ Add This Rule To Your .htaccess File

deny from all allow from YOUR_IP_ADDRESS

#4: KEEP PHP SCRIPTS IN THE RIGHT FOLDERS

<Files *.php> deny from all </Files>

✓ Avoid password generators

✓ Don’t use common words

✓ Avoid personal info, names

and significant dates:

daniel123

#5: USE BULLET-PROOF PASSWORDS

THE PERFECT PASSWORD✓ Choose A Favourite (Not Famous) Movie

Quote/Phrase From A Book:

✓ Add Punctuation Symbols (?!.,:) And Capital Letters,

Remove Whitespaces:

We all go a little mad sometimes

We.all?go!AlittleMad2sometimes

#6: CHECK YOUR EXTENSIONS

✓Joomla! Vulnerable Extensions List (VEL): http://vel.joomla.org/

✓National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/search

#7: STAY ON TOP OF SECURITY UPDATES

✓http://feeds.joomla.org/JoomlaSecurityNews

✓http://feeds.joomla.org/

JoomlaSecurityVulnerableExtensions

BUILD A JOOMLA! SECURITY RSS FEED

HOW TO DO IT: http://is.gd/Vze1Zo

#8: FIX YOUR PERMISSIONS AND OWNERSHIP

✓Folders: 0755

✓Files: 0644

✓All files/folders should be owned by your

main FTP user

✓NEVER EVER USE 777 permissions

#9: ADDITIONAL PROTECTION THROUGH .htaccess FILE

✓ Remove PHP Sensitive Information

✓ Avoid Visual FingerPrinting

✓ Block Some Popular Tools Used By Hackers

How To Do It: http://is.gd/pGfVXQ

#10: USE JOOMLA! SECURITY EXTENSIONS FOR IDS/IPS

✓ jHackGuard

✓ Akeeba Admin Tools

✓ jomDefender

✓ jSecure

SQL INJECTIONSELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';

jHackGuard SETUP

✓ SQL Injections

✓ Remote URL/File Inclusions

✓ Remote Code Execution

✓ XSS Based Attacks

#11: BACKUP! BACKUP! BACKUP!

NOW WHAT?

DON’T PANIC!

DISASTER RECOVERY PLAN1. Create A Copy Of The Hacked Site + All Logs

2. Restore From A Clean Backup

3. Quarantine Your Site - Maintenance Mode

4. Check The Logs For The Malicious Code

5. Resolve The Security Issues/Clean Malicious Code

6. Unquarantine Your Site

FEW THINGS TO TAKE AWAY

✓ Security Is About Making It Harder To

Infiltrate - Not Making It Impossible

✓ Security Is An Ongoing Process

✓ Everyone Is Involved

QUESTIONS ?

THANK YOU!Daniel Kanchev @dvkanchev