Securing Joomla

Last time I blogged about penetration testing and how it can help to protect your online platform. Since the effort of a pen test is not negligible, everyone has to decide for themselves whether it is worth it on a smaller site. But what you absolutely need to do is secure your Joomla installation, which is also called hardening.

Joomla is, after WordPress, the second largest Content Management System (CMS), with about 68 million installations. That alone is reason enough to harden your Joomla installation. There are a lot of bad guys who want your website, either to deface it, to use it as a spam delivery platform or to attack other systems from your CMS. You can do without all of this experience, just believe me.

Update your CMS with security patches


Keeping all software up to date with the latest security patches is one of the main concerns of computer security, and Joomla is no exception. Visit the admin page regularly; I would suggest a weekly visit to /administrator/.

If Joomla notifies you that an update is available, install it.


When you log in to the administrator page, you will see this message on the left side:

joomla asks for update

If you click on the entry, you will get a new page with a detailed description.

joomla update process

Use a strong password

That’s nothing new and I guess you have already heard this. You just have to do it. But what is a strong password?

  • Use passwords with at least 14 characters
  • Use letters in lower and upper case, numbers and special characters
  • Use a password which can’t be found in *any* dictionary
  • Don’t recycle your password: use a different password for every login in any application or system
  • If you can’t remember them all, use KeePassX as a password manager

Take regular backups

If something goes wrong, your backup is your insurance. Take this one seriously and test the recovery process. Believe me, this is done in minutes: you just have to start the process and can have a cup of coffee while it runs. Do a backup after every major change.

Keep several versions of your backups, you never know: the last version may contain a bug or may already have been hacked. This is just several megabytes of data, so really nothing to worry about.
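As an added example (not from the original post), here is a small POSIX shell script that bundles the site files and the database into one timestamped archive and keeps only the newest few copies. It assumes the site lives in SITE_DIR, archives go to BACKUP_DIR, the database credentials arrive as DB_HOST/DB_USER/DB_PASS/DB_NAME, and mysqldump and tar are installed on the host; all of these names are assumptions, not Joomla's own.

```shell
#!/bin/sh
# Added example, not from the original post: bundle a Joomla site's files and
# its MySQL database into one timestamped archive and keep only the newest N.
# Assumptions: the site lives in SITE_DIR, archives go to BACKUP_DIR, the DB
# credentials are passed in as DB_HOST/DB_USER/DB_PASS/DB_NAME, and mysqldump
# plus tar are installed on the host.
set -eu

# Remove all but the newest $2 archives in $1 and print how many were deleted.
# The timestamp in the file name sorts chronologically, so reverse name order
# lists the newest first and everything after the first $2 can go.
prune_backups() {
    dir=$1; keep=$2; removed=0
    for f in $(ls -1r "$dir"/joomla-*.tar.gz 2>/dev/null | tail -n +$((keep + 1))); do
        rm -f "$f"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Dump the database and archive it together with the site directory.
make_backup() {
    site_dir=$1; backup_dir=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    tmp=$(mktemp -d)
    # The archive contains configuration.php (with the DB password) and the
    # full database, so create everything owner-readable only.
    umask 077
    # Credentials go through a temporary option file, not the command line,
    # so they do not show up in the process list.
    printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' \
        "$DB_HOST" "$DB_USER" "$DB_PASS" > "$tmp/my.cnf"
    mysqldump --defaults-extra-file="$tmp/my.cnf" --single-transaction \
        "$DB_NAME" > "$tmp/db.sql"
    tar -czf "$backup_dir/joomla-$stamp.tar.gz" -C "$site_dir" . -C "$tmp" db.sql
    rm -rf "$tmp"
    echo "$backup_dir/joomla-$stamp.tar.gz"
}

# Only take a backup when explicitly asked; the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
    make_backup "${SITE_DIR:?}" "${BACKUP_DIR:?}"
    prune_backups "${BACKUP_DIR:?}" "${KEEP:-5}"
fi
```

Run it from cron with `run` as the argument; the retention step is what keeps the "several versions" the post asks for without the backup directory growing forever.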

Protect your administrative page

Usually bots (hacked computers combined into a network) try to brute force Joomla logins. The attacking computers can change their IP address after 3 login attempts, so blocking by IP is of little use. There is a way to protect your admin page with an extra layer of security: it’s called htaccess. Just google for htaccess and you will find a lot of very useful information on it.
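As an added example (not from the original post), this shell function writes the .htaccess that puts HTTP Basic authentication in front of /administrator/. It assumes Apache with AllowOverride AuthConfig enabled for the web root, that the web root path and the password file path are passed as arguments, and that the password file has been created with `htpasswd -B -c <file> <user>` (apache2-utils); the function refuses a password file inside the web root, because it would otherwise be downloadable.

```shell
#!/bin/sh
# Added example, not from the original post: protect Joomla's /administrator/
# directory with an extra Basic-auth login via .htaccess.
# Assumptions: Apache honours .htaccess (AllowOverride AuthConfig) for the web
# root given as $1, and the htpasswd file $2 was created beforehand with
#   htpasswd -B -c /path/outside/webroot/.htpasswd <user>
set -eu

# Write <webroot>/administrator/.htaccess pointing at <authfile> and print
# its path. Fails if the auth file lies inside the web root (it would be
# served to anyone) or if there is no administrator directory.
protect_admin_dir() {
    webroot=$1; authfile=$2
    case "$authfile" in
        "$webroot"/*)
            echo "refusing: $authfile is inside the web root" >&2
            return 1 ;;
    esac
    admin="$webroot/administrator"
    [ -d "$admin" ] || { echo "no administrator directory in $webroot" >&2; return 1; }
    cat > "$admin/.htaccess" <<EOF
# Second login layer in front of Joomla's own administrator login.
AuthType Basic
AuthName "Restricted"
AuthUserFile $authfile
Require valid-user
EOF
    chmod 644 "$admin/.htaccess"
    echo "$admin/.htaccess"
}
```

After writing the file, confirm that an unauthenticated request to /administrator/ now returns 401 rather than the Joomla login form; if it still shows the form, AllowOverride is not enabled for that directory.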

Delete extensions not needed

Unneeded extensions lying around may be a gateway for hackers. Only install those you need. If you are testing new extensions, don’t forget to delete them once you no longer use them.

Test your Joomla installation for security

There is a scanner to test your Joomla installation for security: joomscan. But be aware: if the scanner says everything is fine, you are not necessarily safe, because it only checks the known vulnerabilities stored in the vendor’s database. Anything new, or a misconfiguration of the hosting server, will not be covered. Nevertheless it is a valuable tool for finding out whether your installation contains any howlers.

In the next blog I will show how to use joomscan.

There is a lot of good material on the Joomla site concerning security. Take a look at it: https://docs.joomla.org/Security_Checklist


Why Penetration Testing helps security

In my last post I wrote about how to install Joomla. Now you can read how to secure your web site very professionally.

Securing your web site is very important. One very good way to do so is to test its security via penetration testing, e.g. via www.itexperst.at.

But what is penetration testing and what is it really for?

Penetration testing has many advantages for companies

In today’s world, IT security and business success are very closely linked. Even if entrepreneurs very often have various reasons to think themselves secure, unfortunately the reality is different! IT systems in all sectors are exposed to many dangers every day, and very often it is easy for cybercriminals to get what they want. To minimize these dangers as much as possible, companies can carry out so-called penetration tests. Penetration testing is the verification of IT systems, complete networks, online shops, websites, etc., with regard to their security against external attacks. The tests carried out by qualified and certified experts are, in principle, very realistic attacks, which are executed on IT systems in a controlled way. The goal is to uncover vulnerabilities and to document them so that they can be eliminated later.

The advantages at a glance

Tailor-made tests

Since penetration tests can always be adapted very precisely to the given conditions, each one brings its own individual procedures with it. This is an important factor and therefore a decisive advantage for the effective implementation and for obtaining a comprehensive result. Tailor-made on-site and external testing for any organization will ensure the highest level of security.

Protection against system failure

Even a single targeted internal or external attack can lead to a complete system failure. Penetration tests can cover different attack scenarios, which are very realistic and thus reveal possible weak points as well as provide solutions.

Protection against external attacks

Security vulnerabilities in applications, systems or networks can allow external attackers to breach them. A major challenge for most IT security teams today is attacks at the application level. Simulated test procedures show how, and how quickly, these attacks can be detected and eliminated. With the knowledge gained, existing measures can be applied in a real emergency, thus minimizing the consequences of the attack.

Protection from Insider threats

Often the danger from the inside is overlooked and completely underestimated. Malicious software is introduced via a data carrier or a file and spreads within the company’s own systems, or employees have rights that are not limited, etc. Penetration tests can also point out such weaknesses and protect IT systems from these dangers.

Data and business/trade secrets are protected

After a successful hacking attack there is the immediate and imminent danger that important data is stolen and abused or even destroyed. Cyber espionage is nowadays a lucrative business for criminals. A penetration test finds open back doors and brings the weaknesses of the existing data security to light.

Security requirement is established

The attack methods of hackers are constantly adapting. It is important to determine the status quo of your company with regard to its IT by means of a penetration test in order to identify the actual security requirements.

Your IT security is always up-to-date

Once the security requirements have been determined from the results of the penetration test, IT security can be updated regularly and thus the defense mechanisms are always up-to-date.

Cost savings

Every entrepreneur can begin to guess what a complete system failure or data loss due to a successful attack will cost him, and not just in nerves! The inability to work leads to a temporary loss of business and a not inconsiderable financial loss. Penetration testing can therefore protect you against financial damage.

Thoroughly tested IT

In many companies IT systems, applications and software are installed once, rarely checked, updated only from time to time and, as a rule, never subjected to a thorough security check. An IT penetration test also covers this.

Protection of customers

Entrepreneurs have a responsibility towards their customers. Planted malicious software can spread very quickly, and malicious software can also hide in online shops and websites that are visited by customers and prospective customers. The result of a penetration test will show how well your customers are protected when they are in contact with you.

Protection of the company

Penetration testing is essential to protect your own assets and those of your employees, as well as those of your customers. These tests are an important part of your company’s success and reputation. Customer trust and good business are the basis for successful work today, and the competitive advantage is obvious. Regular penetration tests are an important tool for IT security in large and small enterprises alike, given the generally growing need for security.

How to install Joomla

In my last article I mentioned why one might choose Joomla for building a web site. In this description you will see how you can manually install a fresh Joomla CMS on your web server.

Downloading Joomla

First download the latest Joomla installation zip package: go to joomla.org and download the latest release.

Install Joomla, Step 1

Unzip the installation files. In my case the file is named Joomla_3.6.5-Stable-Full_Package.zip. There are currently 5336 files in this release, covering 52 megabytes. Of course, this will vary depending on the version.

Upload files to webserver

Upload the unzipped files to the server/hoster of your choice. In my case I uploaded all the files to /public_html.

Please check the name of the right directory; different hosters may use different names. Select all the files and upload them. With FileZilla you can use the right mouse button and choose Upload.

Install Joomla, upload files

Depending on the speed of your internet connection, this may take a few minutes.

Creating a MySQL database for Joomla

Please refer to your hoster for how this can be done. Possibly you can do it in your cPanel or Plesk tool. You need a new database and a user who has all privileges on it. For security reasons, please choose a secure password.

What is a secure password?

  • More than 12 characters
  • The password should not be found in any dictionary. If it is, it can be found by a dictionary attack.
  • Use numbers, lower and upper case letters and special characters
  • Use the password for only one account or one purpose. Do not reuse passwords: if a password is used several times and is compromised, the other accounts can easily be taken over.
  • I suggest using a password safe like KeePassX.

Installing Joomla

Now that these prerequisites are done, you can open your browser and start the installation. Go to your domain and enter:

http://yourdomain.com/

Installing Joomla, configuration

If you have installed Joomla in a subdirectory (local install), you should adapt the URL accordingly.

You will see the Joomla installer, where you can enter some administrative information.

Site Name: Here you define what your site should be called. A lot of templates use this as a heading. It can be changed afterwards.

Description: Add a brief description. Depending on your template this may appear in different places. It is also used as the default meta description. Best is to use 20 to 25 words. This can also be changed afterwards.

Admin E-Mail: This email address will be used for system messages and password recovery. It should be valid, of course.

Admin Username: This is the user name of the admin account. The default is admin, which should be changed. As you may have noticed, my admin name is not easily guessable: it is admin plus 4 random characters. This helps prevent script kiddies from brute forcing the admin account.

Admin Password: A secure password, see above.

Configure the Database

Installing Joomla, database configuration

When you are done, you can choose NEXT. In the next tab you have to configure the database by entering the necessary information about your MySQL database.

Database Type: Should be MySQL

Host Name: mostly localhost, but contact your hoster’s support if you have trouble deciding.

Username: Name of the user who has the permissions. This is the one you chose earlier, when setting up the MySQL database.

Password: The password of that database user

Database Name: The name of the database

Table Prefix: There is a prefix so that you could install several Joomla sites in one database. You can leave this value as it is.

After that, there is the option of backing up any existing tables from an old Joomla installation. If there is one, please do so by clicking Backup; otherwise choose Remove.

Now you can press Next and you are almost done.

Installing Joomla, finalisation

On the last page you can choose whether some sample data should be copied to your installation. For a beginner this is very neat: you can poke around in the files and see how things can be done. So Default English (GB) Sample Data is a good choice.

Installing Joomla, final summary

Furthermore there is a summary of what you have chosen for the installation. Have a look at it and correct anything that is wrong.

After that you will be shown a summary of the configuration check. If all is well you will get a green Yes on every line.

You can now hit the Install button and everything should be done in a few minutes.

Installing Joomla, finished

There is one last thing to do: please remove the installation folder. This is required for security. If you do not, anyone could rerun the installer and destroy your site. Joomla itself enforces this: as long as the installation files are present, you cannot proceed any further.

Installing Joomla, remove installation folder

Congrats, you have installed your first Joomla CMS. Now you can start publishing.
You can now choose between viewing the site at http://yourdomain.com

Installing Joomla, the site

or logging in with the admin account at http://yourdomain.com/administrator

Installing Joomla, Administrator login