Joomla Security

 

  • Change the database table prefix from the default "jos_" to something else. Automated SQL injection scripts guess "jos_" first, so a different prefix breaks off-the-shelf attack tooling.
  • Rename the "admin" account in Joomla, phpBB and anywhere else it is used. Attackers try that username first.
  • Instead of renaming, you can also create a second super administrator account, log in with it, and delete the original. This way the well-known default user id disappears as well.
  • Set a password for (or rename) the "root" account that phpMyAdmin exposes. A fresh MySQL install has NO root password. Remote hosts usually take care of this, but a local or development server often does not.
  • Remove unused templates, extensions and other unneeded files from your site, including the compressed archives (.zip, .tar.gz) left over from installation. Abandoned extensions still get scanned and exploited even if nothing on the site uses them.
  • Check the joomla.org Vulnerable Extensions List (VEL) before installing an extension, and again periodically afterwards.
  • Check regularly for updates to Joomla, PHP, MySQL and EVERY extension you use.
  • Avoid extensions that ship encoded or obfuscated code (ionCube, Zend Guard and similar). You cannot review what such code does and you cannot patch it yourself.
  • Use some form of intrusion detection, either through a cron job or an extension (such as Eyesite), so that changed or newly added files get noticed.
  • Check your log files OFTEN for unusual activity: repeated failed logins, requests for files that do not exist, POSTs to unexpected paths.
  • Use .htaccess to add extra protection to your administrator directory (a password prompt or an IP restriction), or use an extension (such as kSecure).
  • Change the paths (directories) where your log and temp (tmp) files are stored so they sit outside the web root. Don't just move them: you have to change the setting in Global Configuration as well, and the new paths must fall within the scope of open_basedir or PHP will refuse to write to them.

On the server where the site is hosted, configure the following:


  • Ask your host whether they offer PHPsuExec, php_suexec or suPHP. With these, PHP runs as your own user rather than as the shared web-server account, so your files no longer need to be group- or world-writable.
  • Use your own php.ini if the server allows it. With it you can disable functions that are not needed or are dangerous (disable_functions, e.g. exec, system, passthru, shell_exec).
  • register_globals = 0 (off). Many servers default this to ON. (The directive was removed in PHP 5.4, so on current PHP there is nothing to set.)
  • allow_url_fopen = 0 (off), and allow_url_include = 0 (off) as well. Both stop remote-file-inclusion attacks that pull PHP code from another server; check first that no extension relies on allow_url_fopen for its update checks.
  • expose_php = 0 (off), so the X-Powered-By header does not announce your PHP version.
  • safe_mode = 0 (off). It was never a real security boundary, it breaks many extensions, and it was removed in PHP 5.4.
  • Use open_basedir; it limits which files and folders PHP can open to the directories you list.

Files

  • Move configuration.php outside of your public directory. Joomla still expects a configuration.php in the site root, so the usual approach is to leave a stub there that only does `<?php require '/path/outside/webroot/configuration.php';` and keep the real file, with the database credentials, where the web server cannot serve it.
  • On file permissions: in general never use 777 unless you know exactly why you need it. 755 for directories and 644 for files is sensible for most sites, and configuration.php can be set to 444 once the site is configured.
  • Don't save the FTP user and password in your FTP client on your workstation (especially on Windows); stored FTP credentials are a favourite target of workstation malware and a common route to site defacements.
  • If you don't need Joomla's FTP layer, don't enter the FTP user/password in Global Configuration, or remove them if they are already there.
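The file-level items on this page (the default "jos_" prefix, log/tmp paths under the web root, 777 permissions, an .htaccess for the administrator directory) can be checked and fixed with a few lines of shell. The script below is an added example and is not code from the original post or from the Joomla project. The sample site tree built by make_sample_site, and the configuration values in it, are constructed for the demonstration; the .htaccess it writes assumes Apache 2.4 syntax (Require ip) with AllowOverride enabled.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Joomla tree for the
# file-level items in the checklist and apply the 755/644/444 permissions.
# Real use:  sh joomla_audit.sh /var/www/html

# Build a throwaway Joomla-like tree (constructed sample) that has the weak
# settings this checklist warns about: default prefix, log/tmp inside the
# web root, and two entries left world-writable.
make_sample_site() {
    s=$(mktemp -d)
    mkdir -p "$s/administrator" "$s/logs" "$s/tmp"
    chmod 755 "$s/administrator" "$s/logs"
    printf '<?php\nclass JConfig {\n  public $dbprefix = "jos_";\n  public $log_path = "%s/logs";\n  public $tmp_path = "%s/tmp";\n}\n' "$s" "$s" > "$s/configuration.php"
    : > "$s/index.php"
    chmod 644 "$s/index.php"
    chmod 777 "$s/tmp" "$s/configuration.php"   # the mistakes we want to catch
    printf '%s\n' "$s"
}

# Number of world-writable files or directories under a tree.
count_world_writable() {
    find "$1" -perm -0002 | wc -l | tr -d ' '
}

# Read one quoted scalar out of configuration.php, e.g. read_config_value cfg log_path
read_config_value() {
    sed -n "s/.*\$$2 *= *['\"]\([^'\"]*\)['\"].*/\1/p" "$1"
}

# Print findings; exit status 0 = clean, 1 = something needs fixing.
audit_joomla_tree() {
    root=$1; findings=0; cfg="$root/configuration.php"
    # 1. The default table prefix is the first thing SQL-injection tooling guesses.
    if [ "$(read_config_value "$cfg" dbprefix)" = "jos_" ]; then
        echo "WARN: $cfg still uses the default dbprefix jos_"; findings=1
    fi
    # 2. Anything world-writable can be modified by any other process on the host.
    if [ "$(count_world_writable "$root")" -gt 0 ]; then
        find "$root" -perm -0002 -exec echo "WARN: world-writable:" {} \;
        findings=1
    fi
    # 3. log/tmp directories kept inside the web root are reachable over HTTP.
    for key in log_path tmp_path; do
        val=$(read_config_value "$cfg" "$key")
        case "$val" in
            "$root"/*) echo "WARN: $key=$val is inside the web root"; findings=1 ;;
        esac
    done
    return $findings
}

# 755 for directories, 644 for files, configuration.php read-only.
fix_joomla_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    chmod 444 "$1/configuration.php"
}

# Restrict /administrator to the given address or CIDR range.
# Assumption: Apache 2.4 (Require ip); Apache 2.2 needs Order/Allow directives instead.
write_admin_htaccess() {
    printf 'Require ip %s\n' "$2" > "$1/administrator/.htaccess"
}

# Command-line use: audit the directory given as the first argument.
if [ $# -gt 0 ]; then
    audit_joomla_tree "$1"
    exit $?
fi
```

Run it as `sh joomla_audit.sh /var/www/html`; a non-zero exit means at least one warning was printed. The audit deliberately only reports, while fix_joomla_perms changes modes, so the two can be wired into a cron job separately (audit every night, fix only after a deliberate decision).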