Monday, February 15, 2010

All You Ever Wanted To Know About Joomla Security


All You Ever Wanted To Know About Joomla Security

Due to the time I spent rebuilding and cleaning up a recent Joomla hack and defacement of a web by an individual from the country of Turkey, I have become much more knowledgeable of Joomla security issues.

Looking through the monitoring statistics of the attacked site, it only took 4 minutes for the person hacking the site to compromise it; they found the site by searching for vulnerable Joomla 3rd party extensions which were installed in the site, which can get indexed on Google.

Joomla has become on of the hottest, easy to use, and simple to setup web site Content Managmet Systems  out there. With that, it has increasingly become the target of hackers. Just like Microsoft did with the popularity of the Windows Operating System, Joomla is reaping the success of developing software that helps people work and communicate more efficiently,  but at the cost of being on the radar for individuals who like to destroy and cause havoc on websites.

So for all of those looking for guidance on Joomla security I have provided a list of sources from various places that offer great Joomla security advance. The Majority of what you need to know about staying in the know and securing your Joomla site can be found here on my blog.

1)     Getting Started with your Joomla site
A.     Official Joomla Documentation

·   http://docs.joomla.org/

B.     How to Choose a Hosting Provider

·   http://docs.joomla.org/Security_and_Performance_FAQs

C.     Look at Ultra Secure Web Host Providers Like, FireHost.com a Secure Web Hosting Probider Who Defends against DDoS and Provides Top Notch, Corporate Enterprise Class Intrution Detection (IDS) & Intrusion Provention (IPS) Services.

2)      Install most up-to-date version of Joomla
·   http://www.joomla.org/download.html

3)      Test and Patch Joomla installation as Soon as a New Patch Update is Released
·   http://joomlacode.org/gf/project/joomla/frs/?action=FrsReleaseBrowse&frs_package_id=4947

4)      Rename admin account

5)      Change default password “admin” to a strong password

6)      Redirect Joomla Management Console Default
http://www.yoursite.com/administrator to something else by using a secure plug-in or something else. plugins/system/404.html

A.     Consider Using JSecure Authentication for Console Access and Re-Direction

·   http://extensions.joomla.org/extensions/access-a-security/site-security/5809

7)     Joomla Permissions  Give Write and Execute permissions only to files and folders that need them. See #12 below: Joomla Hardening.

8)      Don’t Use High Risk Joomla Extensions that appear on Vulnerablity Extensions lists
A.     Vulnerable Extensions List

·   http://docs.joomla.org/Vulnerable_Extensions_List

B.     U.S. Vulnerabilities Database: Enter Joomla or Names of Joomla Extensions

·   http://web.nvd.nist.gov/view/vuln/search?cid=1.

9)      Scan your Joomla site often to check for vulnerabilities
A.     OWASP’s free JoomaScan Vulnerability Scanner- Usage : Note to run on Windows, you will first need to install a Perl Distribution; Such as ActivePerl.  Real easy to install, then begin your scanning!

·   http://sourceforge.net/projects/joomscan/

·   Mailing List

·   Subscribe: https://lists.owasp.org/mailman/listinfo/owasp-joomla-vulnerability-scanner

·    or Use: owasp-joomla-vulnerability-scanner@lists.owasp.org

B.     Hacker Targets’ free web based Joomla site scanner

·   http://hackertarget.com/joomla-security-scan

·   Web site protection http://yehg.net/lab/pr0js/papers/MULTIPLE%20TRICKY%20WAYS%20TO%20PROTECT.pdf

10)   Disaster Recovery: Backup Your Site!

A.     JoomPack Site Back Up

·   http://extensions.joomla.org/extensions/1606/details

·   Restore JoomPack: http://joomlapack.net/download/itemlist/category/52-kickstart.html

11)   Create a Test Site on a Local Host/ Workstation Before Making Changes To Your Joomla Site
A.      Joomla Downloadable Local Host Instant Infrastructure!

·   http://demo.joomla.org- Jumpbox, TurnKey & Online Joomla Demo Site

B.      Manually Install/Setup a Windows Test/Development Joomla Environment

·   Part 1 -  http://docs.joomla.org/Setting_up_your_workstation_for_Joomla!_development

·   Part 2 -  http://docs.joomla.org/Setting_up_your_workstation_for_Joomla!_development_--_Part_2
C.      How To Copy From Host to Remote Host and Vice-Versa

·   http://docs.joomla.org/How_do_you_copy_a_site_from_localhost_to_a_remote_host%3F

12)   Joomla Website Hardening

A.      Joomla Security Guide

·   http://www.myjoomlasecurity.com/index.php/Main_PageCheck

13)   More Joomla Security Resources

A.      Joomla Administrators Security Checklist

·   http://developer.joomla.org/security/articles-tutorials/260-joomla-administrators-security-checklist.html

B.     Joomla Security Strike Team

·   http://developer.joomla.org/security.html

C.     Joomla Security FAQs

D. Top 10 Joomla Security Problems and How To Avoid Them

·  http://joomplaza.com/index.php/tutorials/82-top-ten-joomla-security-problems---and-how-to-avoid-them

E. Top 10 Joomla Security Extentions

. http://hostingword.com/web-hosting-reviews/10-most-popular-joomla-security-extensions/

 If any of the above links disappear or are not working properly, please let me know. Thanks in advance!

Enjoy your Joomla Content Management Experience Safely and with no Headaches!



 In addition, if you are new to the IT Security field, or have no experience and want to change your career consult with me at:


  1. Excellent information. Thank you very much.

  2. Superb content and resourceful information for all Info Sec professionals. Thank you for sharing!


Get Expert Advice!