Choose a (better) FTP password for accessing your homepage, one which is not trivial, using the rules in annex A.
Requirements: a valid login and password for your Plesk account.
How: open http://yoursite.com:8443/
Go to the main page. If your hosting company allows you to create several subdomains, click on the right one.
On the Plesk main page, click on your domain, here waltercedric.com; on the next page, click on Setup. Then enter the new FTP password and save.

Choose a DIFFERENT Joomla/Mambo administration password, using the rules in annex A.
Requirements: a valid login and password for your Joomla administrator account.
How: go to your administrator panel, for example http://yourhost/administrator/, click on your login name (here admin) and enter a new password.

Choose a DIFFERENT Plesk password for the administration of your site, using the rules in annex A.
Requirements: a valid login and password for your Plesk administrator panel.
How: open http://yoursite.com:8443/ which is the default URL for Plesk; attention, it may vary depending on your hosting company.
On the main page, click on Edit and enter the new password.

Choose a DIFFERENT MySQL password for the Joomla/Mambo tables, using the rules in annex A.
How: use the Plesk administration panel.
On the Plesk main page, click on your domain, here waltercedric.com; on the next page, click on Databases, then on your Joomla database (here, for me, mos), then on the right user, here mosuser, and change the password. Note that I have a special user for backup purposes with only SELECT rights!
Then open the file /configuration.php and change the key mosConfig_password.
Adapt user rights of the MySQL Joomla user

A MySQL user may have many privileges. The user Joomla runs with, for example joomlaUser, should ONLY have INSERT (new comments, guestbook entries), DELETE and UPDATE rights on the Joomla/Mambo database.
You can check what a user is allowed to do with SHOW GRANTS, for example:

SHOW GRANTS FOR 'mosdev'@'%';
GRANT ALTER,CREATE,CREATE TEMPORARY TABLES,CREATE VIEW,DROP,EXECUTE,LOCK TABLES,PROCESS,SHOW DATABASES,SHOW VIEW ON *.* TO 'mosdev'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
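Reviewing SHOW GRANTS output by eye is easy to get wrong, so here is a small checker, added to this tutorial as an example (it is not part of the original post nor of Joomla/Plesk). It parses one GRANT line, flags the three things that matter for a web application user (a global *.* scope, WITH GRANT OPTION, and any privilege beyond SELECT/INSERT/UPDATE/DELETE) and builds the minimal GRANT to use instead, with an "install mode" variant for the moments when a new component needs to create tables. The function names, the database name mos, the user mosuser and the choice of INDEX as an install-time privilege are my assumptions; the GRANT line fed to it is the one shown above.

```python
import re

# Privileges that day-to-day Joomla/Mambo operation needs: INSERT, UPDATE and
# DELETE as the text says, plus SELECT to read the content at all.
ROUTINE_PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE"}
# Privileges only needed while installing a component that creates its own
# tables (assumption: CREATE/ALTER/DROP/INDEX); grant them temporarily, then revoke.
INSTALL_PRIVS = {"CREATE", "ALTER", "DROP", "INDEX"}

# One line of SHOW GRANTS output: GRANT <privs> ON <scope> TO 'user'@'host' [WITH ...]
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"(?P<account>'[^']*'@'[^']*')(?P<rest>.*)$",
    re.IGNORECASE,
)


def audit_grant(line):
    """Return a list of findings (empty = acceptable) for one SHOW GRANTS line."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        raise ValueError("not a GRANT statement: %r" % line)
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    findings = []
    # "GRANT USAGE ON *.*" is the harmless line every account has; anything else on *.* is not
    if m.group("scope") == "*.*" and privs != {"USAGE"}:
        findings.append("global scope *.*: restrict the grant to the Joomla database only")
    if "WITH GRANT OPTION" in m.group("rest").upper():
        findings.append("WITH GRANT OPTION: the web user must not be able to hand out privileges")
    excess = sorted(privs - ROUTINE_PRIVS - {"USAGE"})
    if excess:
        findings.append("not needed for normal Joomla operation: " + ", ".join(excess))
    return findings


def recommended_grant(db, user, host="localhost", install_mode=False):
    """Build the GRANT statement for the web user; install_mode adds table creation rights."""
    privs = ROUTINE_PRIVS | (INSTALL_PRIVS if install_mode else set())
    return "GRANT %s ON `%s`.* TO '%s'@'%s';" % (", ".join(sorted(privs)), db, user, host)


def revoke_install_rights(db, user, host="localhost"):
    """The statement to run once the new component is installed."""
    return "REVOKE %s ON `%s`.* FROM '%s'@'%s';" % (
        ", ".join(sorted(INSTALL_PRIVS)), db, user, host)


# The GRANT line shown in the text, used here as sample input.
SAMPLE_GRANT = (
    "GRANT ALTER,CREATE,CREATE TEMPORARY TABLES,CREATE VIEW,DROP,EXECUTE,LOCK TABLES,"
    "PROCESS,SHOW DATABASES,SHOW VIEW ON *.* TO 'mosdev'@'%' WITH GRANT OPTION;"
)

if __name__ == "__main__":
    for finding in audit_grant(SAMPLE_GRANT):
        print("-", finding)
    print(recommended_grant("mos", "mosuser"))
    print(recommended_grant("mos", "mosuser", install_mode=True))
    print(revoke_install_rights("mos", "mosuser"))
```

Paste the output of SHOW GRANTS into audit_grant one line at a time; an empty list means the account is already down to the routine set. Run the FLUSH PRIVILEGES shown above after applying the generated GRANT/REVOKE statements.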
Do not allow DROP or CREATE TABLE: normal operation of Joomla does not require it! Of course, as soon as you want to install a new component, you will have to temporarily allow joomlaUser to create new tables (if the component requires it).

Adapt file rights on your server
A heritage of UNIX: file rights are organized in 3 groups, user, group and all (others). Each group may individually be able to read (r), write (w) or execute (x) a file. The combination rwx is read in octal, rwx = 7 for each group, so 777 is the worst setting: anybody may be able to delete or change your files on the server...

This is how my file structure looks.

Recommended rights, with the CHMOD equivalent:
file rights: r--r--r-- (CHMOD 444)
directory rights: r-xr-xr-x (CHMOD 555)
exception for the /cache directory: rwxrwxrwx (CHMOD 777)

How: use a tool like CuteFTP, select the resources, use the right-click menu and check the bits.
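Because the FTP dialog only changes one level at a time, an auditing script that walks the whole tree is handy. The following is an example added to this tutorial, not code from the original post or from Joomla: it compares every file and directory under the Joomla root with the recommended 444/555 rights (and the 777 exception for /cache as given above), optionally fixes them, and implements the "temporarily set A, B and C to 755" trick from the side-effects note. The function names, the sample directory layout built in a temporary folder and the assumption that a fresh upload leaves 755/644 modes are mine.

```python
import os
import shutil
import stat
import tempfile

FILE_MODE = 0o444          # r--r--r--  recommended for files
DIR_MODE = 0o555           # r-xr-xr-x  recommended for directories
WRITABLE_DIRS = {"cache"}  # the text's exception: /cache stays rwxrwxrwx
WRITABLE_MODE = 0o777
UNLOCK_MODE = 0o755        # rwxr-xr-x, set temporarily on A, B and C to write into A/B/C


def expected_mode(rel_path, is_dir):
    """Mode a path (relative to the Joomla root, '/'-separated) should have, or None to leave it alone."""
    top = rel_path.split("/")[0]
    if top in WRITABLE_DIRS:
        # the writable directory itself gets 777; whatever PHP writes inside it is not audited
        return WRITABLE_MODE if "/" not in rel_path else None
    return DIR_MODE if is_dir else FILE_MODE


def audit_tree(root, fix=False):
    """Walk the whole tree (recursively, unlike the CuteFTP dialog) and list every
    (path, actual, expected) whose mode differs from the recommendation; fix=True chmods it."""
    mismatches = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            want = expected_mode(rel, os.path.isdir(full))
            actual = stat.S_IMODE(os.stat(full).st_mode)
            if want is not None and actual != want:
                mismatches.append((rel, actual, want))
                if fix:
                    os.chmod(full, want)
    return mismatches


def unlock_path(root, rel_dir):
    """Temporarily set rwxr-xr-x on each directory from root down to rel_dir
    (A, then A/B, then A/B/C) so a file can be written there; returns the paths touched."""
    touched = []
    current = root
    for part in rel_dir.strip("/").split("/"):
        current = os.path.join(current, part)
        os.chmod(current, UNLOCK_MODE)
        touched.append(os.path.relpath(current, root).replace(os.sep, "/"))
    return touched


def run_demo():
    """Build a small constructed Joomla-like tree in a temp dir, audit and fix it, re-audit,
    then unlock images/stories; returns (mismatches before, mismatches after, dirs unlocked)."""
    root = tempfile.mkdtemp(prefix="joomla_")
    try:
        for d in ("administrator", "cache", "images/stories", "components/com_x"):
            os.makedirs(os.path.join(root, d))
        for f in ("configuration.php", "index.php", "images/stories/a.gif", "cache/page.tmp"):
            with open(os.path.join(root, f), "w") as fh:
                fh.write("x")
        # start from the modes a typical upload leaves behind (assumption): 755 dirs, 644 files
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames:
                os.chmod(os.path.join(dirpath, name), 0o755)
            for name in filenames:
                os.chmod(os.path.join(dirpath, name), 0o644)
        before = audit_tree(root, fix=True)
        after = audit_tree(root)
        unlocked = unlock_path(root, "images/stories")
        return len(before), after, unlocked
    finally:
        # give everything back write permission so the temp dir can be removed
        for dirpath, dirnames, filenames in os.walk(root):
            os.chmod(dirpath, 0o700)
            for name in filenames:
                os.chmod(os.path.join(dirpath, name), 0o600)
        shutil.rmtree(root)


if __name__ == "__main__":
    print(run_demo())
```

On a real installation call audit_tree("/path/to/httpdocs") first to see the list, and only then with fix=True; after uploading pictures, run the audit again so the directories unlocked with unlock_path go back to 555.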
Example in CuteFTP; note that the command is not recursive!
Side effects: you won't be able to use the upload function of HTMLArea: it is impossible to upload images or files using the administrator article editor. Each time you want to publish a new article with pictures inside, you will have to copy them with FTP before editing in order to be able to insert them into the text. In order to write a file into directory C in the path A/B/C, you will have to temporarily set directories A, B and C to rwxr-xr-x rights (CHMOD 755)!

Protect some parts of Joomla using an additional password, like .htaccess
Requirements: your provider must support .htaccess per directory.
How:
Read my tutorial HERE.
Side effects: some component or code trying to read a file from the admin area (if protected by a .htaccess file) may bring up a login popup window for your users, but it is possible to find these problems and solve them quickly. My plugin securityimages, in its first version, also had this error (coding).

Run a part of your site in HTTPS mode
For added security, you can force users to access your pages using an SSL (Secure Socket Layer) connection. This means transmitted data is encrypted, so passwords and web pages cannot be read in cleartext over the internet.
Ideally only the administration part (all URLs beginning with http://yoursite/administrator/), or your whole site.
Why: if your site runs in HTTP mode, all passwords and fields submitted to the server are sent in cleartext (and can be read); an attacker may be able to intercept or impersonate a user by rerouting the HTTP request. In HTTPS mode, data travels encrypted on the network and a session key avoids replay attacks. Moreover, it is not realistic to run a commercial business on the internet without HTTPS.
Requirements: your provider/hosting company should allow it.
How: run the FULL site in HTTPS, or run PART of the site in HTTPS. In Plesk, just copy your Joomla/Mambo file structure from /httpdocs to the directory /httpsdocs with an FTP tool. Optionally put a file index.html in /httpdocs which redirects users to the protected HTTPS area, to show users that your site still exists (it will not produce an error 404: page not found). This is certainly not as easy as running your full site in HTTPS.
Side effects: if you install a new site, no problem. If you have an existing homepage, are heavily indexed by Google and co. and/or many users have bookmarked you, users will be disturbed to say the least, and Google may think you are using some spammer techniques (moving and creating/hiding new content).

Review OpenSEF/SEF 404 logs
If the OpenSEF/SEF component is installed, you may be able to look at unusual or incorrect URLs. This can typically reveal some SQL or parameter injection attempts against existing code. SEF will in fact reject some URLs and redirect the user to your root index.php instead of displaying an error message or revealing information about the file structure, which is a positive side effect of SEF.
Example: .../banner.php?id=120&client="select 1 from dual" : someone is trying to test SQL injection in the Banner component.

Review access logs
Search the log file for unusual behaviour: is someone accessing /index2.php (the admin part of your site) too often (in a small interval)? This may be a brute force attack!
Requirements: Plesk access.
How: on the Plesk main page, click on your domain, here waltercedric.com; on the next page, click on Log Manager.
The server access log records all requests processed by the server: the access log for http:// and the access ssl log for https://.
The server error log, whose name and location is set by the error log directive, is the most important log file. This is the place where Apache httpd will send diagnostic information and record any errors that it encounters in processing requests. It is the first place to look when a problem occurs with starting the server or with the operation of the server, since it will often contain details of what went wrong and how to fix it.
The xferlog file contains logging information from the FTP server daemon (ftpd).

Make backups!
Joke: "Real men don't do backups, but they often cry."
MySQL: 4 ways to automate Mambo database backup.
FTP: use any FTP tool to sync, or the Plesk backup function.

Keep your Joomla/Mambo installation up to date
Always use the latest version of Joomla (www.joomla.org) or the latest version of Mambo (www.mamboserver.com).
As soon as a new version of Joomla/Mambo is available, install it the same day!
Hackers will look at the patch and search for unpatched servers! It has never been so easy to search for servers running a certain CMS version, thanks to search engines. To give you an example, a hacker may search in Google (but any search engine will work) for all sites running Joomla/Mambo with allinurl: administrator/index2.php, so install patches very fast! Make a backup (just in case) and install the new patch; you can also install the patch on your local running instance of Joomla first.

For the paranoid, or how to push security even higher
All actions below require some knowledge or time...

Change ALL the passwords above regularly!
Just in case someone gets your password or part of it. Ideally you must change your password before a brute force attack can find it, or as soon as the logs reveal a possible attack, just in case the hacker has not yet started doing something bad with your account.
With decreasing frequency: Joomla admin password, MySQL user password, Plesk admin password, FTP user password.

Attack surface reduction (ASR)
Definition: M$ has a good article here (the idea is not coming from them, but they are trying to evangelize a lot of developers with good articles).
So bugs/security issues cannot exist in code if the code does not exist on the server.... :-)
Quite easy to understand but really difficult to achieve; here is a way to do it....
Define your requirements: list all components/modules/mambots that you need to run.
Unpublish all components/modules/mambots and test your site.
If everything runs correctly, remove one component/module/mambot at a time and test your site.
Take care when installing the next CMS patch that you do not copy unneeded files to your server. It may be surprising, but even if a component is not published, if its code is physically present on the server disk it may cause a security vulnerability.
You now have a customized version of Joomla/Mambo with a lot less code running and possibly a lot fewer unknown vulnerabilities! It will be a pain to maintain.
Logs are always telling the truth! (sometimes)
You may want to install or write a tool which automatically parses Apache, Tomcat, PHP and MySQL logs to monitor them.
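As an illustration of such a tool, and of the two checks described earlier under "Review OpenSEF/SEF 404 logs" and "Review access logs", here is a small parser added to this tutorial (it is not a tool from the original post, from Joomla or from Plesk). It reads Apache access log lines, reports any address that hits the admin page /index2.php more than a threshold number of times inside a short window (the brute force sign mentioned above), and lists requests whose query string looks like the banner.php probe quoted above. The function names, the 60-second window, the threshold of 20 requests, the injection heuristic and the sample log lines (constructed, with documentation-range IP addresses) are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache "combined" access log line: ip ident user [time] "METHOD path HTTP/x" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Heuristic for the kind of URL the text shows (client="select 1 from dual"):
# a quote followed by an SQL keyword, or the classic UNION SELECT / OR 1=1 probes.
INJECTION_RE = re.compile(
    r"""['"].*?\b(select|union|insert|update|delete|drop|from)\b|union\s+select|\bor\s+1\s*=\s*1""",
    re.IGNORECASE,
)


def parse_log(lines):
    """Turn raw access log lines into dicts; lines that do not parse are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m.group("ip"),
            "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        })
    return entries


def find_bruteforce(entries, admin_page="/index2.php", window=60, threshold=20):
    """Per IP, the largest number of requests to admin_page inside any `window`
    seconds (sliding window over sorted timestamps); only IPs reaching `threshold` are returned."""
    per_ip = defaultdict(list)
    for e in entries:
        if e["path"].split("?")[0].endswith(admin_page):
            per_ip[e["ip"]].append(e["time"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def find_injection_probes(entries):
    """Requests whose URL-decoded query string looks like an SQL injection test."""
    hits = []
    for e in entries:
        decoded = unquote(e["path"])
        if "?" in decoded and INJECTION_RE.search(decoded.split("?", 1)[1]):
            hits.append((e["ip"], decoded))
    return hits


# Constructed sample: 25 POSTs to the admin login inside 25 seconds from one
# address, a normal visitor, the probe from the text, and one unparsable line.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2005:13:55:%02d +0200] "POST /index2.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"' % s
    for s in range(25)
] + [
    '198.51.100.9 - - [10/Oct/2005:13:56:10 +0200] "GET /index.php HTTP/1.1" 200 8731 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2005:13:57:02 +0200] "GET /banner.php?id=120&client=%22select%201%20from%20dual%22 HTTP/1.1" 302 0 "-" "curl/7.15"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("brute force candidates:", find_bruteforce(entries))
    print("injection probes:", find_injection_probes(entries))
```

Feed it the access log downloaded from the Plesk Log Manager (open the file and pass its lines to parse_log); the injection regex is deliberately simple and will produce some false positives on legitimate searches containing quotes, so treat its output as a list of URLs to look at, not as proof.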
Just for FUN....
Just to give you an overview of some crazy things that can be done....
I read some time ago about a person who customized a Linux distribution: in order to be sure that if someone ever got access to the disk, they would not be able to execute any command, he renamed all files and commands on the disk... This is also possible for Joomla. Write a Java/C#/other parser which renames all files/directories and changes all include, include_once, require and require_once statements to use UUIDs. It is possible, but surely a pain to maintain. If you have a full web server for yourself, you can create a special user which starts PHP and Apache and is not able to write or erase files. The last crazy thing I can imagine (but with time I can be more creative ;-) ) would be to create a release of my homepage, burn it on a DVD (read only) and publish it on the web server. Of course this last example does not allow you to use the CMS normally, you have a bloody read-only site, but nobody will be able to tamper with the data...