Joomla! Security 101 - Joomla! Day Bosnia and Herzegovina 2013
Joomla! Security 101
version 6.0
Mission: Impossible. Talking in-depth about Joomla! security in 30 minutes or less... but I’ll try!
Put your pens away. Sit back and enjoy.
Updated server software: PHP, MySQL, Apache, FTP server...
Permissions & ownership: who can do what and where
Sane ownership & permissions
All files and folders owned by the FTP user
Use Joomla!’s FTP mode on shared hosts
Folders 0755 permissions • Files 0644 permissions
If you “must” use 0777 (don’t!), protect the folder with an .htaccess that refuses every request for it:
    order deny,allow
    deny from all
    allow from none
These are Apache 2.2 mod_authz_host directives; “deny from all” is what does the work (“none” is not an Apache keyword, so the last line adds nothing). On Apache 2.4 the equivalent is “Require all denied”. This only stops the web server from serving the folder’s contents directly; the folder is still writable by every local user.
Better yet, use suPHP or FastCGI
Too much to remember?
Akeeba Backup User’s Guide, Security Information: https://www.akeebabackup.com/documentation/akeeba-backup-documentation/security-info.html
777: The number of the beast: http://www.dionysopoulos.me/blog/777-the-number-of-the-beast
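The “sane ownership & permissions” rules above (0755 folders, 0644 files, nothing world-writable, everything owned by the FTP user) are easy to state and tedious to verify by hand. The following is an added example, not code from the slides or from Akeeba: it walks a site tree, reports every entry that breaks those rules, and repairs the modes. It assumes a POSIX filesystem, that the uid owning the site root is the FTP user’s uid (ownership is compared against it but not changed, since chown needs root; on shared hosts the fix is Joomla!’s FTP mode or suPHP/FastCGI), and that the two mode constants match your host’s expectations. The sample tree it builds is constructed for the demonstration and is not a real site.

```python
"""Audit and repair ownership and permissions in a Joomla! tree.

Added example (not from the original slides or from Akeeba). Assumes a POSIX
filesystem; the expected owner is taken from the site root on the assumption
that it belongs to the FTP user.
"""
import os
import stat
import tempfile
from typing import List, Tuple

DIR_MODE = 0o755   # rwxr-xr-x, the folder mode the slides recommend
FILE_MODE = 0o644  # rw-r--r--, the file mode the slides recommend


def _entries(root: str):
    """Yield every directory and regular file under root, root included."""
    for dirpath, _dirnames, filenames in os.walk(root):
        yield dirpath
        for name in filenames:
            yield os.path.join(dirpath, name)


def audit_tree(root: str) -> List[Tuple[str, str]]:
    """Return (path, problem) pairs for entries that are world-writable,
    have an unexpected mode, or are not owned by the site root's owner.
    Shell equivalent for the mode part:
      find ROOT \\( -type d ! -perm 755 \\) -o \\( -type f ! -perm 644 \\)
    """
    expected_uid = os.stat(root).st_uid
    problems: List[Tuple[str, str]] = []
    for path in _entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode is meaningless; audit its target separately
        mode = stat.S_IMODE(st.st_mode)
        wanted = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
        if mode & stat.S_IWOTH:
            problems.append((path, f"world-writable ({mode:04o})"))
        elif mode != wanted:
            problems.append((path, f"mode {mode:04o}, expected {wanted:04o}"))
        if st.st_uid != expected_uid:
            problems.append((path, f"owner uid {st.st_uid}, expected {expected_uid}"))
    return problems


def fix_tree(root: str) -> int:
    """chmod directories to DIR_MODE and regular files to FILE_MODE.
    Returns the number of entries changed. Ownership is left alone."""
    changed = 0
    for path in _entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        wanted = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
        if stat.S_IMODE(st.st_mode) != wanted:
            os.chmod(path, wanted)
            changed += 1
    return changed


def build_sample_site() -> str:
    """Constructed sample tree (not a real site) with the two classic
    mistakes: a 0777 upload folder and a 0666 configuration.php."""
    root = tempfile.mkdtemp(prefix="joomla-")
    os.chmod(root, DIR_MODE)
    for sub, mode in (("images", 0o777), ("administrator", DIR_MODE)):
        os.makedirs(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), mode)
    for name, mode in (("configuration.php", 0o666), ("index.php", FILE_MODE)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php\n")  # placeholder content for the sample
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for path, why in audit_tree(site):
        print(f"{why:40} {path}")
    print(f"fixed {fix_tree(site)} entries; remaining problems: {audit_tree(site)}")
```

Run it against a real site as the FTP user (`audit_tree("/home/user/public_html")`) before trusting `fix_tree`: anything reported with an owner mismatch is a file PHP created as the web server user, which is exactly the situation the slides’ FTP-mode and suPHP advice exists to avoid.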
Update, yesterday: Joomla! & extensions
Think before installing. Don’t be the mouse in the trap!
Length matters
Your password’s length matters
A terrifying thought: password hacking super-computer, 2,700 USD (back in 2010; much cheaper now)
How safe is your password?
Password                        Bits    Iterations   Time to crack
15082005                        13.6    12,416       0.00038 msec
admin                           15.9    61,147       0.00185 msec
ortrtaortftaaidbt               67.7    2.39e+20     228.95 years
0rtrTA0rtfTa&idbT               88.2    3.55e+26     340 million years
horse correct battery stapler  107.2    1.86e+32     178,179 billion years
(Bits is the estimated entropy, Iterations is 2^Bits, the number of guesses needed, and Time to crack is that many guesses at the rate of the machine above.)
Derive from a sentence
thequickbrownfoxjumpedoverthelazydog
tqbfjotld
tqbFjotlD
+qbFjo+lD
+qbFj0+1D
Still unsure? Write it down. And keep it ON YOUR PERSON!
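Two things in the password slides above are worth turning into working code: the arithmetic behind the strength table (bits, guesses, time to crack) and the “derive from a sentence” recipe. The block below is an added example, not code from the slides. Its assumptions: the table’s “Time to crack” is simply guesses divided by a guess rate, and that rate is taken from the table’s first row (12,416 guesses in 0.00038 msec, roughly 3.3e10 guesses per second); the naive model counts (alphabet size)^length, which is why it overrates a date such as 15082005, and the only structural attack it knows is “try every DDMMYYYY date since 1900 first” (the slide’s estimator also knows about dictionary words, so its figure for “admin” is lower than the naive one here). For the sentence recipe, the slide does not say which letters it capitalises; capitalising the initials of the nouns “fox” and “dog” is an assumption that reproduces its result, and the three substitutions t→+, o→0, l→1 are read off the slide.

```python
"""Password strength arithmetic and the "derive from a sentence" recipe.

Added example (not from the original slides). The guess rate is inferred
from the slide's table; the date-first attack and the choice of which words
to capitalise are assumptions, marked below.
"""
import math
import re
from datetime import date
from typing import Dict, Optional

# Assumption: 12,416 guesses in 0.00038 msec, as in the table's first row.
GUESSES_PER_SECOND = 12_416 / 0.00038e-3   # about 3.3e10 guesses/s
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_bits(password: str) -> float:
    """log2 of the naive search space (alphabet size ** length), with the
    alphabet inferred from the character classes actually present."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(size) if size else 0.0


def date_pattern_bits(password: str, first_year: int = 1900,
                      last_year: int = 2013) -> Optional[float]:
    """If password is a valid DDMMYYYY date in [first_year, last_year],
    return log2 of how many such dates exist (assumption: the attacker
    tries all of them before anything else); otherwise None."""
    m = re.fullmatch(r"(\d{2})(\d{2})(\d{4})", password)
    if not m:
        return None
    day, month, year = (int(g) for g in m.groups())
    try:
        date(year, month, day)
    except ValueError:
        return None  # e.g. 31022005 is not a date
    if not first_year <= year <= last_year:
        return None
    n_dates = (date(last_year, 12, 31) - date(first_year, 1, 1)).days + 1
    return math.log2(n_dates)


def crack_time_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to make all 2**bits guesses at `rate` guesses per second."""
    return 2.0 ** bits / rate


def crack_time_years(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    return crack_time_seconds(bits, rate) / SECONDS_PER_YEAR


def strength_report(password: str) -> Dict[str, float]:
    """Naive bits, the bits of the cheapest structural attack known here
    (dates), and the crack time for the smaller of the two."""
    naive = charset_bits(password)
    structural = date_pattern_bits(password)
    effective = naive if structural is None else min(naive, structural)
    return {"naive_bits": naive, "effective_bits": effective,
            "years": crack_time_years(effective)}


SUBSTITUTIONS = {"t": "+", "o": "0", "l": "1"}  # the three swaps on the slide


def derive_from_sentence(sentence: str, capitalize_words=(),
                         subs: Dict[str, str] = SUBSTITUTIONS) -> str:
    """Initials of each word, the chosen word positions capitalised, then
    the substitutions applied to the remaining lower-case letters."""
    initials = [w[0].lower() for w in sentence.split()]
    for i in capitalize_words:  # assumption: caller picks the words (here the nouns)
        initials[i] = initials[i].upper()
    return "".join(subs.get(c, c) for c in initials)


if __name__ == "__main__":
    for pw in ("15082005", "admin", "ortrtaortftaaidbt",
               "0rtrTA0rtfTa&idbT", "horse correct battery stapler"):
        r = strength_report(pw)
        print(f"{pw:30} naive {r['naive_bits']:6.1f} bits, "
              f"effective {r['effective_bits']:6.1f} bits, {r['years']:.3g} years")
    print(derive_from_sentence("the quick brown fox jumped over the lazy dog", (3, 8)))
```

The point the numbers make is the slide’s: 15082005 looks like 26 bits of digits but is worth about 15 bits once the attacker guesses it is a date, while the four-word passphrase’s crack time at the same rate lands in the hundreds of trillions of years the table quotes. The derivation produces +qbFj0+1D from the sentence, and the same function with different word positions or substitutions gives you your own scheme.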
Use a password manager. And keep it on your person (mobile device).
Lock it down: nothing on my site runs unless I say so
.htaccess Rules
My Master .htaccess - FREE: http://akeeba.assembla.com/code/master-htaccess/git/nodes/htaccess.txt
Admin Tools Professional: https://www.akeebabackup.com/products/46-software/855-admintools.html
Armor up: protect your site
Backups: frequent, automated, off-site backups
Use myJoomla.com: dead easy site auditing – and fixing!
In spite of it all…
Dammit! You got hacked, now what?
DON’T PANIC
We’ve got instructions
Unhacking your site: https://www.akeebabackup.com/documentation/walkthroughs/item/1124-unhacking-your-site.html
You do have backups, right?
You did use myJoomla.com, right?
Make sure you read the instructions before getting hacked.
Questions?
Download this presentation: http://akeeba.info/asjd13bih
Thank you for listening! Image credits for copyrighted images: sxc.hu; istockphoto.com. Copyrights of the logos and screenshots of software displayed in this presentation are owned by their respective companies.