The Joomla! Community Magazine™

Joomla! Hosting Security

Written by | Monday, 01 November 2010 03:38 | Published in 2010 November
Joomla! security is one of the most frequent topic of conversation among Joomla! users. Joomla! has received a lot of unjustified and misinformed criticism concerning its security. A vast majority of providers are often concerned about the seeming high number of hacked Joomla! sites while assuming Joomla! itself is the problem.

Don't be vulnerable

The truth is that the vast majority of security issues with Joomla! sites have nothing to do with Joomla's core code, but with insecure or out dated third party extensions or pure secured hosts!

The owner of an antiques business in a run-down area of a large city had been burgled frequently. After each robbery he stepped up the security but the thieves also escalated their efforts. He finally believed his premises were impregnable . Every window was alarmed and shuttered, the door was as strong as a bank vault, the walls were unscaleable. What could possibly go wrong? He received his answer a few nights later, when the thieves broke into the shop next door and smashed their way through the cellar wall with sledge-hammer before carrying off yet another load of antiquities! The owner now has sensors and alarms buried in his walls and still lies awake worrying at nights.

A lot of Joomla! web sites are hosted on shared servers. One analogue situation that can arise through the shared model is if a “neighbor” website is compromised your site may be attacked as well. Hacker bots are continually sourcing the web trying to find server weaknesses and when they do, the troubles start. Think not only of Joomla! security, but of Web security.

Securing a web server is as important as securing the website or web application itself, and the network around it. If you have a secure web application like Joomla! and an insecure web server, it still puts your website at a huge risk. Below are some issues you should be aware of if your Joomla! site is hosted on shared server environment:

  • Use a secure, high-quality web host. Do not be tempted by offers of unlimited bandwidth, hard drive space, databases etc.

There are a lot of ways to crack into your site. Apache for example. Host your site on a server that runs PHP in CGI mode with su_php. That way you will not need to set insecure permissions like CHMOD 0777. If you run PHP under the global Apache user you are exposed to cross-account attacks from other users on the shared server. Running PHP in CGI mode you need to ensure all of your files are CHMOD 0664 and directories to 0755. NEVER CHMOD files or directories to 0777.

Although it seems obvious, be sure that your Web Hosting Provider is keeping PHP and other software updated. Check if they are running mod_security under Apache. Mod_security is a web application firewall that provides protection from a range of attacks against web applications, and allows for HTTP traffic monitoring, logging and real-time analysis. It can help to stop a lot of Cross-site scripting attacks against your Joomla! site.

See if they are running open_basedir under PHP. Open_basedir was designed to stop PHP scripts from accessing files outside the open_basedir restriction, and is a very powerful show stopper for "include" attacks. Open_basedir is your best bet as a security directive.

Make sure your host does not allow remote code inclusion in PHP by default. For this purpose, log in your Joomla! Administrator's panel and navigate to Help ->System info from the top panel. Then go to the PHP Information tab.

  • if you are using PHP 5.2, make sure that the directive 'allow_url_include' is set to off
  • if you are using PHP version below 5.2, make sure that the directive 'allow_url_fopen' is set to off.

PHP's deprecated Register Globals feature is a general security risk. Under certain server configurations it can give rise to a specific cross site scripting. When on, register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier. In PHP6, there will not even be a Register Globals setting. Most security conscious hosts turn PHP's Register Globals directive OFF by default. See if your host has set Register globals off or that allows you to turn it off in local .htaccess or php.ini files.

When enabled, expose_php reports in every request that PHP is being used to process the request, and what version of PHP is installed. Malicious users looking for potentially vulnerable targets can use this to identify a weakness. Turn expose_php off. It won't by itself fend off a determined attacker, but it will lower visibility to attacks that rely on simple reconnaissance techniques to scan for vulnerable targets.

Another way to crack into your site is via FTP. Choose a host that requires SFTP for transferring files. SFTP, or secure FTP, is a program that uses SSH to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network.

(Note: Joomla! FTP Layer was developed in case a user is hosted on a server that doesn't run PHP under the account user. It allows us to install extensions under Joomla! without running in to file ownership issues but also presents a potential security hole. If your server is running su_php you don't actually need the FTP Layer and you should disable it.)

Security vulnerabilities will always exist, and therefore the server setup has to be hardened against attacks. A cracker must have two things: opportunity and ability. A lot of crackers have the abilities, so let's not give them the opportunity.

And because you never know when you ... might get lucky, one last piece of advice. Backup, backup, backup!

Read 54470 times
Tagged under Administrators
Hate to bring up the obvious here, but what exactly which hosting companies do you recommend? :)

Otherwise, awesome article, thank you!
Another nice thing to look for in a good host, is one that is also making use of "Suhosin" from the Hardened-PHP Project.

Asking the host if they aslo run mod_evasive or mod_qos can be useful.
Although, Apaches' mod_evasive and mod_qos are useful, they are not the "End-All" or "B-All" in server security, many DDoS attacks are targeted at the Network Entry at the router, so adequate fire-wall'ing (inside & outside the DC) and even load-balancing and proxy'ing may need to be deployed in severe or regular attacks.
Theophanis Mastakas Thursday, 11 November 2010
Zs, there are a lot of good and secured web hosting providers.You can have a look at The Joomla! Resource Directory. It lists Joomla! hosts that meet the security requirements of a typical Joomla! site.( )
I run a hosting company in Australia.

If running a cPanel server I harden it as much as possible.

I use the guys at because they are cheap but REALLY good. Their scripts for cPanel are AWESOME!

I own (almost finished) for retail and resellers within Australia only.

I am happy to give a little advice on these things - I learnt them the hard way.

As a devoted Joomla lover though I would love nothing more then the chance to help others keep things tight.
Interactive Online Thursday, 11 November 2010
Though I agree that most Joomla hacking is down through a vulnerable third party extension, there have still been many security releases with the Joomla core throughout the last few years. Blaming third party extensions for most hacks can cause site owners to feel they don't need to keep up with Joomla core upgrades. Joomla core files should always be updated. In fact it is mandatory on our our servers. The last 2 Joomla core releases fixed XSS Vulnerabilities and SQL Injection (Information Disclosure) vulnerabilities.

Also unlimited hosts aren't necessarily bad. Most of the successful hosting companies offer an unlimited package now. Just like with any host, there are always going to be restrictions on unlimited hosting (type of sites hosted, file types, # of files hosted, etc). I'd be more concerned if the host is secure, not whether they are "unlimited" or not. Find a host that is using suPHP and Suhosin. Also, a host that uses the cPanel control panel and 1-click install of Joomla will make site development & maintenance tasks much easier.

We have found that 99% of customers who are using Joomla on our servers never upgrade to the newest version, even after sending them multiple notices about it. The typical site owner is sometimes not aware of the upgrade or not even sure how to do it. I've seen many instances in which the customer was not even aware they were using a vulnerable version of Joomla (or third party extensions) until after their site was hacked. This usually caused them to devote more time and money to fix the problems caused by the hacker.

We have found that automatically upgrading Joomla for customers has decreased the number of hacked sites. When there is a new version of Joomla available, we send out a notice to all customers to inform them of the upgrade. We then check about a week later and perform a global upgrade of Joomla server-wide. We've only had 2 complaints so far in regards to the auto-update. Most customers are delighted that we take care of this for them free of charge.

For you cPanel hosting providers out there... checkout Installatron if you are interested in doing server-wide upgrades of Joomla (and other open source scripts). We previously spent weeks (if not months) on upgrading Joomla installs for customers manually. With Installatron we can upgrade all installs on a server in less than a day.
Don't use Rackspace Mosso cloud hosting. They are horrible for security on their shared servers. Ive had all my sites become .infected because of their poor firewalls. Steer clear of them bigtime.
It is really sad though, because we spend so many hours trying to get a website up and running, it's hard work, and then it just gets hacked into.