Don't be vulnerable
The truth is that the vast majority of security issues with Joomla! sites have nothing to do with Joomla's core code, but with insecure or out dated third party extensions or pure secured hosts!
The owner of an antiques business in a run-down area of a large city had been burgled frequently. After each robbery he stepped up the security but the thieves also escalated their efforts. He finally believed his premises were impregnable . Every window was alarmed and shuttered, the door was as strong as a bank vault, the walls were unscaleable. What could possibly go wrong? He received his answer a few nights later, when the thieves broke into the shop next door and smashed their way through the cellar wall with sledge-hammer before carrying off yet another load of antiquities! The owner now has sensors and alarms buried in his walls and still lies awake worrying at nights.
A lot of Joomla! web sites are hosted on shared servers. One analogue situation that can arise through the shared model is if a “neighbor” website is compromised your site may be attacked as well. Hacker bots are continually sourcing the web trying to find server weaknesses and when they do, the troubles start. Think not only of Joomla! security, but of Web security.
Securing a web server is as important as securing the website or web application itself, and the network around it. If you have a secure web application like Joomla! and an insecure web server, it still puts your website at a huge risk. Below are some issues you should be aware of if your Joomla! site is hosted on shared server environment:
- Use a secure, high-quality web host. Do not be tempted by offers of unlimited bandwidth, hard drive space, databases etc.
There are a lot of ways to crack into your site. Apache for example. Host your site on a server that runs PHP in CGI mode with su_php. That way you will not need to set insecure permissions like CHMOD 0777. If you run PHP under the global Apache user you are exposed to cross-account attacks from other users on the shared server. Running PHP in CGI mode you need to ensure all of your files are CHMOD 0664 and directories to 0755. NEVER CHMOD files or directories to 0777.
Although it seems obvious, be sure that your Web Hosting Provider is keeping PHP and other software updated. Check if they are running mod_security under Apache. Mod_security is a web application firewall that provides protection from a range of attacks against web applications, and allows for HTTP traffic monitoring, logging and real-time analysis. It can help to stop a lot of Cross-site scripting attacks against your Joomla! site.
See if they are running open_basedir under PHP. Open_basedir was designed to stop PHP scripts from accessing files outside the open_basedir restriction, and is a very powerful show stopper for "include" attacks. Open_basedir is your best bet as a security directive.
Make sure your host does not allow remote code inclusion in PHP by default. For this purpose, log in your Joomla! Administrator's panel and navigate to Help ->System info from the top panel. Then go to the PHP Information tab.
- if you are using PHP 5.2, make sure that the directive 'allow_url_include' is set to off
- if you are using PHP version below 5.2, make sure that the directive 'allow_url_fopen' is set to off.
PHP's deprecated Register Globals feature is a general security risk. Under certain server configurations it can give rise to a specific cross site scripting. When on, register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier. In PHP6, there will not even be a Register Globals setting. Most security conscious hosts turn PHP's Register Globals directive OFF by default. See if your host has set Register globals off or that allows you to turn it off in local .htaccess or php.ini files.
When enabled, expose_php reports in every request that PHP is being used to process the request, and what version of PHP is installed. Malicious users looking for potentially vulnerable targets can use this to identify a weakness. Turn expose_php off. It won't by itself fend off a determined attacker, but it will lower visibility to attacks that rely on simple reconnaissance techniques to scan for vulnerable targets.
Another way to crack into your site is via FTP. Choose a host that requires SFTP for transferring files. SFTP, or secure FTP, is a program that uses SSH to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network.
(Note: Joomla! FTP Layer was developed in case a user is hosted on a server that doesn't run PHP under the account user. It allows us to install extensions under Joomla! without running in to file ownership issues but also presents a potential security hole. If your server is running su_php you don't actually need the FTP Layer and you should disable it.)
Security vulnerabilities will always exist, and therefore the server setup has to be hardened against attacks. A cracker must have two things: opportunity and ability. A lot of crackers have the abilities, so let's not give them the opportunity.
And because you never know when you ... might get lucky, one last piece of advice. Backup, backup, backup!