New versions of Joomla! are released often with various security fixes and the developers are strongly recommending to upgrade to the latest version of Joomla!

Mistake #2. NOT TO check folders permissions after installing Joomla!

Folders that have permissions higher than 755 may compromise your Joomla!, leaving the “door” open for an attacker to read/write or even upload his own shell files, thus taking control over your site.

Mistake #3. NOT TO check files permissions

We advice you setting permissions to all Joomla! files to 644 or lower.

Leaving files with permissions higher than 644 can make life easier for hackers trying to access your website. Once they’re in, they can easily modify files with permissions higher than 644.

Mistake #4. ALLOW uncontrolled file uploads(forums, comments)

Hackers can and will use these applications to upload malware scripts and enter into your Joomla! website.

You must allow as few file extensions as possible, and NEVER let executable script files (.php, .php3, .php4, .php5, .phtml) to be uploaded.

To avoid this you can use RSFirewall! that automatically blocks unwanted file uploads. Also it can scan your system, look for mallware patterns and hacker scripts.

Mistake #5. Let IMPORTANT files and folders accessible by everyone

You must protect sensitive files and folders like:

1. configuration.php – main configuration file for the Joomla global configuration,
2. Joomla! temporary folder – every extension that you install is first uploaded to this folder,
3. Joomla! log folder: Joomla! related activity is recorded thus an attacker can find what vulnerabilities may reside within your site.

Mistake #6. Have PHP not configured properly

These are some php settings that you must setup in order to secure your server. (Note that these settings may be applied only by editing the php.ini file)

• check register_globals
  It is recommended to disable register_globals. Don’t trust Joomla! extensions that ask you to turn it on. Leaving register_globals=ON makes your website vulnerable to hack attempts. In PHP 4.2.0 register_globals was changed from ON to OFF, by default, and completely removed in PHP 6.0.0
• check safe_mode (leaving it ON could create some problems)
  We recommend to keep safe_mode OFF. In PHP 6.0.0 safe_mode was removed because it didn’t reached its purpose: it didn’t increase the website security causing some bugs and problems.
• check for allow_url_fopen
  allow_url_fopen enables a script to open remote files. You must make sure that script cannot open remote files.
• check allow_url_include
  allow_url_include allows inclusion and execution of a remote php script. Therefore this setting must be turned off.
• use disable_functions to disable some functions that could make your website vulnerable. Some of these are: system, shell_exec, exec, phpinfo, etc.
• use open_basedir to define the locations or paths from which PHP is allowed to access files using functions like fopen() and gzopen(). If a file is outside of the paths defined by open_basdir, PHP will refuse to open it.

We recommed using the following PHP configuration:

• register_globals = OFF
• safe_mode =OFF
• allow_url_fopen =OFF
• allow_url_include = OFF
• disable_functions = system, shell_exec, exec, phpinfo(full list available in RSFirewall!)
• open_basedir=/your/joomla/path

Mistake #7. USE the “admin” user

When you install Joomla!, it comes with the predefined “admin” user. Joomla! had a bug allowing hackers to take over Joomla! websites exploited this “admin” user, but it has been fixed now. Anyhow, leaving the admin user as the Super Administrator in combination with a weak password can make your website vulnerable.

Mistake #8. USE weak passwords for admin users

Choose carefully passwords for admin users; don’t use common words.

It is best to advice your users, when registering to your website, to choose a good password , alpha-numeric, because hackers might take advantage and steal valuable information from them.

Do not use the same password to access the Joomla! backend and the hosting account.

Try not to include in your password personal information like your name, username, date of birth, common words and easy to guess like “admin”,”password”, “username”, “password123″ or English words.

Mistake #9. NOT to have an updated antivirus

If you have solved the above issues from 1 to 9 don’t think that your website will be secure if you don’t use any antivirus application to protect your computer. New viruses nowadays look for ftp connections and inject malicious scripts directly into your Joomla! files because your computer is virused. It’s best to keep your computer protected by getting the latest updates for your antivirus.

Mistake #10. Assuming your website is protected and secure if there are no visible signs of it being hacked

It’s always best to stay vigilent, carefully keep track of possible intrusion attempts, constantly backup your website, monitor it’s files and keep applications up to date.

via

Related Posts

• 2010/10/20 -- Significance Of Joomla In Web Designing (0)
• 2010/10/20 -- Joomla Module Evaluate – Search engines Translate For Joomla (0)
• 2010/10/20 -- Joomla For Development Of Custom Website (0)
• 2010/10/20 -- Using Joomla Content Management For Your Business (0)
• 2010/10/20 -- Optimization For Joomla Websites (0)
• 2010/10/20 -- How To Install Joomla On A Windows Server (0)
• 2010/10/20 -- Go Joomla with AcumenCS (0)
• 2010/10/20 -- Vector and Raster Technologies for Joomla (0)
• 2010/10/20 -- Joomla ? The Preffered Web Platform (0)
• 2010/10/20 -- how to apply adsense joomla? (0)