Welcome Guest! Login
0 items Join Now

Best way to secure Joomla!, phpBB, WordPress and Drupal

    • Kozley's Avatar
    • Kozley
    • Sr. Rocketeer
    • Posts: 102
    • Thanks: 1

    Best way to secure Joomla!, phpBB, WordPress and Drupal

    Posted 9 years 5 months ago
    • This image is hidden for guests.
      Please log in or register to see it.

      The following steps are ways to help prevent hackers from getting into your Joomla website . They are not foolproof, so it is very important to continuously monitor your site and to do regular maintenance to prevent a hack attack.

      New security guides for Joomla 2.5 and latest!

      1. Update your Joomla instance.
      Subscribe to Joomla Security updates via email or RSS Feed. Update your site whenever a new release comes out. This should be done as soon as possible. We have seen sites hacked within 24 hours of a security release. We believe this is become a new release for Joomla also comes with an explanation of all the security holes that were fixed, thus giving hackers a roadmap for getting in. If you do nothing else, update your Joomla ASAP!

      2. Check the vulnerable Joomla extension list before installing extensions.
      Extensions are built by 3rd-party developers and they aren't always 100% secure. It's wise to check this list before installing an extension, and browse it each time you update your extensions. You can subscribe to the Vulnerable Extensions List RSS feed to get announcements when vulnerable extensions are discovered.

      3. Review the Joomla Security checklist .
      This checklist is provided as an easy way to review your Joomla install and server setup. It helps you assess where you might have security holes.

      4. Create a backup plan for your site.
      This is so crucial. You never expect to be hacked, but when you are, a backup of your site could get you up and running within an hour. Check to see if your hosting company does daily or weekly backups. Even if they do, it's better insurance to take your own backup of the site. You can do this manually by copying down the files and exporting a copy of the mySQL database. It's easier to use a 3rd party backup extension like Akeeba backup .

      5. Delete the admin username that comes with the initial install.
      Hackers know the user ID for this admin user, and of course the default username (admin) that is assigned to. It gives them half of the login puzzle if you leave it there. Create a super admin user with a different username.

      6. Install the JSecure commercial plugin or the JLSecure My Site non-commercial plugin to hide administrator login page.
      This simple plugin allows you to create a customized URL for your Joomla login page, which makes it difficult for a hacker to log into the admin panel.

      7. Disable the FTP function within Global Configuration.
      If a hacker gains access to your Joomla admin and the FTP function is enabled, this gives them free access to your server.

      8. Change your passwords regularly.
      Change the Joomla administrative passwords as well as your cpanel and ftp passwords. This is particularly important if you login from different computers that other people have access to. When creating a password, don't use your kid's or pet's names. Make it cryptic and hard to figure out. Combine upper/lower case and numbers and symbols too.

      9. Turn off or uninstall Extensions that you don't use.
      The core install of Joomla comes with several components and plugins. If you are not using them, simply turn them off. To do this go to Extension Manager > Install/Uninstall and go to the appropriate list using the blue tabs at the top. If you have installed a 3rd party extension that you are no longer using, uninstall it.

      10. Do no run your site in legacy mode.
      If you have a component that requires legacy mode, spend the time to configure a more current component that is Joomla 1.5 native.

      Issue Jan 2012: The legacy mode from Joomla! 1.5 is no longer necessary. Legacy mode allowed the execution of components originally developed for Joomla 1.0, which have 'only' been adapted to Joomla! 1.5. The procedure of adapting old components is offset by the development of 'native' Joomla! 1.5 and 2.5 components, which use the Joomla! Framework.

      11. Consider installing commercial security extensions.
      The following extensions are worth the investment since they provide a long list of features that will keep your Joomla site secure:

      RS Firewall

      12. Report hacking attempts to your hosting company.
      They need to know that somebody is hacking the server so they can do what they do to secure all the sites on the server.

      13. Install an SEF (search engine friendly) component.
      Hackers search for specific URLs within your Joomla configuration in order to get to a security vulnerability. By installing an SEF component, your Joomla URLs will be re-written in search engine friendly words, and then hackers cannot find the URLs they are seeking. This is also good for your SEO efforts.

      14. Change the table prefix in your mySQL database.
      This is for advanced users, so for beginners you're better off finding a developer to help with this. The default table prefix is jos_, so hackers will be expecting this. Changing the prefix helps prevent a hack known as a SQL injection (where they inject something right into one of your database tables).

      This image is hidden for guests.
      Please log in or register to see it.

      1. Secure Your Administration Control Panel
      phpBB's Administration Control Panel (or ACP for short) is the most vital part of managing your forum, so it is very important to keep it as secure as possible. In phpBB 2, any administrator level account can use the ACP to make sweeping changes in a forum. Many of the most exploited security issues found in the software allow outside attackers to create new administrator accounts and use them to delete users, forums, posts, and other content. phpBB 3 is not as vulnerable in this area, but the same potential exists if any new security issues should be discovered.

      One of the best way to protect against such attacks is to add an extra layer of password protection to the ACP. This can easily be done with .htaccess and .htpasswd files on Apache servers. Using this method creates a secondary password that is stored outside of phpBB's normal architecture, protecting it from most exploits that may allow access to user accounts or passwords.

      2. Find the Absolute Path
      Before adding the new password files, you must first determine the absolute path of the location where the files will be stored. If you are using phpBB 3, enter the ACP. On either the General or System tabs, click the "PHP Information" link in the menu to see details about your server. When using a phpBB 2 forum, you will need to add a new file to your forum's admin/ folder to view these details. Create a new file called phpinfo.php containing the following code, upload it, and visit it in your browser by typing the file's URL into the browser. When you are finished with this tutorial, you can delete phpinfo.php, if you wish.
      <?php phpinfo(INFO_VARIABLES); ?>
      Once you've accessed the list of PHP information, you will see a lot of miscellaneous details about your server. Search for a line labeled
      . The value on this line shows the absolute path of the phpinfo.php file, which will look something like
      . Your exact path will differ. In this example, the highlighted portion is the absolute path to the ACP. You'll need this path, without the phpinfo.php on the end, in a moment, so make a note of it.

      3. Create the Password Files
      Now, you need to choose a username and password for the additional log in. You should not use a username or password that you have used for anything else, including your forum account. Make the password at least seven character long and a mix of letters and numbers to make it more difficult for attackers to guess.

      Visit the Generate .htaccess Passwords utility to create the .htaccess and .htpasswd files that will store the information for the extra password layer. Fill in each field. Use the absolute path you noted earlier for the "Path to password file" option. Click Generate and follow the instructions regarding uploading the generated files on the next page.

      Once these files are uploaded, the extra password layer will be in place. Access to your ACP will be restricted to people who know the new username and password.

      4. Don't Forget to Upgrade
      The most important aspect of security when running any website is to always keep your software up to date. Security fixes and updates to the phpBB software are occasionally announced at major phpBB related websites. This extra password protection can prevent some exploits from being used to damage your forum, but others exist that target areas not covered by this protection. Remember to always apply the vital security fixes as soon as possible, to protect your site against dangerous intrusions.

      This image is hidden for guests.
      Please log in or register to see it.

      Not only creating a WordPress blog is important, but to keep it secure is more important. There are many possible ways to hack your WordPress blog and also many equivalent ways are available to secure wordpress blog. In this article i will let you know the possible ways by which you can secure WordPress blog from hackers.

      Ways to Secure WordPress Blog

      1. Update, Update!!!

      The best possible way to protect your blog is by updating your wordpress to latest version. Also keep updating your plugins and themes to latest version.

      2. Hide Plugins Folder

      You can see a list of plugins by going to this url yousite.com/wp-content/plugins/ . If you see a blank page then its well and good. It means that your plugins folder is hidden.

      But if the list of plugins appears then you need to add an index.php or index.html file to your plugins folder. This may be an empty file.

      3. Hide wp-admin Folder

      wp-admin folder should be hidden and made accessible just for required users. You can use this AskApache Password Protect to password protect the directory and give access only to authorized users.

      On his blog Google CEO matt cutts has mentioned a tip to protect wp-admin folder.

      4. Remove WordPress Version Generator

      Goto your themes directory and open header.php files. Locate this line and delete.
      <meta name=”generator” content=”WordPress <?php bloginfo(’version’); ?>” /> <!-– leave this for stats please –>

      This helps you not to display wordpress version. If you are using an older version of WordPress then anyone can choose the ways to attack your blog by looking at the source.

      5. Use Strong Passwords

      Use stronger passwords which includes the combination of uppercase, lowercase, numbers, symbols etc., You can also use random password generator but you need to make a note of the passwords.

      6. Encrypt Login

      Passwords will be sent unencrypted to the server whenever you login to your site. The best way to send passwords to the server is by encrypting them. This can be achieved by using Chap Secure Login WordPress plugin.

      7. Stop Brute Force Attacks

      Brute force attacks and dictionary attacks are common way to crack the password. To secure WordPress blog from these type of attacks we make use Login LockDown WordPress plugin. Login LockDown records the IP address and timestamp of every failed login attempt. It will lockdown the login function if more than a certain number of attempts are detected within a short period of time from the same IP range and prevent any person to login from that IP range.

      8. Change Table Prefix

      By default the wordpress database table prefix will be “wp_”. Change this table prefix to unpredictable names like “my_” or something else. This can be done by editing wp-config file or can be changed at the time of installation.

      9. Take regular backups

      The best way to maintain your blog without any worries is by taking regular backups. There are many WordPress backup plugins, but i recommend WordPress Time Machine backup plugin which helps you automatically take the backup of your wordpress blog to dropbox account.

      Related article: 5 must use WordPress plugin for new blogs .

      10. Make use of secret keys

      You can see the secret keys in wp-config.php file. The secret keys comes in handy when your blog gets hacked and still the cookies remain in the hackers browser, from which he tries to login. Changing the secret keys by going to wp-config.php file will reset the cookies so that hacker cannot login any further.

      Other tips:

      11. Know file permissions of your files and folders.

      12. Keep your htaccess file in check.

      13. Make use of robots.txt files.

      14. Dont use pirated stuff (themes, plugins etc.,).

      This image is hidden for guests.
      Please log in or register to see it.

      While the Drupal core is known for being highly security, many of the contributed modules lack the same high level of security. As a result, it’s important to consider a variety of factors in securing your local Drupal installation. The language, coding and accessibility standards in Drupal implementations all impact your ability to secure your backend installation as well as user data.

      How to Secure Drupal

      Rather than opting for the easiest solution with custom code or modules, make sure you use translation, secure https protocols as well as a variety of factors to properly secure the installation. While the core of Drupal may be highly secure, most webmasters run into potential challenges when writing modules, functions and add on code. In this context, there are potential scripting issues with database access.

      For developers security issues are important for both development, financial and legal reasons – whether you’re working on an internal project or for a client, you need to perform due diligence to secure your Drupal installation. Taking steps to ensure the install is properly secured and backed up can become especially important when working with sensitive users data or permissions. Building a successful web app on Drupal means keeping your installation patched and up to date, as well as taking extra steps to secure any custom modules you might have.

      One particular area to focus on is making sure to use the additional database abstraction layer rather than queuing the database directly. Delivering direct queries can open up potential problems from SQL injections where you make the structure of your tables clear to all users. Creating substitute database arguments makes it much easier to more securely connect to the database. In particular rather than writing a simple query along the lines of:
      Db_query(‘SELECT FROM {db} table where table.name = ‘. $_GET[‘var’]);
      You should use a structure more akin to
      where table.name = ‘%table’
      Using abstraction layers in Drupal is an important way to prevent XSS (cross scripting), brute force attacks and mySQL injections. You’ll also want to use secure admin and root server passwords, as well as ensuring your Apache, mySQL and PHP installations are up to date. Working with your host you should install a firewall that limits access to the root server based upon certain parameters such as IP (or VPN) or a MAC address. While no server setup is completely immune from these challenges, you can properly secure your site by taking careful steps to protect your server.

      Another important step to take is in the context of https secure pages. Make sure you utilize a complete 128-bit secure certificate such as those from Verisign which also require PCI compliance. When getting certified for compliance you’ll be able to more fully identify best practices in terms of securing your server and application. Drupal is regularly updated to reflect advances in computer security, so you should plan on regular updates of the software and incremental patches as they are released. By carefully following best practices with respect to your server you can maximize the security of your installation.
    • Last Edit: 5 years 2 months ago by Kat05.
    • The following users have thanked you: midgard.li

    • Is your site unsecure? Check out my Best way to secure Joomla!, phpBB, WordPress and Drupal thread!
    • DanG's Avatar
    • DanG
    • Preeminent Rocketeer
    • Posts: 36749
    • Thanks: 3227
    • Custom work done

    Re: Best way to secure Joomla!, phpBB, WordPress and Drupal

    Posted 9 years 5 months ago
    • Hi Kozley
      AWESOME post :arrowu:
    • Kat05's Avatar
    • Kat05
    • Preeminent Rocketeer
    • Posts: 25898
    • Thanks: 334

    Re: Best way to secure Joomla!, phpBB, WordPress and Drupal

    Posted 9 years 5 months ago
    • very helpful post, thanks a ton for sharing! :D
    • Kat05 / QA Lead & Support / Germany
    • JEM's Avatar
    • JEM
    • Preeminent Rocketeer
    • Posts: 17916
    • Thanks: 4

    Re: Best way to secure Joomla!, phpBB, WordPress and Drupal

    Posted 9 years 2 months ago
    • :arrowu:

      Very nice, bookmarked...

      I will ask Ben to Sticky this.
    • Thanks,
  • Re: Best way to secure Joomla!, phpBB, WordPress and Drupal

    Posted 9 years 2 months ago
    • thank you :)
    • hunky dory!
  • Re: Best way to secure Joomla!, phpBB, WordPress and Drupal

    Posted 8 years 10 months ago
    • This is by far the best Joomla securing guide on the Internet. Period. Thank you!
    • KO's Avatar
    • KO
    • Elite Rocketeer
    • Posts: 681
    • Thanks: 3

    Re: Best way to secure Joomla!, phpBB, WordPress and Drupal

    Posted 8 years 1 month ago
    • This is nice! However, is there a way to prevent user access to the robots.txt file while allowing only search bots to access the robots.txt file ?

      Quite curious because the folder structure of the core files of joomla is easily seen by typing site.com/robots.txt. I sure as hell don't want to share those core folders that could be vulnerable to script attacks.
    • Kozley's Avatar
    • Kozley
    • Sr. Rocketeer
    • Posts: 102
    • Thanks: 1

    Re: Best way to secure Joomla!, phpBB, WordPress and Drupal

    Posted 7 years 10 months ago
    • Joomlaes's Avatar
    • Joomlaes
    • Jr. Rocketeer
    • Posts: 35
    • Thanks: 0

    Re: Best way to secure Joomla!, phpBB, WordPress and Drupal

    Posted 6 years 4 months ago

Time to create page: 0.159 seconds