
Quick File Permissions Security Question

    • JustMcKee
    • Jr. Rocketeer
    • Posts: 28
    • Thanks: 0

    Quick File Permissions Security Question

    Posted 15 years 10 months ago
    • Each template has a number of folders listed under Directory Permissions under Help > System Info. Is it recommended that all these folders be made and kept "writable" for normal everyday operation of the template? I am concerned about file and folder hacking as there are many instances in this forum and other forums of Joomla installations getting "hacked" in part because of sloppy security settings on folders and files. But I don't want to set security settings so tight that a client who is given front end permission to publish articles and upload images within the articles can't complete these tasks without getting an error notice. Could you give me some direction on the recommended security settings for the folders listed for the templates under the Directory Permissions page? I'd like to know the tightest recommended security settings (which still allow the client to publish articles).

      For example:

      Owners - read, write, and execute permissions (always checked)
      Group - read, write, and execute permissions (write always or sometimes checked?)
      Others - read and execute permissions only (no write)?, no boxes checked, or read and execute only?

      I'm a little unclear on what has worked best for most to avoid getting hacked.
      Thanks for any clarification.
    • Ben Lee
    • Elite Rocketeer
    • Posts: 4193
    • Thanks: 42

    Re: Quick File Permissions Security Question

    Posted 15 years 10 months ago
    • Check this post for this type of information in detail:
      Joomla Version Info, Security Tips and Changed Upgrade Items

      In general though, security starts with passwords and usernames and stuff. Make sure your username and password for your database are not the same and are alphanumeric and mixed case, also your Super Administrator username and password.

      In general the file permissions are set up pretty standard with 755 for directories, 644 for files, and 444 for your configuration file. There will also be some template related files that are 555 and that's fine as well.

      One other tip I've heard is that changing the user ID number of the Super Administrator to something other than Joomla's default (62) can help as well. If you have users already, this can be easy: just create a new user and give it Super Admin rights and then knock your initial standard Super Admin user rights down.

      This is of course just a quick summary that doesn't include any other server stuff or fine details. The links in the other post should help a lot.
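
An added example, not part of the thread or of Joomla itself: a read-only audit of a site tree against the modes given in the reply above (755 for directories, 644 for files with 555 tolerated, 444 for `configuration.php`), with anything world-writable reported separately. The function name, the report labels and the choice to accept 444 on ordinary files are assumptions of this example.

```shell
#!/bin/sh
# Read-only audit of a Joomla tree against the modes named in the thread:
#   directories 755, files 644 (555 tolerated), configuration.php 444.
# Assumption of this example: 444 on an ordinary file is also accepted,
# since it is stricter than 644. Nothing is changed on disk.

audit_joomla_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    findings=$(
        # Directories whose mode is not exactly 755.
        find "$root" -type d ! -perm 755 -print |
            sed 's/^/DIR-NOT-755 /'

        # Ordinary files outside the accepted set 644 / 555 / 444.
        find "$root" -type f ! -name configuration.php \
            ! -perm 644 ! -perm 555 ! -perm 444 -print |
            sed 's/^/FILE-MODE /'

        # The configuration file should be read-only for everyone.
        find "$root" -type f -name configuration.php ! -perm 444 -print |
            sed 's/^/CONFIG-NOT-444 /'

        # Anything "others" can write to is the case most worth fixing first.
        find "$root" \( -type f -o -type d \) -perm -002 -print |
            sed 's/^/WORLD-WRITABLE /'
    )

    # Exit status 0 means the tree matches; 1 means deviations were listed.
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: audit_joomla_perms /path/to/joomla
```

A directory that is 777 appears twice, once as `DIR-NOT-755` and once as `WORLD-WRITABLE`, so the second label can be filtered on its own when triaging.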
    • JustMcKee
    • Jr. Rocketeer
    • Posts: 28
    • Thanks: 0

    Re: Quick File Permissions Security Question

    Posted 15 years 10 months ago
    • Thanks, Ben, for your great reading list.

      After having one of my Joomla websites compromised two weeks ago (website front page was "defaced") through the web host's server, I've had to step back and revisit the issue of security once more (I had all the correct file permissions, complex passwords, etc.). It's an absolute must these days to be up to date on file security on any site with a database. I've ordered the two newest Joomla Security books for my library and have spent the last week reading all that I can. I need to develop a new strategy to ensure that I have all potential security "holes" filled on my end. Unfortunately, the hackers seem to keep one step ahead. I've got some more work to do!

      Best Regards, and once again, thanks for your list. :D
