Joomla Security Primer

As a security guy, I get asked frequently about Joomla, and if it's secure. I start to answer, and am always interrupted with something along the lines of:

"..I know it's not, I just want to know how insecure it is.."

As if security is measured on a 1 to 10 scale..Security is not a scale, but a total philosophy, a set of tools and actions. Yes, it can be measured, but taking Joomla and singling it out is foolish. Looking at Joomla as part of your total site security makeup IS the right answer. You must measure security holistically. Any part of your security that is weak,weakens the entire infrastructure.

So how do you answer it? To begin with, Joomla is only as secure as the platform it is on, the extensions installed on it and the proper safeguards that are put in place. In fact, many times if a Joomla site is hacked, it could be any number of things. But here's the part that is hard for some to swallow...It's not typically Joomla's fault. it's many times the administrators fault for failing in some basic areas. Now to be fair to the admin, security is an entire practice itself, and in this article I will lay out some basic concepts both Joomla and non-joomla to help you understand how to secure your site.

Permissions:

Many times, a new Joomla user will install the product, and occasionally run into trouble. They set permissions to 777 (r/w/x) for everyone. This is a big no no. And a big red flag. An improperly configured server, and some extensions, are the culprit here. Don't use a host that makes you setup your site this way, and avoid extensions that will ONLY run with 777. While there are exceptions to this statement, overall it holds true.

Tip: Always set folders to 755 and Files to 644

Server Ownership / Permissions

This is usually a hosting related problem, or a hacker has been here. But sometimes ownership of files (as seen from the Operating Systems Point of View), can cause weird problems, or in some cases expose the system. Sometimes in shared hosting, you will see this problem. The net is, if a bad guy gets in from this level, one you're hosed...two it wasn't Joomla.. :)

TIP: Get a new host if they have trouble with basic server configuration. (I recommend our hosting-- Potentia Hosting )

XSS/SQL Injections:

Ah yes..This one does show up kind of frequently in the Joomla space, but also in every other web property. However it's one of the most prevalent attacks on the Internet. This is a direct result of the code, typically an extension, not checking its inputs for trouble. In code speak it's known as "Not sanitizing your inputs". That's a very simple explanation, but suffice to say, it happens a lot.Typically, the core Joomla code is scoured and tested with a commercial tool to check for XSS and SQL injections before it's released and does not suffer from these. Yet, when an extension has one, it Joomla! that gets the wrap.

Tip: Check the extensions by Googling for extension name and vulnerabilities. And check Joomla.org for up to date information.

Passwords:

Alright, guess what. P@ssw0rd does not make a good password. Neither do any of the words on DefaultPassword.com's list.. The bad guys have terrific tools, called Brute Force Tools and password crackers. They contain dictionaries of common passwords, combination's and so forth.Using your dogs name, such as Lassie1 is not acceptable.

Tip: Craft a password that is VERY hard by creating it numbers, letters, and symbols. Using upper and lower case. And change them every 30 days..

Patching:

One HUGE industry problem is patching. This is partly due to lack of a good plan to patch, and partly due to the volume of patches that are released. Patching is where older code is updated with new or fixed code. Many times an upgrade will be just that, an upgrade. However it's up to you to read thechangelog to see what the developer changed. If you see it contains a security fix, apply, test and release it. One area that often gets missed is your server. There are several easy methods to determine your current levels. It's solely your responsibility to keep up with the site, but the host has the responsibility to patch the servers. You would be surprised how hosts do not keep servers patched.

Tip: Stay with a reputable host that offers 24x7 technical support and that will address issues you find wrong.

Basic Protection Layers of Joomla:

The basic protections that are built into Joomla are fairly good. As long as the server they are on is PROPERLY configured. Joomla uses the following means to keep its self secure:
  • Permissions are set to 755 for folders, 644 for files
  • Apache has been configured to not allow browsing/indexing,etc
  • Passwords are MD5 Encrypted + SALTED
  • Database access is password protected at the MySQL level.

The basic authentication of Joomla is pretty good in terms that it's easy to use, fairly hard to crack the passwords - in fact - it's not very likely given the SALT. However for added level of protection, you may wish to look at a stronger authentication/encryption system. There are a few that exist but are beyond the scope of this article.

Database Security:

The database itself is typically MySql, so Joomla simply relies on the underlying security of the database. While typically the database itself is not encrypted, the proper security around the db/web server should prevent access. Providing a strong password is many times sufficient - however - remember - a single SQL injection could result in the loss of your data. What I like about MySqlthough is the various levels of inherent protection if offers. Typically its configured straight out of the box properly and not too much needs to be done. Again, the areas of concern are the server its on.

Tip: Make sure your Database port isn't open to the world - a good tool for this is NMAP.

Scenarios where security of Joomla installations can break down

First of all ANY site that is not patched, improperly setup, has vulnerable code, dedicated attackers are gunning for the site, then will get broken into. Joomla is not any different. Microsoft, Oracle, HP-UXhave published vulnerabilities on a regular basis. And all at one time or another have had their share of troubles.

Here are some common scenarios that may help you be safer.

Scenario 1: Database exposed:

Let's say that the 3306 port allows me to get in to the DB. I access it, dump the tables, and I find the admin user name, replace the password with my own salted + md5 password - upload and I'm in as the admin. Note -this is a VERY unlikely scenario, but possible. - Check your ports.

Scenario 2: Cross Site Scripting and Sql Injections

As we discussed, this is not reserved solely for Joomla, but in fact, is one of the most prevalent problems in websites - This is one of the MORE likely thing's you might see.

The solution here is to

  1. do a detailed code review on ANY extension put in - and
  2. run a test suite, (several good ones available) to determine where the holes are.
  3. Fix or patch the code.
  4. Consider installing Securelive.net's product for Joomla to protect against SQL Injections - you can learn more at their website.

Scenario 3: Malware

This is closely related to number 2. Joomla sites, when properly configured are pretty resilient to this type of attack. I suggest Kapersky virus scanning for your workstations to be sure you don't receive or transmit Malware.

Scenario 4: Improper configuration of servers

This is one of the most common things I see in the Joomla world. The server is not patched or has open ports, or shared hosting that is weak. This by far is the biggest issues I see.

Remedies for these scenarios :

  • Get the book - Joomla! Web Security book and ensure you have proper .htaccess, serverconfig, php.ini settings, you are at PHP 5.2.x or GREATER and the latest Apache. There are many other items in the book to help you stay secure.
  • DO a code review of extensions - ensure they have proper safeguards in place
  • Add SecureLive Hacker Protection Software to your Joomla Installation - this will blockmalware, sql injections, xss and other hacks. It also protects forums, blogs, shopping carts and more.
  • Monitor your logs - By learning to read the logs, you will be better prepared to see trouble before it harms you.
  • If you are SUPER paranoid - then look into replacing the Joomla login with :https://www.griddatasecurity.com/Products.htm -- While I have seen it integrated into a Joomla site (cwfi.org) I am unsure how they accomplished it. In essence it creates what is called a ONE-TIME pad to enter your password with. The pad or digits that correspond to your password, changes each time the user logs in. A Man In The Middle attack, key logger, etc.. would only pick up the numbers that the user types in and not the password. With the "pad" different every time a user log's in - it's nearly foolproof. Downside is , it's not very friendly to the average user that wants to put their User name / Password in. (Update: I have spoken to GridDataSecurity and will be learning more about Joomla Integration in the near future.)
  • You may wish to add SSL to the site - and force Joomla into SSL mode for all logins. This will encrypt the traffic between the user login and the site. Of course any malware on the server or desktop could still see it.

Overall Joomla properly configured on a properly configured server is about as safe as any other off the shelf product. But - it's only as safe as the weakest point, and while that sound cliche' it's often overlooked.

As you can see the admin has the heavy responsibility to ensure his or her site is properly, patched, secured and maintained. Taking care of these things will help to keep you safe when others are getting hacked.