Security guide for Joomla CMS


This small guide will help you make your Joomla installation a lot safer.

As you may know, safety cannot be guaranteed, but the risk of becoming a victim can be minimized. Just follow these steps and feel better.

First of all, let us take a look at what the main security issues are. Joomla itself is, assuming you apply the security updates, quite safe.

In my opinion there are three main possible security risks:


1. badly written 3rd party components, modules and mambots

Check all your 3rd party PHP files for this line right at the start:

defined( '_VALID_MOS' ) or die( 'Direct Access not allowed.' );
If this line is missing ADD IT!

Additionally:
To stop external access directly to components or modules you could also add this to your .htaccess. It makes every access to index.php conditional on the request carrying a Referer from your own site.

Note: I use this to stop content in wrappers being directly accessed from outside of the site itself, and have not tried it on components, but it should work just the same.

Code:

# Blocking direct access
RewriteEngine On
# Referer is not this site (neither www nor the bare domain)
RewriteCond %{HTTP_REFERER} !^http://www.domain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://domain.com/.*$ [NC]
# ...and the request is for index.php (REQUEST_URI does not include the query string)
RewriteCond %{REQUEST_URI} ^.*index\.php$
# Answer with 403 Forbidden. The Referer header is supplied by the client and can be blank or forged, so this is a deterrent, not a strong control.
RewriteRule .* - [F]


Replacing domain.com with your domain, of course!

And keep checking for updated extension files!!
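As an added example (not part of the original article), a small POSIX shell script that automates the check from step 1: it lists every PHP file under a Joomla 1.0 tree that does not contain the `_VALID_MOS` guard. The path to scan and the usual components/modules/mambots layout are assumptions; the script simply walks whatever directory you hand it.

```shell
#!/bin/sh
# Added example, not from the original article or the Joomla project.
# Lists third-party PHP files that lack the direct-access guard
#   defined( '_VALID_MOS' ) or die( 'Direct Access not allowed.' );
# Usage: check_tree /path/to/joomla/components   (assumed path)

# Print each PHP file under $1 that does not contain the _VALID_MOS guard.
find_unguarded() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        # The guard may use single or double quotes and varying spacing.
        if ! grep -Eq "defined[[:space:]]*\([[:space:]]*['\"]_VALID_MOS['\"][[:space:]]*\)" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Report the number of unguarded files under $1.
# Exit status is 0 only when every file is guarded, so it can run from cron.
check_tree() {
    n=$(find_unguarded "$1" | wc -l | tr -d ' ')
    echo "unguarded files under $1: $n"
    [ "$n" -eq 0 ]
}
```

Run it after every extension install or update, since a new version can drop the guard again.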


2. more or less silly settings in the php.ini of your host

; Do not turn request variables into PHP globals
register_globals = Off
; Do not let fopen()/include() fetch remote URLs
allow_url_fopen = Off
; Restrict file access to the script owner (deprecated, removed in PHP 5.4)
safe_mode = On


Of course, Joomla and its 3rd party add-ons are not that compatible with safe mode on, but disabling the first two settings (which may have to be done by your host) is not that bad.

If you have components that require register_globals, you can use the Joomla globals.php emulation. This emulates register_globals on while protecting you from the vulnerabilities that come with having it enabled on your server.
If you are running your site under CGI, the .htaccess directive given above may not work for you. You will need to ask your host for assistance with turning register_globals off.

Last Updated on Monday, 17 July 2006 19:20  