Security guide for Joomla CMS
This small guide will help you make your Joomla installation a lot safer.
As you may know, security cannot be guaranteed, but the risk of becoming a victim can be minimized. Just follow these steps and feel better.
First of all, let us take a look at what the main security issues are. Joomla itself is quite safe, assuming you install the security updates.
In my opinion there are three main security risks:
1. badly written 3rd party components, modules and mambots
Check that all your 3rd party PHP files have this line right at the start:
defined( '_VALID_MOS' ) or die( 'Direct Access not allowed.' );
If this line is missing ADD IT!
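An added example, not part of the original guide, of how to automate this check: a small Python script that walks an extension directory and reports every .php file whose first statement (after the open tag and any header comments) is not the _VALID_MOS guard. The directory layout and file contents below are constructed for the demonstration; point find_unguarded_php at your own components, modules and mambots directories instead.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# The guard the guide asks for; whitespace and quote style vary between extensions.
GUARD_RE = re.compile(r"""defined\s*\(\s*['"]_VALID_MOS['"]\s*\)\s*or\s+die\s*\(""")

# Things that may legitimately sit in front of the guard: the open tag, whitespace,
# and //, # or /* */ comments (file headers). Anything else is code before the guard.
LEADING_NOISE_RE = re.compile(r"^(?:\s+|<\?php\b|<\?|//[^\n]*|#[^\n]*|/\*.*?\*/)*", re.DOTALL)


def has_guard_at_start(source: str) -> bool:
    """True when the _VALID_MOS guard is the first statement of the file."""
    rest = LEADING_NOISE_RE.sub("", source, count=1)
    return GUARD_RE.match(rest) is not None


def find_unguarded_php(root: str) -> list[str]:
    """Relative paths of all .php files under root that do not start with the guard."""
    return sorted(
        p.relative_to(root).as_posix()
        for p in Path(root).rglob("*.php")
        if not has_guard_at_start(p.read_text(encoding="utf-8", errors="replace"))
    )


# Constructed sample extension files (not real extensions) for the demonstration.
SAMPLE_FILES = {
    "components/com_demo/demo.php":
        "<?php\n/**\n * demo component\n */\n"
        "defined( '_VALID_MOS' ) or die( 'Direct Access not allowed.' );\necho 'ok';\n",
    # guard present but only after other code: still reported
    "modules/mod_late/mod_late.php":
        "<?php\n$tmpl = 'x';\ndefined('_VALID_MOS') or die('Direct Access not allowed.');\n",
    "mambots/content/unguarded.php":
        "<?php\necho 'no guard at all';\n",
}


def build_sample_extensions() -> str:
    """Write the constructed files into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="joomla_guard_")
    for rel, body in SAMPLE_FILES.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    for rel in find_unguarded_php(build_sample_extensions()):
        print("missing or late guard:", rel)
```

The script deliberately treats a guard that appears after other statements as missing, because any code executed before the guard still runs on direct access; a file with no PHP open tag at all is reported as well, which is the right default for a directory that should only contain guarded scripts.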
Additionally:
To stop external access directly to components or modules you could also add this to your .htaccess; it makes every access conditional on the visitor actually being on your site.
Note: I use this to stop content in wrappers being directly accessed from outside of the site itself, and have not tried it on components, but it should work just the same.
Code:
# Blocking direct access
RewriteCond %{HTTP_REFERER} !^http://www.domain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://domain.com/.*$ [NC]
RewriteCond %{REQUEST_URI} ^.*index\.php$
RewriteRule .* - [F]
Replace domain.com with your domain, of course! Note that these rules go by the HTTP Referer header, which browsers omit in some situations (a typed URL or a bookmark, for example) and which a client can set to anything, so treat this as a nuisance filter rather than a guarantee.
And keep checking for updated extension files!!
2. more or less silly settings in your host's php.ini
register_globals Off
allow_url_fopen Off
safe_mode On
Of course, Joomla and its 3rd party add-ons are not that compatible with safe mode on (and safe_mode itself was removed from PHP in 5.4), but switching the first two off (which your host may have to do for you) causes few problems.
If you have components that require register_globals, you can use Joomla's globals.php emulation. It emulates register_globals being on while protecting you from the vulnerabilities that come with enabling it server-wide.
If your site runs PHP as CGI, .htaccess directives may not be able to change these settings for you; ask your host for assistance with turning register_globals OFF.
3. chmod'ed files and directories with too many rights
NEVER chmod 777! Always give as few rights as possible!
Folders 755
Files 644
config.php and index.php 444
Without write rights there is no defacement where your index files get replaced. Protect your administrator folder with .htaccess as well; an online .htaccess/.htpasswd generator makes this easy.
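An added example, not part of the original guide, that checks a site tree against the permission policy just given (folders 755, files 644, config.php and index.php 444, using the file names as the guide states them). It flags every entry that is more permissive than the policy, so a stray 777 folder or a writable index.php shows up immediately; entries that are tighter than the policy are left alone. The sample tree is constructed in a temporary directory for the demonstration; run audit_permissions against your web root instead.

```python
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path

# Policy from the guide: folders 755, files 644, config.php and index.php 444.
DIR_MODE = 0o755
FILE_MODE = 0o644
READONLY_MODE = 0o444
READONLY_FILES = {"config.php", "index.php"}  # file names as given in the guide


def expected_mode(path: Path) -> int:
    """Permission bits the guide's policy allows for this entry."""
    if path.is_dir():
        return DIR_MODE
    if path.name in READONLY_FILES:
        return READONLY_MODE
    return FILE_MODE


def audit_permissions(root: str) -> list[tuple[str, str, str]]:
    """List (relative path, actual mode, allowed mode) for every entry that is
    more permissive than the policy. Tighter-than-policy entries are not flagged."""
    findings = []
    for path in Path(root).rglob("*"):
        actual = stat.S_IMODE(path.lstat().st_mode)
        allowed = expected_mode(path)
        if actual & ~allowed:  # any bit set that the policy does not grant
            findings.append((path.relative_to(root).as_posix(), oct(actual), oct(allowed)))
    return sorted(findings)


# Constructed sample site tree (not a real Joomla install): path -> (is_dir, mode)
SAMPLE_ENTRIES = {
    "administrator": (True, 0o755),
    "administrator/index.php": (False, 0o444),
    "config.php": (False, 0o444),
    "index.php": (False, 0o644),       # should be 444 per the guide
    "images": (True, 0o777),           # the classic mistake
    "images/upload.php": (False, 0o666),
}


def build_sample_site() -> str:
    """Create the constructed tree in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="joomla_perms_")
    for rel, (is_dir, _) in SAMPLE_ENTRIES.items():
        target = Path(root, rel)
        if is_dir:
            target.mkdir(parents=True, exist_ok=True)
        else:
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("<?php\n", encoding="utf-8")
    # apply the modes after everything exists
    for rel, (_, mode) in SAMPLE_ENTRIES.items():
        os.chmod(Path(root, rel), mode)
    return root


if __name__ == "__main__":
    for rel, actual, allowed in audit_permissions(build_sample_site()):
        print(f"{rel}: is {actual}, policy allows {allowed}")
```

The comparison uses `actual & ~allowed` rather than equality so that a file someone already locked down to 400, say, is not reported as a problem; only extra bits (typically group or world write) count as findings.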
To prevent many code injection techniques, create a .htaccess file with this content or append it to your current one:
## Can be commented out if it causes errors
Options FollowSymLinks
#
# mod_rewrite in use
RewriteEngine On
########## Begin - Rewrite rules to block out some common exploits
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
# RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script that tries to set CONFIG_EXT (com_extcal2 issue)
RewriteCond %{QUERY_STRING} CONFIG_EXT(\[|\%20|\%5B).*= [NC,OR]
# Block out any script that tries to set sbp or sb_authorname via URL (simpleboard)
RewriteCond %{QUERY_STRING} sbp(=|\%20|\%3D) [OR]
RewriteCond %{QUERY_STRING} sb_authorname(=|\%20|\%3D)
# Send all blocked requests to the homepage with a 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits
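An added example, not part of the original guide: a Python harness that transcribes the RewriteCond patterns above and runs constructed query strings through them, so you can see what the rule set blocks and check your own site's URLs for false positives before enabling it. Apache's patterns are PCRE, and these particular ones compile unchanged under Python's re module; only the conditions carrying [NC] are compiled case-insensitively, as Apache would do, and the GLOBALS rule is kept disabled because it is commented out in the listing. RewriteCond searches the raw, still URL-encoded QUERY_STRING, which is why the samples keep their %XX escapes.

```python
from __future__ import annotations

import re

# (pattern, case-insensitive [NC], enabled) transcribed from the RewriteCond lines;
# the GLOBALS rule is disabled because the guide ships it commented out.
RULES = [
    (r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", False, True),
    (r"base64_encode.*\(.*\)", False, True),
    (r"(\<|%3C).*script.*(\>|%3E)", True, True),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False, False),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", False, True),
    (r"CONFIG_EXT(\[|\%20|\%5B).*=", True, True),
    (r"sbp(=|\%20|\%3D)", False, True),
    (r"sb_authorname(=|\%20|\%3D)", False, True),
]

# Compile the enabled conditions once; an unanchored RewriteCond is a search, not a match.
COMPILED = [
    (re.compile(pattern, re.IGNORECASE if nc else 0), pattern)
    for pattern, nc, enabled in RULES
    if enabled
]


def matching_rule(query_string: str) -> str | None:
    """Pattern of the first enabled condition that matches, or None if the request passes."""
    for regex, pattern in COMPILED:
        if regex.search(query_string):
            return pattern
    return None


def is_blocked(query_string: str) -> bool:
    """True when the OR-chained conditions would fire and the [F] rule returns 403."""
    return matching_rule(query_string) is not None


# Constructed sample query strings (raw, URL-encoded) with the expected verdict.
SAMPLE_QUERIES = {
    "option=com_content&task=view&id=5": False,            # ordinary page request
    "mosConfig_live_site=http%3A%2F%2Fexample.invalid": True,
    "option=com_x&tpl=base64_encode(Zm9v)": True,
    "search=%3Cscript%3Ealert(1)%3C%2Fscript%3E": True,
    "_REQUEST[option]=com_y": True,
    "CONFIG_EXT[LANGUAGES_DIR]=x": True,
    "sbp=1": True,
    "sb_authorname=x": True,
    "GLOBALS[x]=1": False,                                   # rule disabled in the listing
}


def evaluate_samples() -> dict[str, bool]:
    """Run every sample through the rule set and return query -> blocked."""
    return {query: is_blocked(query) for query in SAMPLE_QUERIES}


if __name__ == "__main__":
    for query, blocked in evaluate_samples().items():
        verdict = f"403 via {matching_rule(query)}" if blocked else "allowed"
        print(f"{query!r}: {verdict}")
```

Before deploying the rules, feed this harness the query strings your own extensions actually generate (from the access log, for instance): a legitimate component parameter that happens to contain `sbp=` or `_REQUEST` would be blocked just as surely as an attack, and it is much cheaper to discover that here than from visitor complaints.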