Part VSite Maintenance and Management IN THIS PART Chapter 25: Keeping Your Site Secure and Up to Date Chapter 26: Managing Performance and Accessibility Chapter 27: Making a Site Searc
Trang 1Part V
Site Maintenance and
Management
IN THIS PART
Chapter 25:
Keeping Your Site Secure and Up to Date
Chapter 26:
Managing Performance and Accessibility
Chapter 27:
Making a Site Search Engine Friendly
Trang 3C H A P T E R
Keeping Your Site
Secure and Up to Date
IN THIS CHAPTER
Security best practices Keeping up with security notices
Managing site maintenance Upgrading a Joomla!
installation
Site security and change managements are two critical issues for site
owners and administrators This chapter looks at security best
prac-tices for Joomla! and provides advice and tips on how to set up your
Joomla! site in a secure manner and thereafter keep it secure
Keeping your site patched and up to date is one of the keys to maintaining
your site’s integrity and protecting it against hackers Accordingly, this
chap-ter also discusses basic back up and upgrade processes Management of
upgrades and patches can be time consuming, particularly for complex sites
with numerous extensions Accordingly, adoption of a formalized process for
handling these recurrent issues is your best bet for decreasing your site
man-agement overhead
Security Best Practices
Creating and maintaining a secure web site requires attention to a variety of
issues The process starts at server setup and continues throughout the life of
the site There is no such thing as a site you can create and forget; no such
thing as a site that takes care of itself To keep your site safe you must take
affirmative steps and you must develop an awareness of the issues Although
you cannot protect yourself from every conceivable threat, you can reduce
the vulnerability of your site to a manageable level with a reasonable amount
of effort
Caution
The single most important factor in maintaining the integrity of your site over
time is the creation and maintenance of a backup and recovery process.
Trang 4Part V: Site Maintenance and Management
Securing the Joomla! core
Security is not one single thing; it is a process, a set of steps that need to be taken to achieve a result The process begins with your server settings and the Joomla! core files If you fail to make this base level of the system secure, then additional steps are at the very least of limited effective-ness, at the very worst pointless
Tip
The first step toward assuring your site’s integrity is also one of the easiest: Only install the most recent version of the Joomla! core file packages found at the official download site, JoomlaCode.org Do not download and install core file archives from other sites, because you cannot be certain of their origins, completeness, or integrity.
Protecting directories and files
You can take several steps to enhance the security of the directories and files on your server The first step is adjusting the permissions to be as strict as possible without impairing use of the site Write-protect your critical directories As a general rule, set the directory permissions to 755 and the file permissions to 644 using either FTP or the options in the Global Configuration Manager Note that this is best done after you have fully completed your installation of the core and all extensions It is possible that you may have to make these setting more permissive if you need to install extensions in the future
Cross-Reference
The file permissions controls in the Global Configuration Manager are discussed in Chapter 4.
Tip
There’s a good discussion of how to set file permissions and what they all mean on the Joomla! docs site at
http://docs.joomla.org/Security_and_Performance_FAQs#How_do_UNIX_file_ permissions_work.3F
There are a number of other steps you may want to consider taking; however, you should note that each of these has a trade-off, either in terms of increased admin overhead or other limitations:
l Move the configuration.php file outside of the public HTML directory on your server and rename it: Place a new configuration.php file in the public HTML directory pointing to the new file Make sure your new file is not writable in order to avoid it being overwritten by the Global Configuration Manager Note that making this change forces you to modify the new configuration file manually, rather than by using the Global Configuration Manager For more information on how to set this up, see http://docs joomla.org/Security_and_Performance_FAQs
l Use htaccess to block direct access to critical files: Note this is only applicable to
serv-ers using the Apache web server and web hosts that allow you to modify htaccess Make sure you back up your old htaccess file before you try this in case you experience prob-lems and need to restore the old file
Trang 5Chapter 25: Keeping Your Site Secure and Up to Date
687
l Change the default log path: Hackers sometimes look to the log files as a way to identify
what extensions you have installed, in hopes of finding an extension that has a known vulnerability they can exploit To help deter this bit of information-fishing, alter the log path settings in the Global Configuration Manager
l Change the default temp directory: The contents of the temp directory can also provide
information you may not want to disclose about your site You can alter the temp direc-tory settings in the Global Configuration Manager
l Use SEF URL rewriting: Joomla!’s default URLs often carry with them information that
indicates the extensions used on the site The default URLs provide another source of information for those who might be looking for vulnerable URLs Implement an SEF URLs extension to avoid this problem In addition to providing search engine benefits, the SEF URL writing will obscure your original URLs and mask this information
Cross-Reference
Working with the Global Configuration Manager is discussed in detail in Chapter 4.
Protecting from unauthorized access
Humans are your most common point of security policy failure Admin passwords should be changed often The default username that is produced for the administrator during the installation process should also be changed immediately after the system is set up Leaving the default user-name as “admin” gives a hacker one half of the answer to the puzzle he needs to solve to gain access to your site Passwords should always be as secure as practicable
When the Joomla! creates your first user account, it always gives it the same ID number, 62 As a result, this means that hackers have a place to start trying to gain access to your site; they know the userID of your super administrator account In order to shut down this avenue of attack, create a new super administrator user and delete the default account
Cross-Reference
Creating and deleting users is covered in Chapter 10.
In addition to controlling the access to your admin system, you need to be sensitive to the access issues that relate to your database If you have control over the access privileges to the user accounts on your MySQL database, make sure that all accounts are set with limited access
If you want to go further, you may want to vary from the default database prefix used by the Joomla! installer During the installation process you are given the choice of whether to use the default prefix, jos_, or to set your own If you want to increase the security of your site, select the option to designate your own prefix By varying from the default setting, you make it more difficult for a hacker to compromise your database
Cross-Reference
Setting the database table prefix is covered in the discussion of Joomla! installation in Chapter 2.
Trang 6Part V: Site Maintenance and Management
Caution
A good administrator password should be at least seven characters in length and employ a combination of upper- and lowercase letters, numbers, and nonalphanumeric characters Never, under any circumstances, use words that can be found in the dictionary! This is common sense: “4tG~9fU#ss3” is a lot harder to crack than
“tinytoons.”
Removing unnecessary files
If you don’t need it now and you don’t intend to use it, get rid of it Logical targets for deletion include:
l Unused templates
l Extensions you have installed then decided not to use
l Unused applications you have installed on your server
l Archive files copied to your server during the course of installation
l The installation directory
Tip
As mentioned in Chapter 3, don’t simply rename the installation directory, delete it.
l Another candidate for deletion in Joomla! 1.5.x is the system’s XML-RPC server If you are not using this functionality, delete it It is located in the Joomla! root in the directory named xmlrpc/
Another good idea is to disable all unused core components that cannot be uninstalled Disabling unneeded core components shuts down one more avenue of attack and has the added advantage of cleaning up the administration interface
To disable a core component in Joomla! 1.5.x, follow these steps:
1 Access the admin system of your site.
2 Click on the InstallUnistall option under the Extensions menu The Extensions
Installer dialogue opens in your browser
3 Click on the Components link The Components dialogue opens in your browser.
4 Indentify the components you want to disable and then click on the green arrow in
the Enabled column The Enabled column indicator changes to show a red X, and the
component is now disabled
Maintaining a sensible server setup
In an ideal world, we would all have our own dedicated servers where we could control every aspect of the system In the real world, shared hosting is the reality for many users Shared hosting, although certainly more cost effective than a dedicated host, involves trade-offs in terms of security and access privileges
Trang 7Chapter 25: Keeping Your Site Secure and Up to Date
689
Your goal should be to make the host setup as secure as possible, regardless of whether it is dedi-cated or shared Exactly what you are permitted to do with your server varies, but you should con-sider the following:
l Use Secure FTP, if available: Doing this helps avoid the possibility that someone can
determine your username and password while you are in the process of a file transfer
l If possible, use PHP 5: While both PHP 4 and 5 are supported by Joomla!, PHP 5 is the
superior solution, and PHP 4 is being phased out
l Make sure your server does not have Register Globals enabled: Joomla! does not need
it and it is a security risk
l If the mod_security module is installed on your Apache web server, use it: It acts as
an embedded web application firewall and provides significant protection against many common attacks Learn more about how to use it at www.modsecurity.org/
l Turn safe mode off: Safe mode is not necessary for Joomla! and may cause problems
with some extensions
l Set Magic Quotes GPC to On: Set this option to On.
l Don’t use PHP allow_url_fopen: Set this option to Off.
l Use PHP open_basedir: Set this option to On.
Tip
Contracting with a web host solely on the basis of price is a bad idea Moreover, as competition has increased
in the hosting space, it is becoming more of a commodity business and price points have narrowed Instead of simply taking the cheapest host, make your selection based on service levels, quality of hardware, access privi-leges, software installed, and backup policies.
Securing third-party extensions
From a security perspective, every extension you install on your Joomla! site increases the risk you face Each extension comes with its own set of files and potential vulnerabilities Moreover, the fact that extension quality varies wildly is a serious issue for site owners, and each extension you install brings with it a need for due diligence and ongoing maintenance Given these issues, the first point
of concern for site owners should be the issue of trust: Do you trust that the developer is capable of producing solid, secure code and do you trust this developer to keep it patched and keep users abreast of risks as they arise? Never forget that, just like the core files, extensions have to be main-tained, patched, and upgraded
The wide variety of Joomla! extensions means that you have choices Accordingly, before you decide to adopt a particular extension, you need to do your research Not only should you be con-cerned with whether it works and looks like you want it to, but also you need to be convinced that the extension is of good quality and comes from a reputable source There are no guarantees; it is
up to you to do your homework and make a judgment call Visit the developer’s site Is it profes-sional? Is it up to date? If this is a project-based extension, check for levels of project activity and
Trang 8Part V: Site Maintenance and Management
issues that have been reported but remain unfixed Extensions listed on the Joomla! Extensions Directory include ratings and reviews — read them!
Tip
Joomla! maintains a Vulnerable Extensions List You should always check this before making a final decision on the adoption of a particular extension The list is maintained at
http://docs.joomla.org/Vulnerable_Extensions_List
Next, before you install a new extension on a live site, test it locally Check to make sure it installs cleanly and without error messages Test all the various functionalities, regardless of whether you intend to use them all It’s also a good idea to check and see if the extension comes with a
README file; if it does, read it!
Finally, before installing the new extension on your live site, back up the live site That way, if a problem occurs you can roll back and restore from the backup
If at some point in time you decide that the extension is no longer necessary and you uninstall it, make sure that the extension has uninstalled cleanly and has not left any files on your server Often, extensions leave directories and files behind on your server, despite being uninstalled
Keeping Up With Security Notices
Things change New vulnerabilities are discovered and new exploits are created to take advantage
of them Sometimes the rate of change is quite impressive, and it becomes a challenge to keep up and maintain all aspects of your site The Joomla! Security Strike Team was formed by the commu-nity as an attempt to address the dynamic nature of threats to the Joomla! system As new issues are discovered, the community reports them to the Strike Team The team formulates responses, works to learn more and, when needed, get patches out to the users
Keeping up with the announcements from the Joomla! Security Strike Team is one of the ways you can stay informed of important news that may impact your Joomla! site Important notices are always published on the home page of Joomla.org In addition, the default Joomla! 1.5.x system includes in the control panel an RSS feed from the Joomla! Security Strike Team, as shown in Figure 25.1 Of course, if you rely on these default notifications, you only discover new alerts when you visit Joomla.org or when you log into your Joomla! installation If you want more imme-diate notices, then you should consider either subscribing to the RSS feed with a separate news reader or joining the mailing list so that notifications are sent to you by e-mail The URLs for both services are included in the Table 25.1