Security Resources Security Checklist: Getting Started http://docs.joomla.org/Security_ Checklist_1_-_Getting_Started Security Checklist: Hosting and Server Setup http://docs.joomla.org/
Trang 1issues that have been reported but remain unfixed Extensions listed on the Joomla! Extensions Directory include ratings and reviews — read them!
Tip
Joomla! maintains a Vulnerable Extensions List You should always check this before making a final decision on the adoption of a particular extension The list is maintained at
http://docs.joomla.org/Vulnerable_Extensions_List
Next, before you install a new extension on a live site, test it locally Check to make sure it installs cleanly and without error messages Test all the various functionalities, regardless of whether you intend to use them all It’s also a good idea to check and see if the extension comes with a
README file; if it does, read it!
Finally, before installing the new extension on your live site, back up the live site That way, if a problem occurs you can roll back and restore from the backup
If at some point in time you decide that the extension is no longer necessary and you uninstall it, make sure that the extension has uninstalled cleanly and has not left any files on your server Often, extensions leave directories and files behind on your server, despite being uninstalled
Keeping Up With Security Notices
Things change New vulnerabilities are discovered and new exploits are created to take advantage
of them Sometimes the rate of change is quite impressive, and it becomes a challenge to keep up and maintain all aspects of your site The Joomla! Security Strike Team was formed by the commu-nity as an attempt to address the dynamic nature of threats to the Joomla! system As new issues are discovered, the community reports them to the Strike Team The team formulates responses, works to learn more and, when needed, get patches out to the users
Keeping up with the announcements from the Joomla! Security Strike Team is one of the ways you can stay informed of important news that may impact your Joomla! site Important notices are always published on the home page of Joomla.org In addition, the default Joomla! 1.5.x system includes in the control panel an RSS feed from the Joomla! Security Strike Team, as shown in Figure 25.1 Of course, if you rely on these default notifications, you only discover new alerts when you visit Joomla.org or when you log into your Joomla! installation If you want more imme-diate notices, then you should consider either subscribing to the RSS feed with a separate news reader or joining the mailing list so that notifications are sent to you by e-mail The URLs for both services are included in the Table 25.1
Trang 2FIGURE 25.1
The admin system’s control panel includes by default the Joomla! Security Newsfeed
The channel you prefer to use for alerts is entirely up to you, but the simple fact is that the only way to keep your site secure is to keep it — and its extensions — up to date When new versions are released, do not delay in upgrading New releases require immediate action If you fail to upgrade your site after a security release is announced and your site is subsequently hacked, you really have no one to blame but yourself
The Joomla! team and community have created and maintain a number of useful security
resources Table 25.1 lists the resources
Trang 3TABLE 25.1
Joomla! Security Resources
Security Checklist: Getting Started http://docs.joomla.org/Security_
Checklist_1_-_Getting_Started
Security Checklist: Hosting and Server Setup http://docs.joomla.org/Security_
Checklist_2_-_Hosting_and_Server_Setup
Security Checklist: Testing and
Development
http://docs.joomla.org/Security_
Checklist_3_-_Testing_and_Development
Security Checklist: Joomla Setup http://docs.joomla.org/Security_
Checklist_4_-_Joomla_Setup
Security Checklist: Site Administration http://docs.joomla.org/Security_
Checklist_5_-_Site_Administration
Security Checklist: Site Recovery http://docs.joomla.org/Security_
Checklist_6_-_Site_Recovery
Joomla Security Strike Team Contact Form http://developer.joomla.org/security/
contact-the-team.html
Security and Performance FAQs http://docs.joomla.org/Security_and_
Performance_FAQs
Automatic Email Notification System http://feedburner.google.com/fb/a/mail
verify?uri=JoomlaSecurityNews
Security RSS Feed http://feeds.joomla.org/JoomlaSecurityNews
Joomla! 1.5 Security Forum http://forum.joomla.org/viewforum.php?f=432
Vulnerable Extensions List http://docs.joomla.org/Vulnerable_
Extensions_List
Security Announcements for Joomla!
Developers
http://developer.joomla.org/security/news html
Joomla! Developers Security Articles and
Tutorials
http://developer.joomla.org/security/ articles-tutorials.html
Managing Site Maintenance
Whenever a new patch or update is released, you need to get it installed on your site without delay Sometimes, particularly in the case of extensions, the patch can be a small matter; in other cases, particularly in the case of a new version release, installation of the new files can entail a sig-nificant amount of work In either event, having an established process for dealing with the upgrades is useful as it helps avoid the possibility that you will miss something during the upgrade, only to discover problems later on
Trang 4Before you begin any significant maintenance process, you should make sure that you have a cur-rent backup of your site If something goes wrong, you need to be able to roll the site back to the previous version While it may be time consuming to follow this advice, it is worth it Trust me, you aren’t doing this for the 99 times out of 100 that you don’t have a problem; you are doing it for the one time that you do! If you are dealing with your personal site this may be simply a matter
of inconvenience, but if you are handling a client or an employer’s site, it is unprofessional not to take the appropriate precautions to protect their site and their data
Taking a site offline
Prior to undertaking any major upgrade on a live site you should take the site offline, that is, hide
it from public view Joomla! makes it possible to take a site offline with one click, while still retain-ing access to the admin system After the site is offline, you can perform whatever maintenance you need and check your work prior to putting the site back live
To take your site offline, follow these steps:
1 Log in to the admin system of your site.
2 Access the Global Configuration Manager either by clicking on the Global
Configuration icon on the control panel or by clicking on the Global Configuration link under the Site Menu The Global Configuration Manager loads in your browser, as
shown in Figure 25.2
3 Click the Yes option next to the label Site Offline.
4 Adjust the Offline Message text, if you so desire.
5 Click the Save icon The system takes the front end of the site offline and displays the
Offline Message to site visitors
To put the site back online, follow these steps:
1 Log in to the admin system of your site.
2 Access the Global Configuration Manager by either clicking on the Global
Configuration icon on the control panel or by clicking on the Global Configuration link under the Site Menu The Global Configuration Manager loads in your browser
(Refer to in Figure 25.2)
3 Click the No option next to the label Site Offline.
4 Click the Save icon The system puts the front end of the site back online.
Trang 5FIGURE 25.2
The Site Settings of the Global Configuration Manager
Backing up your site
Backing up a Joomla! site involves making copies of the files on the server and the data in your database A complete backup encompasses both elements
Tip
In terms of best practices, it is a good idea to maintain at all times the two most recent full backups of your site This provides you with protection in the event the most recent backup is corrupted or incomplete If your site is large, maintaining multiple full backups can take up a lot of space If space is an issue, then maintain an incremental back-up regimen that backs up only your changed files.
The question of how frequently you need to back up your site is best answered with reference to the frequency with which your site changes If your site changes daily, then perhaps daily backups are in order If you site changes only sporadically, then weekly backups will probably do the job Make sure that you don’t keep all your backups in one location If there is a fire or other problem that results in the loss of one backup, you want to increase your chances that the second copy is
Trang 6protected If your web hosting contract provides for back-up services, make sure you periodically download the files to keep a copy locally as your failsafe
To make a complete backup of your site, you will need to access the files on the server and make a copy of them Typically this is done by FTP or through your web hosting control panel’s file man-ager You also need to use a tool such as phpMyAdmin to make a copy of the database for the site As
an alternative to using multiple tools and doing this manually, you can install additional extensions to your Joomla! site to enable this from within the admin interface As discussed in Chapter 22, several tools can help you create and manage your backups
Restoring from a backup
Manually restoring the files on your server is a simple process; you only need to copy your
back-up files onto the server, replacing the files that are there If you have used full backback-ups this is a one-step process If you are using incremental backups you, first you need to copy the full backup and then copy the incremental back-up files
Manually restoring your database is slightly more complicated, because you need to use
phpMyAdmin to import the back-up files to overwrite the existing database tables
Just like creating back ups, restoring from a back up can be undertaken manually, but the process can be made much simpler through the use of any of several third-party extensions
Tip
If you have never tried to restore a site from a backup, I highly recommend that you try the process once before you deploy your site The process is not difficult, but you don’t want to be doing it for the first time on a live site that you need to get working again!
Regaining access to your admin account
Sometimes a site administrator loses his password, or a hack attempt results in the loss of the administrator’s password If you have access to the Password Reset functionality on the Login Form, you can try to use it to get a new password If that does not work, then you need to go to the database to solve the problem Although you cannot recover a lost admin password, you can reset it in the database and thereby gain access to the account
Passwords are stored in the database along with the user data The passwords are not human-readable, because they are stored as MD5 hashed values, as shown in Figure 25.3
Trang 7FIGURE 25.3
The jos_users table, as viewed from phpMyAdmin Note the password field, showing the password as an MD5 hashed value
By way of example, follow these steps to reset a user’s password to the value “admin”:
1 Use phpMyAdmin to access the database on your server.
2 Select the database for your Joomla! site from the combo box on the left side of the
page The list of database tables in the database is displayed in the left column, below the
combo box
3 Click on the table named jos_users in the list of tables The users table screen shows
on the right side of the page
4 Click on the Browse button on the top toolbar The screen shows all of the users that
are set up for this site
5 Find the user whose password you want to change Click the Edit icon next to the
user’s name The Edit screen is displayed.
Trang 86 Copy this value exactly: 21232f297a57a5a743894a0e4a801fc3 — this is the MD5
hash value that equates to the string “admin.” Paste this value into the field names password.
7 Click the Go button phpMyAdmin saves the new value for the password and return
you to the users table
The value entered into the password field in the preceding example changes the user’s password to
“admin.” The user should now be able to log in to the site by typing their username along with the password “admin.” They should change their password immediately to their preferred value
Upgrading a Joomla! Installation
One thing is certain: At some point during the life of your Joomla! site you will find the need to go through the process of upgrading your site Indeed, odds are you will need to go through this pro-cess numerous times Accordingly, I recommend that you adopt a propro-cess for handling upgrades in order to avoid disruption to the site and downtime
The first step to any upgrade is identifying the version you are currently running, and then identi-fying the proper upgrade package for your installation To find the version of your current site, fol-low these steps:
1 Log in to the admin system of your site.
2 Access the System Info page by clicking on the System Info link under the Help
menu The System Info page loads in your browser, as shown in Figure 25.4.
3 Look at the line labeled Joomla! Version — this is the version of Joomla! installed
on your site.
After you know your current version, you can identify and download the proper upgrade package from JoomlaCode.org
Cross-Reference
Finding and obtaining the Joomla! core files from JoomlaCode.org is covered in Chapter 2.
Next, before you begin the actual upgrade, make a full backup of your existing site Set this aside
in the event that something goes wrong and you need to restore your site After the backup is done, you can proceed with the actual upgrade process
Trang 9FIGURE 25.4
The System Info page, in this example showing a site with a Joomla! Version 1.5.10 installed
Follow these steps:
1 Unpack the upgrade archive on your local machine.
2 Take your site offline, as discussed earlier in this chapter.
3 Move the files to your server using either FTP or your web hosting control panel’s
file manager; note the cautions outlined in the “Upgrade issues” sidebar.
4 If database changes are required, follow the instructions given with the upgrade and
make the changes.
5 Test the changes.
6 If all is well, put the site back online, as discussed earlier in this chapter.
Tip
Official Joomla! upgrade instructions can always be found at
http://docs.joomla.org/Upgrade_Instructions
Trang 10The official Joomla! forums include a section dedicated to Upgrades and Migration Visit
http://forum.joomla.org/viewforum.php?f=430
Summary
In this chapter, we have taken a look at Joomla! security and site maintenance issues You learned the following:
l How to help secure your Joomla! installation
l How to back up and restore your site files and database
l How to install patches and upgrades to your site
Due to the wide variance in systems, servers, and upgrades, you may cover all the various issues that may result in the process of an upgrade You should take note of the following key issues:
l A Joomla! upgrade package will only cover the core files; extensions will need to be
upgraded separately
l For complex sites, it is best to test the upgrade first on a local or development installation If all goes well, then you can roll out the upgrade to the live site
l Installing upgrade files on your server involves overwriting the old files If you have installed third-party templates and other extensions, take special care you do not erase them!
Moreover, if you have modified any of the core files, make certain you have identified the changes so that you can apply the changes to the new files
Upgrade Issues