Joomla! Security – Ever been hacked? Sorting fact from fiction. Useful security tips for Joomla! users.

Firstly, welcome to the Rochen Blog and our inaugural post. I am not sure where this blog is going to take us or what topics we will cover, but pretty much everything is on the table. With this first blog I thought it would be a good idea to cover a topic on the minds of many people – Joomla! security.

I think it is fair to say that Joomla! has received a lot of unjustified and misinformed criticism from many in the web hosting community. In my opinion the main reason for this is that when a Joomla! powered website is hacked on a host’s server, the vast majority of providers automatically assume the problem lies with Joomla! itself (because that’s what the site is running) and immediately tag it as a script with a lot of security problems without any proper research. Some hosts have even gone as far as banning Joomla! from their servers.

From our own experiences here at Rochen we have found that the vast majority of security issues that come up with Joomla! sites have nothing to do with the core code released by Joomla! themselves but are due to poorly coded, insecure or out of date third-party extensions installed under Joomla. Even if your Joomla install is kept fully updated, a single insecure extension can allow your entire site to be compromised. Vulnerable extensions are lethal to your site security.

As you might be aware Rochen know a thing or two about Joomla hosting. We host thousands of Joomla! powered websites but we also host all of the Joomla! official sites at www.joomla.org as well. We hosted the very first install of Joomla before any other provider. So I have put together a few recommendations based on things we have seen at Rochen that will hopefully help you keep your Joomla site more secure. Hosting with Rochen never hurts, but these tips are not specific to us.

1. Host your site on a server that runs PHP in CGI mode with su_php. This means that PHP runs under your own account user instead of the global Apache user and you don’t need to set insecure global permissions like CHMOD of 777. Not having PHP configured in this way opens you up to cross-account attacks from other users on the shared server, since you will need to CHMOD to 777 any directories Joomla! needs to be able to write to. It also makes installing and managing extensions a real nightmare for the webmaster. A shameless plug, but in case you were wondering, yes, Rochen meets this requirement and we also performance tune all of our PHP installs as well for good measure.

2. Providing you are hosted on a server that runs PHP as directed above then you should ensure all of your files are CHMOD to 644 and directories to 755. One exception is to ensure your Joomla configuration.php file is CHMOD to 640. You should never CHMOD any files or directories to 777, especially your configuration.php file.
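The permission scheme in point 2 is easy to state and easy to drift away from once a few extensions have been installed over FTP. The script below is an added example (my own, not code from the original post or from the Joomla! project): it audits a site tree for the recommended modes (directories 0755, files 0644, configuration.php 0640, nothing world-writable) and can optionally apply them. It assumes PHP runs as your account user under su_php/CGI, as point 1 requires, and a POSIX find(1); the function names `joomla_perm_audit`, `_perm_list` and `_perm_count` are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit (and optionally fix) a Joomla!
# tree against the permissions recommended above. Assumes the site runs under
# su_php/CGI as the account user, so 0755/0644 is enough for anything PHP writes.
#
#   joomla_perm_audit /home/user/public_html        # report only; exit 1 if anything is wrong
#   joomla_perm_audit /home/user/public_html fix    # apply 0755/0644/0640, then re-audit

# Print a newline-separated list with a label in front of each entry (no-op if empty).
_perm_list() {
    if [ -n "$2" ]; then printf '%s\n' "$2" | sed "s|^|$1: |"; fi
}

# Count the entries in a newline-separated list (0 for an empty list).
_perm_count() {
    if [ -z "$1" ]; then echo 0; else printf '%s\n' "$1" | wc -l | tr -d ' '; fi
}

joomla_perm_audit() {
    root="$1"
    mode="${2:-report}"

    if [ "$mode" = "fix" ]; then
        # Directories 0755, files 0644, and configuration.php 0640 because it holds
        # the database password and must not be readable by other accounts.
        find "$root" -type d -exec chmod 0755 {} +
        find "$root" -type f -exec chmod 0644 {} +
        if [ -f "$root/configuration.php" ]; then
            chmod 0640 "$root/configuration.php"
        fi
    fi

    # Note: the site root directory itself is included in every check below.
    # -perm -002 matches anything with the "other write" bit set: the 777 case the
    # post warns about, where any user on a shared box can write to the path.
    world_writable=$(find "$root" \( -type f -o -type d \) -perm -002)
    bad_dirs=$(find "$root" -type d ! -perm 0755)
    bad_files=$(find "$root" -type f ! -name configuration.php ! -perm 0644)
    bad_config=""
    if [ -f "$root/configuration.php" ]; then
        bad_config=$(find "$root/configuration.php" ! -perm 0640)
    fi

    _perm_list "world-writable (fix first)" "$world_writable"
    _perm_list "directory not 0755" "$bad_dirs"
    _perm_list "file not 0644" "$bad_files"
    _perm_list "configuration.php not 0640" "$bad_config"

    # A path can appear in more than one list (a 0777 directory is both
    # world-writable and "not 0755"); the total is the number of findings.
    problems=$(( $(_perm_count "$world_writable") + $(_perm_count "$bad_dirs") \
               + $(_perm_count "$bad_files") + $(_perm_count "$bad_config") ))
    echo "problems: $problems"
    [ "$problems" -eq 0 ]
}
```

Run it in report mode first and read the world-writable list before fixing anything; on a host that runs PHP as the Apache user (the setup point 1 tells you to avoid) the fix mode would break uploads, which is exactly the trade-off the post describes.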

3. The Joomla! FTP Layer was developed as a workaround in case a user was hosting a site on a server that did not run PHP under the account user. It allows for extensions to be installed under Joomla without running into file ownership issues. Unfortunately, it also opens up a potential security hole since your FTP details are stored in plain text under a Joomla! configuration file. If you are hosting in a secured and tuned environment, like we have here at Rochen, then you don’t actually need the FTP layer to be enabled as extensions will install out of the box without any hassle and you can manage them without running into file ownership issues. You should disable the Joomla FTP Layer and ensure it has not stored your login details.
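Because the FTP details live in plain text in configuration.php, the check in point 3 can be done from the shell. The following is an added example (my own, not from the original post or the Joomla! project): it reads the `$ftp_enable`, `$ftp_user` and `$ftp_pass` properties out of configuration.php, which is where Joomla! stores the FTP Layer settings, and fails if the layer is enabled or credentials are still present. It assumes the property lines keep Joomla's generated layout (`var $name = 'value';` in 1.5, `public $name = value;` in later releases); the function names `_cfg_value` and `ftp_layer_check` are my own.

```shell
#!/bin/sh
# Added example, not from the original post: report whether the Joomla! FTP layer
# is enabled or has credentials stored in configuration.php.
#
#   ftp_layer_check /home/user/public_html/configuration.php

# Print the value of one configuration.php property, e.g. `_cfg_value cfg ftp_enable`.
# Strips the surrounding quotes and the trailing semicolon; works for both the
# Joomla 1.5 "var $x = '0';" form and the later "public $x = 0;" form.
_cfg_value() {
    grep "[\$]$2[[:space:]]*=" "$1" | head -n 1 |
        sed "s/.*=[[:space:]]*//; s/[[:space:]]*;.*\$//; s/^['\"]//; s/['\"]\$//"
}

ftp_layer_check() {
    cfg="$1"
    enable=$(_cfg_value "$cfg" ftp_enable)
    user=$(_cfg_value "$cfg" ftp_user)
    pass=$(_cfg_value "$cfg" ftp_pass)
    status=0

    # An absent or zero ftp_enable means the layer is off (Joomla's default).
    case "$enable" in
        ""|0) echo "FTP layer: disabled" ;;
        *)    echo "FTP layer: ENABLED (ftp_enable=$enable); turn it off in Global Configuration"
              status=1 ;;
    esac

    # Even with the layer off, a stored username/password is a plain-text secret
    # sitting in a file that every extension on the site can read.
    if [ -n "$user" ] || [ -n "$pass" ]; then
        echo "FTP credentials are stored in $cfg (user='$user'); clear them"
        status=1
    fi
    return $status
}
```

The password value is deliberately never printed. If the check fails, clear the FTP fields in Global Configuration and save, then re-run it to confirm that configuration.php no longer carries them.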

4. There was a security issue with Joomla reported around a month ago that allowed an attacker to reset the Joomla administrator password for a site. Although it is not a complete solution a really simple thing you can do to help protect yourself if an issue like this comes up again is to change your Joomla! administrator username. Change it from the default “admin” to something else like “chris.admin”. Make it that bit harder for an attacker to compromise your site.

5. Although it might be tempting to install every extension under the sun (there are a lot of wonderful ones out there and some not so great!) only install the ones you need. The more you install under Joomla! then the more likely your site is to be compromised. You should also ensure you remove any components (including the files themselves via FTP) for any extensions you are not using.

6. It might seem like an obvious one but ensure your web hosting provider is keeping up with their responsibilities. Ensure they are keeping PHP and other software on the server updated (nobody should be running PHP4 anymore as it is now “End of Life” and potentially open to security issues), ensure they are running their operations in a secure way (PHP in CGI mode with su_php as noted above) and ensure they are taking steps to help ward off attackers by running modules like mod_security under Apache and open_basedir under PHP. Having mod_security on your server can help to stop a lot of XSS attacks against your Joomla! install getting through, but it can’t stop them all so you still need to ensure you keep up with your Joomla! security updates.

7. Ensure you are setting secure passwords not only for your Joomla! administrator user but also for your web hosting account control panel and FTP logins. It would be a real shame to have spent lots of time securing your Joomla! install only to let an attacker in through a weak password. I recommend a password that is at least 8 characters in length and contains letters (both upper and lower case), numbers and at least one symbol. Also ensure your passwords do not contain dictionary words. Using a password generator is a good idea.

8. Another useful tip I can share with you is to password protect your Joomla! /administrator directory. You can do this under an Apache web server using a .htaccess file and if you are a Rochen customer this can be easily configured using the “Password Protection” option within your control panel. By password protecting the /administrator directory you will have to enter a username and password prior to reaching the Joomla! administrator login page. It means that even if your Joomla! admin password is stolen then your site is still largely protected since the attacker will not be able to reach your administrator login page. Remember, it is important to use a different password on the /administrator directory than you do for your Joomla! admin password or it defeats the purpose of doing this.
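For readers doing point 8 by hand rather than through a control panel, here is an added example (my own, not from the original post) of the Apache side of it: a function that writes the .htaccess into /administrator and a second one that checks the protection is actually in place. It assumes Apache is configured to honour .htaccess for the site (`AllowOverride AuthConfig` or broader) and that the password file is created separately with Apache's `htpasswd` tool, e.g. `htpasswd -c /home/user/.htpasswd someuser`. The function names `protect_admin_dir` and `check_admin_protection` are my own. The password file is kept outside the web root so it can never be served, and the function refuses a path inside it.

```shell
#!/bin/sh
# Added example, not from the original post: HTTP Basic authentication in front of
# the Joomla! administrator directory using Apache mod_auth.
#
#   protect_admin_dir /home/user/public_html /home/user/.htpasswd
#   check_admin_protection /home/user/public_html

protect_admin_dir() {   # protect_admin_dir <site_root> <absolute path to .htpasswd>
    site_root="$1"
    htpasswd_file="$2"
    admin_dir="$site_root/administrator"

    [ -d "$admin_dir" ] || { echo "no administrator directory under $site_root" >&2; return 1; }

    # The password file must be absolute and must not be web-accessible.
    case "$htpasswd_file" in
        "$site_root"/*) echo "refusing: $htpasswd_file is inside the web root" >&2; return 1 ;;
        /*) ;;
        *)  echo "refusing: htpasswd path must be absolute" >&2; return 1 ;;
    esac

    cat > "$admin_dir/.htaccess" <<EOF
# Written by protect_admin_dir: Basic authentication before the Joomla! backend login.
# Use a different password here from the Joomla! administrator account.
AuthType Basic
AuthName "Joomla Administration"
AuthUserFile $htpasswd_file
Require valid-user
EOF
    chmod 0644 "$admin_dir/.htaccess"   # matches the file mode from point 2
}

# Verify the directives are present and the password file they point at exists.
check_admin_protection() {   # check_admin_protection <site_root>
    f="$1/administrator/.htaccess"
    [ -f "$f" ] || { echo "no .htaccess in administrator/"; return 1; }
    grep -q '^AuthType Basic' "$f" && grep -q '^Require valid-user' "$f" ||
        { echo ".htaccess lacks the Basic auth directives"; return 1; }
    pw=$(sed -n 's/^AuthUserFile[[:space:]]*//p' "$f")
    [ -f "$pw" ] || { echo "password file $pw does not exist (create it with htpasswd -c)"; return 1; }
    echo "administrator/ is protected (users from $pw)"
}
```

After writing the file, request /administrator/ in a browser: a browser authentication prompt must appear before the Joomla! login form. If the page loads without one, Apache is not honouring .htaccess for that directory and the protection is not active.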

9. Last but not least, and probably most important, you need to ensure you keep your Joomla install itself fully updated with the latest security patches from Joomla. You also need to ensure you keep all of your extension installs updated too. Remember, even if your Joomla install is updated, having even one insecure extension can allow your site to be compromised. You should subscribe to the Joomla Security Mailing List as well as the mailing lists maintained by the developers of third-party extensions you have installed. If you are using an extension from a developer that doesn’t maintain a security mailing list, then ask them why. It is something all developers should be doing.

So, if you have read this far down the blog post, then you might be happy you did because I am pleased to provide you with a Rochen promotional code: joomlasecurity. Simply enter this during the Rochen ordering process and you will receive 15% off your first month’s hosting for any of our plans. This coupon is good through to the end of October 2008. We don’t issue many coupons, but when we do they will be in sneaky places like this. Who ever said reading blogs while you should be working wasted money?

One other thing worth mentioning. If your Joomla! site hosted at Rochen is hacked then you can easily roll your account back within a few minutes to points in time over the past 30 days using our Rochen Vault recovery system. Simply login, select the files you want to restore and boom – your site is rolled back to an unhacked state. You do of course then need to secure the site otherwise it will simply be hacked again, but if you follow what I have outlined in this post then your Joomla! powered sites being hacked should be a thing of the past.

If you have any comments, questions or better yet security tips of your own then please leave a comment under this blog. Thanks for reading and I hope you have found some of the tips useful.

- Chris

Chris Adams is the Founder and CEO of Rochen, a web hosting provider specializing in providing a performance tuned hosting platform for dynamic database driven scripts like Joomla! Rochen has hosted all of the official Joomla! websites since the project began in August 2005.


15 Responses to “Joomla! Security – Ever been hacked? Sorting fact from fiction. Useful security tips for Joomla! users.”

  1. Mike Lau

    Hi Chris,

    Thanks for the tip!

    >>2. Providing you are hosted on a server that runs PHP as directed above then you should ensure all of your files are CHMOD to 644 and directories to 755. You should never CHMOD any files or directories to 777, especially your configuration.php file.

    What happens if the script requires the “folders” to be 777? A lot of image scripts (Gallery2, Coppermine, WordPress) require one or two folders to be chmod 777 to upload images. How do we get around it?

    Thanks,
    Mike

  2. Chris Adams

    Hi Mike,

    Thanks for your comment :-)

    Actually, we have found the documentation for some scripts (Gallery2 for example) automatically presumes you are running PHP as an Apache module (insecure because it requires CHMOD of 777) and not as I have directed in my post above. The documentation is not correct for the type of setup we run as CHMOD of 777 is not required anywhere.

    If you are hosted on a server that runs PHP in CGI mode with su_php (like we have here at Rochen) you will not need to use CHMOD of 777 for any script (including Gallery and the others you listed). Simply set CHMOD of 755 if you are ever directed by documentation to use CHMOD of 777 and things like image uploads will work just fine. Due to the fact PHP runs under your own user and not the global Apache user, using 755 is sufficient.

    Our own blog here at blog.rochen.com is powered by WordPress and we don’t use CHMOD of 777 anywhere. We also have many customers running Gallery2 and Coppermine without any issues.

    Chris

  3. Pepper101

    Good post. Would also be interesting to see specific security posts for WordPress and phpBB installations (obviously the PHP/Apache concepts will be similar).

  4. Chris Adams

    The basic points noted above will apply to any script and not just Joomla. We started off with a Joomla blog as that’s by far the most popular script we host, but we will certainly look into covering others in the future.

    Thanks for your comment! :-)

  5. Stephen

    Interesting post. As a beginner to open source web development it seems that security is the big question people ask. As someone looking to take a global business down the open source route, I’d be interested to know if a hosting provider / third party will look after these security issues for me? Do the custom template providers for instance offer security management as a service (and therefore take accountability for website attacks)?

  6. Arnaldo Gallo

    Instructive for newcomers to open source like me, and written in a rather honest way. Guidance on the requirements for a secure installation of Joomla and other issues, useful when selecting a hosting provider. I may be wrong, but I believe potential subscribers like me increasingly rate a secure hosting environment as their #1 requirement. Anyway, I am not a potential subscriber anymore. I’ve just subscribed to your Starter Plan.

  7. Kyle

    Quote from above:
    “…and you don’t need to set insecure global permissions like CHMOD of 777. Not having PHP configured in this way opens you up to cross-account attacks from other users on the shared server since you will need to CHMOD to 777 any directories Joomla! need to be able to write to…”

    I am a newcomer when it comes to security. I am extremely unfamiliar with some of the terms you talked about in your article above. What does CHMOD mean and numbers like 777…?

    Also, where can I find the FTP layer to find out whether or not it is disabled. Thanks for the help!

  8. Live Your Way

    Thanks for these pointers. I run my own blog and, while I am familiar with networking and a little php, these little codlets of destruction are good to know about. Thank you for the heads-up. Great article!

  9. Sam

    Hi Chris,
    Thanks for the advice re: security. Question…
    You wrote..”..If you are hosting in a secured and tuned environment, like we have here at Rochen, then you don’t actually need the FTP layer to be enabled as extensions will install out of the box without ….You should disable the Joomla FTP Layer and ensure it has not stored your login details.”

    I couldn’t install a Template without enabling the FTP layer. Based on what you said, any idea why I wasn’t able to install the Template if Rochen doesn’t require it?
    Thanks,
    Sam

  10. Chris Adams

    Hi Sam,

    Yes, this is correct. The Joomla FTP Layer is not required for hosting with Rochen. I suspect there is something amiss with your configuration. Please drop a post into our Customer Forums: http://forums.rochen.com with further details or open up a support ticket referencing this comment.

    Kyle, I have just seen your comment now while responding to Sam’s one above. You can read more about CHMOD here: http://en.wikipedia.org/wiki/Chmod – a CHMOD of 777 means any user on the system can write to your files. In a shared environment it is very insecure but a lot of hosts require it. You don’t need to use CHMOD of 777 anywhere at Rochen.

    Thanks for your comments.

    Chris

  11. Jon Hibbitt

    Hi Chris,

    Thanks for this excellent information, a quick couple of checks to ensure all was done according to your instructions was a big relief. This has got to be the reason why so many sites host with Rochen – you guys are on it.

    Cheers,
    Jon

  12. I.Adam

    May be slightly off topic but I am worried about my admin login info when I use free wifi or other public networks. Is there a way in Joomla to not send my username and password in clear text? I do not have SSL on my site.

  13. Chris Sharville

    Your comments about the security of extensions are very helpful. I do email extension companies to ask about their security policy. Have things changed since you wrote this blog? Is there any other advice you can give? I host my clients’ sites with Rochen and use Akeeba Admin Tools to improve security but it is an issue that I like to keep abreast of.

    With thanks,

    Chris

  14. Wendy Robinson

    Hi Chris,

    It’s always best to check in with the developers of any scripts that you use, to make sure that you’ve got the most up to date versions. Often they’ll have the option to subscribe to email alerts, so always check for that as well. Staying vigilant and on top of your scripts will always be your best bet for keeping your sites safe, no matter how much things change.

    Another helpful tool that’s come out in recent years is the Joomla! Vulnerable Extensions List, organized by volunteers from the Joomla community: http://docs.joomla.org/Vulnerable_Extensions_List

    Thanks for stopping by!