Comments on: Joomla! Security – Ever been hacked? Sorting fact from fiction. Useful security tips for Joomla! users.

By: I.Adam

I.Adam — Mon, 09 Nov 2009 23:57:51 +0000

May be slightly off topic but I am worried about my admin login info when I use free wifi or other public networks. Is there a way in joomla to not send my username and password in clear text? i do not have SSL on my site.

By: Jon Hibbitt

Jon Hibbitt — Mon, 05 Oct 2009 12:26:50 +0000

Hi Chris,

Thanks for this excellent information, a quick couple of checks to ensure all was done according to your instructions was a big relief. This has got to be the reason why so many sites host with Rochen – you guys are on it.

Cheers,
Jon

By: Chris Adams

Chris Adams — Thu, 19 Feb 2009 23:51:45 +0000

Hi Sam,

Yes, this is correct. The Joomla FTP Layer is not required for hosting with Rochen. I suspect there is something amiss with your configuration. Please drop a post into our Customer Forums: http://forums.rochen.com with further details or open up a support ticket referencing this comment.

Kyle, I have just seen your comment now while responding to Sam’s one above. You can read more about CHMOD here: http://en.wikipedia.org/wiki/Chmod – a CHMOD of 777 means any user on the system can write to your files. In a shared environment it is very insecure but a lot of hosts require it. You don’t need to use CHMOD of 777 anywhere at Rochen.

Thanks for your comments.

Chris

By: Sam

Sam — Thu, 19 Feb 2009 21:07:35 +0000

Hi Chris,
Thanks of the advice re: security. Question…
You wrote..”..If you are hosting in a secured and tuned environment, like we have here at Rochen, then you don’t actually need the FTP layer to be enabled as extensions will install out of the box without ….You should disable the Joomla FTP Layer and ensure it has not stored your login details.”

I couldn’t install a Template without enabling the FTP layer. Based on what you said, any idea why I wasn’t able to install the Template if it Rochen doesn’t require it?
Thanks,
Sam

By: Live Your Way

Live Your Way — Fri, 16 Jan 2009 22:06:58 +0000

Thanks for these pointers. I run my own blog and, while I am familiar with networking and a little php, these little codlets of destruction are good to know about. Thank you for the heads-up. Great article!

By: Kyle

Kyle — Thu, 15 Jan 2009 14:34:34 +0000

Quote from above:
“…and you don’t need to set insecure global permissions like CHMOD of 777. Not having PHP configured in this way opens you up to cross-account attacks from other users on the shared server since you will need to CHMOD to 777 any directories Joomla! need to be able to write to…”

I am a newcomer when it comes to security. I am extremely unfamiliar with some of the terms you talked about in your article above. What does CHMOD mean and numbers like 777…?

Also, where can I find the FTP layer to find out whether or not it is disabled. Thanks for the help!

By: Rochen Blog » Blog Archive » Joomla! Events Rochen are Attending and Sponsoring. Joomla Hosting and Security.

Mon, 05 Jan 2009 23:10:21 +0000

[...] UK JoomlaDay – Sat 14th March – Sun 15th March 2009 Chris as well as Martin will be attending this event. This is only the second UK JoomlaDay, so I’d expect it to be a sold out event. Chris will also be speaking on Joomla security from a web hosting prospective. In the mean time you may wish to review his previous blog post on Joomla Security. [...]

By: Arnaldo Gallo

Arnaldo Gallo — Thu, 18 Dec 2008 01:20:44 +0000

Instructive for newcomers to open source like me, and written in a rather honest way. Guidance on the requirements for a secure installation of Joomla and other issues, useful when selecting a hosting provider. I may be wrong, but I believe potential subscribers like me increasingly rate a secure hosting environment as their #1 requirement. Anyway, I am not a potential subscriber anymore. I ‘ve just subscribed to your Starter Plan.

By: Stephen

Stephen — Tue, 07 Oct 2008 10:17:19 +0000

Interesting post. As a beginner to open source web development it seems that security is the big question people ask. As someone looking to take a global business down the open source route, i’d be interested to know if a hosting provider / third party will look after these security issues for me? Do the custom template providers for instance offer security management as a service (and therefore take accountability for website attacks)?

By: Chris Adams

Chris Adams — Thu, 02 Oct 2008 23:37:31 +0000

The basic points noted above will apply to any script and not just Joomla. We started off with a Joomla blog as that’s by far the most popular script we host, but we will certainly look into covering others in the future.

Thanks for your comment! :-)