If you’re a regular reader of this blog then by now you’ve heard about our Joomla Utilities cPanel tool for easy upgrading, security fixes, permissions fixes and site migration among other features available for our Joomla Hosting customers.

Recently we’ve taken all of the great cPanel plugin features and integrated them into WHM (Web Host Manager) as an extra convenience for our Rochen Reseller Hosting customers.

Joomla Utilties for WHM is in the plugin section of the left side menu

The WHM plugin will allow you to easily upgrade all core files for Joomla 1.5 or 1.6 installations that are hosted on your Reseller account right from WHM instead of having to do all manually from their individual cPanel accounts.   You can upgrade the installations individually or you can also choose to update them all at once!

In addition to the upgrading feature we’ve also added the ability to fix file permissions and apply security tweaks, again directly from WHM to your Joomla 1.5 and 1.6 installations and just like when upgrading, you can choose to apply the changes to individual installations or all at once.

You can find the WHM Joomla Utilities tool in the Plugins section at the bottom of the left side menu in your WHM account.

Displays a list of all Joomla 1.5 and 1.6 Installations within your Reseller account

-Wendy

Wendy Robinson joined the Rochen team in June 2010 as a sales support staff member. She is also currently involved with the Joomla! project as a member of the Community Leadership Team.

However, the responsibility of maintaining and securing websites lies with the site owner (you). This includes core upgrades, extension upgrades, file permissions and settings. That can be a daunting task if you have multiple websites to manage, each functioning with a unique combination of addons and possibly using different content management systems.

Rochen has recently introduced a unique service that can help you keep your websites secure and avoid spending money and/or lengthy periods of time fixing your site in the event of a compromise. This new service is Rochen Alert.

What is the best way to prevent an attack or compromise and be sure that your site is as secure as possible? By keeping yourself informed about the software you use and making sure you are receiving every bit of critical security news that gets released. The reality is that it can be rather tedious to comb through all the news you receive and it’s possible that the amount of spam and irrelevant information that lands in your inbox can keep you from getting the critical news when you need it.

The advantage of Rochen Alert is that it allows you to subscribe to a security notification service that will send you automatic emails any time a critical security vulnerability or upgrade is reported. This covers not only core but also extensions, modules and plugins that pertain to Joomla!, Drupal, and WordPress. The spam, junk and irrelevant news is filtered out ensuring that only the important information gets sent to you.

How does it work?

The system is powered by a proprietary engine built to discover, categorize and deliver security related information. It combs the internet continuously ingesting security related topics and rejecting everything else.

• Security notifications for scripts you choose. E.g. Joomla, Drupal, WordPress etc.
• Security notifications for plug-ins or extensions. E.g. Joomla Extensions, WordPress plug-ins etc.
• Clear instructions on resolving the issue contained within the security notification.
• Alerts about threats provided within hours of release.

With Rochen Alert you can carry on with your day, manage your business, and be sure that any critical security notifications will find their way to you before most people even know about them. As the alerts arrive within a timely manner you can take necessary steps to prepare your sites ahead of time, keeping your own site safe and allowing your clients to have full confidence that their websites are in good hands with you.

Our security optimized hosting infrastructure combined with the convenience and quality of Rochen Alert notifications will always keep you one step ahead of everyone else, including the hackers.

Where Can I Sign Up?

Rochen Alert is available here for a annual subscription fee. Upon sign up you can choose your own combination of alerts pertaining to each of the three big content management systems, Joomla!, Drupal and WordPress. As soon as your order is processed you will be on the list to start receiving your critical alert notifications.

Can I get a discount?

Sure! For a limited time you can use the promotional code “alertpromo” and receive $10 off the annual subscription fee for the first year of your Rochen Alert service. The promotional code will expire January 31, 2011, so sign up soon in order to save!
-Wendy

Wendy Robinson joined the Rochen team in June 2010 as a sales support staff member. She is also currently involved with the Joomla! project as a member of the Community Leadership Team.

While at CMS Expo Adam and I delivered two 90 minute presentations on “WordPress Hosting and Security” and “Joomla Hosting and Security“. I have linked both of these below in PDF format in case anyone wishes to review them. Rochen also had a fantastic 20 ft x 10 ft booth setup at CMS Expo which I have attached a picture of as well. Apologies for the poor quality – it was taken with an iPhone.

Download “WordPress Hosting and Security” Presentation

Download “Joomla Hosting and Security” Presentation

In the last slide of the “Joomla Hosting and Security” presentation you may notice we discuss a new Joomla Utilities plug-in for our control panel that we will be releasing in beta here at Rochen later today. This new tool will make managing and keeping your Joomla sites secure a lot easier. We plan to develop similar tools for both Drupal and WordPress as well. More details on this to come very soon.

(I would also advise reviewing my original blog post on Joomla Hosting Security from September 2008.)

Disclaimer: Security advice and best practices change over time. The details posted in the above presentations are correct, to the best of our knowledge, at the time of posting. For the most up to date security information please consult with your web hosting provider and site developer directly. Please always seek expert advice.

Second to last, you may have noticed that we launched a new website at the start of May just before CMS Expo. We are still tweaking the design a little and also building out the pre-sales FAQ sections but we are very happy with it so far.

Finally, at CMS Expo we issued a promotional code for 20% off your first invoice with Rochen for any Business Hosting, Reseller Hosting or Managed Virtual Server (MVS) solution. This promotional code has now expired however we have decided to re-activate it with this blog post through until midnight UTC on Monday, June 7th 2010. The promotional code is: CMSX

Rochen’s hosting platform is purpose built to deliver the very best performance and tightest security for database driven dynamic scripts like Joomla and WordPress. If you would like to discuss your hosting needs then please contact us via sales@rochen.com and we will be happy to assist.

Thanks for reading.

- Chris

Chris Adams is the Founder and CEO of Rochen Ltd.

Recently on the list of events we attended and supported was the Sydney JoomlaDay 2009.
Thanks to all the people behind this event, the day was both informative and enjoyable. I was able to meet up with a number of current customers (and hopefully future ones) and discuss with them their needs and plans for the future. Here’s a small picture I took at the end of the event: http://yfrog.com/0sdfqj If you attended this event and missed the coupon code we shared, please get in touch with me.

Later in the year we’re proud to be providing support to the Joomla! Developer Conference in New York City on Dec 5 and 6 2009.

Other JoomlaDays currently being planned in 2010 that we will also attend include: Melbourne JoomlaDay 2010 and CMS Expo 2010. We may be able to have more than one staff member present at some of these future events as we try to contribute to the Joomla Community by sharing our knowledge and services of Joomla Hosting, after all, we knowhow to host Joomla sites being the Official Hosting Partner of the Joomla Project.

In the nearer future, you can catch us in Vietnam at the JoomlaDay Ho Chi Minh City on November 1 2009. We’re not only attending this event, but also providing sponsorship.

If you have any questions regarding your hosting needs (present and future) and you can attend any of these events, be sure to let us know and we’d be happy to arrange to spend some time with you.

- Brad

Brad Baker has been a member of the Rochen team since early 2003 and is a founding member of the Joomla! Open Source Project. He currently is part of the Joomla LeadershipTeam, and also blogs here.

I can’t hold back any more, I’m seeing still, so many people who do not keep their Joomla sites up to date, and then end up being exploited/compromised and cause more stress to themselves.. so.. again.. please Keep Your Joomla Sites Updated and Secure!

A simply way to do this, and with minimal effort is to use this great free component: Update Manager for Joomla! – Joomla! Extensions Directory – it will enable you to update your site, all from your Joomla backend. What could be easier?

BTW It’s not just Joomla that needs to be kept up to date, but any scripts you run. Joomla, along with scripts like WordPress are very popular and as a result attract the ‘script kiddies’ and others who once a patch is released, work out how to scan for compromised sites and exploit … YOU.

So, avoid being blacklisted by Google, avoid the downtime and pain involved with recovering from a site compromise, and simply Keep Your Joomla Sites Updated and Secure!

If you are in the unfortunate situation where you’ve been ‘driving a racing car without a helmet or seat belt’ aka not bothering to Keep Your Joomla Sites Updated and Secure and your site has been compromised, please see the following articles: How do I use Rochen Vault? and My site has been compromised, help!

- Brad

Brad Baker has been a member of the Rochen team since early 2003 and is a founding member of the Joomla! Open Source Project. He currently is part of the Joomla LeadershipTeam, and also blogs here.

Joomla Events where you can meet some of the Rochen team:

Melbourne JoomlaDay – Sat 7th February – Sun 8th February 2009
I’ll be attending this event, along with some other Joomla Core Team and Workgroup members. Look out for my presentation on Joomla Hosting, as well as others on the day regarding Joomla Security.

UK JoomlaDay – Sat 14th March – Sun 15th March 2009
Chris as well as Martin will be attending this event. This is only the second UK JoomlaDay, so I’d expect it to be a sold out event. Chris will also be speaking on Joomla security from a web hosting prospective. In the mean time you may wish to review his previous blog post on Joomla Security.

Las Vegas JoomlaDay – Sat 4th April 2009
Chris will be attending this event, and it’s shaping up to be one of the biggest Joomla Events of the year. Some of the presenters include: Steve Burge, Vic Drover, Andrew Eddie, Anthony Ferrara, Louis Landry, Toni Marie, Jennifer Marriott, Wendy Robinson, Rob Schley and Elin Waring.

Rochen do more than just Joomla hosting. We try to support Joomla as much as we can by not only our sponsorship of the project, but also of JoomlaDays.

Which events will you be attending this year? We be happy to catch up with any current or potential customers while we attend these events.

We’re looking forward to seeing some of you there!

- Brad

I think it is fair to say that Joomla! has received a lot of unjustified and misinformed criticism from many in the web hosting community. In my opinion the main reason for this is that when a Joomla! powered website is hacked on a host’s server then the vast majority of providers automatically assume the problem lies with Joomla! itself (because that’s what the site is running) and immediately tag it as a script with a lot of security problems without any proper research. Some hosts have even gone as far as banning Joomla! from their servers.

From our own experiences here at Rochen we have found that the vast majority of security issues that come up with Joomla! sites are nothing to do with the core code released by Joomla! themselves but due to poorly coded, insecure or out of date third-party extensions that are installed under Joomla. Even if your Joomla install is kept fully updated but you have a single insecure extension installed then this will allow your entire site to be compromised. Vulnerable extensions are lethal to your site security.

As you might be aware Rochen know a thing or two about Joomla hosting. We host thousands of Joomla! powered websites but we also host all of the Joomla! official sites at www.joomla.org as well. We hosted the very first install of Joomla before any other provider. So I have put together a few recommendations based on things we have seen at Rochen that will hopefully help you keep your Joomla site more secure. Hosting with Rochen never hurts, but these tips are not specific to us.

1. Host your site on a server that runs PHP in CGI mode with su_php. This means that PHP runs under your own account user instead of the global Apache user and you don’t need to set insecure global permissions like CHMOD of 777. Not having PHP configured in this way opens you up to cross-account attacks from other users on the shared server since you will need to CHMOD to 777 any directories Joomla! need to be able to write to. It also makes installing and managing extensions a real nightmare for the webmaster. A shameless plug, but in case you were wondering, yes, Rochen meets this requirement and we also performance tune all of our PHP installs as well for good measure.

2. Providing you are hosted on a server that runs PHP as directed above then you should ensure all of your files are CHMOD to 644 and directories to 755. One exception is to ensure your Joomla configuration.php file is CHMOD to 640. You should never CHMOD any files or directories to 777, especially your configuration.php file.

3. The Joomla! FTP Layer was developed as a work around solution in case a user was hosting a site on a server that did not run PHP under the account user. It allows for extensions to be installed under Joomla without running into file ownership issues. Unfortunately, it also opens up a potential security hole since your FTP details are stored in plain text under a Joomla! configuration file. If you are hosting in a secured and tuned environment, like we have here at Rochen, then you don’t actually need the FTP layer to be enabled as extensions will install out of the box without any hassle and you can manage them without running into file ownership issues. You should disable the Joomla FTP Layer and ensure it has not stored your login details.

4. There was a security issue with Joomla reported around a month ago that allowed an attacker to reset the Joomla administrator password for a site. Although it is not a complete solution a really simple thing you can do to help protect yourself if an issue like this comes up again is to change your Joomla! administrator username. Change it from the default “admin” to something else like “chris.admin”. Make it that bit harder for an attacker to compromise your site.

5. Although it might be tempting to install every extension under the sun (there are a lot of wonderful ones out there and some not so great!) only install the ones you need. The more you install under Joomla! then the more likely your site is to be compromised. You should also ensure you remove any components (including the files themselves via FTP) for any extensions you are not using.

6. It might seem like an obvious one but ensure your web hosting provider is keeping up with their responsibilities. Ensure they are keeping PHP and other software on the server updated (nobody should be running PHP4 anymore as it is now “End of Life” and potentially open to security issues), ensure they are running their operations in a secure way (PHP in CGI mode with su_php as noted above) and ensure they are taking steps to help ward off attackers by running modules like mod_security under Apache and open_basedir under PHP. Having mod_security on your server can help to stop a lot of XSS attacks against your Joomla! install getting through, but it can’t stop them all so you still need to ensure you keep up with your Joomla! security updates.

7. Ensure you are setting secure passwords for both your Joomla! administrator user but also your web hosting account control panel and FTP logins. It would be a real shame to have spent lots of time securing your Joomla! install to then let an attacker in through a weak password. I recommend a password that is at least 8 characters in length and containers letters (both upper and lower case), numbers and at least one symbol. Also ensure your passwords do not contain dictionary words. Using a password generator is a good idea.

8. Another useful tip I can share with you is to password protect your Joomla! /administrator directory. You can do this under an Apache web server using a .htaccess file and if you are a Rochen customer this can be easily configured using the “Password Protection” option within your control panel. By password protecting the /administror directory you will have to enter a username and password prior to reaching the Joomla! administrator login page. It means that even if your Joomla! admin password is stolen then your site is still largely protected since the attacker will not be able to reach your administrator login page. Remember, it is important to use a diffrent password on the /administrator directory than you do for your Joomla! admin password or it defeats the purpose of doing this.

9. Last but not least, and probably most important, you need to ensure you keep your Joomla install itself fully updated with the latest security patches from Joomla. You also need to ensure you keep all of your extension installs updated too. Remember, even if your Joomla install is updated having even one insecure extension can allow your site to be compromised. You should subscribe to the Joomla Security Mailing List as well as the mailing lists maintained by the developers of third-party extensions you have installed. If you are using an extension from a developer that doesn’t maintain a security mailing list, then question them why. It is something all developers should be doing.

So, if you have read this far down the blog post, then you might be happy you did because I am pleased to provide you with a Rochen promotional code: joomlasecurity. Simply enter this during the Rochen ordering process and you will receive 15% off your first month’s hosting for any of our plans. This coupon is good through to the end of October 2008. We don’t issue many coupons, but when we do they will be in sneaky places like this. Who ever said reading blogs while you should be working wasted money?

One other thing worth mentioning. If your Joomla! site hosted at Rochen is hacked then you can easily roll your account back within a few minutes to points in time over the past 30 days using our Rochen Vault recovery system. Simply login, select the files you want to restore and boom – your site is rolled back to an unhacked state. You do of course then need to secure the site otherwise it will simply be hacked again, but if you follow what I have outlined in this post then your Joomla! powered sites being hacked should be a thing of the past.

If you have any comments, questions or better yet security tips of your own then please leave a comment under this blog. Thanks for reading and I hope you have found some of the tips useful.

- Chris

Chris Adams is the Founder and CEO of Rochen, a web hosting provider specializing in providing a performance tuned hosting platform for dynamic database driven scripts like Joomla! Rochen has hosted all of the official Joomla! websites since the project began in August 2005.