Introduction

Welcome

[00:04] Hello, there!
[00:05] I'm Kenneth Crowder and welcome to Joomla! Developing Secure Sites.
[00:09] In these videos, I have broken down the topic of Joomla! security into easy-to-follow best practices.
[00:14] I'll be showing you how to schedule backups, assess extensions for vulnerabilities, create effective passwords, discourage hackers by using proper naming conventions, and I'll show you how to keep your Joomla! web site secure.
[00:29] Implementing these best practices will minimize the risk of your web site being compromised.
[00:34] It's time for you to stop being insecure about Joomla! security.

1. Getting Started

Backing up

[00:00] It's hard to express how important it is to take regular backups.
[00:03] The comment I get most is, "My host takes backups for me, so I don't need to."
[00:08] You cannot and should not trust your host to do this task for you.
[00:11] Today we're going to install an extension called AkeebaBackup.
[00:14] It's a good way to back up your site, so that you can download it in case you need to restore it, or move it to a different server later.
[00:17] Let's start by going to AkeebaBackup.com.
[00:25] From their homepage, hover over Download and click Official Releases.
[00:30] The first option in the list is Akeeba Backup. Click the button for View releases in this category.
[00:35] We'll scroll down a little bit, and we'll click View files for the most current stable version.
[00:44] Clicking Download now, under Akeeba Backup Core, will download the AkeebaBackup extension.
[00:52] Now, we're going to install this extension.
[00:54] Go into your Administrator; we need to log in. Hover over Extensions, and click Install/Uninstall.
[01:05] Under Upload Package File, click the Browse button, find your extension and then click Open.
[01:13] When you're ready, click Upload File & Install. Great!
[01:17] We've installed AkeebaBackup.
[01:18] The next thing we want to do is take a backup of your web site.
[01:22] Hover over Components > Akeeba Backup, and click Backup Now.
[01:28] You can add some comments if you wish, or just go ahead and click Backup Now! on the right side of the screen.
[01:34] While this is backing up, you'll notice at the bottom it says Last server response.
[01:38] This typically goes between 0 and 3 seconds.
[01:41] The reason for this is that on large web sites, while it's backing up files, it may appear that the server has stopped responding.
[01:48] This is here so that the user knows that the server has not stopped responding.
[01:53] This backup is successful.
[01:55] Now that we're on this screen, we can click Administer Backup Files.
[01:58] The screen shows you a list of all the backups that you have taken.
[02:02] You can keep the backup on your web site, but in all reality, if you do that and the server crashes, you're really not better off than you were before.
[02:09] You want to make sure you download this backup.
[02:12] You could do so by checking the check box at the left and clicking Download.
[02:19] Your backup has now been downloaded.
[02:21] Now that you've downloaded your backup, you may think you're done, but you're not.
[02:26] It's important to know that even though you've downloaded your backup, you also need to back up your backup.
[02:31] I know it's a crazy concept, but what happens if your computer crashes?
[02:35] Having a service like Mozy, IDrive, or Carbonite on your system to back up your files to an off-site server is very important to ensure that your files are safe.
[02:46] If you are a professional web site developer and you have clients that depend on you for services, it's your obligation to ensure that those files are backed up.
[02:54] Before we conclude backing up your web site, I want to talk about one more application that Akeeba offers, called Remote Control.
[03:01] Going back over to AkeebaBackup.com, hover over Download, click Official Releases, and scroll down and find Akeeba Remote Control.
[03:10] This is a great application that allows you to schedule backups of your web sites.
[03:15] You no longer have to log in to each web site, back it up and download it individually.
[03:19] You can now set up Akeeba Remote Control to automate this task for you.
[03:23] It's a great application, and I really suggest that you check it out.
[03:27] The last extension on AkeebaBackup.com that we'll look at is a module that helps you remember when to back up your web site.
[03:33] Scrolling to the top of the page, let's click View releases in this category, under the Akeeba Backup heading.
[03:40] Scrolling down a little bit, click on View files, under the latest stable release.
[03:44] This is the file we backed up earlier.
[03:48] Right underneath it is the Administrator icon module.
[03:51] Click Download now to download it.
[03:54] Click OK to save it.
[03:55] Now, I want to go back over to the Joomla! Administrator and install this extension.
[04:02] We do this just like we did the AkeebaBackup extension earlier.
[04:05] Click Install/Uninstall underneath the Extensions dropdown.
[04:09] Click Browse, find the module we just downloaded, click Open, and when you're ready, click Upload File & Install. Great!
[04:21] It's installed.
[04:22] By default, Joomla! does not publish modules, so we need to go publish it, and also change its module position.
[04:29] Let's go up to Extensions > Module Manager.
[04:34] This is the list of modules that you would typically see if you were editing a module. Since this is an administrator module, our module would not be in this list.
[04:42] You need to click this link that says Administrator to access the administrator modules.
[04:47] Scrolling down a little bit, we see the Akeeba Backup Notification Module.
[04:51] Go ahead and click it, and let's see what's inside.
[04:53] The first thing we want to do is Enable it, and we want to put it in the icon position. Then we want to click Save. Great!
[05:01] Now let's go back to the Control Panel.
[05:03] You can get there by clicking Site > Control Panel.
[05:05] Here you can see a new icon has shown up on our control panel.
[05:09] It currently says Backup is up-to-date.
[05:11] This is because we just took a backup.
[05:13] If we were to wait for some time, this would change to a different icon, letting us know that we needed to back up our site.
[05:19] Now that we've learned how to install Akeeba, take a backup, download that backup, and we've learned the reasons why you should back up your backup, let's just take a moment and understand why we do this.
[05:30] I know of a host who had a server that crashed and the backup that they'd taken would not restore.
[05:36] I was very fortunate that none of my web sites were on that server, but it did, however, serve as a wake-up call.
[05:41] For those people who had web sites on that server but did not have a backup, they were just plain out of luck, and that's not some place you want to be.

Restoring

[00:00] Now that we have backed up your site, I want to show you how to restore it.
[00:03] This process is also important if you're moving your site from one server to another, or if you just want to make a local copy, so you can test out stuff without affecting your live site.
[00:12] The first thing we want to do is create a new folder wherever you're going to restore this.
[00:15] For me, I'm going to do it locally, but you might want to do it out on your server under a different directory.
[00:19] I will call this new folder joomlasecurity2.
[00:27] All right, we have this folder.
[00:29] I will navigate into it.
[00:31] We need to put two files in here.
[00:34] One of them is our backup file.
[00:38] This is the file that we downloaded earlier after creating our backup.
[00:44] The next thing we need to do is go out to AkeebaBackup.com and download the Kickstart software.
[00:51] You can do this by going to AkeebaBackup.com, hover over Download, and click on Official Releases.
[00:58] Scroll down until you find Akeeba Kickstart. Click on the View releases in this category button.
[01:03] We will want to download the latest stable version. To do this, click the View files button, and then you click Download now, under Kickstart package.
[01:14] We'll save it to our Downloads folder.
[01:20] Now I'm navigating to my Downloads folder to find my Kickstart application that I downloaded.
[01:24] I want to extract the zip file.
[01:30] We see we have nine files here.
[01:35] The only file that's really important to us is kickstart.php.
[01:38] I am going to copy this over to our new folder that we created.
[01:41] It's also the folder that we copied our backup to.
[01:45] If English isn't your first language, and your first language is one of these that are listed here, you could copy this file also over there with Kickstart, and then Kickstart will run in your native language.
[01:56] For us, we're going to just leave it as the default, which is English.
[02:00] The next thing we need to do is pull up this directory within our browser.
[02:05] Since I'm working locally, my URL is localhost/joomlasecurity2.
[02:12] Here you can see we have the two files that we had in our directory.
[02:15] Let's execute the kickstart.php script.
[02:19] Initially, when the script runs, it puts up a little disclaimer, just basically stating that Kickstart really isn't for all server configurations, kind of a best-effort type of script.
[02:29] I've never had any issues with this, but I have heard of people that do.
[02:34] So we'll click Click here.
[02:36] We're now on the first screen of the Akeeba Kickstart script.
[02:40] The dropdown here shows all of the backups that are within the current directory.
[02:44] Since we only copied one over, we only have one.
[02:46] This is typically the case.
[02:48] The other settings are fine as a default, and then we'll click Start.
[02:53] This screen starts extracting the compressed file.
[02:56] So your one file now becomes hundreds of files.
[02:59] When it completes, it will automatically take us to the next screen.
[03:03] Now we are ready to do the restoration and clean up.
[03:05] We need to run the installer.
[03:07] This installer is a lot like the default installer that comes with Joomla!, only it's been branded a little bit differently for Akeeba.
[03:14] If you're copying this back over to the same server that you took the backup from, all of these settings would be correct.
[03:20] If any of these say No, you would want to look at that further.
[03:23] We'll click Next to go to the next screen.
[03:28] Now we're on the database restore screen.
[03:31] This is where the database that was backed up is then restored under a new server or back on the old location.
[03:37] But we haven't created that database yet, so we need to jump over to phpMyAdmin and do that.
[03:42] To do that, I'll open a new tab.
[03:44] Since I'm working locally, I can just type localhost/phpmyadmin.
[03:51] If your web site is out on a different server, chances are you have cPanel installed, and there should be a link for phpMyAdmin within cPanel.
[04:00] Now that phpMyAdmin is loaded, let's create the database.
[04:05] Inside the input box for Create new database, let's type "joomlasecurity2," and then we'll click Create.
[04:15] Now we need to go back over to the installer.
[04:18] The User name is still root.
[04:19] I am working locally. Password is blank.
[04:22] Chances are if you're installing this on a remote server, you would have a different username and password.
[04:28] The database name is now joomlasecurity2, and then we'll click Next, to go to the next page.
[04:34] During the restoration process, the database backup is imported back into the database.
[04:39] Since our site is so small, this happened pretty much instantaneously.
[04:43] If you had a large web site, this might take a little time.
[04:45] We'll click OK to close this screen.
[04:50] Now we're on the Site Info page.
[04:52] The Site Name here is as it was when we took the backup.
[04:55] If you are moving your site from one server to another or from one domain to another, you could change this as you wish.
[05:01] The e-mail address, I'll leave the same. The sender name I'll leave the same.
[05:06] Live site URL is almost always blank.
[05:09] It really hasn't been used since Joomla! 1.0.
[05:10] Now we can click Next to go to the Finish page.
[05:16] Okay, we're almost finished.
[05:17] One of the last steps that we have to do is to remove the installation directory.
[05:21] Typically you would have to go in and delete this folder by yourself, but Akeeba Backup makes it easy for you; just click this link that says remove the installation directory automatically.
[05:32] It has now deleted that folder, and there's our site. There you have it.
[05:37] You've successfully taken a backup of your web site, moved it to a different URL, and restored it.
[05:42] This might seem like a complicated process at first, but once you've done it once or twice, it actually gets a lot easier.

Keeping Joomla! up to date

[00:00] Keeping Joomla! up-to-date is one of the key tasks to having a secure web site.
[00:03] When a vulnerability in Joomla!'s core code is found, you can typically expect an update within 24-48 hours.
[00:10] Before upgrading your web site, it's very important that you take a backup of your web site.
[00:15] This is done so that if something goes wrong, you could always restore it back to the point it was before you attempted to make the update.
[00:21] To check and see what the current version of Joomla! is, open up a browser to joomla.org.
[00:29] On the right side of the screen, you'll see a black button that says Download Joomla! Get The Latest Version. Click that, and here we can see that the latest version of Joomla! is 1.5.20.
[00:39] Now we want to log in to the back-end of our web site and see what version we are using.
[00:48] It appears that we are using version 1.5.19.
[00:51] We can see this in the top right-hand corner of the Joomla! Control Panel.
[00:56] Since we are one version behind, we need to update our Joomla! installation.
[01:01] Back over on the Download Joomla! page, we can see that the Joomla! leadership team has conveniently put a link here to the update file from the most recent version to the current version.
[01:12] But let's say that you have a version that's previous to 1.5.19.
[01:16] By clicking download other Joomla! 1.5.x packages, we can see other Joomla! 1.5.x packages that we can upgrade to the latest version.
[01:26] Here we see we have 1.5.14 to 1.5.20.
[01:31] If you are using 1.5.14, that means that you're six updates behind.
[01:36] You don't need to go from 14 to 15 and 16; you can just jump from 14 to 20.
[01:42] What's nice about Joomla! updates is that they never touch the database.
[01:45] They only touch files.
[01:47] So all you have to do is overwrite your files with the patch files.
[01:50] We're going to take a look into that now.
[01:52] Since our version of Joomla! is only one update behind, we can click the back button, and then we can download the 1.5.19 to 1.5.20 Upgrade Package link.
[02:06] Click that. Click OK to save it.
[02:12] Now we'll go to our Downloads folder.
[02:13] Now as you can see, here is our patch file.
[02:22] We'll right-click on it, and we'll extract it, and when it's complete, those files will open.
[02:32] Now I'm going to pull up the folder that contains our web site.
[02:42] This is the Joomla! security folder.
[02:46] All we have to do is copy these files over to Joomla!'s root directory, and if it asks you, do you want to overwrite the files, just click Yes.
[02:55] Click Copy and Replace, and do this for all conflicts.
[02:59] Now we can go back over to the administrator.
[03:03] You can see here, it says 1.5.19.
[03:07] If I hit refresh, it now says 1.5.20.
[03:11] We've just successfully upgraded our Joomla! installation from 1.5.19 to 1.5.20.
[03:18] That seems like a lot of steps, but there's an easier way to do it.
[03:24] Okay, now we're back at 1.5.19.
[03:27] The extension we want to look for is Update Manager for Joomla!. There's a couple of ways to find it.
[03:32] I prefer to go to joomla.org. In the top, click on Extensions.
[03:41] This is the Extensions directory where you'll find thousands of Joomla! extensions.
[03:45] In Search JED, type in "update manager" and hit Search.
[03:54] Scrolling down, it's probably the first listing.
[03:56] It's called Update Manager for Joomla!. Clicking on this link will bring up its page.
[04:02] Clicking the Download button will take you to Joomla! Code, where you can download this extension.
[04:07] Clicking on com_updateman, the download starts.
[04:12] Now that the file is downloaded, we need to install it.
[04:18] Going back to your Joomla! Administrator, hover over Extensions > Install/Uninstall, click Browse, and then click on com_jupdateman, and click Open.
[04:31] Click Upload File and Install.
[04:34] It's a pretty quick install.
[04:36] Now that it's installed, you can hover over Components and click Update Manager.
[04:42] I'll admit that this extension isn't very pretty, but it does its job very well.
[04:46] Click on download and update file.
[04:50] What this does is it goes out to Joomla!'s server and says, okay, I'm using this version, what's the latest version?
[04:56] And then it automatically brings back the full package, which contains all the files, or just the patch package, that is, the files that have changed.
[05:03] For the most part, you'll always use the patch package.
[05:07] If something goes wrong on your site, you may want to do a full package update.
[05:10] I'll click Patch Package.
[05:13] Step 2 is telling us which file it's going to download and extract.
[05:18] The last sentence says, "If you are certain you want to use this method, you can proceed with the install." Go ahead and click "you can proceed with the install." And that's it!
[05:27] You have successfully upgraded your Joomla! install. Congratulations!
[05:32] Going back to Control Panel, now you can see your installation of Joomla! has been upgraded to the latest version.
[05:40] One thing I would recommend is signing up for forum announcements.
[05:44] To do this, open a new tab and go to forum.joomla.org.
[05:50] You can also get there by going to joomla.org and clicking Forum at the top.
[05:55] If you scroll down a little bit, you'll see that there is an Announcements board here.
[05:58] Clicking on it, you can see all the latest Announcements.
[06:01] 90% of what you see here is used for updates and releases that come out.
[06:06] To subscribe to this forum, you'll need to register on the site and then click the subscribe link.
[06:13] To register, just click the Register link here at the top of the page.
[06:17] A lot of people don't keep their Joomla! web sites up to date because they think it takes a lot of time, and that's partially true.
[06:23] It does take time to upgrade them all, especially if you maintain a lot of Joomla! web sites, but I will say that it's time well spent.

2. Managing Extensions

Choosing secure extensions

[00:00] Nearly all of the Joomla! web sites that have been compromised were done so through one of the thousands of third-party extensions available for Joomla!
[00:07] To date, only one vulnerability in the core code has been severe enough to allow someone to gain full access to your web site.
[00:12] When that vulnerability was discovered, an update was available within hours.
[00:16] The point that I am trying to make here is that since almost all of the vulnerabilities are from third-party extensions, you have to be very careful about which extensions you install on your web site.
[00:25] One of the first things you want to do when choosing a third-party extension is check to see if it exists on the Joomla! extensions directory.
[00:33] You can access the Joomla! extensions directory by going to http://extensions.joomla.org
[00:41] In the Search box, type in the name of the extension you wish to use.
[00:45] If the extension is listed on the extensions directory, then you can be sure that the current version doesn't have any vulnerabilities reported.
[00:52] This does not mean that it's 100% safe; it just means that there aren't any that have been reported.
[00:57] The next thing you could do is go to inj3ctOr.com.
[00:59] When you pull up inj3ctOr.com, type in the name of the extension that you are concerned about.
[01:05] If it comes up, check the version number on inj3ctOr.com against the version number that is listed on the Joomla! extensions directory.
[01:12] If those two things match, you shouldn't use that extension.
[01:15] Something else you can do that's a little bit more complicated is to actually look at the source code within the extension.
[01:20] We have an example to look at.
[01:23] Here we have two copies of the same extension:
[01:25] The one on the left is called Vulnerable.
[01:27] The one on the right is called Not Vulnerable.
[01:30] The purpose of these two examples is to show what's not good and what is good.
[01:35] The first thing, and the easiest thing you could check for, is that you have the line defined('_JEXEC') or die('Restricted access'); at the top of every single PHP file.
[01:46] On the right side, you see we have this; on the left side you can see that it's missing.
[01:50] This opens this file up to several exploits.
[01:53] The next thing we want to check for is to see if the data that is pulled into this extension has been sanitized.
[02:00] We can see that this value on the left side in the vulnerable.php file just uses PHP's request variable.
[02:06] On the right side, we're actually using the JRequest class that is contained within the Joomla! framework.
[02:11] By using the Joomla! framework, we can use functions such as getInt to verify that the only value that can come in from ID is an integer.
[02:19] On the left side, we cannot verify that.
[02:21] This leaves the extension open to something called SQL injection.
[02:24] The other thing we can look for is to see if the database prefix has been hard-coded into the SQL statements.
[02:30] By default, the database prefix within Joomla! is jos_.
[02:33] We can see that here in the vulnerable.php file.
[02:37] On the right side, we see that #__ has been used.
[02:41] By using #__ as your database prefix, as soon as Joomla! executes the query, it will replace it with the proper database prefix.
[02:51] The example on the left only works if you are using the default database prefix, and will not work if you have changed it, which we recommend in other lessons.
[03:00] The last tip I have about choosing extensions is to not use pirated extensions.
[03:04] Some extensions within Joomla! are not free, although they should be GPL.
[03:08] The use of pirated extensions is strongly discouraged, since you cannot be sure if it has been modified to allow a hacker easy access to your web site.
[03:16] Third-party extensions are a vital part of what makes Joomla! so popular; however, each time you install one, the risk meter goes up just a little bit.
[03:24] Remember to choose few and choose carefully.

Uninstalling and disabling unused extensions

[00:00] When people learn about the thousands of extensions available on the Joomla! extensions directory, they jump right into action and start installing.
[00:07] There is nothing wrong with this as long as you do it on a test web site, preferably one installed locally.
[00:12] When a site goes live, any unused extensions should be uninstalled or disabled.
[00:16] The key thing to remember is to know the difference between a test site and a production site.
[00:21] A test site is one where you could install anything and just play around with stuff, but a production site is one that is accessible to the world.
[00:28] Let's take a look at how to uninstall and disable extensions.
[00:31] The first thing we're going to do is log into our Joomla! administrator.
[00:34] This can either be done after you've deployed your web site out on a web server, or you can do it locally before you move your site.
[00:43] The next thing we want to do is go to Extensions > Install/Uninstall.
[00:45] Let's go to the Components tab and start there.
[00:53] If we look over in the Author column, we can see who the author is of all of these extensions.
[00:58] The main reason why we only disable extensions where the author is Joomla! Project is that other components may have interdependencies.
[01:05] The components that the core team has deemed harmful to uninstall have been grayed out.
[01:09] I would take it a step further and say that any extension that was written by the Joomla! Project should not be uninstalled; instead, you should disable those.
[01:16] Looking at line two, we can see the Banners component.
[01:19] Since we are not using the Banners component, we can click this check box to make it an X, and that will disable it.
[01:25] Going on down, we know that we're not using Newsfeeds, so we can disable that one as well.
[01:29] Since we are using Polls, we want to leave that one checked.
[01:32] We're not using Web Links, so we can disable that one.
[01:35] We see here that we have three other extensions that are not written by the Joomla! team.
[01:41] Like all web sites you build, you should have a backup solution.
[01:43] So we'll leave that one. We are not using easysql anymore, so we can uninstall that one.
[01:50] Xmap is a sitemap component that we are using.
[01:52] Since we are using that one, we want to leave it alone.
[01:54] Next, we click Uninstall to uninstall easysql.
[02:00] The component has successfully been uninstalled.
[02:02] Let's go over to the Modules tab.
[02:05] Again, we have extensions that are written by the Joomla! Project that we should not uninstall.
[02:10] By looking at the Author column, we can see that we have three modules that are not written by the Joomla! Project.
[02:16] We know we don't need this one because we are not using it anymore.
[02:18] We are not using the Simpsons quotes, but we are in fact using the Akeeba admin module, so we'll leave it alone.
[02:25] Scroll back to the top, and click Uninstall.
[02:28] Those modules have been uninstalled successfully.
[02:30] Next, we go to the Plugins tab.
[02:33] We haven't installed any plug-ins.
[02:35] There is really nothing here to mess with.
[02:36] The same goes for Languages and Templates.
[02:38] We haven't installed anything extra, so we'll just leave that alone.
[02:40] Please remember that you do not want to uninstall any extensions where the author is the Joomla! Project; you only want to disable them.
[02:48] The key thing to take away from all of this is to launch your web site with the fewest number of extensions possible.
[02:53] Each extension that you uninstall not only reduces the size of your web site for when you take backups, but it also lowers your risk meter just a little bit.

Assessing vulnerabilities

[00:00] Although I will not be teaching you how to hack a Joomla! web site, I will encourage you to think like a hacker.
[00:05] By periodically checking sites like inj3ctOr.com, you can stay up to date with what vulnerabilities are circulating in the hacker community.
[00:12] I use the term "hacker" lightly, since most of the people who use sites like that to hack Joomla! web sites are just high school kids on a virtual joy ride.
[00:19] You will also want to subscribe to Joomla! Security Updates.
[00:23] There are various ways of doing this, but the Announcements forum at forum.joomla.org is one method that will be there long-term.
[00:30] Going to forum.joomla.org, you should log in or register.
[00:35] If you don't already have a login, click Register.
[00:38] Once you've registered, we can log in to the site.
[00:45] Once logged in, click on Announcements, under Joomla! Announcements.
[00:52] At the top of the forum, under the Announcements title, click the link for Subscribe forum.
[00:56] Now you have been subscribed to the Announcements forum.
[01:00] Any updates that come through, like new releases or security updates, will be sent to your e-mail.
[01:06] The last way to stay on top of vulnerabilities is to subscribe to the third-party developer mailing list for the extensions that you use.
[01:13] These mailing lists are really good about using them for actual updates and not for spamming.
[01:18] Staying ahead of the game is crucial when using any content management system, and not just Joomla!. By staying up to date on vulnerabilities, your web site is less likely to be targeted by hackers.

3. Administering EffectivelySetting up passwords| 00:00 | It goes without saying that
having a strong password is important.
| | 00:03 | Although I am just as guilty as the next person,
| | 00:05 | the use of a child's
name should never be done.
| | 00:08 | The information on this video is
important when using any web site and not just
| | 00:12 | your Joomla! web site.
| | 00:14 | So, what does make a strong password?
| | 00:15 | Let's start by taking a look at some
characteristics of a strong password.
| | 00:22 | Password should contain letters,
numbers, mixed cases, as well as symbols.
| | 00:29 | If you combine all of these, it makes
it really hard for someone to guess your
| | 00:33 | password, or even brute force,
| | 00:35 | where they use a script or a program
that systematically tries checking every
| | 00:39 | single password, like AA, AB, AC, all the way
up until, well, as many characters as they want.
| | 00:47 | The more complicated your password is,
the harder it is for those methods to work.
| | 00:51 | Well, what makes a bad password?
| | 00:54 | The use of a child's name is not a
good one because anyone who knows you more
| | 00:57 | than five minutes could
probably guess that child's name.
| | 01:00 | Some people like to use anniversaries,
birthdays, and that sort of thing.
| | 01:04 | I wouldn't recommend that either.
| | 01:06 | If you have a hard time remembering
passwords, I would recommend you try what's
| | 01:09 | called character substitution.
| | 01:11 | Let's take a look at someone's name.
| | 01:13 | Instead of just having
your password be TomMueller,
| | 01:18 | we can use character
substitution and spell it like this.
| | 01:29 | That's a lot harder to guess t0mmu3113r,
and since we need symbols, it's always good
| | 01:36 | to add a couple of symbols at the end.
And that makes it a lot easier to
| | 01:40 | remember this password.
| | 01:42 | Now, if you want a really strong
password, let's say one that gives someone access to
| | 01:46 | a server or FTP account to your web site,
| | 01:49 | I recommend using a free
random password generator.
| | 01:53 | If you go to google.com and just type in free
random password, a bunch of them will come up.
| | 01:57 | Although these are very hard to remember,
and you most likely have to write them
| | 02:01 | down unless you use them
infrequently, they are the best way to go.
| | 02:04 | I would also recommend that your
company, or even just yourself if this is you
| | 02:09 | alone, that you have some sort
of password changing policy.
| | 02:12 | Put a reminder on your calendar.
| | 02:13 | And every three or six
months, change all your passwords.
| | 02:17 | This keeps your password fresh
and harder for people to crack.
| | 02:20 | The main thing to remember is that
passwords should not be something that someone
| | 02:24 | or some program can figure out quickly.
| | 02:27 | By using some of the ideas we just
discussed, you can be sure that your password
| | 02:31 | is really, really difficult to crack.
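The lesson's four characteristics (letters in both cases, numbers, symbols) and its brute-force argument, worked through as an added Python example that is not part of the video or its exercise files. `missing_classes` reports which of the four classes a password lacks, `search_space` counts the candidates a brute-force run (AA, AB, AC, ...) has to try at that length when it only draws on the classes the password uses, and `generate_password` is a small stand-in for the free random password generators the lesson recommends. The symbol set and the 16-character default are assumptions of this example.

```python
import secrets
import string

# The four character classes the lesson asks for: letters in both cases,
# numbers and symbols. The symbol set is an assumption of this example.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
CLASSES = (
    ("lowercase letters", LOWER),
    ("uppercase letters", UPPER),
    ("numbers", DIGITS),
    ("symbols", SYMBOLS),
)


def missing_classes(password: str) -> list:
    """Names of the lesson's character classes that the password does not use."""
    return [name for name, cls in CLASSES
            if not any(ch in cls for ch in password)]


def search_space(password: str) -> int:
    """How many candidates a brute-force run (AA, AB, AC, ...) has to try at this
    length if it only draws on the character classes the password actually uses.
    Mixing in more classes grows this number faster than adding length alone."""
    alphabet = sum(len(cls) for _, cls in CLASSES
                   if any(ch in cls for ch in password))
    return alphabet ** len(password)


def generate_password(length: int = 16) -> str:
    """Random password guaranteed to contain every class, drawn from the operating
    system's CSPRNG via `secrets` (a stand-in for the free generators the lesson
    points to). The 16-character default is an assumption."""
    if length < len(CLASSES):
        raise ValueError("length must leave room for one character of each class")
    # One character from each class so no class can be missing ...
    chars = [secrets.choice(cls) for _, cls in CLASSES]
    # ... then fill the rest from the full pool.
    pool = "".join(cls for _, cls in CLASSES)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle with secrets.randbelow so the guaranteed characters
    # do not end up in a predictable position.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    for pw in ("TomMueller", "t0mmu3113r", "t0mmu3113r!#", generate_password()):
        print(f"{pw:20} missing={missing_classes(pw)!r:40} "
              f"search space={search_space(pw):.2e}")
```

Running it on the lesson's own names shows why "add a couple of symbols at the end" matters: `t0mmu3113r` still uses only lowercase letters and digits, so its search space is 36 to the power 10, while the same length drawn from all four classes is 86 to the power 10.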

Creating a new super administrator
| | 00:00 | By default, Joomla! creates a
super administrator called 'admin' during
| | 00:04 | installation. Knowing this, a would-be
hacker could use this against you.
| | 00:07 | We will need to create a new super
administrator user and delete the old one.
| | 00:11 | Okay, the first thing we want to do is
head over to the administrator of our
| | 00:14 | web site and log in with our username Admin,
and the password was set up during installation.
| | 00:22 | On the Control Panel, you'll see
an icon here for User Manager.
| | 00:26 | Likewise, you can go under Site and click
User Manager; they both link to the same place.
| | 00:31 | When User Manager loads, we can see
that we only have one user created.
| | 00:36 | Let's go ahead and create a
new user for ourself. Click New.
| | 00:39 | For Name, I'll type my name. I'll enter
a username, enter my e-mail address, and
| | 00:52 | I'll choose a secure password.
| | 00:55 | For a group, we want to choose Super
Administrator and then click Save.
| | 01:02 | You can see that the user
Kenneth Crowder was successfully saved.
| | 01:06 | This error at the top is okay.
| | 01:07 | This error is basically stating that it
was unable to send the welcome e-mail.
| | 01:11 | Since we're working locally, a mail
server is not installed, so we can just
| | 01:15 | ignore this for now.
| | 01:16 | Now that we've created the new
super administrator, we need to delete
| | 01:21 | the username admin.
| | 01:23 | You would think that we could just check the
box next to Administrator and click Delete.
| | 01:27 | This is not the case, because you
cannot delete a super administrator.
| | 01:30 | What we have to do is demote the super
administrator to a lower group, and then delete it.
| | 01:36 | Since we are logged in as admin, we
need to log out and then log back in as a
| | 01:41 | user we just created.
| | 01:46 | Once again, we'll go to User Manager.
| | 01:49 | We want to edit the admin user;
| | 01:51 | We can do so by clicking its name or
clicking the check box and clicking the
| | 01:54 | Edit icon in the upper right-hand corner.
| | 01:57 | To demote the user, we just
click on the different group.
| | 02:00 | We'll go ahead and make the admin
user a registered user and click Save.
| | 02:06 | Now that our Administrator is saved, and
it's a registered user, we can now delete it.
| | 02:10 | We'll click the check box next
to Administrator and click Delete.
| | 02:14 | I'm glad to see that this tidbit is
spreading throughout the Joomla! community,
| | 02:18 | however, it is still one task
that is most often times left undone.
| | 02:22 | Thankfully, in the next version of
Joomla!, users will be able to choose their
| | 02:26 | username during installation.

Understanding the jos_prefix
| | 00:00 | When you first install Joomla!, each
database table is prefixed with jos_.
| | 00:04 | By using different database prefixes,
you can have multiple installations of
| | 00:08 | Joomla! on the same database.
| | 00:10 | The problem is that many exploits
rely on the database prefix being jos_.
| | 00:15 | For this reason, it's important to
change that to anything other than jos_.
| | 00:19 | Here we have the default
installation screen for Joomla.
| | 00:23 | The first page is to choose a language.
| | 00:25 | If your language is English, just click Next.
| | 00:28 | This is the Pre-installation Check.
| | 00:30 | We'll click Next, the Licensing. Click Next.
| | 00:35 | This is the Database Configuration screen;
| | 00:37 | this is where we will
change our database prefix.
| | 00:40 | The Host Name we've seen before. This is
typically localhost. The Username is the
| | 00:44 | username you've created to access your database.
| | 00:48 | I'll enter my password, which for
this local installation is blank, and the
| | 00:53 | Database Name is joomlasecurity.
| | 00:57 | What's new here is this Advanced Settings tab.
| | 00:59 | When we click that, it flies out, and
you can see here we have Table Prefix.
| | 01:05 | You can change this to anything
other than jos_ or bak_, as this is used
| | 01:10 | to backup all tables.
| | 01:12 | I will just use my initials.
| | 01:14 | You can choose your initials or
just three or four random characters.
| | 01:17 | I'm often asked if the underscore is needed.
| | 01:19 | The truth is that it's not, but it's
good to add it just for clarity purposes.
| | 01:23 | Whenever you're looking at your
database tables in phpMyAdmin, it's much easier
| | 01:27 | to distinguish one table from
another if the underscore is there.
| | 01:31 | Let's click Next to continue to the next screen.
| | 01:34 | This is the FTP Configuration screen.
We won't go over that in this lesson, so
| | 01:38 | we'll just click Next.
| | 01:40 | For Site Name, we'll enter Joomla!
Security, I'll enter my e-mail address and my
| | 01:46 | Admin Password, click
Install Sample Data, Next. Congratulations!
| | 01:56 | Joomla! is now installed.
| | 01:58 | All we have to do is go delete the
installation directory and then click Site, up
| | 02:09 | here in the corner, and there we have it.
| | 02:11 | We've installed Joomla! using a
database prefix that is different than jos_.
| | 02:16 | Just to make sure, let's go check.
| | 02:17 | I am pulling up phpMyAdmin.
| | 02:25 | As you can see, all of our database tables
begin with kwc_. Just doing this one best practice
| | 02:31 | will prevent most of the exploits
that are used to hack your web site.
| | 02:35 | Now that we've looked at how to
change your database prefix during
| | 02:39 | installation from the default,
| | 02:41 | let's take a look at what you do
if your web site has already been set up.
| | 02:44 | The first thing we need to do is log
in to the back-end of our web site.
| | 02:53 | Go into Global Configuration, we
can take a look at what our current
| | 02:56 | Database Prefix is.
| | 02:58 | We can see here that it's currently jos_.
| | 03:00 | This is the default.
| | 03:01 | This is what we want to change.
| | 03:02 | So, to change this we need to
install an extension called easysql.
| | 03:07 | We can get to it from the
Joomla! extensions directory.
| | 03:09 | I'll do so by opening a new tab, going
to joomla.org, clicking Extensions at
| | 03:18 | the top of the page, and in this
Search bar, type "easysql," all one word.
| | 03:26 | Scrolling down a little bit,
you should only have one result.
| | 03:28 | Go ahead and click on its title and
then click the Download button. The download
| | 03:36 | should start immediately.
| | 03:37 | Now, going back over to the Joomla!
administrator, let's install this extension.
| | 03:43 | Go to Extensions > Install/Uninstall,
click Browse, find the component you just
| | 03:50 | downloaded, click Open,
and Upload File & Install.
| | 03:55 | Now, we want to go up to Components >
Easy SQL. In the Command dropdown, the very
| | 04:01 | last option should say
REPLACE PREFIX jos_ TO blank.
| | 04:07 | This is not valid SQL, but this
extension understands what you're trying to do,
| | 04:10 | and it takes care of changing the
prefix, as well as updating Joomla!'s
| | 04:14 | configuration.php file.
| | 04:16 | Rename newprefix_ to whatever you would like.
| | 04:21 | I recommend you choose three or four
random characters, followed by an underscore.
| | 04:25 | Let's go ahead and change newprefix_ to lynd_.
| | 04:30 | Again, the underscore is not required,
but it's preferred to make it easier to
| | 04:34 | distinguish tables from each
other when looking in phpMyAdmin.
| | 04:38 | When you finish typing in your new prefix,
click Exec SQL in the top right-hand corner.
| | 04:45 | Now that the SQL is executed, let's go
back to Global Configuration and verify
| | 04:49 | that it did in fact change.
| | 04:51 | As you can see, under
Database Prefix is now lynd_.
| | 04:54 | The reason why we didn't just change it
here is because this would only change it
| | 04:59 | within the configuration.php file; it
would not go and update your tables.
| | 05:04 | There is a warning here basically
telling you that you shouldn't change this
| | 05:07 | unless you know what you are doing.
| | 05:09 | I'll click Close to go back to the
Control Panel. That way I don't change
| | 05:12 | anything accidentally.
| | 05:14 | You may not realize it, but this is
one best practice that could be the
| | 05:17 | difference between your
site being hacked or not.
| | 05:19 | Given how simple it is, you really
do get the most bang for your buck.
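What a prefix change on an existing site actually involves, as an added Python example that is not part of the video and is not the Easy SQL extension's own code: each table carrying the old prefix needs a RENAME TABLE statement, and the `$dbprefix` line in configuration.php needs to follow, which is why editing only Global Configuration breaks the site. The table list and the configuration.php excerpt are constructed samples, and the prefix rules (`jos_` and `bak_` rejected, letters first, then letters, digits or underscore) are this example's reading of the lesson.

```python
import re

# Constructed sample data (not taken from a real site): three tables from a
# default Joomla! 1.5 installation plus one table from another application
# that shares the database and must be left untouched.
SAMPLE_TABLES = ["jos_users", "jos_content", "jos_session", "wp_posts"]

# Constructed excerpt of a Joomla! 1.5 configuration.php showing the
# $dbprefix setting that Global Configuration edits.
SAMPLE_CONFIG = """<?php
class JConfig {
    var $dbtype = 'mysql';
    var $host = 'localhost';
    var $user = 'joomla';
    var $dbprefix = 'jos_';
}
?>
"""

# jos_ is the default, bak_ is what the backup of all tables uses.
RESERVED_PREFIXES = ("jos_", "bak_")


def validate_prefix(prefix: str) -> str:
    """Apply the lesson's rules: anything but jos_ or bak_, and safe inside a table name."""
    if prefix in RESERVED_PREFIXES:
        raise ValueError(f"{prefix!r} is reserved; pick three or four random characters instead")
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", prefix):
        raise ValueError("prefix must start with a letter and use only letters, digits or _")
    return prefix


def rename_statements(tables, old: str = "jos_", new: str = "kwc_") -> list:
    """One RENAME TABLE statement per table that carries the old prefix.
    Tables with a different prefix (another application's) are skipped."""
    validate_prefix(new)
    return [f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;"
            for t in tables if t.startswith(old)]


def rewrite_dbprefix(config_php: str, new: str = "kwc_") -> str:
    """Point configuration.php at the renamed tables. Changing only this line,
    as Global Configuration would, without renaming the tables breaks the site."""
    validate_prefix(new)
    pattern = re.compile(r"(\$dbprefix\s*=\s*')[^']*(')")
    updated, count = pattern.subn(lambda m: m.group(1) + new + m.group(2), config_php)
    if count != 1:
        raise ValueError(f"expected one $dbprefix assignment, found {count}")
    return updated


if __name__ == "__main__":
    for stmt in rename_statements(SAMPLE_TABLES, new="kwc_"):
        print(stmt)
    print(rewrite_dbprefix(SAMPLE_CONFIG, "kwc_"))
```

The two steps belong together: run the RENAME statements against the database and write the updated configuration.php in the same maintenance window, after taking the backup from chapter 1.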

Setting different database and super administrator passwords
| | 00:00 | A lot of the previous best practices
that we have discussed have a lot of
| | 00:03 | bang for their buck.
| | 00:04 | Unfortunately, this is not one of them.
| | 00:06 | While important, this best practice
combined with other ones will drastically
| | 00:10 | reduce the risk of your web site being hacked.
| | 00:13 | We're going to discuss why it is
important to have a different database password
| | 00:17 | than your super administrator password.
| | 00:20 | The first thing we need to do is go
into cPanel to create our database.
| | 00:31 | Once logged in, scroll
down to the Databases section.
| | 00:35 | Click on MySQL Databases. Create your database.
| | 00:42 | In the Add New User section,
we need to create a username.
| | 00:45 | I will just use the username joomla.
| | 00:48 | For Password, we want to
create something completely cryptic.
| | 00:52 | I'll explain why a little bit later.
| | 00:54 | Click on the Password Generator button.
| | 00:56 | As you can see, a password
has been generated for us.
| | 01:00 | Let's copy this, as we will need it later.
| | 01:03 | Check the box that says "I have
copied this password to a safe place," and
| | 01:07 | click Use Password.
| | 01:08 | The password has been populated into the Password,
and Password (Again) fields. Click Create User.
| | 01:15 | The last step that we have to do in
here is give the user permissions to
| | 01:19 | access that database.
| | 01:21 | In the Add User To Database, we want
to select the users that we want to have
| | 01:24 | access to our database.
| | 01:25 | In this case, we only have one.
| | 01:27 | Then we choose which database it gets access to.
| | 01:31 | Again, it only has one.
| | 01:32 | You may have more in this list. Click Add.
| | 01:36 | On this screen, you have to tell
it which privileges this user has.
| | 01:40 | For the purposes of using this user and
database with Joomla!, you want to click
| | 01:44 | All Privileges, and click Make Changes.
| | 01:48 | The next thing we want to do is go over
to the Joomla! web installer and start
| | 01:52 | our installation process.
| | 01:53 | We'll click Next to go past
the Language screen. Next.
| | 02:00 | For Host Name, we will choose localhost.
| | 02:04 | The Username, going back over to cPanel,
scrolling down a little bit, we can see
| | 02:10 | that our user is demojoom_joomla.
| | 02:18 | I copied the password to my clipboard,
| | 02:20 | so I'll just press Ctrl+V to paste that there.
| | 02:22 | For the Database Name, we can go back
over to cPanel, and see that our database
| | 02:27 | name is the same as our username.
| | 02:28 | It's demojoom_joomla.
| | 02:30 | To help make this secure, we're going
to change our database prefix, since we're
| | 02:40 | on this screen. Then click Next.
| | 02:46 | Click Next to get past
the FTP Configuration screen.
| | 02:50 | For Site Name, we will type Demo Joomla! Site.
| | 02:55 | I will enter my e-mail
address and my admin password twice.
| | 03:02 | Clicking Install Sample Data will
install all of the sample data that comes
| | 03:05 | with Joomla! by default.
| | 03:07 | If you don't click this, you'll just have a
blank site, which is fine for most experts.
| | 03:12 | Click Next.
| | 03:13 | The next thing we need to do is
remove the Joomla! installation directory.
| | 03:17 | I'm going to open up an FTP client,
connect to my web site, navigate into the
| | 03:25 | public_html folder, and
delete the installation directory.
| | 03:31 | Some people just rename
their installation directory.
| | 03:33 | While this is typically safe,
| | 03:34 | I wouldn't recommend it; it's
best to delete it completely.
| | 03:37 | Now that the installation directory has
been deleted, let's go back over to our
| | 03:41 | Installation screen, and click Site.
| | 03:44 | Now that Joomla! is installed, let's
just go in and take a look and see what
| | 03:49 | the two passwords look like,
and see how they're different.
| | 03:50 | Going back over to my FTP client,
I'm going to open configuration.php.
| | 04:02 | In this file, we can see that the
variable password equals
| | 04:06 | something completely cryptic.
| | 04:08 | This is our database password.
| | 04:09 | The password we entered for our admin
account was something that we could remember.
| | 04:13 | Since we'll never use the database
password again, it's okay to have it
| | 04:16 | something completely cryptic,
since we don't have to memorize it.
| | 04:20 | The reason we want this password to be
different than our super administrator
| | 04:23 | password is that this
one is stored in plain text.
| | 04:25 | Later, we'll take a look at our super
administrator password, and see how it's
| | 04:29 | stored in the database.
| | 04:31 | On its own, this isn't that big of a
deal, except that if this issue is in
| | 04:35 | place, and other issues are in place,
a potential hacker could read your
| | 04:39 | database password, log in to your database,
and then make changes without your knowledge.
| | 04:46 | Something fun to do is to go into
the database and see exactly how the
| | 04:50 | admin password is stored.
| | 04:52 | To do this, we'll go back over to cPanel.
| | 04:54 | I'll click on Home.
| | 04:56 | Let's scroll back down to the
Database section, and click on phpMyAdmin.
| | 05:02 | Selecting which database I would like,
and then again, selecting the users table,
| | 05:10 | we can see that our password
is stored as an MD5 salted hash.
| | 05:15 | This is nothing more than a fancy way
of saying that your password is very
| | 05:18 | secure when it is saved to the Joomla! database.
| | 05:21 | Again, there is nothing
fancy about this best practice.
| | 05:23 | Just knowing that you should keep
your database password and your super
| | 05:27 | administrator password
different is really all that matters.
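The difference the lesson shows between the two passwords, as an added Python example that is not part of the video: the database password sits in configuration.php in plain text, while the super administrator's password is stored in the users table as an MD5 salted hash. `joomla15_hash` reproduces that layout (md5 of password plus salt, a colon, then the 32-character salt, which is this example's assumption about Joomla! 1.5 and should be compared against your own users table), `joomla15_verify` checks a candidate against it in constant time, and `passwords_are_shared` is the check the lesson is really about: whether the plain-text database password would also open the admin account. The configuration.php excerpt and the stored hash are constructed samples; MD5 appears here only because that is the format the lesson shows in phpMyAdmin.

```python
import hashlib
import hmac
import re
import secrets
import string

SALT_CHARS = string.ascii_letters + string.digits


def joomla15_hash(password: str, salt: str = None) -> str:
    """Hash a password in the layout the lesson shows in the users table:
    md5(password + salt), a colon, then the 32-character salt.
    (Assumed Joomla! 1.5 layout; compare against your own jos_users rows.)"""
    if salt is None:
        salt = "".join(secrets.choice(SALT_CHARS) for _ in range(32))
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def joomla15_verify(password: str, stored: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    digest, sep, salt = stored.partition(":")
    if not sep:
        return False
    candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


def database_password(config_php: str) -> str:
    """Extract the plain-text $password from a configuration.php excerpt
    (assumes the value contains no escaped single quotes)."""
    m = re.search(r"\$password\s*=\s*'([^']*)'", config_php)
    if m is None:
        raise ValueError("no $password assignment found")
    return m.group(1)


def passwords_are_shared(config_php: str, admin_hash: str) -> bool:
    """The lesson's point: does the plain-text database password in
    configuration.php also open the super administrator's account?"""
    return joomla15_verify(database_password(config_php), admin_hash)


# Constructed sample: a configuration.php excerpt with a generated database
# password, and a stored hash for an admin account. Neither is from a real site.
SAMPLE_CONFIG = """<?php
class JConfig {
    var $user = 'demojoom_joomla';
    var $password = 'v9Qx2rLpmK7sWzHa';
    var $db = 'demojoom_joomla';
}
?>
"""
SAMPLE_ADMIN_HASH = joomla15_hash("lynda", salt="A" * 32)   # constructed salt

if __name__ == "__main__":
    print("stored admin hash:", SAMPLE_ADMIN_HASH)
    print("database password in configuration.php:", database_password(SAMPLE_CONFIG))
    print("shared with the admin password?", passwords_are_shared(SAMPLE_CONFIG, SAMPLE_ADMIN_HASH))
```

Because the hash's salt is stored beside it, anyone who can read configuration.php and the users table can test the plain-text database password against the admin hash exactly as `passwords_are_shared` does; keeping the two different is what makes that test come back false.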

4. Setting Up User Accounts

Setting up user permissions
| | 00:00 | When thinking about user permissions,
compare it to a safe at your place of
| | 00:03 | business. I don't have to tell you that
giving everyone who works for you the
| | 00:07 | combination to the safe is a bad idea.
| | 00:09 | Think of it this way.
| | 00:10 | You might have some employees that
only need access to the safe's drop box.
| | 00:14 | You might also have some employees that you
don't even want to know that there is a safe.
| | 00:19 | Ideally, you would limit which
people have access to your safe.
| | 00:23 | Let's take a look at User Manager, at the
groups that we have available within Joomla!.
| | 00:26 | I'm going to click New, as
if I'm creating a new user.
| | 00:33 | Here you see that we have seven
groups within the back-end of Joomla!.
| | 00:35 | Technically, there are eight, because
if you don't have a group, you're just
| | 00:39 | considered a public user.
| | 00:41 | The groups are Registered, Author,
Editor, Publisher, Manager, Administrator,
| | 00:47 | and Super Administrator.
| | 00:49 | The first four are front-end
access groups, and the next three are
| | 00:53 | back-end access groups.
| | 00:55 | Whenever I build a site for a client,
I'm often asked by clients, "Why not make
all of the users super administrators?"
| | 01:01 | The reason is that the difference
between a super administrator and an
| | 01:05 | administrator is that a super
administrator can break your site.
| | 01:09 | The only thing that they can do
that an administrator cannot is go into
| | 01:12 | Global Configurations,
| | 01:14 | they can change your site's
language, and they can also use the mass
| | 01:17 | mail functionality.
| | 01:18 | This isn't something that a normal user
would need to do after the site is launched.
| | 01:22 | As a convenience, you can find the
User Permissions Guide document as a free
| | 01:26 | download under the Exercise Files tab.
| | 01:29 | It will outline the different groups, and
exactly what permissions each group member has.
| | 01:34 | Something else that should be noted is
that you should periodically go through
| | 01:38 | each of your sites, and check to make
sure that all of the people who have
| | 01:41 | back-end access still work for your company.
| | 01:44 | It might surprise you how many former
employees still have access to the sites
| | 01:47 | that they used to work on.
| | 01:49 | This is a gaping hole in your security,
especially if they left on a bad note.
| | 01:53 | I hope that I have convinced you to
take a hard look at which permissions each
| | 01:56 | member in your organization really needs,
as well as convinced you to schedule
| | 02:00 | routine audits on back-end user accounts.
| | 02:03 | It doesn't take much time, and it
will help protect your site from
| | 02:06 | unintentional changes.

Turning off the editor by default
| | 00:00 | This next tip or best practice is one
that I find that not many people have
| | 00:04 | given much thought to.
| | 00:05 | Joomla! has a fantastic editor that allows
you to do a lot of things to construct HTML.
| | 00:10 | It also allows you to upload and
manipulate files within specific directories.
| | 00:14 | As with user permissions, it is a good
idea to limit who has access to the editor.
| | 00:19 | I firmly believe that you should limit
the editor's access only to users who are
| | 00:23 | logged in to the back-end.
| | 00:25 | To do this, you want to log into the
back-end of your Joomla! web site, and go
| | 00:28 | to Global Configuration.
| | 00:32 | Once here, click the Site tab in the top.
| | 00:35 | Under Default WYSIWYG Editor, change the
Editor from TinyMCE to No Editor, and click Save.
| | 00:43 | What we have just done is we have
turned off the editor site-wide.
| | 00:48 | This just needs one more step.
| | 00:49 | We need to go into User Manager and
assign editor rights to those users that
| | 00:54 | need access to them.
| | 00:55 | We'll click on Administrator.
| | 00:57 | Under User Editor, we will
select TinyMCE Editor, and click Save.
| | 01:06 | Now, if an editor appears
anywhere on the site, only the admin will
| | 01:09 | actually see the editor.
| | 01:11 | Any other user will just see a text area.
| | 01:13 | You should be aware that occasionally
you will forget to assign an editor to
| | 01:17 | newly created back-end users.
| | 01:19 | I believe that this hassle
is well worth the benefit.

5. Tips, Tricks, and Industry Secrets

Avoiding PHP 4
| | 00:00 | Some of you may laugh, but there
are still servers running PHP 4.
| | 00:04 | The truth is that PHP 4 hit its end-
of-life on December 31st, 2007, and
| | 00:09 | development completely
stopped on August 8, 2008.
| | 00:12 | This means that any and all security
issues found after August 8, 2008 in PHP
| | 00:18 | 4 will not be fixed.
| | 00:19 | So let's take a look and find out
what version of PHP you're running.
| | 00:23 | From Joomla!'s Administrator, hover
over Help and click on System Info.
| | 00:28 | Under the System Info tab, you will find
the PHP version that you are currently using.
| | 00:34 | You can see here that I'm using version 5.3.1.
| | 00:39 | If your PHP version begins with the
number four, then there are some steps that
| | 00:42 | you need to take to fix it.
| | 00:43 | It should also be noted that
Joomla! has been optimized for PHP 5.
| | 00:48 | Most web hosts that run PHP 4 also
support PHP 5 on the same server.
| | 00:53 | You might be surprised to find
that if you go into your web site's
| | 00:55 | Configuration area, you might be
able to find a radio box to switch what
| | 00:59 | version of PHP you are using.
| | 01:01 | If you're not sure how to do this,
it's just best to contact your host.
| | 01:04 | This is typically something they can
do very quickly and don't mind doing.
| | 01:08 | Each time I speak in public on this
topic, and even while preparing for this
| | 01:11 | video series, I consider
pulling out this best practice.
| | 01:15 | The problem is that well, it's still a
problem, and until the day the web host
| | 01:18 | stops supporting PHP 4, I will
continue to warn people about its risks.

Using SEF URLs
| | 00:00 | Most people think of search engine friendly
URLs as a great way to improve page ranking.
| | 00:04 | This is true, however, they can also be
used to remove a large target off your back.
| | 00:09 | Looking at your Joomla! site,
let's click on Joomla! Overview.
| | 00:12 | We can see that this
URL contains index.php?
| | 00:16 | and then a bunch of parameters and values.
| | 00:20 | Opening a new tab, and going to
google.com, we can type allinurl:com_contact.
| | 00:30 | This brings up a list of all of the
pages that Google has indexed that contain
| | 00:34 | com_contact in the URL.
| | 00:38 | Knowing this a would-be
hacker could type in allinurl:
| | 00:41 | then the name of the component
that they have found to be insecure.
| | 00:45 | This would give them a list of every
web site that Google has indexed that
| | 00:48 | contains this component.
| | 00:50 | To combat this, we need to turn
on search engine friendly URLs.
| | 00:54 | Let's go over to Joomla!
Administrator and get started.
| | 00:57 | Having logged in to the Joomla!
Administrator as a super administrator, click on
| | 01:01 | Global Configuration.
| | 01:02 | Under the Sites tab in the SEO
Settings box, check Yes for all three options.
| | 01:08 | This warning icon here tells us
that Apache users need to rename the
| | 01:11 | htaccess.txt file, to
.htaccess before SEF URLs will work.
| | 01:17 | Click Save to save your changes.
| | 01:20 | Now we need to open up an FTP client,
connect to our web site, navigate to
| | 01:28 | Joomla!'s root directory, scroll down
and find the htaccess.txt file and
| | 01:34 | rename it to .htaccess.
| | 01:38 | Now we should be able to go back to the
front end of our web site, go back home,
| | 01:42 | and then I'll click on Joomla! Overview again.
| | 01:46 | You can see that this URL
is much cleaner than before.
| | 01:49 | Not only is it better for SEO, it also
doesn't contain the name of the component
| | 01:53 | that's being loaded.
| | 01:54 | If you need more control over your
URLs, you might want to consider an
| | 01:57 | extension called sh404SEF, but
for most people, the built-in SEF URL
| | 02:03 | functionality is more than sufficient.
| | 02:05 | Search engine friendly URLs
serve multiple purposes.
| | 02:08 | Now, you no longer have to think of
them as just another way to help with
| | 02:10 | search engine ranking.

Using .htaccess and robots.txt files
| | 00:00 | In this video, we will be looking at
the .htaccess and robots.txt files, and
| | 00:05 | discussing why they are important.
| | 00:07 | The .htaccess file is a great way
to prevent several types of hacks.
| | 00:11 | You should think of this as
your first line of defense.
| | 00:13 | The .htaccess file is not on by default.
| | 00:16 | By default, it is called htaccess.txt.
| | 00:19 | If you have turned on search engine
friendly URLs, then you have already
| | 00:22 | renamed this file properly.
| | 00:24 | Let's open this file and take a look at
some of the protections that it offers.
| | 00:28 | One of the first things the .htaccess
file prevents is the reading of .xml files.
| | 00:33 | Unfortunately, this is off by default.
| | 00:35 | Scrolling down to deny access to the
extension XML files, un-comment the next five lines.
| | 00:44 | Once this is done, no one will be
able to pull up an XML file in a browser.
| | 00:48 | The reason this is important is because all
components have an XML file attached to them.
| | 00:54 | If the hacker were to pull up the XML
file for your component, they can then see
| | 00:58 | which version of that component you are using.
| | 01:00 | Scrolling down a little bit farther, we
could see a bunch of rewrite condition rules.
| | 01:04 | I'm not going to go over each of
these individually, but in a nutshell, it
| | 01:08 | prevents users from having
certain key combinations within the URL.
| | 01:11 | All of the ones listed here
are to prevent common exploits.
| | 01:15 | One of the last things you would want
to do is scroll to the very bottom of
| | 01:18 | the .htaccess file.
| | 01:20 | You want to add a new line and type
Index with a capital I, Ignore with the
| | 01:27 | capital I. That's all one word, IndexIgnore *.
| | 01:32 | This prevents someone from using a
browser to list the contents of a directory.
| | 01:35 | Now, moving on to the robots.txt file,
the robots.txt file is used to prevent
| | 01:41 | search engine web crawlers from
indexing certain parts of your site.
| | 01:44 | Let's go ahead and pull up the
robots.txt file that we have.
| | 01:50 | You could find the robots.txt
file in Joomla!'s root directory.
| | 01:54 | The very first line is called a
user-agent line. It says all.
| | 01:57 | You could actually specify which web
crawlers you want to allow and disallow to
| | 02:02 | certain parts of your site.
| | 02:03 | The following lines all say Disallow.
The point of this is to tell - we'll
| | 02:07 | use Google as an example, that we don't
want them to index the administrator directory.
| | 02:12 | There's no reason that anyone
searching Google would ever need to find a URL
| | 02:15 | underneath the administrator directory.
| | 02:17 | They wouldn't have access anyway.
Although not really related to security,
| | 02:21 | I find that it is very beneficial
to remove the Disallow images line.
| | 02:25 | The reason for this is oftentimes there are
images and PDF documents that you would
| | 02:29 | want Google to index to
improve your search engine ranking.
| | 02:32 | The robots.txt is one of the easiest
tips that we have, since it's on by default.
| | 02:37 | These tips are easy to implement and
go a long way to helping secure
| | 02:40 | your web site.
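The three .htaccess changes and the one robots.txt change from this lesson, as an added Python example that is not part of the video or of Joomla!'s own htaccess.txt. `enable_xml_deny` un-comments exactly the five lines of the "deny access to extension xml files" block, `ensure_index_ignore` appends `IndexIgnore *` once, `audit_htaccess` reports whether those protections and the exploit-blocking RewriteCond rules are live, and `robots_without_images` drops the `Disallow: /images/` line while keeping the administrator directory disallowed. The .htaccess and robots.txt excerpts are constructed samples modelled on the layout the lesson scrolls through, not copies of the shipped files.

```python
import re

# Constructed .htaccess excerpt modelled on the Joomla! 1.5 htaccess.txt layout
# the lesson scrolls through, in its shipped state: the five XML-deny lines are
# still commented out, one exploit-blocking rewrite rule is present, and there
# is no IndexIgnore line yet.
SAMPLE_HTACCESS = """Options +FollowSymLinks

########## Begin - Deny access to extension xml files
## Uncomment the following five lines to deny access to extension xml files
# <Files ~ "\\.xml$">
# Order allow,deny
# Deny from all
# Satisfy all
# </Files>
## End of deny access to extension xml files

RewriteEngine On
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\\%3D) [OR]
RewriteRule ^(.*)$ index.php [F,L]
"""

# The five directives, as they read once un-commented.
XML_DENY_BLOCK = ['<Files ~ "\\.xml$">', "Order allow,deny", "Deny from all",
                  "Satisfy all", "</Files>"]

# Constructed robots.txt sample in the default layout the lesson describes.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /administrator/
Disallow: /cache/
Disallow: /images/
Disallow: /installation/
"""


def active_lines(text: str) -> list:
    """Directives Apache (or a crawler) actually sees: comments and blanks dropped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def enable_xml_deny(text: str) -> str:
    """Un-comment exactly the five XML-deny lines; every other line is left alone."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^#\s?(?!#)(.*)$", line)   # single '#' comment, not a '##' note
        body = m.group(1).strip() if m else None
        out.append(body if body in XML_DENY_BLOCK else line)
    return "\n".join(out) + "\n"


def ensure_index_ignore(text: str) -> str:
    """Append the lesson's last step, 'IndexIgnore *', unless it is already there."""
    if re.search(r"^\s*IndexIgnore\s+\*\s*$", text, re.MULTILINE):
        return text
    return text.rstrip("\n") + "\n\nIndexIgnore *\n"


def harden_htaccess(text: str) -> str:
    """Both .htaccess edits from the lesson, safe to run more than once."""
    return ensure_index_ignore(enable_xml_deny(text))


def audit_htaccess(text: str) -> dict:
    """Which of the lesson's three protections are live in this file."""
    live = active_lines(text)
    return {
        "xml_deny_active": all(d in live for d in XML_DENY_BLOCK),
        "index_ignore": any(re.fullmatch(r"IndexIgnore\s+\*", ln) for ln in live),
        "exploit_rewrites": any(ln.startswith("RewriteCond %{QUERY_STRING}") for ln in live),
    }


def robots_without_images(text: str) -> str:
    """Drop the 'Disallow: /images/' line, the SEO-only change the lesson suggests,
    keeping every other rule (the administrator directory stays disallowed)."""
    kept = [ln for ln in text.splitlines() if ln.strip() != "Disallow: /images/"]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("before:", audit_htaccess(SAMPLE_HTACCESS))
    print("after: ", audit_htaccess(harden_htaccess(SAMPLE_HTACCESS)))
    print(robots_without_images(SAMPLE_ROBOTS))
```

`audit_htaccess` is the part worth keeping around: run it over the live .htaccess after a Joomla! upgrade, since a fresh htaccess.txt ships with the XML block commented out again.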

Evaluating directory permissions
| | 00:00 | Have you ever uploaded a file in Joomla!
and later found that you could not edit it?
| | 00:04 | On some servers, when a file is uploaded,
that file is not owned by you but by
| | 00:08 | the web server itself.
| | 00:10 | This can cause issues if you try to
edit the file using methods such as FTP.
| | 00:14 | Since you did not technically own the file,
you did not have permission to edit it.
| | 00:18 | To get around this, some hosting
companies will change the permissions of your
| | 00:21 | files, so that anyone can edit them.
| | 00:23 | This appears to work great, since you
will then be able to edit your files.
| | 00:27 | Notice that I said that
anyone can edit your files.
| | 00:30 | That means that any other user on the server
could potentially edit or delete your files.
| | 00:35 | To put a band-aid on this issue,
Joomla! 1.5 comes with what is called the FTP layer.
| | 00:40 | This will force the file to be
owned by you, and not by the web server.
| | 00:44 | By the way, the FTP layer can be turned
on during installation or from within a
Global Configuration.
| | 00:50 | It might surprise you to know
that I never use the FTP layer.
| | 00:53 | Some disagree, but my personal opinion
is that if you need to use the FTP layer,
| | 00:57 | there are other issues in the
server that need to be addressed.
| | 01:01 | You may not have these issues, but if
you do, I recommend that you contact
| | 01:04 | your host and ask them to correct the
issue of PHP running as Apache and not
| | 01:08 | as your hosting account.
| | 01:10 | Some hosts are very
accommodating, while others are not.
| | 01:13 | If your host is not, you may
need to look for a new host.
| | 01:16 | It should make you wonder what
other little security issues they are
| | 01:19 | not addressing.
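A way to find the two conditions this lesson describes on your own account, as an added Python example that is not part of the video: files the web server created that you do not own, and files a host has "fixed" by making them writable by everyone. `audit_tree` walks a directory and reports both, and `demo` builds a throwaway tree with one sane file and one world-writable file to show what a finding looks like. It assumes a POSIX host (`os.getuid`, Unix permission bits); the file names under the temporary directory are constructed.

```python
import os
import stat
import tempfile


def audit_tree(root: str, expected_uid: int) -> list:
    """Walk `root` and return (path, problem) pairs for entries that are either
    not owned by the hosting account (`expected_uid`) or writable by every user
    on the server, which is what an "anyone can edit" chmod amounts to."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is audited when the walk reaches it
            if st.st_uid != expected_uid:
                findings.append((path, f"owned by uid {st.st_uid}, not {expected_uid}"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, f"world-writable ({stat.S_IMODE(st.st_mode):o})"))
    return findings


def demo() -> list:
    """Build a throwaway tree with one correctly set file and one file "fixed" by
    a world-writable chmod, audit it as the current user, and return the findings
    with paths relative to the temporary root."""
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "configuration.php")
        bad = os.path.join(root, "images", "upload.jpg")
        os.mkdir(os.path.dirname(bad))
        for path in (good, bad):
            with open(path, "w") as fh:
                fh.write("sample\n")   # constructed content
        os.chmod(good, 0o644)
        os.chmod(bad, 0o666)           # the band-aid the lesson warns about
        os.chmod(os.path.dirname(bad), 0o755)   # explicit, so the umask cannot interfere
        return [(os.path.relpath(path, root), why)
                for path, why in audit_tree(root, os.getuid())]


if __name__ == "__main__":
    for path, why in demo():
        print(f"{path}: {why}")
```

On a real site, run `audit_tree` against the Joomla! root with your account's uid; a long list of files owned by the web server's user is the symptom of PHP running as Apache rather than as your hosting account, which is the conversation to have with the host.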

Resetting forgotten passwords
| | 00:00 | Let's say that you are helping a
friend retrieve their lost password.
| | 00:03 | There are several ways to go about this.
| | 00:05 | We will start with the easiest to
implement, and work our way up if the
| | 00:08 | previous methods fail.
| | 00:10 | The easiest way to retrieve your lost
password is to search your Inbox for the
| | 00:14 | welcome e-mail that you
received when you signed up.
| | 00:17 | In the Search box, type in "added as a user,"
| | 00:21 | and that should pull up any e-mails that you
received when you registered on any Joomla! site.
| | 00:27 | Here we can see our welcome e-mail.
| | 00:29 | My friend's username is tom
and his password is lynda.
| | 00:33 | But let's assume we didn't have this
e-mail or that we changed our password.
| | 00:38 | The next easiest way is to use the password
reset feature from the front-end of the site.
| | 00:44 | In the default installation of Joomla!,
this is located on the bottom of the
| | 00:47 | left-hand side of the screen.
| | 00:50 | Underneath the Login button,
there's a link for Forgot your Password?
| | 00:54 | Clicking it will bring up the
Forgot your Password? screen.
| | 00:56 | This screen asks you to type in the
e-mail address that you entered when you
| | 01:02 | registered on the site.
| | 01:03 | Once you have typed in your
e-mail address, click Submit.
| | 01:07 | An e-mail has been sent to your Inbox.
| | 01:10 | Go over to your Inbox and look for it.
| | 01:12 | Here is the e-mail we received.
| | 01:15 | This is the password reset e-mail.
| | 01:17 | Opening the e-mail, you can
see the password reset token.
| | 01:20 | We copy that token.
| | 01:22 | We turn back to our site.
| | 01:25 | Type in our username,
which we should know is tom.
| | 01:29 | If we didn't, we can use
the Forgot your username?
| | 01:31 | link, underneath the Login module.
| | 01:34 | In the Token field, paste the token that
you copied from your e-mail, and click Submit.
| | 01:38 | Now Joomla! is prompting us
to type in a new password.
| | 01:41 | We will enter our new password and click Submit.
| | 01:47 | Our password has successfully been reset.
| | 01:49 | We can now log in using that password.
| | 01:51 | Well, let's assume that didn't work.
| | 01:57 | Well, what would we do next?
| | 01:58 | The next thing we could do is ask
another super administrator to reset
| | 02:02 | your password for you.
| | 02:03 | Going over to the Joomla! Administrator,
once that administrator has logged in
| | 02:11 | to the Joomla!
Administrator, go to User Manager.
| | 02:14 | Click on Tom's name to open his account.
| | 02:18 | Type in a new password and hit Save.
| | 02:23 | We have successfully saved Tom's new password.
| | 02:26 | So, what happens if none of these
methods work for you or what happens if you
| | 02:30 | are the only super administrator?
| | 02:31 | That only leaves one method left,
and that's to do it the hard way.
| | 02:35 | The hard way, which always works,
is done by opening up phpMyAdmin.
| | 02:40 | We can get to it by going to cPanel,
scrolling down, and clicking the phpMyAdmin
| | 02:48 | link under the Databases section.
| | 02:50 | On the left side, choose the
database that you're using for your
| | 02:55 | Joomla! installation.
| | 02:59 | Scroll down to your Users table.
| | 03:01 | If you're using the default Database Prefix,
the naming for users table will be jos_users.
| | 03:08 | Here we can see Tom's password is 28b2.
| | 03:12 | Well, you get the idea.
| | 03:13 | As it appears, we probably just can't
change this to his password, because
| | 03:16 | that wouldn't work.
| | 03:17 | What we need to do is change it to
the encrypted value of his password.
| | 03:22 | To do this, click the SQL
tab at the top of the screen.
| | 03:25 | In the SQL box, type "UPDATE."
| | 03:31 | In my case, I am typing "lynd_users,"
but again, if you are using the default
| | 03:36 | database prefix, yours would be jos_users.
| | 03:39 | We're basically saying update users
table, Set password =, md5 () is a function
| | 03:52 | that encrypts your password in
a way that Joomla! can read it.
| | 03:55 | Then we need to tell it WHERE username = 'tom'.
| | 04:05 | So to say this in plain English, it's
basically saying update the users table,
| | 04:09 | setting the password to
lynda where the username is tom.
| | 04:13 | Let's click Go and watch what happens.
| | 04:14 | It says one row affected. That's Tom's row.
| | 04:18 | That means that we have
successfully changed Tom's password to lynda.
| | 04:22 | Since Tom is a super administrator, let's
go over to the Administrator and test it out.
| | 04:27 | Let's enter tom for the username and
for the password, let's enter lynda.
| | 04:32 | As we can see, the
password reset worked correctly.
| | 04:36 | Call me crazy, but resetting
passwords the hard way is kind of fun.
| | 04:41 | Hopefully knowing this information will
lessen your stress level and give you a
| | 04:44 | plan to reset your password.
| | Collapse this transcript |
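The "hard way" reset above types an UPDATE into phpMyAdmin's SQL box. The following is an added example, not code from the course or from the Joomla! project, that does the same reset as a parameterized statement and shows the hash format involved. Joomla! 1.5 stores passwords as md5(password + salt) followed by a colon and a 32-character salt; its login check falls back to plain MD5 when no colon is present, which is why the video's MD5('lynda') works. Both MD5 forms are weak by current standards (later Joomla! releases moved to bcrypt), so treat this as a recovery step for a site you administer and change the password again through the normal interface afterwards. Assumptions: an in-memory SQLite table stands in for the MySQL users table, the prefix lynd_ is the one from the video, and the rows, ids and old passwords are constructed.

```python
import hashlib
import secrets
import sqlite3
from typing import Optional

# Table prefix from the video (lynd_); a default install would use jos_.
PREFIX = "lynd_"


def joomla15_hash(password: str, salt: Optional[str] = None) -> str:
    """Return a password in Joomla! 1.5's stored form: md5(password + salt):salt."""
    if salt is None:
        salt = secrets.token_hex(16)  # 32 hex characters, like Joomla!'s own salt
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return digest + ":" + salt


def unsalted_md5(password: str) -> str:
    """What the video's UPDATE ... SET password = MD5('lynda') stores (no salt)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def joomla15_verify(password: str, stored: str) -> bool:
    """Mirror of the 1.5 login check: salted compare if ':' is present, else plain MD5."""
    if ":" in stored:
        digest, salt = stored.split(":", 1)
        return hashlib.md5((password + salt).encode("utf-8")).hexdigest() == digest
    return unsalted_md5(password) == stored


def open_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the users table; ids and old passwords are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {PREFIX}users ("
        "id INTEGER PRIMARY KEY, name TEXT, username TEXT UNIQUE, "
        "password TEXT, usertype TEXT)"
    )
    conn.executemany(
        f"INSERT INTO {PREFIX}users VALUES (?, ?, ?, ?, ?)",
        [
            (63, "Tom", "tom", joomla15_hash("forgotten-old-password"), "Super Administrator"),
            (64, "Michelle", "michelle", joomla15_hash("another-password"), "Administrator"),
        ],
    )
    conn.commit()
    return conn


def reset_password(conn: sqlite3.Connection, username: str, new_password: str) -> int:
    """The video's UPDATE, parameterized. Returns the number of rows affected (1 on success)."""
    cur = conn.execute(
        f"UPDATE {PREFIX}users SET password = ? WHERE username = ?",
        (joomla15_hash(new_password), username),
    )
    conn.commit()
    return cur.rowcount


def stored_hash(conn: sqlite3.Connection, username: str) -> Optional[str]:
    """Read back what is now stored for a user, as phpMyAdmin would show it."""
    row = conn.execute(
        f"SELECT password FROM {PREFIX}users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_sample_db()
    print("rows affected:", reset_password(db, "tom", "lynda"))
    print("login with new password works:", joomla15_verify("lynda", stored_hash(db, "tom")))
```

Checking `rowcount` is the scripted equivalent of reading "1 row affected" in phpMyAdmin: a count of 0 means the username was mistyped or the prefix is wrong, and a count above 1 means the WHERE clause was too broad.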
|
|
6. Handling VulnerabilitiesFinding vulnerabilities| 00:00 | We have discussed how to look for known
vulnerabilities, but what happens if you
| | 00:04 | find a vulnerability. What do you do?
| | 00:06 | The last thing you want to do
is post it on the Joomla! forums.
| | 00:09 | The best thing you can do is to discreetly
notify the team in charge of that code.
| | 00:14 | This might be the Joomla! development
team, or in the case of an extension, the
| | 00:17 | developers who wrote the extension.
| | 00:19 | In the case of Joomla!, you really want
to notify the Joomla! security strike
| | 00:23 | team with as much technical information
that you are able to provide, which in
| | 00:26 | some cases might just be "this acts funny."
| | 00:30 | You want to notify them by
e-mailing them at security@joomla.org.
| | 00:36 | Again, at no time do you want to
post the vulnerability on the forum.
| | 00:39 | If in fact you have found a true
vulnerability, you want to give the development
| | 00:43 | team of that code a chance to fix it
before the rest of the world finds out.
| | 00:47 | In the case of an extension developer,
just notify them via their web site.
| | 00:51 | For general security questions, you can
go to forum.joomla.org and then click on
| | 00:57 | the Securities forum.
| | 00:59 | Here you can post your
security questions and get answers.
| | 01:02 | I hope that you never have to use this
information since that would mean that,
| | 01:04 | even for a short time,
your web site is vulnerable.
| | 01:07 | I am happy to know that if you find a
vulnerability that you are prepared to
| | 01:11 | report it accordingly.
| | Collapse this transcript |
| Reporting vulnerabilities| 00:00 | When an update is made to Joomla!,
it typically contains security fixes.
| | 00:04 | Although these fixes are usually non-
critical, they still need to be dealt with.
| | 00:08 | Other times it is a third-party
extension that needs to be updated.
| | 00:12 | When this happens, I recommend that
you immediately take a backup of your
| | 00:14 | web site just in case.
| | 00:18 | Going to Akeeba Backup, we will
take a backup of our web site.
| | 00:24 | If the update is made to a third-
party extension, we need to go to the
| | 00:27 | developer's web site and look for a patch.
| | 00:29 | If you located the vulnerability in a
third-party extension but a patch is
| | 00:33 | not available, you need to go to
Extension Manager and either disable or
| | 00:37 | uninstall that extension.
| | 00:39 | Depending on the extension and the
vulnerability, disabling it may not be enough.
| | 00:43 | If you are using this extension, please
be aware that uninstalling it may cause
| | 00:47 | it to lose some data.
| | 00:48 | It is sad to think that you may need to
react to a vulnerability, but if that day
| | 00:52 | comes, you will be prepared.
| | Collapse this transcript |
|
|
7. Applying Best PracticesInstalling Joomla!| 00:00 | A lot of people who are not very
technically savvy have issues installing
| | 00:03 | Joomla! for the first time.
| | 00:05 | Most resort to using a cPanel
application called Fantastico to help them out.
| | 00:10 | Fantastico is very well intended, but
it is not ideal, for a variety of reasons.
| | 00:15 | The main reason is that the Fantastico
application is not updated immediately
| | 00:19 | after an update comes out.
| | 00:21 | Let's walk through a secure
installation of Joomla! from scratch.
| | 00:24 | The first thing we want to do is download the
latest version of Joomla! from joomla.org.
| | 00:28 | From the homepage, click Download
Joomla!. Then download the latest full package.
| | 00:33 | Now that we have downloaded
Joomla!, we need to extract it.
| | 00:41 | To save some time, we've already
extracted the Joomla! package we downloaded.
| | 00:45 | To upload these files, we
need to open our FTP client.
| | 00:52 | Next, we want to connect to our server
and navigate to the directory where you
| | 00:57 | wish to install Joomla!.
| | 00:59 | Select all of the extracted files
and then upload them to your server.
| | 01:05 | As you can see, there are over 4,000
files, so this could take some time.
| | 01:09 | Now that our files are uploaded,
let's go back over to our web browser and
| | 01:12 | create the database and
user for our Joomla! web site.
| | 01:17 | This is done by using cPanel.
| | 01:19 | To get to cPanel, you typically
type in www.yourdomainname.com/cpanel.
| | 01:25 | Once in cPanel, scroll down to the
Databases section. Click on MySQL Databases.
| | 01:31 | We need to create a new database.
| | 01:34 | I am just going to call this one
joomla. Then click Create Database.
| | 01:44 | We also need to create a user.
| | 01:46 | We'll use the username joomla as well.
| | 01:49 | For the password, we should
use the Password Generator,
| | 01:51 | since as we said before, you're only ever
going to use this password once, and it
| | 01:55 | should be something completely unique.
| | 01:57 | This one will do just fine.
| | 01:59 | Highlight the password and copy it.
| | 02:02 | Check the box to say that you've
copied the password in a safe place and
| | 02:05 | click Use Password.
| | 02:07 | Then click Create User.
| | 02:10 | Okay, we're almost there.
| | 02:12 | The next thing we need to do is give the
user you created access to the database you created.
| | 02:17 | This is done in the Add
User To Database section.
| | 02:20 | Select the User and Database from the dropdown.
| | 02:23 | Since we only have one, it's
already set for us. Click Add.
| | 02:28 | Select All Privileges and click Make Changes.
| | 02:31 | We've successfully created our database
and our user, and we've linked them up.
| | 02:38 | We should note that our database
name is demojoom_joomla, and our user is
| | 02:43 | actually the same thing: demojoom_joomla.
| | 02:46 | Our password, we copied at the clipboard.
| | 02:48 | We will definitely need that later.
| | 02:51 | Opening a new tab, navigate to where
you uploaded your files via a browser.
| | 02:54 | This should bring up the Joomla! installer.
| | 03:02 | We can click Next on the Language
screen and next on the Pre-installation
| | 03:06 | Checklist. All of these should be green.
| | 03:08 | If any of them are red, they should be
evaluated to see if anything needs to be corrected.
| | 03:13 | In my case, Display Errors is
recommended off, but I have it set to on.
| | 03:17 | This is okay, since I actually like
having the errors displayed when there are
| | 03:21 | errors in my extensions.
| | 03:23 | Click Next to go to the next screen.
| | 03:25 | This is the GPL License.
| | 03:27 | This is the license that
Joomla! is released under.
| | 03:30 | Click Next to go to the next screen.
| | 03:32 | On the Database
Configuration screen, enter your host name.
| | 03:35 | This is typically localhost.
| | 03:37 | The username for our site is demojoom_joomla.
| | 03:42 | The password, we copied at the clipboard, so
I will just press Ctrl+V and paste it there.
| | 03:46 | The database name is also demojoom_joomla.
| | 03:52 | Click the Advanced Settings tab.
| | 03:55 | Let's change the database
prefix to something other than jos_.
| | 03:59 | It also should not be bak_, as
that is reserved for backup tables.
| | 04:03 | I'll just enter lynd_ and click Next.
| | 04:08 | Since we are not using the FTP
layer, we can just click Next.
| | 04:13 | On the Main Configuration screen,
we need to enter a site name.
| | 04:16 | We should enter our e-mail and our password.
| | 04:29 | Remember to choose secure passwords.
| | 04:31 | If you wish to have sample data, click the
Install Sample Data button, and click Next.
| | 04:40 | Congratulations!
| | 04:41 | Joomla! is now installed.
| | 04:43 | We need to go back over to our FTP
client to delete our installation folder.
| | 04:53 | Some people prefer to just rename their
installation folder with an underscore
| | 04:56 | or something else at the end.
| | 04:57 | While this is sometimes okay, it
really is a good idea to just delete the
| | 05:01 | folder, as suggested.
| | 05:02 | Going back over to the browser, let's click
Site to see the front-end of the web site.
| | 05:09 | As we can see here, our web site is
installed, but we're not done yet.
| | 05:12 | We need to log in to the Administrator.
| | 05:15 | Open a new tab, type in your URL, /administrator.
| | 05:22 | The login is "admin," and the password is the
password that you set up when you installed it.
| | 05:26 | We are going to go create a
new super administrator user.
| | 05:31 | As discussed in other videos, you
don't want to have a username of admin.
| | 05:35 | Clicking New, we will create a new user.
| | 05:37 | I'll type in my name, my username.
| | 05:41 | I'll type in my e-mail,
and I'll type in a password.
| | 05:50 | Again, remember to always
choose secure passwords.
| | 05:54 | I'll choose Super
Administrator for my group and click Save.
| | 05:56 | Now that I have created my new username,
I need to log out of admin and then log
| | 06:01 | in with my new username.
| | 06:07 | Returning back to User Manager, we could
then continue to delete the username admin.
| | 06:12 | The reason why we do this is because a
lot of SQL injection attempts rely on the
| | 06:16 | username being admin or the ID being 62.
| | 06:20 | For this reason, we can't just change the
username admin to something else either.
| | 06:23 | In order to delete the admin
account, we first need to demote it.
| | 06:28 | We can change its group to
anything other than Super Administrator.
| | 06:31 | The reason why we do this is because
super administrator accounts are not
| | 06:35 | allowed to be deleted, but now that it's
considered an administrator account, we
| | 06:39 | have full rights to delete this account.
| | 06:41 | Now that the admin user has been deleted,
we are finished with the User Manager screen.
| | 06:47 | One last thing to note is that before
this web site goes live, we should turn on
| | 06:51 | Search Engine Friendly URLs.
| | 06:53 | It is typically easiest to develop a
web site with Search Engine Friendly URLs
| | 06:57 | turned off, but please remember, before
your web site goes live, to turn those
| | 07:00 | Search Engine Friendly URLs on.
| | 07:02 | As stated before, not only will they
help you with page ranking, but they will
| | 07:06 | also keep a big target off your back.
| | 07:08 | I hope that this video inspires you
to properly install Joomla! and not use
| | 07:12 | shortcut methods, even if they
seem much easier at the time.
| | Collapse this transcript |
| Auditing your Joomla! web site| 00:00 | In this video, we'll be discussing
the process of auditing your web site.
| | 00:04 | Bringing everything we have learned thus far
together, this video is broken up into two parts.
| | 00:09 | The first part will primarily
discuss Joomla!-specific best practices.
| | 00:13 | The second part will focus more on
server-specific, as well as lower-level
| | 00:17 | non-Joomla! administrator type best practices.
| | 00:20 | Let's log in to the Joomla!
Administrator and get started.
| | 00:26 | First and foremost, we need to check to
make sure that Akeeba Backup is installed.
| | 00:31 | Hovering over Components, we can see
the Akeeba Backup is in fact installed.
| | 00:35 | By looking at the Control Panel, we can
also see that the current backup is up to date.
| | 00:39 | The next thing we want to check is
to see that Joomla! is up to date.
| | 00:43 | We are currently using Version 1.5.20.
| | 00:46 | Opening up a new tab and going to
joomla.org, we can check to see what
| | 00:50 | the current version is.
| | 00:51 | By going to the Joomla! Download page,
we can see that the current version
| | 00:57 | is 1.5.20. This is the version we have, so
our installation of Joomla! is up to date.
| | 01:04 | The next thing on our list is to make
sure that the super administrator account
| | 01:07 | admin does not exist.
| | 01:09 | Since we did not log in as admin,
we know that our account is not admin.
| | 01:12 | Let's go to User Manager and verify
that the admin account does not exist.
| | 01:17 | Quickly scanning the Username column,
we can see the admin is not a user.
| | 01:21 | You might have noticed, when I logged in,
that my password was only five characters.
| | 01:24 | This is too short, and probably not secure.
| | 01:26 | By clicking on my name, I can change
my password to something more secure.
| | 01:31 | I have entered a password that contains
letters and numbers and symbols and mixed case.
| | 01:40 | I will then click Save to save my password.
| | 01:42 | An important thing to do is to
periodically audit your user permissions.
| | 01:47 | Looking through this list, I can see that we
have four people with access to our web site.
| | 01:51 | Knowing that John Doe has not worked here
for a long time, I should delete his account.
| | 01:55 | That way he no longer has access.
| | 01:57 | Michelle's account and
Tom's account are okay to stay.
| | 02:03 | Now that we have finished our audit in
User Manager, let's go over to Global
| | 02:07 | Configuration and verify
that the editor is turned off.
| | 02:12 | As you can see, the Default
Editor is set to Editor - No Editor.
| | 02:15 | If we wanted to, we could go back
over to User Manager, and we could verify
| | 02:20 | that each person that needs access to the
editor has an editor chosen from this dropdown.
| | 02:27 | Finally, we need to review the
extensions that we have installed.
| | 02:30 | Going through this list and looking at
the extensions that are not made by the
| | 02:38 | Joomla! Project, we can see
that we have Akeeba and XMap.
| | 02:41 | Since we are using both
extensions, we do want to keep those.
| | 02:44 | Since we're not using the Weblinks
component, we can just disable it.
| | 02:49 | The same goes for Newsfeeds and Banners.
| | 02:54 | We are using polls on our web site,
so we want to keep that one enabled.
| | 02:57 | Next, we'll go for the Modules.
| | 03:00 | On this page, we see that we have two
modules that were not made by the Joomla! Project.
| | 03:05 | We are using the Akeeba Backup
Administrator module, so we'll keep that one.
| | 03:08 | We're no longer using mod_show_on_user_state,
so we'll check that box and hit Uninstall.
| | 03:14 | We also need to go to page two, just
to verify that there aren't any modules
| | 03:17 | over there that need to
be deleted. There are not.
| | 03:21 | Lastly, we will check the Plugins tab.
| | 03:23 | On the Plugins page, we scroll down and
we see that all of the plug-ins are owned
| | 03:27 | by the Joomla! Project.
| | 03:28 | Since uninstalling these plug-ins might have
adverse reactions, we want to leave them alone.
| | 03:33 | The plug-ins at the bottom are
grayed out, so we can't uninstall those.
| | 03:36 | Let's go to page two.
| | 03:39 | These are also grayed out, so
there is nothing to uninstall here.
| | 03:41 | We're done looking at extensions.
| | 03:44 | Now that we have audited the Joomla!
side of your web site, in the next video,
| | 03:49 | we are going to audit your web
site from a server and non-Joomla!
| | 03:52 | administrator perspective.
| | Collapse this transcript |
| Auditing your site's server| 00:00 | This is the second and final part of
our videos on auditing your web site.
| | 00:04 | This video will focus on server-
specific, as well as lower-level non-Joomla!
| | 00:08 | administrator type best practices.
| | 00:10 | The first thing we need to
check is your PHP version number.
| | 00:14 | Going to Help > System Info, we can see
that our current version of PHP is version 5.
| | 00:20 | Since this is not version 4, we can continue on.
| | 00:24 | We then need to verify that your
database password is not the same as your super
| | 00:27 | administrator password.
| | 00:29 | In Joomla!, there is no way to see what
the actual super administrator password is;
| | 00:32 | however, since you've logged in to
the Control Panel, you should know what
| | 00:35 | your own password is.
| | 00:38 | To see what the database password is,
open up your FTP client, log in, and
| | 00:43 | navigate to Joomla!'s root directory.
| | 00:46 | In that directory, you should
find a configuration.php file.
| | 00:50 | Opening it in a text editor,
you should look for var $password.
| | 00:54 | This is the password to our database.
| | 00:57 | Since I've logged in to Joomla!, I know
that my password is not the same as this one.
| | 01:00 | While we have the configuration.php
file pulled up, we need to verify that our
| | 01:05 | database prefix is not jos_.
| | 01:08 | On this same screen, we can see
that $dbprefix is set to lynd_.
| | 01:14 | Since this is not jos_, we
know that this is correct.
| | 01:17 | The database prefix should
be anything but jos_ or bak_.
| | 01:21 | Now that we are done checking the
configuration.php file, we can close that
| | 01:28 | file and the FTP client.
| | 01:31 | Up next on our list is to verify that all third-
party extensions appear to use the framework.
| | 01:36 | Going to Extensions > Install/Uninstall
and then to Components, we should look
| | 01:42 | at the components that were not
written by the Joomla! Project.
| | 01:46 | In your FTP client, you should navigate
to Joomla!'s root directory, and then go
| | 01:49 | to Components, and then find
the directory for that component.
| | 01:53 | Opening up one of the files within that
component, you should verify that it is
| | 01:56 | using the framework.
| | 01:58 | Since we did this when we installed
them, we don't need to go through it now.
| | 02:01 | If you did not verify these whenever you
installed them, you'll want to refer to
| | 02:04 | the video called Choosing secure
extensions, within this series.
| | 02:09 | While you're in Extension Manager, you
need to look up any extension that you
| | 02:12 | have installed on a web site like inj3ct0r.com.
| | 02:16 | The first component we have here is Akeeba.
| | 02:18 | Going over to inj3ct0r.com and typing
in akeeba and clicking Submit, we can see
| | 02:24 | that there are no known
vulnerabilities, which is great.
| | 02:28 | If there were any vulnerabilities,
you'd want to verify its version number
| | 02:33 | with the version number listed here.
| | 02:36 | In the interest of time, we
will not be checking each one;
| | 02:38 | however, you will want to go through
each extension that you have installed.
| | 02:42 | The next thing to check is to
verify that SEF URLs are turned on.
| | 02:45 | There are several ways to check this, but
the easiest way is to just go to the homepage,
| | 02:51 | click a link, and then look in the address bar.
| | 02:56 | Since we don't see index.php?
| | 02:58 | along with the bunch of parameters, we
know that SEF URLs are in fact turned on.
| | 03:03 | The last thing we want to
check is the .htaccess file.
| | 03:06 | Going back to our FTP client, we log
back in to our web site, navigate to
| | 03:14 | Joomla!'s root directory and look for .htaccess.
| | 03:22 | Scrolling down, we can verify that
we have in fact uncommented the lines
| | 03:25 | dealing with XML files.
| | 03:28 | If these were commented out, they
would have hash symbols at the front.
| | 03:31 | Scrolling down to the bottom, we
need to check to make sure that we have
| | 03:34 | added IndexIgnore *.
| | 03:37 | This is Index, with a capital I, Ignore,
with a capital I. That's all one word,
| | 03:41 | there is no space in-between, space, asterisk.
| | 03:45 | Since we have verified both
these, there is nothing else to do.
| | 03:49 | We can close this file and the FTP client.
| | 03:52 | Assuming that you have watched both
videos on auditing your web site and
| | 03:56 | implemented the things we've covered,
you can feel confident about your
| | 03:59 | web site's security.
| | 04:00 | Even though no server is 100% secure,
you should no longer feel insecure
| | 04:04 | about yours.
| | Collapse this transcript |
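The server-side checks in this video (database prefix not jos_ or bak_, database password different from the super administrator password, the XML-file block in .htaccess uncommented, and IndexIgnore * present) are done by eye over FTP. The script below is an added example, not part of the course or of Joomla!, that performs the same checks on the two files so they can be repeated on every audit. Assumptions: the configuration.php and .htaccess texts are constructed samples modelled on Joomla! 1.5's file layout (the prefix lynd_ and user demojoom_joomla follow the video, the password values are made up), and the super administrator password is supplied by the person running the audit, as in the video.

```python
import re
from typing import Dict, List

# Constructed sample of a Joomla! 1.5 configuration.php with the settings the video checks.
GOOD_CONFIG = """<?php
class JConfig {
    var $host = 'localhost';
    var $user = 'demojoom_joomla';
    var $password = 'K3zT9qLm2pWv';
    var $db = 'demojoom_joomla';
    var $dbprefix = 'lynd_';
}
?>
"""

# Constructed sample with the defaults the video says to avoid (jos_ prefix,
# database password reused as the super administrator password).
WEAK_CONFIG = GOOD_CONFIG.replace("'lynd_'", "'jos_'").replace("'K3zT9qLm2pWv'", "'admin123'")

# Constructed .htaccess fragments modelled on Joomla! 1.5's htaccess.txt:
# the XML-file block uncommented and IndexIgnore * added at the bottom ...
GOOD_HTACCESS = """## Deny access to extension xml files
<Files ~ "\\.xml$">
Order allow,deny
Deny from all
Satisfy all
</Files>

RewriteEngine On
IndexIgnore *
"""

# ... versus the block still commented out (hash symbols in front) and no IndexIgnore.
WEAK_HTACCESS = """## Deny access to extension xml files (uncomment out to activate)
#<Files ~ "\\.xml$">
#Order allow,deny
#Deny from all
#Satisfy all
#</Files>

RewriteEngine On
"""

# Matches lines of the form  var $name = 'value';  allowing escaped quotes in the value.
VAR_RE = re.compile(r"var\s+\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;")


def parse_jconfig(text: str) -> Dict[str, str]:
    """Pull the var $name = 'value'; settings out of a Joomla! 1.5 configuration.php."""
    return {m.group(1): m.group(2) for m in VAR_RE.finditer(text)}


def audit_configuration(text: str, super_admin_password: str) -> List[str]:
    """The video's two configuration.php checks; returns a list of findings (empty means clean)."""
    cfg = parse_jconfig(text)
    findings = []
    prefix = cfg.get("dbprefix", "")
    if prefix in ("jos_", "bak_"):
        findings.append(f"dbprefix is {prefix}; use a prefix other than jos_ or bak_")
    if cfg.get("password") == super_admin_password:
        findings.append("database password is the same as the super administrator password")
    return findings


def active_lines(text: str) -> List[str]:
    """Directives that are actually in effect: non-blank lines not starting with #."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def audit_htaccess(text: str) -> List[str]:
    """The video's two .htaccess checks: XML block uncommented, IndexIgnore * present."""
    lines = active_lines(text)
    findings = []
    if '<Files ~ "\\.xml$">' not in lines:
        findings.append('the <Files ~ "\\.xml$"> block is commented out or missing; '
                        "extension XML files are readable")
    if "IndexIgnore *" not in lines:
        findings.append("IndexIgnore * is missing; directory listings may be served")
    return findings


def audit_server_side(config_text: str, htaccess_text: str, super_admin_password: str) -> List[str]:
    """Run both file audits and return all findings together."""
    return audit_configuration(config_text, super_admin_password) + audit_htaccess(htaccess_text)


if __name__ == "__main__":
    for label, cfg, hta in (("good", GOOD_CONFIG, GOOD_HTACCESS), ("weak", WEAK_CONFIG, WEAK_HTACCESS)):
        print(label, audit_server_side(cfg, hta, "admin123") or "no findings")
```

On a real site, read the two files fetched over FTP into `config_text` and `htaccess_text`; a clean audit returns an empty list, and each finding names the line to fix in the terms the video uses.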
|
|
ConclusionFinal thoughts| 00:00 | Thanks for watching.
| | 00:01 | Using the information that you have just
learned, you should now be able to stay
| | 00:04 | one step ahead of those who
wish to do harm to your web site.
| | 00:07 | Some of the items we discussed only
need to be done once, while other items
| | 00:11 | are an ongoing process.
| | 00:13 | If you have clients that are paying
you to manage their web site, you have an
| | 00:16 | obligation to make sure most,
if not all, of these best practices we
| | 00:19 | discussed are put into place.
| | 00:22 | Although I tried to put emphasis on
all of the best practices, the most
| | 00:25 | important thing to remember is to back up,
back up often, and back up your backup.
| | 00:29 | If you have a question, or would like
to learn more about Joomla! security,
| | 00:33 | please visit the Security
forum at forum.joomla.org.
| | 00:37 | If you would like to get involved in
the Project at any level, please visit
| | 00:41 | community.joomla.org and click Join in.
| | 00:45 | Thanks again for watching.
| | Collapse this transcript |
|
|