Viewers: in countries Watching now:
In Joomla! 1.5: Developing Secure Sites, author Kenneth Crowder covers key steps to secure against data loss and minimize vulnerability to attack. The course covers simple, yet effective best practices that will minimize the risk of a Joomla! web site from being compromised or hacked, as well as what to do if a vulnerability in the core Joomla! code or a third-party extension is found.
A lot of the previous best practices that we have discussed have a lot of bang for their buck. Unfortunately, this is not one of them. While important, this best practice combined with other ones will drastically reduce the risk of your web site being hacked. We're going to discuss why it is important to have a different database password than your super administrator password. The first thing we need to do is go into cPanel to create our database.
Once logged in, scroll down to the Databases section. Click on MySQL Databases. Create your database. In the Add New User section, we need to create a username. I will just use the username joomla. For Password, we want to create something completely cryptic. I'll explain why a little bit later. Click on the Password Generator button. As you can see, a password has been generated for us. Let's copy this, as we will need it later.
Check the box that says "I have copied this password to a safe place," and click Use Password. The password has been populated into the Password, and Password (Again) fields. Click Create User. The last step that we have to do in here is give the user permissions to access that database. In the Add User To Database, we want to select the users that we want to have access to our database. In this case, we only have one. Then we choose which database it gets access to. Again, it only has one. You may have more in this list. Click Add.
On this screen, you have to tell it which privileges this user has. For the purposes of using this user and database with Joomla!, you want to click All Privileges, and click Make Changes. The next thing we want to do is go over to the Joomla! web installer and start our installation process. We'll click Next to go past the Language screen. Next. For Host Name, we will choose localhost. The Username, going back over to cPanel, scrolling down a little bit, we can see that our user is demojoom_joomla.
I copied the password to my clipboard, so I'll just press Ctrl+V to paste that there. For the Database Name, we can go back over to cPanel, and see that our database name is the same as our username. It's demojoom_joomla. To help make this secure, we're going to change our database prefix, since we're on this screen. Then click Next. Click Next to get past the FTP Configuration screen.
For Site Name, we will type Demo Joomla! Site. I will enter my e-mail address and my admin password twice. Clicking Install Sample Data will install all of the sample data that comes with Joomla! by default. If you don't click this, you'll just have a blank site, which is fine for most experts. Click Next. The next thing we need to do is remove the Joomla! installation directory. I'm going to open up an FTP client, connect to my web site, navigate into the public_html folder, and delete the installation directory.
Some people just rename their installation directory. While this is typically safe. I wouldn't recommend that it's best to delete it completely. Now that the installation directory has been deleted, let's go back over to our Installation screen, and click Site. Now that Joomla! is installed, let's just go in and take a look and see what the two passwords look like, and see how they're different. Going back over to my FTP client, I'm going to open configuration.php.
In this file, we can see that the variable password equals something completely cryptic. This is our database password. The password we entered for our admin account was something that we could remember. Since we'll never use the database password again, it's okay to have it something completely cryptic, since we don't have to memorize it. The reason we want this password to be different than our super administrator password is that this one is stored in plain text. Later, we'll take a look at our super administrator password, and see how it's stored in the database. On its own, this isn't that big of a deal, except that if this issue is in place, and other issues are in place, a potential hacker could read your database password, log in to your database, and then make changes without your knowledge.
Something fun to do is to go into the database and see exactly how the admin password is stored. To do this, we'll go back over to cpanel. I'll click on Home. Let's scroll back down to the Database section, and click on phpMyAdmin. Selecting which database I would like, and then again, selecting the users table, we can see that our password is stored as an MD5 salted hash. This is nothing more than a fancy way of saying that your password is very secure when it is saved to the Joomla! database.
Again, there is nothing fancy about this best practice. Just knowing that you should keep your database password and your super administrator password different is really all that matters.
There are currently no FAQs about Joomla! 1.5: Developing Secure Sites.
Access exercise files from a button right under the course name.
Search within course videos and transcripts, and jump right to the results.
Remove icons showing you already watched videos if you want to start over.
Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.
Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.