Tue 07 Jul '09

Joomla security issues are worrying everyone, especially those whose Joomla site has been hacked at least once. It is not enough to just install a security component like Defender, RS Firewall, X-Defender or whatever. None of them is capable of securing everything, and all of them have limitations, though they give quite good protection in some areas.
So here are the steps you can implement that can save you from hacker attacks.

1 - Htaccess protection

Change the .htaccess file in the Joomla root. Add the following code to .htaccess.

# deny direct requests to every *.php file (the dot is escaped so it matches a literal dot)
<FilesMatch "\.php$">
order deny,allow
deny from all
</FilesMatch>

# re-allow only the front controllers; the pattern is anchored so index.php.bak and similar stay blocked
<FilesMatch "^index\.php$">
order allow,deny
allow from all
</FilesMatch>

<FilesMatch "^index2\.php$">
order deny,allow
allow from all
</FilesMatch>

This will prevent the execution of any PHP file in the Joomla root except index.php and index2.php. So even if a hacker is lucky enough to upload a backdoor to the server, he cannot access it anyway.

But a hacker can upload a backdoor with the name index.php, put it in another folder, and it will be accessible. So you also need to put a .htaccess with this code into every first-level subfolder.

<Files ~ "\.php$">
Deny from all
</Files>
 

This will prevent any PHP file in that folder from being run directly.

In the administrator directory you need the following .htaccess code:

<Files ~ "\.php$">
Deny from all
</Files>

.htaccess protection is done.
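The step 1 layout above, as an added shell example that is not part of the original post: it writes the root .htaccess with the dot in the pattern escaped, drops the deny-all .htaccess into every first-level subfolder, and then lists which PHP files a browser could still request, so the policy can be checked on a copy of the site before it goes live. The folder names, the skip list and the demo tree are constructed assumptions. The demo skips the administrator folder because the same deny rule there would also block administrator/index.php, the backend's own entry point, whereas the post applies it there too; check which behaviour your setup needs.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the step 1
# .htaccess files for a Joomla root and its first-level subfolders, then list
# which PHP files a browser could still request. Uses the Apache 2.2 style
# Order/Allow/Deny directives the post uses; run it on a copy first.
set -eu

# Front-controller scripts that stay requestable in the root (exact basenames).
ALLOWED_ROOT_SCRIPTS="index.php index2.php"

# Root .htaccess: deny every *.php, then re-allow only the listed scripts.
# The dot is escaped so "index.php" does not also match "indexXphp".
write_root_htaccess() {
    root="$1"
    {
        printf '<FilesMatch "\\.php$">\n    Order deny,allow\n    Deny from all\n</FilesMatch>\n'
        for script in $ALLOWED_ROOT_SCRIPTS; do
            pattern=$(printf '%s' "$script" | sed 's/\./\\./g')
            printf '\n<FilesMatch "^%s$">\n    Order deny,allow\n    Allow from all\n</FilesMatch>\n' "$pattern"
        done
    } > "$root/.htaccess"
}

# Subfolder .htaccess: no PHP in that folder (or below it) may be requested.
write_deny_php_htaccess() {
    printf '<Files ~ "\\.php$">\n    Deny from all\n</Files>\n' > "$1/.htaccess"
}

# Drop the deny rule into every first-level subfolder except the names in $2
# (space separated). The skip list is an assumption for folders that must
# keep serving their own PHP entry point, e.g. administrator/index.php.
deploy_subdir_htaccess() {
    root="$1"; skip="${2:-}"
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        case " $skip " in
            *" $name "*) continue ;;
        esac
        write_deny_php_htaccess "${dir%/}"
    done
    return 0
}

# Self-check: print every .php file still requestable under the policy
# (allowed root scripts, plus everything under unprotected subfolders).
list_reachable_php() {
    root="$1"
    for script in $ALLOWED_ROOT_SCRIPTS; do
        if [ -f "$root/$script" ]; then echo "$script"; fi
    done
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        if [ ! -f "$dir/.htaccess" ]; then
            find "${dir%/}" -name '*.php' | sed "s|^$root/||"
        fi
    done
    return 0
}

# Demo on a constructed, throwaway tree (not a real site).
demo=$(mktemp -d)
mkdir -p "$demo/components/com_demo" "$demo/images" "$demo/administrator"
touch "$demo/index.php" "$demo/index2.php" "$demo/configuration.php" \
      "$demo/components/com_demo/demo.php" "$demo/images/uploaded.php" \
      "$demo/administrator/index.php"
write_root_htaccess "$demo"
deploy_subdir_htaccess "$demo" "administrator"
echo "still requestable:"; list_reachable_php "$demo"
rm -rf "$demo"
```

Running the demo prints index.php, index2.php and administrator/index.php as the only requestable scripts; configuration.php in the root and the uploaded file under images/ are both blocked. The rule in each first-level folder also covers everything below it, since Apache applies .htaccess settings to subdirectories.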

2 - FTP Protection

You know that Joomla saves the FTP details in configuration.php, and they give a hacker a higher access level if he reads this file. So we need to protect the FTP service and allow FTP access only from particular IPs. Thus even if a hacker gets the FTP login information, he cannot log in to FTP. Here is an example of how you can do it with proftpd.

In /etc/proftpd.conf insert this code:

<Limit LOGIN>
Order allow,deny
Allow from 11.22.33.44
Allow from 127.0.0.1
Deny from all
</Limit>
 

Here 11.22.33.44 is the IP you are allowed to log in from. Do not forget to also add 127.0.0.1 or your server's IP there, so that Joomla (through PHP) can log in to FTP to manage files.

3 - Block IPs

The next step is to block some IPs, or whole countries by their IP ranges. To get the correct IPs you can use this site.

You can do it with iptables. For that you need SSH. If you do not have it, write to the server admin and ask him to do it for you or to give you SSH access. Run this command line in the shell.

/sbin/iptables -I INPUT -m iprange --src-range 88.147.196.0-88.147.253.255 -j DROP

-I means insert; you can also use -A (append). You can block a range with -m iprange --src-range start-end, as above, or an individual IP with -s. Block Iran, Iraq, …

4 - Files and folders

The next step is to protect files and folders. The basic idea is that all your files and folders should be reset to be owned by the FTP user, with folders set to 755 and files to 644 permissions. If you have SSH, the commands will be like this.

cd /path/to/joomla          # navigate to the Joomla root
chown -R user:group ./
find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;

If you do this, folders and files will not be writable through PHP.

But you must make the cache and backups folders 777 manually. Do not forget it.
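The step 4 commands as an added shell example, not code from the original post: it resets the owner (optional) and the 644/755 modes with find, restores 777 on the folders the post says must stay writable, and audits the tree afterwards so a deployment script can refuse to continue while anything is off. The folder list, the owner argument and the demo tree are constructed assumptions. It relies on what the post's reasoning implies: PHP must run as a user other than the FTP owner for 644/755 to stop writes through PHP; in suPHP-style setups where PHP runs as the file owner, these modes do not block PHP writes.

```shell
#!/bin/sh
# Added example, not code from the original post: reset Joomla ownership and
# permissions as in step 4, keep the folders the post says must stay
# writable, and audit the result. Assumes PHP runs as a different user than
# the FTP owner (otherwise 644/755 does not stop writes through PHP).
set -eu

# Folders the post says must stay 777 (relative to the Joomla root);
# the names are the post's, adjust them to your layout.
WRITABLE_DIRS="cache backups"

# Reset modes: files 644, directories 755, then reopen the writable folders.
# $2 is an optional user:group for chown (omitted in the demo).
fix_perms() {
    root="$1"; owner="${2:-}"
    if [ -n "$owner" ]; then chown -R "$owner" "$root"; fi
    find "$root" -type f -exec chmod 644 {} \;
    find "$root" -type d -exec chmod 755 {} \;
    for d in $WRITABLE_DIRS; do
        if [ -d "$root/$d" ]; then chmod 777 "$root/$d"; fi
    done
    return 0
}

# Audit: print every path whose mode differs from the policy. Prints nothing
# when the tree is clean, so the output can gate a deployment script.
audit_perms() {
    root="$1"
    {
        find "$root" -type f ! -perm 644
        find "$root" -type d ! -perm 755
    } | while IFS= read -r path; do
        rel="${path#$root/}"
        allowed=0
        for d in $WRITABLE_DIRS; do
            if [ "$rel" = "$d" ]; then allowed=1; fi
        done
        if [ "$allowed" -eq 0 ]; then echo "unexpected mode: $rel"; fi
    done
    return 0
}

# Demo on a constructed, throwaway tree (not a real site): one world-writable
# PHP file and a locked-down images folder, which a hacked site often shows.
demo=$(mktemp -d)
mkdir -p "$demo/cache" "$demo/images"
touch "$demo/index.php" "$demo/images/uploaded.php"
chmod 777 "$demo/images/uploaded.php"
chmod 700 "$demo/images"
echo "before:"; audit_perms "$demo"
fix_perms "$demo"
echo "after:"; audit_perms "$demo"
rm -rf "$demo"
```

Before the fix the audit reports the 777 file and the 700 folder (and the temp root itself, which mktemp creates as 700); after the fix it prints nothing, while cache/ stays 777 because it is on the writable list.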

5 - Install Defender v3

Install Defender v3 (approximate release: end of August 2009). This component will do the rest. As we have now blocked all access except through Joomla's index.php, we can control what is going on.

Defender v3 is the next generation of the Joomla Security component and should have all the most recent and modern features of high quality. It will check your files' and folders' permissions, sizes, file versions, injections, flood, and many more…

Conclusion

With these 5 simple steps you can prevent 99.9% of attacks.


Comments
Written by melh VIP on 10 July 2009

Re: 2. FTP Protection

On my server there is no proftpd.conf file in the 'etc' folder (which is outside public_html). Should this file already exist, or do I create this file and put in just the code you have written?

-
Written by caaneo VIP on 17 July 2009

It depends on which FTP server you are using on your server. proftpd is the name of Joomsuite's FTP server. Another example would be vsftpd; there are many others. If you are using a Linux distro, just look up FTP client/server apps.

-
Written by pixelpunk on 07 August 2009

Where do I put the semicolon in .htaccess? In the beginning? Anywhere?

-
Written by pixelpunk on 07 August 2009

I posted this in support, but I'll add it here: at the moment I can only see #1 and #5. Items 2-4 are missing.

-
Written by SergeiShablovsky VIP on 10 August 2009

Hi!

What do you say about using RSFirewall? This component looks much more powerful than Defender 3. Any suggestion?

-
Written by SergeiShablovsky VIP on 12 August 2009

Please comment on this thread: http://forum.joomla.org/viewtopic.php?f=432&t=429938

-
Written by Serhio STAFF on 13 August 2009

Defender v3 is not yet released. And when it is out it will be no less powerful than RSFireWall.

-
Written by petterthg VIP on 14 August 2009

Since I started using this, I have the problem that a directory on my server, /app/oversettelser, where I have translations, needs to show the default file list that comes up when there is no index file. Joomla! now thinks this is a component and shows 404 - component not found.

Is there a way to allow this directory and its subdirectories?

-
Written by SergeiShablovsky VIP on 15 August 2009

What is the date when this powerful Defender 3 is coming, Sergei?

-
Written by DirtyMonkey VIP on 31 August 2009

FYI,

If you are running the Apache suPHP module then you need to set folders to 775 and files to 664 permissions.

DM.

-
Written by WVPCA VIP on 07 September 2009

Can someone please reply to the comments above?

>Where do I put the semicolon in .htaccess? In the beginning? Anywhere?

Also

>I posted this in support, but I'll add it here: at the moment I can only see #1 and #5. Items 2-4 are missing.

-
Written by WVPCA VIP on 07 September 2009

In JS Community People Touch, in the configurations, it states "Do not forget to protect with .htaccess"

Specifically what do I need to do?

-
Written by pixelpunk on 13 September 2009

Hey WVPCA, I left a support desk ticket about the missing items 2-4 on this page a couple of months ago and got a response saying they were working on it. It's too bad they don't fix it or answer questions, as this could be a really valuable post for users. What's the point of the post if more than half of it is missing?
-
Written by DirtyMonkey VIP on 19 September 2009

Methinks there is code missing from the original post; add this to the bottom of your .htaccess files:

########## Begin - MightyExtensions Extra Security Config
#
<FilesMatch "\.php$">
order deny,allow
deny from all
</FilesMatch>

<FilesMatch "^index\.php$">
order allow,deny
allow from all
</FilesMatch>

<FilesMatch "^index2\.php$">
order deny,allow
allow from all
</FilesMatch>

<FilesMatch "^index3\.php$">
order deny,allow
allow from all
</FilesMatch>

<FilesMatch "^livezilla\.php$">
order deny,allow
allow from all
</FilesMatch>

<FilesMatch "^phpinfo\.php$">
order deny,allow
allow from all
</FilesMatch>

#
########## End - MightyExtensions Extra Security Config

Cheers, DM.

-
Written by DirtyMonkey VIP on 19 September 2009

Also you should put the following .htaccess file in top level of every subdirectory:

<Files ~ "\.php$">
Deny from all
</Files>

I believe the one exception should be cache folder.

Cheers, DM.

-
Written by DirtyMonkey VIP on 19 September 2009

In fact I think you should probably put:

<Files ~ "\.php$">
Deny from all
</Files>

also in the cache folder; perhaps someone can confirm if this is correct...

DM.

-
Written by DirtyMonkey VIP on 19 September 2009

As for the secure folder mentioned above, I have protected mine with the addition of .htaccess and .htpasswd using a .htaccess generator.

Example contents of .htaccess:

AuthUserFile /var/www/vhosts/mydomain.com/httpdocs/secure/.htpasswd
AuthGroupFile /dev/null
AuthName "Password Protected Area"
AuthType Basic

<limit GET POST>
require valid-user
</limit>

<Files ~ "\.php$">
Deny from all
</Files>

Example contents of .htpasswd:

username_of_your_choice:generated_password

Hope this helps, DM.

-
Written by hch VIP on 15 November 2009

Hi All,

#1 prevents other systems installed in a subdirectory from running properly.
It is possible to add some exceptions, but not possible to add them all.
The best option in that case seems to be to exclude this subdirectory from the restrictions.

How do you deal with such a case?
Thanks in advance.
-Charles

-
Written by DirtyMonkey VIP on 15 November 2009

Yeah, very true, I forgot to update the thread accordingly... it's not quite as easy as I had initially thought.

DM.

-
Written by SergeiShablovsky VIP on 15 November 2009

Hey, team !

We are all very frustrated about the economic situation all over the world, but.... where is Defender v3?

-
Written by hch VIP on 15 November 2009

The method described in this thread is very good. But all my tests of exclusions fail miserably. :-D
So I'm still seeking the right way to exclude some subdirectories from the restrictions.
That's hard. :(
-Charles

-
Written by SergeiShablovsky VIP on 17 February 2010

Hi there! Is there any news about Defender 3?

Can't wait...

-
Written by elemental.tm STAFF on 17 February 2010

I was looking at .htaccess management but couldn't find any documentation... I tried installing via FTP but couldn't get it working... ...no idea!

-
Written by SergeiShablovsky VIP on 22 February 2010

Is anybody there? Staff?

A lot of words about Defender3 and its amazing features, etc., but where is the result?

Could you please determine a date for Defender3 coming out as a RELEASE, not beta, alpha, etc.?

Thanks!

-
Written by Serhio STAFF on 25 February 2010

I know it looks stupid. We promised August 2009 but it is still not ready, but that is how it is going. Yet you will be surprised that I cannot say when it will be released. I may only say that a possible beta version may be released in 3-4 weeks, but this is from the words of others. The same others who told August 2009, so I can say: "They say in 3-4 weeks".

-
Written by Dan on 13 October 2010

<FilesMatch "\.(db|default|htaccess|html|htpasswd|ini|php|phps|ser|sh|spc|sql|xss)$">
order deny,allow
deny from all
</FilesMatch>

<FilesMatch "^(index\.php|index2\.php)$">
order deny,allow
allow from all
</FilesMatch>

I think that should do it :D

-
Written by den2009 VIP on 30 May 2011

In this post, in 2 places, it says:

<Filesmatch "^index.php">
order allow,deny
allow from all
</Filesmatch>
Is this a typo and should it be "order deny,allow",
or is it correct?

-
Written by astoryan on 05 June 2011

Please, how can I secure FTP access on shared hosting?

Thank you in advance.

-
Written by aurabandit VIP on 15 June 2011

Dear friends,

Regarding topic 1 - Htaccess protection, I am a little bit confused. Wishing for some assistance here.

Question 1:

Shall I place the code exactly as specified in the above topic in my .htaccess file if my situation is as below:

  1. The main site (the domain CMS) is using Joomla.
  2. I have another 2 sub-domains (http://subdomain.domain.com), where the first sub-domain is using Joomla and the other one is non-Joomla (PHP-based as well).

Question 2:

Shall I place the code exactly as specified in the above topic in the .htaccess file in my sub-domain's main folder? Well... this question is probably related to my first question, but I ask just to ensure that this issue is covered.

Regards,

-
Written by aurabandit VIP on 15 June 2011

And I'm a little bit confused about which one is better: the code mentioned by Mighty or the code suggested by Dirty Monkey ("Methinks there is code missing from the original post; add this to the bottom of your .htaccess files").

Perhaps somebody could clarify this.

Cheers!

-
