Part V Site Maintenance and Management IN THIS PART Chapter 25: Keeping Your Site Secure and Up to Date Chapter 26: Managing Performance and Accessibility Chapter 27: Making a Site Search Engine Friendly 685 CHAPTER Keeping Your Site Secure and Up to Date IN THIS CHAPTER Security best practices Keeping up with security notices Managing site maintenance Upgrading a Joomla! installation S ite security and change managements are two critical issues for site owners and administrators. This chapter looks at security best prac- tices for Joomla! and provides advice and tips on how to set up your Joomla! site in a secure manner and thereafter keep it secure. Keeping your site patched and up to date is one of the keys to maintaining your site’s integrity and protecting it against hackers. Accordingly, this chap- ter also discusses basic back up and upgrade processes. Management of upgrades and patches can be time consuming, particularly for complex sites with numerous extensions. Accordingly, adoption of a formalized process for handling these recurrent issues is your best bet for decreasing your site man- agement overhead. Security Best Practices Creating and maintaining a secure web site requires attention to a variety of issues. The process starts at server setup and continues throughout the life of the site. There is no such thing as a site you can create and forget; no such thing as a site that takes care of itself. To keep your site safe you must take affirmative steps and you must develop an awareness of the issues. Although you cannot protect yourself from every conceivable threat, you can reduce the vulnerability of your site to a manageable level with a reasonable amount of effort. Caution The single most important factor in maintaining the integrity of your site over time is the creation and maintenance of a backup and recovery process. Part V: Site Maintenance and Management 686 Securing the Joomla! core Security is not one single thing; it is a process, a set of steps that need to be taken to achieve a result. The process begins with your server settings and the Joomla! core files. If you fail to make this base level of the system secure, then additional steps are at the very least of limited effective- ness, at the very worst pointless. Tip The first step toward assuring your site’s integrity is also one of the easiest: Only install the most recent version of the Joomla! core file packages found at the official download site, JoomlaCode.org. Do not download and install core file archives from other sites, because you cannot be certain of their origins, completeness, or integrity. Protecting directories and files You can take several steps to enhance the security of the directories and files on your server. The first step is adjusting the permissions to be as strict as possible without impairing use of the site. Write-protect your critical directories. As a general rule, set the directory permissions to 755 and the file permissions to 644 using either FTP or the options in the Global Configuration Manager. Note that this is best done after you have fully completed your installation of the core and all extensions. It is possible that you may have to make these setting more permissive if you need to install extensions in the future. Cross-Reference The file permissions controls in the Global Configuration Manager are discussed in Chapter 4. Tip There’s a good discussion of how to set file permissions and what they all mean on the Joomla! docs site at http://docs.joomla.org/Security_and_Performance_FAQs#How_do_UNIX_file_ permissions_work.3F There are a number of other steps you may want to consider taking; however, you should note that each of these has a trade-off, either in terms of increased admin overhead or other limitations: l Move the configuration.php file outside of the public HTML directory on your server and rename it: Place a new configuration.php file in the public HTML directory pointing to the new file. Make sure your new file is not writable in order to avoid it being overwritten by the Global Configuration Manager. Note that making this change forces you to modify the new configuration file manually, rather than by using the Global Configuration Manager. For more information on how to set this up, see http://docs. joomla.org/Security_and_Performance_FAQs l Use .htaccess to block direct access to critical files: Note this is only applicable to serv- ers using the Apache web server and web hosts that allow you to modify .htaccess. Make sure you back up your old .htaccess file before you try this in case you experience prob- lems and need to restore the old file. Chapter 25: Keeping Your Site Secure and Up to Date 687 l Change the default log path: Hackers sometimes look to the log files as a way to identify what extensions you have installed, in hopes of finding an extension that has a known vulnerability they can exploit. To help deter this bit of information-fishing, alter the log path settings in the Global Configuration Manager. l Change the default temp directory: The contents of the temp directory can also provide information you may not want to disclose about your site. You can alter the temp direc- tory settings in the Global Configuration Manager. l Use SEF URL rewriting: Joomla!’s default URLs often carry with them information that indicates the extensions used on the site. The default URLs provide another source of information for those who might be looking for vulnerable URLs. Implement an SEF URLs extension to avoid this problem. In addition to providing search engine benefits, the SEF URL writing will obscure your original URLs and mask this information. Cross-Reference Working with the Global Configuration Manager is discussed in detail in Chapter 4. Protecting from unauthorized access Humans are your most common point of security policy failure. Admin passwords should be changed often. The default username that is produced for the administrator during the installation process should also be changed immediately after the system is set up. Leaving the default user- name as “admin” gives a hacker one half of the answer to the puzzle he needs to solve to gain access to your site. Passwords should always be as secure as practicable. When the Joomla! creates your first user account, it always gives it the same ID number, 62. As a result, this means that hackers have a place to start trying to gain access to your site; they know the userID of your super administrator account. In order to shut down this avenue of attack, create a new super administrator user and delete the default account. Cross-Reference Creating and deleting users is covered in Chapter 10. In addition to controlling the access to your admin system, you need to be sensitive to the access issues that relate to your database. If you have control over the access privileges to the user accounts on your MySQL database, make sure that all accounts are set with limited access. If you want to go further, you may want to vary from the default database prefix used by the Joomla! installer. During the installation process you are given the choice of whether to use the default prefix, jos_, or to set your own. If you want to increase the security of your site, select the option to designate your own prefix. By varying from the default setting, you make it more difficult for a hacker to compromise your database. Cross-Reference Setting the database table prefix is covered in the discussion of Joomla! installation in Chapter 2. Part V: Site Maintenance and Management 688 Caution A good administrator password should be at least seven characters in length and employ a combination of upper- and lowercase letters, numbers, and nonalphanumeric characters. Never, under any circumstances, use words that can be found in the dictionary! This is common sense: “4tG~9fU#ss3” is a lot harder to crack than “tinytoons.” Removing unnecessary files If you don’t need it now and you don’t intend to use it, get rid of it. Logical targets for deletion include: l Unused templates l Extensions you have installed then decided not to use l Unused applications you have installed on your server l Archive files copied to your server during the course of installation l The installation directory Tip As mentioned in Chapter 3, don’t simply rename the installation directory, delete it. l Another candidate for deletion in Joomla! 1.5.x is the system’s XML-RPC server. If you are not using this functionality, delete it. It is located in the Joomla! root in the directory named xmlrpc/. Another good idea is to disable all unused core components that cannot be uninstalled. Disabling unneeded core components shuts down one more avenue of attack and has the added advantage of cleaning up the administration interface. To disable a core component in Joomla! 1.5.x, follow these steps: 1. Access the admin system of your site. 2. Click on the InstallUnistall option under the Extensions menu. The Extensions Installer dialogue opens in your browser. 3. Click on the Components link. The Components dialogue opens in your browser. 4. Indentify the components you want to disable and then click on the green arrow in the Enabled column. The Enabled column indicator changes to show a red X, and the component is now disabled. Maintaining a sensible server setup In an ideal world, we would all have our own dedicated servers where we could control every aspect of the system. In the real world, shared hosting is the reality for many users. Shared hosting, although certainly more cost effective than a dedicated host, involves trade-offs in terms of security and access privileges. Chapter 25: Keeping Your Site Secure and Up to Date 689 Your goal should be to make the host setup as secure as possible, regardless of whether it is dedi- cated or shared. Exactly what you are permitted to do with your server varies, but you should con- sider the following: l Use Secure FTP, if available: Doing this helps avoid the possibility that someone can determine your username and password while you are in the process of a file transfer. l If possible, use PHP 5: While both PHP 4 and 5 are supported by Joomla!, PHP 5 is the superior solution, and PHP 4 is being phased out. l Make sure your server does not have Register Globals enabled: Joomla! does not need it and it is a security risk. l If the mod_security module is installed on your Apache web server, use it: It acts as an embedded web application firewall and provides significant protection against many common attacks. Learn more about how to use it at www.modsecurity.org/. l Turn safe mode off: Safe mode is not necessary for Joomla! and may cause problems with some extensions. l Set Magic Quotes GPC to On: Set this option to On. l Don’t use PHP allow_url_fopen: Set this option to Off. l Use PHP open_basedir: Set this option to On. Tip Contracting with a web host solely on the basis of price is a bad idea. Moreover, as competition has increased in the hosting space, it is becoming more of a commodity business and price points have narrowed. Instead of simply taking the cheapest host, make your selection based on service levels, quality of hardware, access privi- leges, software installed, and backup policies. Securing third-party extensions From a security perspective, every extension you install on your Joomla! site increases the risk you face. Each extension comes with its own set of files and potential vulnerabilities. Moreover, the fact that extension quality varies wildly is a serious issue for site owners, and each extension you install brings with it a need for due diligence and ongoing maintenance. Given these issues, the first point of concern for site owners should be the issue of trust: Do you trust that the developer is capable of producing solid, secure code and do you trust this developer to keep it patched and keep users abreast of risks as they arise? Never forget that, just like the core files, extensions have to be main- tained, patched, and upgraded. The wide variety of Joomla! extensions means that you have choices. Accordingly, before you decide to adopt a particular extension, you need to do your research. Not only should you be con- cerned with whether it works and looks like you want it to, but also you need to be convinced that the extension is of good quality and comes from a reputable source. There are no guarantees; it is up to you to do your homework and make a judgment call. Visit the developer’s site. Is it profes- sional? Is it up to date? If this is a project-based extension, check for levels of project activity and Part V: Site Maintenance and Management 690 issues that have been reported but remain unfixed. Extensions listed on the Joomla! Extensions Directory include ratings and reviews — read them! Tip Joomla! maintains a Vulnerable Extensions List. You should always check this before making a final decision on the adoption of a particular extension. The list is maintained at http://docs.joomla.org/Vulnerable_Extensions_List . Next, before you install a new extension on a live site, test it locally. Check to make sure it installs cleanly and without error messages. Test all the various functionalities, regardless of whether you intend to use them all. It’s also a good idea to check and see if the extension comes with a README file; if it does, read it! Finally, before installing the new extension on your live site, back up the live site. That way, if a problem occurs you can roll back and restore from the backup. If at some point in time you decide that the extension is no longer necessary and you uninstall it, make sure that the extension has uninstalled cleanly and has not left any files on your server. Often, extensions leave directories and files behind on your server, despite being uninstalled. Keeping Up With Security Notices Things change. New vulnerabilities are discovered and new exploits are created to take advantage of them. Sometimes the rate of change is quite impressive, and it becomes a challenge to keep up and maintain all aspects of your site. The Joomla! Security Strike Team was formed by the commu- nity as an attempt to address the dynamic nature of threats to the Joomla! system. As new issues are discovered, the community reports them to the Strike Team. The team formulates responses, works to learn more and, when needed, get patches out to the users. Keeping up with the announcements from the Joomla! Security Strike Team is one of the ways you can stay informed of important news that may impact your Joomla! site. Important notices are always published on the home page of Joomla.org. In addition, the default Joomla! 1.5.x system includes in the control panel an RSS feed from the Joomla! Security Strike Team, as shown in Figure 25.1. Of course, if you rely on these default notifications, you only discover new alerts when you visit Joomla.org or when you log into your Joomla! installation. If you want more imme- diate notices, then you should consider either subscribing to the RSS feed with a separate news reader or joining the mailing list so that notifications are sent to you by e-mail. The URLs for both services are included in the Table 25.1. . candidate for deletion in Joomla! 1. 5 .x is the system’s XML-RPC server. If you are not using this functionality, delete it. It is located in the Joomla! root in the directory named xmlrpc/. Another. disable a core component in Joomla! 1. 5 .x, follow these steps: 1. Access the admin system of your site. 2. Click on the InstallUnistall option under the Extensions menu. The Extensions Installer. project-based extension, check for levels of project activity and Part V: Site Maintenance and Management 690 issues that have been reported but remain unfixed. Extensions listed on the Joomla! Extensions