This talk was delivered at the first CMS Africa summit in Nairobi, Kenya which was held between 7-8 March 2014. The talk explores basic security precautions to take when considering using a Content Management System.
5. Understand permissions
Read (r): can view the file. chmod +r / -r. Numerical value = 4
Write (w): can make changes to or modify the file. chmod +w / -w. Numerical value = 2
Execute (x): can run the file (generally applicable at the command line). chmod +x / -x. Numerical value = 1
NOTE: on a folder the execute bit means "traverse": without it the files inside cannot be accessed, even by name, and the read bit (which only controls listing the names) is of little use on its own.
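As an added example (not code from the talk), the following Python script turns the r/w/x weights above into numbers and back, and then audits a constructed mini web root for the mistakes the slide warns about: world-writable paths, PHP files carrying an execute bit, and folders missing the execute (traverse) bit. The file names and the chosen modes are assumptions for illustration only.

```python
import os
import shutil
import stat
import tempfile

MODE_BITS = "rwxrwxrwx"  # owner, group, other; within each triplet r=4, w=2, x=1


def symbolic_to_octal(sym):
    """'rwxr-xr-x' -> 0o755 by summing r=4, w=2, x=1 in each triplet."""
    if len(sym) != 9:
        raise ValueError("expected 9 characters such as rw-r--r--")
    mode = 0
    for ch, expected in zip(sym, MODE_BITS):
        mode <<= 1
        if ch == expected:
            mode |= 1
        elif ch != "-":
            raise ValueError("unexpected character %r" % ch)
    return mode


def octal_to_symbolic(mode):
    """0o644 -> 'rw-r--r--' (only the nine permission bits are considered)."""
    return "".join(b if mode & (1 << (8 - i)) else "-" for i, b in enumerate(MODE_BITS))


def audit(root):
    """Walk a web root and return (relative_path, problem) pairs a CMS deployer should fix."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        filenames.sort()
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable directory"))
            if not (mode & stat.S_IXUSR):
                # no execute bit: nothing inside can be reached, even by exact name
                findings.append((rel, "directory not traversable by owner (no x)"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable file"))
            if name.endswith(".php") and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                # PHP is read by the interpreter, never executed directly: 644 is enough
                findings.append((rel, "execute bit set on PHP file"))
    return findings


def run_demo():
    """Build a constructed sample web root (assumed names), audit it, clean up, return findings."""
    root = tempfile.mkdtemp(prefix="cms_perm_demo_")
    logs = os.path.join(root, "logs")
    try:
        images = os.path.join(root, "images")
        os.mkdir(images)
        os.chmod(images, 0o777)          # the sloppy "make uploads work" fix
        os.mkdir(logs)
        os.chmod(logs, 0o600)            # r+w but no x: contents unreachable
        conf = os.path.join(root, "configuration.php")
        with open(conf, "w") as f:
            f.write("<?php // constructed sample\n")
        os.chmod(conf, 0o644)            # correct: owner rw, everyone else read only
        index = os.path.join(root, "index.php")
        with open(index, "w") as f:
            f.write("<?php // constructed sample\n")
        os.chmod(index, 0o755)           # unnecessary execute bit
        return audit(root)
    finally:
        try:
            os.chmod(logs, 0o700)        # restore x so the temp tree can be removed
        except OSError:
            pass
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, problem in run_demo():
        print("%-20s %s" % (path, problem))
```

Point the `audit` function at a real document root (run as the account that owns the files, not root, so the traversal check reflects what the web server will actually see) before handing a site over.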
15. To find more information
magazine.joomla.org
docs.joomla.org
Ruth Cheesley - @RCheesley
Speaker notes
Good afternoon, and thank you for inviting me to speak at CMS Africa
Joomla! Community Leadership Team for just over a year
User Group team,
Marketing Working Group
experiences within Open Source communities, and particularly around the topic of getting more women involved in technology.
Passionate about promoting Science Tech Eng Maths as an exciting and interesting career choice for women.
Security starts before you even get to installing the CMS: it starts when you select a hosting provider.
- Hosting
  - experience with CMSs
  - Linux based (personal preference)
  - security practices
  - trust
- Working with contractors
- Extensions
  - refer to the Joomla docs/JCM (Joomla Community Magazine) for more detail
  - resources.joomla.org
It's important to understand how file and folder permissions work. Use the best practices for your CMS; don't compromise on this just because your hosting environment isn't set up properly.
It's your job to stay up to date with security updates
Make sure that you sign up for updates from extensions and template providers
Keep up to date with CMS core updates, apply them.
This is your responsibility as web developer. If you use a CMS, you take the responsibility for keeping it secure.
Sell the CMS with the understanding that clients need to update
Opportunity – sell them training
Opportunity – sell a support contract
Be clear. Be responsible. If they aren't willing to do updates themselves, or pay you to do it, walk away.
Keep up to date with new developments in how passwords are stored:
- MD5
- salting
- bcrypt
Things are changing all the time; you have to keep up with these changes by keeping your CMS up to date (and/or by getting involved in the open source project to bring these new features to your CMS).
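To make the MD5 / salting / bcrypt progression concrete, here is an added Python example (not code from the talk or from any CMS). It shows why an unsalted fast hash is matched by a precomputed table, why a per-user salt stops that, and what a deliberately slow, salted hash looks like. Assumption: the slow hash uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for the bcrypt the slide names, purely so the script runs without a third-party package; the stored-string layout and the sample passwords are also invented here.

```python
import hashlib
import hmac
import os


def md5_unsalted(password):
    """What old CMS installs did: one fast, unsalted hash per password."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_attack(digest, wordlist):
    """Why unsalted MD5 fails: build the table once, then match stolen hashes for free."""
    table = {md5_unsalted(word): word for word in wordlist}
    return table.get(digest)


def salted_sha256(password, salt=None):
    """Salted hash: a random 16-byte salt per user makes precomputed tables useless.
    Stored as 'sha256$<salt hex>$<digest hex>' (format assumed for this example)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return "sha256$%s$%s" % (salt.hex(), digest)


def slow_hash(password, iterations=200_000, salt=None):
    """Slow, salted hash (PBKDF2-HMAC-SHA256 standing in for bcrypt).
    The iteration count is stored so it can be raised later without breaking old hashes."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify(stored, password):
    """Re-derive with the stored salt/parameters and compare in constant time."""
    parts = stored.split("$")
    if parts[0] == "sha256":
        candidate = salted_sha256(password, bytes.fromhex(parts[1]))
    elif parts[0] == "pbkdf2_sha256":
        candidate = slow_hash(password, int(parts[1]), bytes.fromhex(parts[2]))
    else:
        raise ValueError("unknown hash format")
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # constructed sample data: a leaked MD5 and a tiny "wordlist"
    leaked = md5_unsalted("letmein")
    print("MD5 of a weak password recovered by lookup:", lookup_attack(leaked, ["123456", "letmein", "qwerty"]))
    print("Two users, same password, salted:", salted_sha256("hunter2") != salted_sha256("hunter2"))
    print("Slow hash verifies:", verify(slow_hash("hunter2", 20_000), "hunter2"))
```

Two things the slide's list implies but does not spell out: the salt is not secret (it is stored beside the hash), and "slow" only helps if the work factor is revisited as hardware gets faster, which is why the iteration count is kept in the stored string.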
How many people have two-factor authentication enabled?
Use YubiKeys or a mobile phone app (Google Authenticator).
Easy to implement, easy to explain: something you know (your password) and something you have (a device that produces a unique one-time password).
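The "something you have" part is the one-time code computed from a shared secret and the clock, which is what Google Authenticator and YubiKeys in OATH mode produce. As an added example (not the talk's or any CMS's own code), the Python below implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, builds the otpauth:// URI that an authenticator app enrols from, and verifies a submitted code with a small clock-drift window, a constant-time compare and replay protection. The account and issuer names are assumptions; the 20-byte secret is the RFC test vector so the results can be checked against the published values.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter taken from the clock (30-second steps by default)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits)


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI (base32 secret) that Google Authenticator scans from a QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote("%s:%s" % (issuer, account))
    return "otpauth://totp/%s?secret=%s&issuer=%s" % (label, b32, quote(issuer))


def verify_totp(secret, code, unix_time=None, window=1, last_used_counter=-1, step=30, digits=6):
    """Return the accepted counter, or None.
    Tolerates +/- `window` steps of clock drift, compares in constant time and refuses any
    counter at or below last_used_counter so a captured code cannot be replayed."""
    if unix_time is None:
        unix_time = time.time()
    current = int(unix_time) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits).encode(), code.encode()):
            return counter
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226/6238 test secret, not a real key
    print(provisioning_uri(secret, "admin@example.org", "Example CMS"))  # assumed names
    print("current code:", totp(secret))
    print("accepted counter:", verify_totp(secret, totp(secret)))
```

Persist the returned counter per user (the `last_used_counter` argument on the next call); without it the window that forgives clock drift also lets an attacker who shoulder-surfed a code reuse it for up to a minute.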
Problems with spam? Tools that help:
- Admin Tools for Joomla
- Project Honeypot
- StopForumSpam
- Blacklists/whitelists
Look out for malicious activity and block it before it gets to your site.
Hide the admin panel.
Sooner or later, with all the best security, you will have a disaster happen.
Client deletes site, server gets compromised, site gets compromised.