6. Multifactor back-end authentication

Password protection
  - Use your host's Control Panel, or .htaccess
  - Best protection
  - Doesn't cost anything
  - More difficult to set up

Secret URL parameter
  - Use jSecure Authentication
  - Very easy to set up
  - Costs money
  - Doesn't protect against direct access to files
18. PHP has a big mouth

# Block the PHP "easter egg" URLs (?=PHP<GUID>): the logo and credits pages
# they return reveal the PHP version. Apache's %{QUERY_STRING} is not
# URL-decoded, so the query string for http://site/?=PHPE... is "=PHPE...";
# the literal "%3F=" prefix on the slide is kept as optional so both forms match.
# The last condition must not carry [OR], otherwise the rule fires for every
# request when none of the conditions matches.
# (Setting expose_php = Off in php.ini disables the easter eggs altogether.)
RewriteCond %{QUERY_STRING} ^(%3F)?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^(%3F)?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^(%3F)?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^(%3F)?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
RewriteRule ^(.*)$ - [R=404,L]
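As an added example (not code from the slides or from the presenter's Master .htaccess), the following Python script checks an Apache combined-format access log for easter-egg requests and reports whether the server actually answered them with 200. It also keeps the slide's literal `^%3F=` pattern to show that it never matches the query string Apache really sees; the log lines are constructed for the example.

```python
import re

# Generic shape of a PHP easter-egg query string: "=PHP" followed by a GUID.
# Apache's %{QUERY_STRING} is not URL-decoded, so the optional "%3F" prefix
# covers the literal form used by the slide's rules as well as the plain form.
EASTER_EGG_RE = re.compile(
    r"^(?:%3F)?=PHP[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
)

# The slide's own pattern for one egg, kept to show that "^%3F=" misses a
# normally encoded request (whose query string starts with "=").
SLIDE_RULE_RE = re.compile(r"^%3F=PHPE9568F36-D428-11d2-A769-00AA001ACF42")

# Apache "combined" log format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def query_string_of(target: str) -> str:
    """Return the raw query string of a request target ('' if there is none)."""
    _, sep, qs = target.partition("?")
    return qs if sep else ""


def is_easter_egg_query(qs: str) -> bool:
    """True when the query string would trigger a PHP easter egg."""
    return EASTER_EGG_RE.match(qs) is not None


def parse_combined(line: str):
    """Parse one combined-format line into a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_easter_egg_probes(lines):
    """Return (ip, target, status, served) for every easter-egg request.

    served is True when the server answered 200, i.e. expose_php was On and
    no rewrite rule caught the request."""
    probes = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        if is_easter_egg_query(query_string_of(rec["target"])):
            probes.append((rec["ip"], rec["target"], int(rec["status"]), rec["status"] == "200"))
    return probes


# Constructed sample log lines (not taken from the slides).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2010:13:55:36 +0000] "GET /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2010:13:55:37 +0000] "GET /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2010:13:56:01 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 9001 "http://www.example.com/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, target, status, served in find_easter_egg_probes(SAMPLE_LOG.splitlines()):
        print(f"{ip} {target} -> {status} ({'leaked' if served else 'blocked'})")
    plain = "=PHPE9568F36-D428-11d2-A769-00AA001ACF42"
    print("slide pattern matches the plain query string:", SLIDE_RULE_RE.match(plain) is not None)
```

A 200 on any of these requests means the version leak is live; a 404 shows the rewrite rules (or expose_php = Off) are doing their job.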
19. Blind the elephant before it stomps you

nicholas@teapot:~/blindelephant$ ./BlindElephant.py mysite.com joomla
Loaded /home/nicholas/projects/3rdparty/blindelephant/trunk/src/build/lib.linux-x86_64-2.6/blindelephant/dbs/joomla.pkl with 33 versions, 3696 differentiating paths, and 122 version groups.
Starting BlindElephant fingerprint for version of joomla at http://joomla.ubuntu.web
Hit http://joomla.ubuntu.web/media/system/js/validate.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/includes/js/joomla.javascript.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/media/system/js/caption.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/media/system/js/openid.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/templates/rhuk_milkyway/css/template.css
Possible versions based on result: 1.5.17, 1.5.18
Fingerprinting resulted in: 1.5.17 1.5.18
Best Guess: 1.5.18

NEWSFLASH: Hackers easily find out which Joomla! version you are using on your site

# Content images under images/stories are served unconditionally; [L] stops here.
RewriteRule ^(images/stories/.*\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|html?))$ - [L]
# Any other static file that exists on disk is only served when the Referer
# comes from this site. Replace www.example.com with your own host name
# (the slide shows "wwwexamplecom"; the dots were lost in extraction).
# Note: requests with no Referer at all (typed URLs, privacy-hardened browsers)
# also get a 404, which is exactly what stops the fingerprinting tool but can
# affect those visitors too.
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{HTTP_REFERER} !^https?://(.+)?www\.example\.com [NC]
RewriteRule \.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|html?)$ - [R=404,L]

More .htaccess rules for further protection in my Master .htaccess: http://snipt.net/nikosdion/the-master-htaccess
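To see what the three-rule block above does before deploying it, here is an added Python model of its decision logic (not the presenter's code and not a substitute for testing against a real Apache). It assumes the site is www.example.com and uses the five files BlindElephant requested in the run above, plus a constructed content image and index.php, as the set of files present on disk.

```python
import re

# Assumption: the protected site is www.example.com (mirrors the slide's
# RewriteCond on %{HTTP_REFERER}, with the dots restored).
SITE_REFERER_RE = re.compile(r"^https?://(.+)?www\.example\.com", re.IGNORECASE)
STATIC_EXT_RE = re.compile(r"\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|html?)$", re.IGNORECASE)
OPEN_PREFIX = "images/stories/"


def decide(path: str, referer: str, existing_files) -> str:
    """Evaluate one request the way the slide's three-rule block would.

    Returns 'allow' (served as-is), '404' (rewritten to a 404) or 'pass'
    (the rules do not apply; Joomla's router handles the request)."""
    rel = path.lstrip("/")
    # Rule 1: anything under images/stories with a static extension is served; [L] stops here.
    if rel.startswith(OPEN_PREFIX) and STATIC_EXT_RE.search(rel):
        return "allow"
    # RewriteCond %{REQUEST_FILENAME} -f : only files that exist are subject to the check.
    if rel not in existing_files:
        return "pass"
    # The RewriteRule only fires for the listed static extensions.
    if not STATIC_EXT_RE.search(rel):
        return "pass"
    # RewriteCond %{HTTP_REFERER} !^https?://...example.com : a missing or foreign
    # Referer satisfies the negated condition, so the request becomes a 404.
    if SITE_REFERER_RE.match(referer or ""):
        return "allow"
    return "404"


def fingerprint_visible_paths(paths, referer, existing_files):
    """Paths a fingerprinting scanner would still receive with a 200, given its Referer."""
    return [p for p in paths if decide(p, referer, existing_files) == "allow"]


# Constructed sample: the five files from the BlindElephant run on the slide,
# plus a content image and the front controller, all present on disk.
PROBE_PATHS = [
    "/media/system/js/validate.js",
    "/includes/js/joomla.javascript.js",
    "/media/system/js/caption.js",
    "/media/system/js/openid.js",
    "/templates/rhuk_milkyway/css/template.css",
]
EXISTING = {p.lstrip("/") for p in PROBE_PATHS} | {"images/stories/logo.png", "index.php"}

if __name__ == "__main__":
    # The scanner sends no Referer: every version-revealing file turns into a 404.
    print("scanner sees:", fingerprint_visible_paths(PROBE_PATHS, "", EXISTING))
    # A page on the site embeds the same files: they load normally.
    print("visitor sees:", fingerprint_visible_paths(PROBE_PATHS, "http://www.example.com/index.php", EXISTING))
    print("content image without Referer:", decide("/images/stories/logo.png", "", EXISTING))
    print("front controller:", decide("/index.php", "", EXISTING))
```

Two things the model makes visible: a visitor whose browser strips the Referer gets the same 404 as the scanner for the site's own CSS and JS, and the `(.+)?` prefix in the Referer pattern accepts any referring URL that merely contains the host name, so `(.+\.)?` is the tighter choice if you only want subdomains to pass.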