This document provides an overview and recommendations for securing a Joomla! website. It discusses hosting and server configuration, including using secure file permissions, disabling unnecessary PHP functions, and protecting admin directories. It also recommends only installing official Joomla! versions and extensions from trusted sources, using strong passwords, regular backups, and staying up-to-date with security patches. Tips are provided for monitoring the site, detecting intrusions, and recovering from hacks. Links to documentation and security resources are included.

1. Joomla! 1.5 Security Joomla!day Presentation Utrecht, Netherlands 12 june 2009

2. Is Joomla! safe?

3. Is the World Wide Web Safe?

4. You know, I don't mean any disrespect, but I had to chuckle by the question "Is Joomla! not safe?" since it reminded me of the movie The Marathon Man when the dentist is pulling Dustin Hoffman's teeth out, asking "Is it safe?" and he's so desperate to get the Dentist to stop that he says Yes or No or What do you want to hear? Is Joomla! safe? Quote taken from: http://forum.joomla.org/viewtopic.php?f=432&t=318351&st=0&sk=t&sd=a

6. I would say - anyone who tells a community that a Web site or a out of the box solution is safe is not being responsible. No , it is not "safe" on the Internet.

7. What is this presentation about?

9. Hosting and Server Setup

10. Joomla Setup

11. Site Administration

12. Site Recovery Presentation overview

13. Getting started

14. Getting started

15. Getting started

17. Please don’t report hacks or proof-of-concepts out in the open, also report them to JSST

19. RSS feed http://feeds.joomla.org/JoomlaSecurityNews Getting started

20. Hosting and server set up Shared hosting? Or Dedicated hosting?

21. Hosting and server set up “ register_globals” “ open_basedir”

24. Configure your php.ini file properly (most of the times limited with shared hosts) Hosting and server set up

26. “ Use PHP open_basedir ”

27. Don't use “ PHP safe_mode ” (it gives a false sense of security)

28. Don't use “ PHP register_globals ”

29. Don't use “ PHP allow_url_fopen ”. This option enables the URL-aware fopen wrappers that enable accessing URL object like files.

30. Joomla! setup

32. Change the default administrator username

34. Ensure that all configurable paths to writable or uploadable directories

38. Always test before you install on your life server

39. Check for extension vulnerabilities

40. Download from trusted sites

41. User beware! Check the code quality

42. Test! Test! Test!

43. Remove junk files (all that is not needed)

44. Avoid encrypted code Joomla! setup

45. Site administration

47. Maintain a strong site backup process

48. Monitor crack attempts (tripwire, SAMHAIN)

49. Perform manual intrusion detection (manual logfile scan)

50. Stay current with security patches and upgrades Site administration

52. Follow a logical and rigorous recovery process

53. Reset your administrator password (and all admins/super admins)

54. Find exploit attempts using the *NIX shell Site recovery

55. Links

57. Joomla! Security Strike Team (JSST): http://developer.joomla.org/security.html

58. Report issues to JSST : http://developer.joomla.org/security/contact-the-team.html Links

60. developer.joomla.org/security.html

61. www.secunia.org

64. www.openbsd.org/security

65. www.redhat.org/apps/support Sites to monitor when you take security seriously

66. Questions?