10 tips to improve your website security
Uploaded by sucuri (Category: Technology)
• Overwrite your files
• Right-clicks and presses Delete
• Redirect your clients to other websites
• Steal sensitive information
10 Tips to Improve Your Website Security
1. Update, Update, Update
2. Extension Selection
3. Default CMS Settings
4. Server Configuration Files
5. File Permissions
6. Sensible User Access
7. One Site, One Server
8. Backups
9. SSL
10. [Secret Topic]
Update, Update, Update!
• Check your server for old CMS installations!
• “But my website breaks whenever I update to the latest version!”
Extension Selection
• Check for when it was last updated
• Age of the extension
• Number of installs
• Verify its source
Default CMS Settings
• Most attacks are entirely automated and many attacks rely on default settings
• Joomla’s Media Manager
• backdoor.php would end up at /images/stories/backdoor.php
• The attacker can then execute that file as site.com/images/stories/backdoor.php.
Server Configuration Files
• Prevent directory browsing
• Prevent image hotlinking
• Protect sensitive files: https://docs.joomla.org/Htaccess_examples_(security)
• There is currently no easy way to move the Joomla! /image and /media directories.
File Permissions
Read (4): View the file contents.
Write (2): Change the file contents.
Execute (1): Run the program file/script.
• Confirm your permissions status
For files use: find /home/xxxxxx/domains/xxxxxxx.com/public_html -type f -exec chmod 644 {} \;
Everyone can read the file, but only the owner may write to the file.
For directories use: find /home/xxxxxx/domains/xxxxxxx.com/public_html -type d -exec chmod 755 {} \;
Everyone may read/execute (run), but only the owner (you) may change the directories.
* configuration.php should be set to 444
Sensible User Access
• Every user has the appropriate permission they require to do their job
• Separate user accounts for every user
• Monitor any recent file changes
find /home/xxxxxx/domains/xxxxxxx.com/public_html -type f -ctime -1 -exec ls -ls {} \;
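As an added example (not part of the original slides), the following POSIX shell script turns the two slides above into something repeatable: it audits a web root against the 644/755 baseline (with configuration.php at 444), applies that baseline, and lists files whose status changed in the last 24 hours, as the find command above does. The web root path is a placeholder supplied by the caller.

```shell
#!/bin/sh
# Added example (not part of the original slides): audit a web root
# against the 644/755 baseline, apply it, and list recently changed
# files. Assumes POSIX find/chmod/ls; the web root path is supplied
# by the caller (placeholder, not a real path).

# Print one "ls -ld" line per file or directory deviating from the
# baseline (files 644, directories 755, configuration.php 444).
# Returns 0 when everything matches, 1 when anything deviates, so it
# can be run from cron or a monitoring job before anything is chmod'ed.
audit_perms() {
  root="$1"
  out=$(
    find "$root" -type f ! -name configuration.php ! -perm 644 -exec ls -ld {} \;
    find "$root" -type d ! -perm 755 -exec ls -ld {} \;
    find "$root" -type f -name configuration.php ! -perm 444 -exec ls -ld {} \;
  )
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Apply the baseline from the slides: 644 on files, 755 on directories,
# then lock configuration.php down to 444 last so the file pass does not
# undo it.
fix_perms() {
  root="$1"
  find "$root" -type f -exec chmod 644 {} \;
  find "$root" -type d -exec chmod 755 {} \;
  find "$root" -type f -name configuration.php -exec chmod 444 {} \;
}

# List files whose inode status (content, mode or owner) changed within
# the last 24 hours, as on the "Monitor any recent file changes" slide.
# A script dropped into images/stories shows up here even if its
# permissions already look normal.
recent_changes() {
  find "$1" -type f -ctime -1 -exec ls -ls {} \;
}

# Usage: . ./perms_audit.sh; audit_perms /path/to/public_html || fix_perms /path/to/public_html
```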
One Site, One Server
• With 5 sites on a single server, an attacker might now have:
• 2 Joomla! 3.x installs, 3 Joomla! 2.5.x installs, 5 themes and 50 plugins that can be targets
Backups
• Should be stored offsite and not on the same server as your website (e.g. Dropbox)
• Should be automatic
• Adjust frequency as needed
• Test backups to make sure they work!
• Consider backing up only key files (e.g., themes, plugins, extensions, etc.).
• Often backing up core directories like administrator and includes will be unnecessary
• Keep a clean copy of the original install; you never know when you’ll need it
SSL
• What are the benefits?
• SSL encrypts communications between Point A & Point B – the website server and browser.
• E-Commerce security, websites with sensitive user data or Personally Identifiable Information (PII)
Passwords mean P@s5w0rD$
• 3 key requirements should always be followed
(CLU – Complex, Long, Unique)
• Complex: Should be random
• Long: Should be 12+ characters
• Unique: Do not reuse passwords