Joomla! 3.2 includes an abundance of new features appealing to end users and developers alike. One of these new features is two factor authentication. In this tutorial you will learn what two factor authentication is and how you can use it in your components to enhance the security of potentially dangerous or important operations, just like most banks do.
As a Joomla! developer I often find myself providing support to users of my software. Sometimes, despite my best intentions, I hit a stone wall: a server setting is amiss. In this case I explain to my users what the problem is and ask them to contact their host to rectify it. One of the most irritating situations I’ve found myself dealing with is when a host replies “we can’t do this for security reasons”. I would generally accept that, if only the host actually knew what they’re talking about. And, yes, I am specifically talking about the fopen URL wrappers and the fact that they are stupidly disabled on many hosts.
There is a very common misconception that moving configuration.php outside of your Joomla! root somehow makes your site more secure. It’s so common that you can even find instructions on the Joomla! documentation wiki. Let’s separate the myth from the facts and let’s see why this “security” advice may not be as secure as one might think.
This is a user-submitted French translation of my “777: The number of the beast” blog post. Please do not post questions in the comments in French. My French is very rusty 🙂
I promise you, this article has nothing to do with religion; it deals with website security. The demon I mention refers to opening a potential door that lets hackers compromise your site. This article is long, but I promise you will learn things you never imagined. Let's shed light on the mystery of the number 777 and kill the demon!
If you are into Joomla! extensions development you are undoubtedly familiar with the rule of index.html, that is the necessity to put a “blank page” index.html file in any and all directories containing PHP files. This habit is so ingrained in the mentality of Joomla! developers that it’s now dubbed a “security feature” and made a prerequisite to publishing your extension in the Joomla! Extensions Directory. The thing is, is it really a security feature or are we trying to solve the wrong problem?
Joomla!’s temporary off-line mode is a very handy option to temporarily take your site down while performing maintenance —e.g. updating the Joomla! core or an extension— and is even suggested by the official documentation for the unfortunate time that your site has been compromised. However, is this really off-line, or are there any pitfalls you should be aware of?
I promise you, this article has nothing to do with religion. It talks about site security. The beast I am referring to is unwittingly opening a back door to your site to potential hackers. You may not know it, but you could be a sitting duck. It all lies in the dark world of ownership, users, groups and permissions. This is a long article, but I promise you will learn things you would have never imagined. Let us shed some light on the mystery of the 777 number and kill the evil beast!
As you all know, every new Joomla! installation comes with a Super Administrator account with a well-known user ID: 62. Nobody really knows for sure why 62 was chosen, but this can lead to your site’s security being compromised. Why? It is a very well known value and potential hackers can take advantage of it in conjunction with another vulnerability to take control of your site. Known constants are a security nightmare as made clear in the case of the attack against Joomla! 1.5.5 which caused a lot of sites to be compromised as the researcher who found the vulnerability released it to the general public before the Joomla! team had a chance to fix it.
One easy workaround is to demote this well-known user account down to the Registered level and block it, hanging potential hackers out to dry. However, in order to complete our security modification we do need another Super Administrator. The problem is that if you just create a new user his ID will be 63, which is not secure at all; it’s a hacker’s next best bet. So, we need a way to create a Super Administrator with a random ID, preferably in the 1-61 range which is otherwise unused in Joomla!. This is what we are going to do, folks, without even using phpMyAdmin for the task.
Note: You will be modifying your site’s database. Even though the following procedure is well-tested, it’s best to practice it on a local testing server first.
If you have ever been a regular of the Joomla! forums you have most certainly come across some frustrated post of a panicked user whose site has been hacked. The truth is all web applications suffer from the same phenomenon, not because they are insecure by nature, but because most people don’t have the slightest clue about what they are supposed to do to protect their site. Security isn’t all that hard, but it isn’t all that straightforward, either. It’s a bit like contraception. It’s necessary, but no method is bulletproof. As a result, this article is not meant to be a complete guide to Joomla! security, but – very much like the Joomla! Security Checklist – it is just a set of guidelines you can easily follow, for that extra peace of mind.
This article was originally written in December with the intent of being volunteered to the Joomla Community Magazine. Three months down the road and things are still stagnating for JCM, mostly due to the unavailability of volunteers. I decided to post this article on my site for two reasons. The first being that it would become irrelevant by the time JCM would finally be online. The second – and most important – being a call for volunteers. Joomla! needs you. Please, give some of your time to be part of this. Thank you!