It Only Takes One

It only takes one site that is not up to date to allow a hacker access to the server and all its bounty. Not neglecting to update a website when there is a security release is paramount to ensuring that the server and all the other sites on it are secure. Even in our due diligence we can have many sub domains where we may be testing or building the next big thing for our clients and it is these sites that are the most vulnerable because once we are done we move on to other things and will likely forget about them until it is too late!

 

When Joomla or any software for that matter posts a critical updates it is like a newspaper headline telling all hackers where the vulnerability is. So even if they did not know it existed before they do now and it is critical to do your best to stay at least one step ahead of them at all times!

Also take the time to ensure that you don’t have any of these long forgotten demo sites or sites you was using to build a client’s website resting in some dark corner of your accounts. Below is a checklist that I use when I am messing around in my accounts of things I am looking for while I am there.

Things I look for when I am in FTP:

• Sub domains that I forgot about
• Files and Folders that seem strange or should not be there (knowing the Joomla file structure is very important and knowing this makes this task easy to spot foreign files and folders)
• A leftover Kickstart.php, Akeeba backup file, Joomla install package file or an installation folder.
• Check the size of the .htaccess file to make sure it is the size it should be and if it is not enabled it’s a good idea to find out why if you are using user friendly URL’s and I don’t know anyone running Joomla that would not be using this?

Things I look for when I am in cPanel:

• With the above I might use the file manager to check for those issues and it is faster and easier to delete folders here than in an FTP program.
• Leftover databases where it is important to delete the files for our test sites it is also just as important to delete the database or at the very lease remove the user from it so it is not accessible.
• FTP accounts to make sure there are none there that should not be there
• Email accounts that should not be there
• Look at the bandwidth meter and other sidebar items that may give you a sign that something is not right

Things I look for in Joomla Admin:

Check the Global Configuration:

• ensure that basic things are setup correctly and a client has not enables something they should not have.
• default editor is set to NONE
• session lifetime is not some ridiculous length of time
• server email address is set to something other than a legitimate address ( I like to use This email address is being protected from spambots. You need JavaScript enabled to view it.)
• If using 2.5 check that you did not get caught by the Admin Tools bug and your text filter permissions are setup correct.

Insure your common extensions are up to date: (The main reason we need to do this is because like me I am sure you do not pay for a subscription to the vulnerability list that reports extensions that have critical updates.

• Admin Tools
• Akeeba Backup
• JCE (be careful with this tool in 1.5 sites as an update can crash the site!)
• RSFirewall (I try and make sure an updated copy of this is on the server so if you use this check there for the updated package. Note that every time the core is updated this tool is updated so it knows the latest version of Joomla and I have yet to see a critical update for this powerful tool)
• Any other component that you know gets regular updates

Not so common but I do check this when I remember is to make sure that if I use a template that has a framework, and that is almost all of them these days. That there are no updates to them and if I have made modifications to the core files I will check that this is not a security update and normally if it is not and the site works I don’t worry about it.

Admin Tools specific:

• In the tools panel I will run three of these on a regular basis regardless if I thing the site needs it or not. I will run the Fix Permissions, Clean Temp-Directory and the Repair & Optimize Tables tools.
• While you are here if you have not done so and I recommend this for all fresh installs is to click the Super Administrator ID tool and make sure your super user is not listed on the default position and if so run this tool to quickly fix that problem. In the past we was told not to delete the super admin that this tool created but from version 2.2.0 on we can delete this user. Still make sure that if your site gets a lot of users that there is no user that has higher than registered permissions on user ID 42 (62 for Joomla 1.5 sites). Hopefully the Joomla team will actually fix this in the next version. As is they knew about this vulnerability in 1.5 and instead of giving us the control to set a user ID they just changed it, thinking that somehow a hacker would never figure this out! Who says developers are not morons?

Joomla 2.5 specific checks:

• In extension manager there are some new features that can help with trouble shooting and also for overall integrity of your site. Go to the Database tab and make sure the database is configured properly and if there are warning click the fix icon in the top right.
• There is also a new feature that we can use to make sure that extensions and templates on the site are properly installed and going to the Discover tab we can check to make sure they are. This is also a great tool if you have a template that does not have an installer, just upload the template and run this tool to install it. It will not work with Rocket Theme templates though because these morons found it necessary to add parts of their framework in other areas of the site.
• One note while we are talking about the Extension Manager, there is a new tab called Update and while this is a great addons it is new and as such using it should be considered at your own risk! Primarily because many of the better extension developers saw the need for this feature long before the Joomla team added it and they built their own. If you use this tool rather than the extensions tool to update it, you are likely to at best crash the extension but this has also been reported to brick the entire site. So my recommendation is not to use this tool for the time being and then only for the tools you know for sure are designed to use it.

I hope it helps you somewhere to have a better understanding of the things I do for my Joomla sites security and integrity.