Protecting Joomla: Part 2
Like all software, Joomla must be updated whenever a new version is released, since releases usually contain important security fixes. CentOS 5 still uses PHP 4, but the security patches have been applied to PHP 4 as well, so you will also need to keep your CentOS distribution updated.
Joomla file permissions should be 644.
Joomla folder permissions should be 755. The only exceptions are the cache directory and the temporary directories, which must be writable.
Delete the installation directory completely, as leaving it in place represents a major security issue. Change the permissions of configuration.php to 644 as well once you have completed the setup.
Change the administrator name to something else so it is more difficult to guess, and create an excellent password, as people will attempt to guess it on a regular basis. On the Joomla sites I run, one of the most often visited pages is the administrator login... because people are trying to hack it. Create GOOD Passwords!!!! Passwords must include case differences, include symbols and numbers, and be at least 8 characters long.
Create a Restricted Folder for Administrator
One of the most effective ways to protect Joomla is to create a restricted folder with Apache so that only administrators can get access to the folder.
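The script below is an added example, not configuration from the original post. It shows one way to build that restricted folder: an .htaccess in Joomla's administrator directory that makes Apache demand a username and password before Joomla's own login page is even served, plus a helper that maintains the Apache password file. The directory paths, the user name and the password file location are placeholders, and the script assumes Apache honours .htaccess files for the Joomla document root (AllowOverride AuthConfig).

```shell
#!/bin/sh
# Added example, not from the original post. Restricts Joomla's administrator
# directory with Apache basic authentication: a visitor must supply a
# username and password known to Apache before reaching Joomla's login form.
# Assumptions (placeholders for this demonstration): Apache reads .htaccess
# files in the Joomla document root (AllowOverride AuthConfig), and the
# password file lives outside the web root so it can never be downloaded.

# Write an .htaccess into the administrator directory ($1) that accepts only
# users listed in the password file ($2).
write_admin_htaccess() {
    admin_dir="$1"
    passwd_file="$2"
    cat > "$admin_dir/.htaccess" <<EOF
AuthType Basic
AuthName "Joomla administration"
AuthUserFile $passwd_file
Require valid-user
EOF
}

# Add or replace one user in the password file. Prefers htpasswd from the
# Apache tools; otherwise falls back to openssl's apr1 (MD5) format, which
# Apache's basic-auth module accepts.
add_admin_user() {
    passwd_file="$1"
    user="$2"
    password="$3"
    if command -v htpasswd >/dev/null 2>&1; then
        if [ -f "$passwd_file" ]; then
            htpasswd -b "$passwd_file" "$user" "$password"
        else
            htpasswd -cb "$passwd_file" "$user" "$password"   # -c creates the file
        fi
    else
        hash=$(printf '%s' "$password" | openssl passwd -apr1 -stdin)
        # keep every other user's line, then append the new entry
        if [ -f "$passwd_file" ]; then
            awk -F: -v u="$user" '$1 != u' "$passwd_file" > "$passwd_file.tmp"
        else
            : > "$passwd_file.tmp"
        fi
        printf '%s:%s\n' "$user" "$hash" >> "$passwd_file.tmp"
        mv "$passwd_file.tmp" "$passwd_file"
    fi
    chmod 640 "$passwd_file"   # owner and the web server's group only
}

# Usage (placeholder paths):
#   sh restrict-admin.sh /var/www/html/administrator /etc/httpd/joomla-admin.htpasswd alice
if [ $# -eq 3 ]; then
    printf 'Password for %s: ' "$3"; read -r pw
    add_admin_user "$2" "$3" "$pw"
    write_admin_htaccess "$1" "$2"
fi
```

The password file is deliberately kept outside the document root: if it sat under the web root, the same Apache that protects the folder would happily serve the hashes to anyone who asked for them. Because the .htaccess applies to the whole administrator directory, the extra login also shields the administrator scripts from automated guessing against Joomla's own form.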
Restrict Scripting Injection Attacks
Edit your /etc/php.ini file to turn off register globals.
register_globals = off
You can also force SQL injection attacks to bounce by adding this information to the php.ini file.
allow_url_fopen = OFF
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
The first line disables the URL-aware fopen wrappers that allow URL objects to be accessed like files. The second one disables a number of PHP functions:
* show_source — an alias of highlight_file(), which provides syntax highlighting for files;
* system — allows execution of external programs;
* shell_exec — allows execution of commands via a shell;
* exec — allows execution of commands;
* passthru — similar to the exec() function, allows execution of commands;
* phpinfo — outputs PHP configuration information that could be used by potential intruders;
* popen — opens a pipe to a process being executed by a given command;
* proc_open — similar to popen(), but provides better control over command execution.
This may cause you some problems, so you need to test; however, in initial testing it seemed to work OK.
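Since the settings above have to be tested after each change, the following added script (not from the original post) audits a php.ini for exactly the three directives discussed: it reports whether register_globals and allow_url_fopen are off and which of the listed functions are still missing from disable_functions. The path to php.ini is an argument (/etc/php.ini is only the default), the parser follows php.ini's own rules (';' starts a comment, the last assignment of a directive wins), and the sample files in the usage notes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit a php.ini for the
# hardening directives described above. Exit status 0 means every check
# passed; otherwise the status is the number of findings.

# Print the effective value of a php.ini directive: ';' starts a comment,
# directive names are case-insensitive, and the last assignment wins.
ini_value() {
    ini="$1"; key="$2"
    awk -v key="$key" '
        { sub(/;.*/, "") }                      # strip comments
        /^[ \t]*[A-Za-z_.]+[ \t]*=/ {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", k)
            if (tolower(k) == tolower(key)) {
                val = substr($0, index($0, "=") + 1)
                sub(/^[ \t"]+/, "", val)        # trim spaces and quotes
                sub(/[ \t"]+$/, "", val)
            }
        }
        END { print val }' "$ini"
}

# True if a boolean php.ini value means "off".
is_off() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        ""|off|0|no|false|none) return 0 ;;
        *) return 1 ;;
    esac
}

# The functions the post recommends disabling.
REQUIRED_DISABLED="show_source system shell_exec passthru exec phpinfo popen proc_open"

audit_php_ini() {
    ini="${1:-/etc/php.ini}"
    failures=0

    rg=$(ini_value "$ini" register_globals)
    # PHP's built-in default is Off, so an absent directive is acceptable.
    if is_off "$rg"; then
        echo "ok   register_globals is off (${rg:-not set, PHP default is Off})"
    else
        echo "FAIL register_globals = $rg"
        failures=$((failures + 1))
    fi

    fopen=$(ini_value "$ini" allow_url_fopen)
    # PHP's built-in default is On, so an absent directive is permissive.
    if [ -n "$fopen" ] && is_off "$fopen"; then
        echo "ok   allow_url_fopen is off"
    else
        echo "FAIL allow_url_fopen = ${fopen:-not set (defaults to On)}"
        failures=$((failures + 1))
    fi

    # Normalise the comma-separated list so each name can be matched exactly.
    disabled=",$(ini_value "$ini" disable_functions | tr -d ' \t'),"
    for fn in $REQUIRED_DISABLED; do
        case "$disabled" in
            *",$fn,"*) ;;
            *) echo "FAIL $fn is not listed in disable_functions"
               failures=$((failures + 1)) ;;
        esac
    done
    [ "$failures" -eq 0 ] && echo "ok   all required functions are disabled"

    return "$failures"
}

# Usage: sh audit-php-ini.sh /etc/php.ini
if [ -n "${1:-}" ]; then
    audit_php_ini "$1"
fi
```

Run it once against the current php.ini to see what is missing, and again after the edit; a non-zero exit status makes it easy to wire into a periodic check so that a package upgrade that ships a fresh php.ini does not silently undo the hardening.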