03 Sep

Critical Update for Joomla! Users

If you run a Joomla site, start updating it now.

Joomla has just released two new minor versions, v2.5.14 and v3.1.5, that patch a critical security hole, so it is very important that you update as soon as possible. We urge all customers to log in and update their Joomla sites to the latest version to keep them secure. The project has not published many details, but the summary is serious enough: the flaw lets users bypass file-type upload restrictions, and on a PHP site an attacker who can upload a file of any type can usually upload a web shell and run code on the server. The advisory summary:

  • Project: Joomla!
  • Severity: Critical
  • Versions: 2.5.13 and earlier 2.5.x versions. 3.1.4 and earlier 3.x versions.
  • Exploit type: Unauthorised Uploads
  • Reported Date: 2013-June-25
  • Fixed Date: 2013-July-31
  • Description: Inadequate filtering leads to the ability to bypass file type upload restrictions.

More information on Joomla 2.5.14 update here: http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads

If you have any questions, feel free to email us at support[at]tetrahostbd[dot]com.

02 Feb

Joomla! Protection

Joomla! is a popular CMS used worldwide. Many users now prefer to build their sites with Joomla: it is simple in design but still packed with features. Being one of the most popular CMSs also attracts people who want to break in. In practice the problem is usually not the Joomla core itself but the extra modules and plugins available on the market for Joomla, which are written to very uneven standards. In the end it is the site owner's responsibility to harden the site. This article gives some security tips; follow them and you will raise the security of your Joomla site significantly.

Don’t Forget to Update: Never forget to update Joomla to the latest version, and update your extensions just as promptly. Older versions carry publicly known holes, and automated scanners look for exactly those.

Rename the default htaccess.txt file: Joomla ships with a default htaccess.txt that contains a set of Apache rewrite rules blocking many well-known attack patterns (SQL injection and remote-include attempts in the query string, for example). The file does nothing until it is named .htaccess. To rename it, log in to cPanel >> go to File Manager >> find htaccess.txt in your Joomla root directory and rename it to .htaccess. If a .htaccess already exists there, merge the rules instead of overwriting it.

File Permission of Configuration File: Set your configuration.php to permission 600, which means read and write for the file owner only. It holds your database password, so no other account on the server should be able to read it. You can change the permission from the cPanel File Manager. This works because on cPanel PHP runs as your own account user (suPHP/CGI/FPM); on a server where PHP runs as the shared web-server user, 600 would stop Joomla reading its own config, and 640 with the right group is the fallback.

Install Security Plugins: The following two links list extensions that help secure your Joomla site in several ways (request filtering, login rate limiting, two-factor authentication); try them. Remember that every extension is also new code exposed to the internet, so install only what you need and keep it updated.

http://extensions.joomla.org/extensions/access-a-security/site-security/site-protection
http://extensions.joomla.org/extensions/access-a-security/site-security/login-protection

Change Default Database Table Prefix: 

Most automated SQL injection exploits written against Joomla hard-code the default table prefix and go straight for the jos_users table to pull the Super Administrator's username and password hash. Changing the prefix to something random breaks those canned scripts. It does not prevent SQL injection itself: the injection still runs, and a capable attacker can read the real prefix from information_schema or from a verbose error message, so treat this as a speed bump rather than a fix. (Joomla 1.6 and later already choose a random prefix at install time, so this mainly matters for sites upgraded from 1.5 or installed with a hand-picked prefix.) Take a full database backup first. If you do not have phpMyAdmin access, the EasySQL component for Joomla can do the rename. Download the component to your PC, install it through your Admin panel, and follow these steps:

i. Go to Components >> Easy SQL
ii. Now, pull down the Command Menu and select REPLACE PREFIX.
iii. You will see a command like the following: REPLACE PREFIX `jos_` TO `newprefix_`
iv. Replace the word “newprefix” with a prefix of your choice (letters, digits and underscore only; a few random characters is enough).
v. Once you set the new prefix, click on EXEC SQL and you are done!

Please make sure you follow the steps exactly. Afterwards, confirm that the $dbprefix setting in configuration.php matches the new prefix; if it does not, the site will fail with a database error until you correct it.
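For sites where you can reach the database over SSH or through phpMyAdmin's SQL tab, the rename can also be scripted. The following is an added example, not part of the original post or of the EasySQL component: it generates the RENAME TABLE statements for every table carrying the old prefix and rewrites the $dbprefix line of configuration.php to match. The table names and the prefix k7q_ are constructed sample input.

```shell
#!/bin/sh
# Added example, not part of the original post or of the EasySQL component:
# generates the SQL that renames every table from the old prefix to the new one,
# and rewrites the $dbprefix line of configuration.php so Joomla can still find
# its tables. Take a full database backup before running the generated SQL.

# A prefix may contain only letters, digits and underscore (assumed rule, which
# also keeps the prefix safe to splice into the SQL and the sed script below).
valid_prefix() {
  case "$1" in
    ''|*[!A-Za-z0-9_]*) return 1 ;;
  esac
}

# Read table names on stdin, one per line (the output of SHOW TABLES), and
# print one RENAME TABLE statement for each table that carries the old prefix.
# Tables with other prefixes are left alone.
rename_prefix_sql() {
  old="$1"; new="$2"
  valid_prefix "$old" && valid_prefix "$new" || return 1
  while IFS= read -r table; do
    case "$table" in
      "$old"*)
        rest=${table#"$old"}
        printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$table" "$new" "$rest" ;;
    esac
  done
}

# Rewrite the $dbprefix setting of a Joomla 2.5/3.x configuration.php read on
# stdin (the line looks like:  public $dbprefix = 'jos_';).
update_dbprefix() {
  valid_prefix "$1" || return 1
  sed "s/[\$]dbprefix = '[^']*'/\$dbprefix = '$1'/"
}

# Constructed sample table list standing in for SHOW TABLES output:
sample_tables='jos_users
jos_session
jos_content
wp_posts'

# Usage: print the rename statements, then the patched configuration line.
printf '%s\n' "$sample_tables" | rename_prefix_sql jos_ k7q_
printf "public \$dbprefix = 'jos_';\n" | update_dbprefix k7q_
```

Run the printed statements against the database, then replace configuration.php with the output of update_dbprefix (redirect it to a new file and swap the files rather than editing in place), and check the site loads before deleting the backup.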

Change Admin Username: By default your administrative username is admin, and most password-guessing scripts assume exactly that. Changing it takes you out of the path of those scripts; it is not a substitute for a long, unique password, because the username is not a secret. Here is how to change it:

i. Login to your Joomla Admin Panel
ii. Go to User Manager from the Home Page
iii. Now, select the Admin User and Click on EDIT
iv. Here you should see the Username field and it will show you the current username, change it to something else and Click on SAVE

From now, you will have to use the new Admin Username to login.

Password Protect Administrator Directory: You can protect your Joomla administrator folder with the Directory Protection feature of cPanel, which adds a second login (HTTP basic authentication) in front of the Joomla one. Enable it by going to cPanel >> Password Protect Directories. Basic authentication sends the password in the clear on plain HTTP, so use it together with HTTPS for the admin folder.

Limit Admin Access: The administrator folder is the most sensitive part of a Joomla install, so we suggest restricting it by IP address: only the listed addresses can reach the admin folder at all, and everyone else gets a 403 before Joomla even runs. Here is how to do this:

i. Create a .htaccess file under the Joomla administrator folder
ii. Put the following code in it

order deny,allow
# replace 0.0.0.0 with your own public IP; add one "allow from" line per address
allow from 0.0.0.0
deny from all

Replace the allow IP with your own; you can find your public IP at http://www.whatismyip.com. Two caveats: this is the Apache 2.2 directive syntax, and on Apache 2.4 the equivalent is a "Require ip" line with your address; and if your ISP gives you a dynamic address you will lock yourself out whenever it changes, so keep cPanel File Manager access handy to edit the file.
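The three file-level steps above (renaming htaccess.txt, locking down configuration.php, restricting administrator/ by IP) can be done in one go from an SSH shell if your hosting plan offers one. The following is an added example, not part of the original post: the Joomla root and the allowed addresses are arguments, the IP check refuses malformed addresses rather than writing a broken allow list, and the addresses in the usage line are RFC 5737 documentation IPs, not real ones.

```shell
#!/bin/sh
# Added example, not part of the original post: the file-level hardening steps
# done from an SSH shell. Assumes the Joomla root is writable by the current user.

# True only for a dotted-quad IPv4 address with four octets in 0..255.
valid_ipv4() {
  oldifs=$IFS
  IFS=.
  set -- $1
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet; do
    case "$octet" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Print an administrator/.htaccess in the Apache 2.2 syntax used in the post that
# admits only the given addresses. Prints nothing if any address is malformed, so
# a typo cannot silently produce a file that locks everyone out or lets everyone in.
admin_htaccess() {
  [ $# -gt 0 ] || return 1
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
  done
  printf 'order deny,allow\n'
  for ip in "$@"; do
    printf 'allow from %s\n' "$ip"
  done
  printf 'deny from all\n'
}

# Apply the steps to a Joomla root: $1 is the root directory, the remaining
# arguments are the admin IPs. An existing root .htaccess is left untouched.
harden_joomla_root() {
  root="$1"; shift
  [ -d "$root/administrator" ] || { echo "no administrator/ under $root" >&2; return 1; }
  if [ -f "$root/htaccess.txt" ] && [ ! -f "$root/.htaccess" ]; then
    mv "$root/htaccess.txt" "$root/.htaccess"
  fi
  chmod 600 "$root/configuration.php" || return 1
  # Build the allow list in a temp file first: a failed write must not leave an
  # empty administrator/.htaccess that restricts nothing.
  tmp=$(mktemp) || return 1
  if admin_htaccess "$@" > "$tmp"; then
    mv "$tmp" "$root/administrator/.htaccess"
  else
    rm -f "$tmp"
    return 1
  fi
}

# Usage (path and addresses are placeholders):
#   harden_joomla_root /home/user/public_html 203.0.113.7 198.51.100.22
```

After running it, load the admin URL from an address that is not on the list and confirm you get a 403, then from a listed address and confirm the login page appears; an allow list that has never been tested from outside is not known to work.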

Backup Regularly: TetraHost takes a weekly backup of your content, but it is always better to keep your own regular backups of the database and the Joomla files, stored somewhere other than the hosting account itself. If the site does get hacked, you can restore it from the latest clean backup instead of trying to clean a compromised install by hand.

Uninstall Unused Extensions: Uninstall any extension you are not using, completely, rather than just disabling it. A disabled extension's files are still on disk and still reachable over HTTP, so its bugs remain exploitable; removing it shrinks the attack surface.

That’s it! These steps raise the bar considerably, though none of them replaces keeping Joomla and its extensions up to date. If you have any more tips, please share them by commenting on this article.