How to Secure and Harden Joomla Web Site


Security on the Internet is a fast-moving challenge, and there is no single right way to secure a website.

Back Up Your Joomla Web Site Regularly:

Choose a good Joomla hosting company with a sound backup plan.

Even if you have a reliable hosting company, take Joomla backups manually as well. If possible, set up a cron job to take a backup on a weekly basis. Do it right now!

Enabling Search Engine Friendly (SEF) URLs:

Search engine friendly (SEF), human-readable or clean URLs are URLs that make sense to both humans and search engines because they describe the path to the page they point to. A good SEF component also gives a security benefit: it masks the component and query information that a raw Joomla URL exposes, making it harder for an attacker to locate potential security vulnerabilities.

Log in to Joomla Administration:

Click on Site >> Global Configuration.

On the Site tab, select “Yes” next to Search Engine Friendly URLs.

Secure the Administrator Login with a Complex Password:

Make sure to change the default administrator account name “admin” and to set a strong password that is not easily guessable.

This is probably the biggest security risk in Joomla. By keeping the default user name and a guessable password, you are doing the attacker's job for them.

Secret Key to Log In to Joomla Administration:

Hide the administrator back end from potential attackers and allow only those who have the secret URL to access the administration area.

There are a number of login protection extensions available that add a secret key to the administrator URL.

jSecure and kSecure are two such extensions, and I have found them good.

Check for the Latest Secure Version of Joomla:

Most importantly, every administrator of a Joomla website must keep Joomla and its extensions up to date.

Monitor Joomla Web Site:

Web site availability is key for your customers, clients and business.

Keep File/Folder Permissions Appropriate:

All files should have a sensible CHMOD configuration.

Config Files – 666
PHP files – 644
Other folders – 755
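An added example (not code from the original article or from the Joomla project) that audits a web root against the CHMOD list above: it walks the tree, reports every entry whose mode differs from the expected value for its kind, and separately reports anything that is world-writable, since a world-writable file can be modified by any local user or by another site on a shared host. The expected-mode map is a parameter that defaults to the article's values; the config file name configuration.php and the constructed sample tree built by `build_sample_tree` are assumptions of the example.

```python
"""Audit file and directory modes under a web root (added example)."""
import os
import stat
import tempfile

# Expected modes, following the article's list. Note that 0o666 on the
# config file is itself world-writable, so the audit still lists that file
# in the world-writable report even though it matches the expectation.
EXPECTED = {
    "config": 0o666,   # article value; 0o644 is the safer choice
    "php": 0o644,
    "dir": 0o755,
}
CONFIG_NAMES = {"configuration.php"}   # assumption: Joomla's config file name


def classify(path: str, is_dir: bool) -> str:
    """Map an entry to one of the kinds in EXPECTED ('other' is unchecked)."""
    if is_dir:
        return "dir"
    name = os.path.basename(path)
    if name in CONFIG_NAMES:
        return "config"
    if name.endswith(".php"):
        return "php"
    return "other"


def audit(root: str, expected=EXPECTED):
    """Return (mismatches, world_writable): sorted lists of (relative path, octal mode)."""
    mismatches, world_writable = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            rel = os.path.relpath(full, root)
            kind = classify(full, is_dir)
            if kind in expected and mode != expected[kind]:
                mismatches.append((rel, oct(mode)))
            if mode & stat.S_IWOTH:          # 'other' write bit set
                world_writable.append((rel, oct(mode)))
    return sorted(mismatches), sorted(world_writable)


def build_sample_tree(base: str) -> None:
    """Create a constructed mini site tree with deliberately wrong modes."""
    os.makedirs(os.path.join(base, "images"), exist_ok=True)
    os.makedirs(os.path.join(base, "tmp"), exist_ok=True)
    files = {
        "configuration.php": 0o666,   # matches the article, but world-writable
        "index.php": 0o644,           # correct
        "images/upload.php": 0o777,   # wrong and world-writable
    }
    for rel, mode in files.items():
        full = os.path.join(base, rel)
        with open(full, "w") as fh:
            fh.write("<?php\n")
        os.chmod(full, mode)
    os.chmod(os.path.join(base, "images"), 0o755)   # correct
    os.chmod(os.path.join(base, "tmp"), 0o777)      # wrong and world-writable


def demo():
    """Build the sample tree in a temporary directory and return the audit result."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return audit(base)


if __name__ == "__main__":
    mismatches, world_writable = demo()
    print("mode mismatches:", mismatches)
    print("world-writable:", world_writable)
```

Run `audit("/path/to/joomla")` against a real install; anything in the second list deserves attention regardless of what the expectation map says.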

Remove all unwanted extensions and avoid extensions from unidentified third-party developers:

As an administrator you install lots of modules to try out new functionality. It is good to try and improve, but bad to do so without knowing the developer. Delete the extensions you are not going to use.

Scan your website:

You can run an online scan of your website to perform a security check.

Implement Two-Factor Authentication:

You need to provide a username, a password and a randomly generated OTP (One Time Password).

The OTP is a six-digit numeric code, generated by cryptographic functions, that changes at a short interval.

Even if an attacker breaks your Joomla Administrator username and password, they still require the OTP to log in. It is the typical way financial transactions are authenticated.
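An added example, not code from the original article or from Joomla, showing how the six-digit time-based OTP described above is derived from a shared secret and how a server should verify it. The article does not name the algorithm, so using RFC 6238 (TOTP over HMAC-SHA1 with a 30-second step) is an assumption; the secret and timestamps are the RFC 4226/6238 test values.

```python
"""TOTP (RFC 6238) generation and verification (added example)."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test secret (20 ASCII bytes). A real deployment
# generates a random secret per user and stores it encrypted.
TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per OTP
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based OTP (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = TIME_STEP) -> str:
    """Time-based OTP (RFC 6238): HOTP over the current time step."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step)


def verify_totp(secret: bytes, submitted: str, at: Optional[int] = None,
                window: int = 1, step: int = TIME_STEP) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock skew.

    hmac.compare_digest is used so the comparison time does not reveal
    how many leading digits of a guess were right.
    """
    at = int(time.time()) if at is None else at
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, c), submitted)
               for c in range(counter - window, counter + window + 1))


if __name__ == "__main__":
    # RFC 6238 Appendix B: T=59 with SHA-1 yields 94287082 (8 digits);
    # its last six digits are 287082.
    print(totp(TEST_SECRET, at=59))
    print(verify_totp(TEST_SECRET, "287082", at=59))
    print(verify_totp(TEST_SECRET, "287082", at=149))   # three steps later: rejected
```

The skew window is what lets a phone whose clock is a few seconds off still log in; keep it small (one step either side) and rate-limit attempts, since each extra step multiplies the number of codes an attacker could guess.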

How to Use TRACERT Utility


Traceroute is a function that traces the path from one network to another. The TRACERT diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination.

In these packets, TRACERT uses varying IP Time-To-Live (TTL) values: each router along the path decrements the TTL, and the router at which it reaches zero reports back, revealing the path one hop at a time.

Following is an example of the tracert command and its output; the packet travels through two routers (158.58.38.2 and 12.1.0.64) to get to host 12.1.0.2.

In this example, the default gateway is 158.58.38.2 and the IP address of the router on the 12.1.0.x network is 12.1.0.64.

The command:

C:\>tracert 12.1.0.2

The output from the command (not reproduced here).

List for Plesk Server Ports


Which ports are needed depends on which services are running on the server.

Default ports which can be used by Plesk are listed below:

20 ftp-data
21 ftp
22 ssh
25 smtp
53 dns (TCP and UDP)
80 http (web server and Plesk updater)
106 poppassd (for localhost only)
110 pop3
113 auth
143 imap
443 https
465 smtps
587 mail message submission
990 ftps
993 imaps
995 pop3s
3306 mysql
5224 (outgoing connections only) plesk-license-update
5432 postgres
8443 plesk-https
8880 plesk-http
9080 tomcat

Not all of these ports are required; some are optional.

Learn about WordPress Security


How strong is WordPress security? There has been a lot of talk around the internet lately about a large-scale brute force attack on WordPress.

The attackers are not just targeting high profile WordPress websites; they are using a large network of bots to target any WordPress site they can find.

The attackers are attempting to brute force their way into WordPress sites by hitting wp-login.php with a dictionary password attack.

The belief is that the goal may not be to deface your site, but rather to use it as a platform to launch attacks on other sites when needed.

WordPress Security Tips

Rename your wp-admin folder:

If you rename the wp-admin folder, it becomes much more difficult for automated bots to find, as the majority of attacks rely on simply hitting it and guessing where it is.

Delete the admin user account:

Brute force attempts will try the username admin with password combinations. Add a different administrator account and then delete admin; this makes dictionary attacks even harder.

Secure wp-config.php:

Move wp-config.php one directory above the web root; this puts it outside the browsable files but still accessible to WordPress. Alternatively, you can deny access via .htaccess:

<files wp-config.php>
order allow,deny
deny from all
</files>
Restrict Access to your IP:

Limit access to the wp-admin folder and the wp-login.php file to a set of specified IP addresses.

The disadvantage is that you will not be able to log in to WordPress from a different connection until you edit this rule.

Install an SSL Certificate:

It will not stop brute force attacks, but it does mean that whenever you log in to your website your username and password are encrypted in transit.

This can stop attackers snooping when you are using Wi-Fi or public networks, and SSL certificates are cheap.

Install a WP Security Plugin:

The Better WP Security plugin will automate many of the above tasks for you. It is by far the best option if you feel uncomfortable changing file settings yourself.

Use a WAF Service:

Cloud-based Web Application Firewalls are becoming more popular nowadays.

They provide a simple way to help protect your website and give more detail about what is going on.

Find cPanel logs file for Web, Email, FTP, WHM and MySQL services


cPanel logs are a goldmine of information for quickly resolving various issues and server errors.

Below is a list of the cPanel logs most commonly used by cPanel administrators, and the information commonly sought in them.

cPanel mail logs

Incoming and outgoing mail log:

To find out what happened to an email sent to an outside server, or one that came into this server.

  • /var/log/exim_mainlog

POP or IMAP login or transaction records:

To find out when a mailbox was accessed, from which IP, and whether the login was successful.

  • /var/log/maillog

Anti-spam (SpamAssassin) logs:

To find out if a mail was tagged as spam and what the reason was.

  • /var/log/maillog

Emails rejected by the Exim SMTP server:

  • /var/log/exim_rejectlog

To find out if a mail was rejected at connection level due to an Exim security policy.

Mailman logs

  • /usr/local/cpanel/3rdparty/mailman/logs/*

The logs under this directory show what happened to the various mailing lists.

SMTP, POP & IMAP server crash logs

  • /var/log/maillog
  • /var/log/messages
  • /var/log/exim_paniclog

Find out why the Exim or Dovecot servers crashed.

SquirrelMail logs

  • /var/cpanel/squirrelmail/*

Logs related to SquirrelMail errors.

RoundCube delivery and error logs

  • /var/cpanel/roundcube/log/*

The logs under this directory show mail delivery details and RoundCube access errors.

Horde error logs

  • /var/cpanel/horde/log/*

The logs under this directory show Horde errors.

cPanel FTP logs

File upload logs

  • /usr/local/apache/domlogs/ftp.[DOMAIN_NAME]-ftp_log

To find out which IP uploaded files, under which user's ownership, and the status of the upload.

MySQL log

MySQL error log

  • /var/lib/mysql/[HOSTNAME].err

Find out what caused a database server crash.

MySQL slow query log

  • /var/log/slowqueries

Find out which database and user have un-optimized queries.

cPanel web server logs

Web site and server error_log

  • /usr/local/apache/logs/error_log

Details of errors returned by the web site.

Web site access logs

  • /usr/local/apache/domlogs/[YOURDOMAINNAME]

To find out which IP accessed the site at a given time, and the status of the access.

Mod Security error log

  • /usr/local/apache/logs/modsec_audit.log

Details of mod_security deny events.

SuPHP audit log

  • /usr/local/apache/logs/suphp_log

Find out under which user ownership a script was executed.

Apache restarts through cPanel/WHM

  • /usr/local/cpanel/logs/safeapacherestart_log

Find out at what times Apache was restarted through WHM.

Third-party tool logs

Cron server log

  • /var/log/cron

To find out if a cron ran as per schedule.

Default system log file

  • /var/log/messages

Most system errors and events will be logged here.

LFD firewall log (if CSF/LFD is installed)

  • /var/log/lfd.log

To find out why an IP was blocked.

Maldetect logs (if LMD is installed)

  • /usr/local/maldetect/event_log

To find out what malware was detected, or why a file upload failed.

Server authentication logs

  • /var/log/secure

To find out who tried to log in to the server, and from which IPs.

Server update log

  • /var/log/yum.log

To find out which packages were updated, and when.

How to fix cPanel Domain already exists Error


You sometimes get this error when you are hosted on cPanel.

I parked yourdomain.com, which redirects automatically to yourdomain.org.

I deleted the domain from the Parked Domains panel, and added it back via the Addon Domains panel.

Then the error “Already Exists” appeared, even though it was not listed in the Addon Domains nor in the Parked Domains.

This is due to the domain name still existing somewhere in the cPanel configuration; those traces need to be removed.

Check whether the zone exists:

dig @server_ip yourdomain.com

If the zone file exists, it will show the A record of yourdomain.com.

If the zone file exists, log into the server and make sure the domain does not belong to any account:

/scripts/whoowns yourdomain.com

If it does, you need to remove it before adding the addon domain.

Remove the zone file from the server

/scripts/killdns yourdomain.com

Now that you have removed the DNS zone, you can add the addon or parked domain.

There are old traces of the domain on the server

Log into the server where the customer is seeing problems adding the domain and confirm that the domain does not exist on the server:

/scripts/whoowns yourdomain.com

Check the cPanel files:

grep yourdomain.com /var/cpanel/users/*

grep -R yourdomain.com /var/cpanel/userdata/*

Edit the file(s) that are found and remove the domain name the customer is trying to add.

You may also need to remove all files related to the domain name in the /var/cpanel/userdata/USERNAME/ directory.

Rebuild user domains database

/scripts/updateuserdomains

Rebuild the Apache configuration to make sure all entries for the bad domain are removed:

/scripts/rebuildhttpdconf

service httpd restart

After this, the entries left behind from when the domain name was removed in the past should no longer conflict when you try to add the domain again.

How to redirect non-www to www URLs


Which one should I choose?

Technically, www and non-www URLs are different, and it could hurt your SEO if you keep both around.

For example, the domains http://non-prefix.com and http://www.prefix.com are technically different (note the “www” in one but not the other).

However, if you check either, they redirect to the same place, which is a good thing. It helps Google and other search engines index only one and not split results.

This article shows how to redirect your non-www URLs to www, or vice versa, using .htaccess.

Add the following to your .htaccess file if you want to redirect all non-www requests to the www version of your site:

RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

This will redirect any request for the non-www host, such as http://non-prefix.com, to its www equivalent.

There are several benefits from doing that:

  • To avoid duplicate content in Google
  • To avoid the possibility of split page rank or split link popularity.
  • It’s nicer, and more consistent.
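An added example, not code from the original article, that applies the same decision as the RewriteCond/RewriteRule pair above to a Host header and request path, so the behaviour can be checked without an Apache server. It also exposes one property of the rule worth knowing: the target scheme is hard-coded as http://, so a request that arrived over HTTPS is redirected to plain HTTP. The `preserve_scheme` option is the example's own assumption about the fix, not text from the article.

```python
"""Emulate the non-www to www .htaccess rule (added example)."""
import re

NON_WWW = re.compile(r"^www\.")   # the RewriteCond pattern, negated by '!' in the rule


def redirect_target(host, path, request_scheme="http", preserve_scheme=False):
    """Return the Location the rule would send, or None when the request passes through.

    Mirrors:  RewriteCond %{HTTP_HOST} !^www\\.
              RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
    """
    if NON_WWW.match(host):
        return None                         # condition fails: host already starts with www.
    # The article's rule hard-codes http://; preserve_scheme models a rule that
    # keeps the scheme the client used (an assumption, not the article's rule).
    scheme = request_scheme if preserve_scheme else "http"
    return f"{scheme}://www.{host}/{path.lstrip('/')}"   # ^(.*)$ captures the path sans leading slash


def check_no_loop(host, preserve_scheme=False):
    """Apply the rule to the host, then to the host it produced; True if the second pass passes through."""
    first = redirect_target(host, "/", preserve_scheme=preserve_scheme)
    if first is None:
        return True
    new_host = first.split("://", 1)[1].split("/", 1)[0]
    return redirect_target(new_host, "/", preserve_scheme=preserve_scheme) is None


if __name__ == "__main__":
    print(redirect_target("example.com", "/blog/post"))                           # http://www.example.com/blog/post
    print(redirect_target("www.example.com", "/blog/post"))                       # None
    print(redirect_target("example.com", "/login", request_scheme="https"))       # downgraded to http://
    print(redirect_target("example.com", "/login", request_scheme="https", preserve_scheme=True))
```

If the site is served over HTTPS, the hard-coded http:// target sends the first request of every visit, including any credentials posted to it, over plain HTTP; a scheme-preserving version needs a second pair of rules conditioned on %{HTTPS} on that redirect to https://www.%{HTTP_HOST}/$1.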

What is Shared and Dedicated IP Address

An IP (Internet Protocol) address is completely separate from your website domain.

An IP address is a sequence of numbers assigned to every device that accesses the Internet.

Your domain is your website's address, the location where it can be found on the Internet. Each domain name has an IP address assigned to it. Your server's IP address is a unique label that allows the Internet and websites to identify your specific device when it accesses a website.

In addition to computers and mobile devices, servers also have their own unique IP addresses.

Most hosting and website providers offer variations on two types of hosting: shared hosting and dedicated hosting.

With shared hosting, all of the resources are pooled together to host many sites without regard for who owns the site, how much traffic a site receives, etc.

With dedicated server hosting, all of a server's resources are still applied to a specific set of sites, but the way those resources are allocated is at the discretion of the person renting the server.

Shared and dedicated IP addresses work the same way: while every hosting account has the same IP in a shared hosting scenario, a dedicated IP is an exclusive address that is unique to your hosted server. Although a dedicated IP address is exclusively yours, you might choose to serve different sites from it.

In the case of shared hosting, there are often hundreds of sites hosted on the same server, and therefore they all have the same IP address.

In the case of dedicated hosting, sites may share the same hosting provider, but do not all have the same IP address.

A common point of debate is whether it is necessary to have a dedicated IP address for your website, and why, when you can use a shared one while hosting the site on a shared server.

A dedicated IP provides certain crucial advantages; there are a number of reasons why it is recommended to use a dedicated IP address for a website hosted on a shared server.

A dedicated IP gives you the ability to access the server directly without changing the DNS settings for the domain name, so you can check how the website is going to look before pointing the domain name to the server and launching your website.

Running your website over a shared IP address may cause unpredictable difficulties, and your email service may also be affected. Using a dedicated IP isolates your service from the consequences of abuse by others: there are situations where another user sharing the same IP address gets banned or blacklisted for spamming, which may affect your email service as well.

For an online store or e-commerce website, it is quite necessary to get an SSL certificate and a dedicated IP address in order to protect your data. Customers feel safer making transactions on a website that uses a dedicated IP address and an SSL certificate.