KEEPING YOUR JOOMLA! INSTALLATION SAFER AGAINST HACKS AND EXPLOITS
Over the last couple of weeks we’ve seen quite a few components abused to hack or deface sites. A lot of those exploits could have been avoided if the servers had been running with register_globals off. (Read carefully: I’m not talking about all hacks, but a lot of them.)
A lot of information about what register_globals actually is can be found on the php.net site.
Now, to turn register_globals off:
1) locate your php.ini configuration file
2) look for this line: register_globals = On
3) change it to: register_globals = Off
4) save the file and restart Apache
That is all it takes to keep you a bit safer. (On PHP 5.4 and later the directive no longer exists, so there is nothing left to switch off there.)
Now, if you don’t have access to your php.ini file, you can try to change this setting from a .htaccess file instead. This only works when PHP runs as an Apache module and your host allows PHP settings to be overridden from .htaccess. Boolean settings such as register_globals are set with php_flag (not php_value), so add the following line anywhere in your .htaccess file:
php_flag register_globals off
Then save the file.
And last, open globals.php. With RG_EMULATION set to 1, Joomla! recreates the register_globals behaviour itself, so the php.ini change alone is not enough.
Change: define( 'RG_EMULATION', 1 );
To: define( 'RG_EMULATION', 0 );
And save the file.
SECURING YOUR ADMINISTRATOR DIRECTORY USING .HTACCESS FILES
To protect your administrator panel a bit more against hacking attempts, you can protect your administrator directory using .htaccess files.
There are two options available: restricting access by IP address, and password protection. They can be combined in the same .htaccess file.
Restrict access by IP Address
If you are in possession of a static IP address, it might be a wise idea to only allow access to the Joomla! administrator panel from that address. This is easily done in the following way. Create an empty .htaccess file in your administrator directory and put the following in it:
Order Deny,Allow
Deny from all
Allow from 10.0.0.150
Change 10.0.0.150 to your static Internet IP address. You can also use a partial IP address, which matches the whole range it starts with: 10.0.0
When you visit the admin panel from any address other than the one listed here, you will see a 403 Forbidden error.
You can allow multiple addresses by separating them with spaces (Apache reads a comma-separated list as one host name that never matches): Allow from 10.0.0.150 10.0.0.151
On Apache 2.4 the Order/Deny/Allow directives only work when mod_access_compat is loaded; the native form there is: Require ip 10.0.0.150
Password protection
You can also create an extra barrier by adding password protection to your administrator directory. Some admin panels like Webmin and cPanel support the creation of password-protected directories through their own interface. For others, these are the steps to follow:
Create an empty file .htaccess in your Joomla! administrator directory. Put the following in it (the Require line is what actually enforces the login; without it Apache never challenges anyone):
AuthType Basic
AuthName "Joomla Administrator"
AuthUserFile /full/path/to/joomla/administrator/.htpasswd
Require valid-user
Modify the /full/path/to/joomla to match where your site is.
Then create an empty file .htpasswd in the same directory. You will have to enter the user name and encrypted password in that file. An easy tool to create this line is: www.flash.net/cgi-bin/pw.pl. Enter the user name and password and click encrypt. Alternatively, Apache’s own htpasswd utility creates the file locally: htpasswd -c /full/path/to/joomla/administrator/.htpasswd admin
On the next page you will see the user name and encrypted password that have to be put in the .htpasswd file:
admin:1M8rRxU7VA6Ic
Copy and paste that line into your .htpasswd file and things should work. To add another user, encrypt that user name and password and put the result on the line below the first one.
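The settings described above (register_globals in php.ini or .htaccess, the IP restriction, and the password-protected administrator directory) are easy to get subtly wrong, so here is a small audit script that reads the two files and reports the mistakes this article warns about. It is an added example, not code from the original post or from the Joomla! project; the php.ini and .htaccess contents are constructed samples, and the path /var/www/joomla is an assumption.

```python
import re

# Constructed sample files (not from any real server) that reproduce the
# settings discussed above, including the mistakes the audit is meant to catch.
SAMPLE_PHP_INI = """
; constructed php.ini fragment
register_globals = On
"""

SAMPLE_HTACCESS = """
# constructed administrator/.htaccess
Order Deny,Allow
Deny from all
Allow from 10.0.0.150,10.0.0.151
AuthType Basic
AuthName "Joomla Administrator"
AuthUserFile /var/www/joomla/administrator/.htpasswd
"""

def audit_php_ini(text):
    """Return findings for the register_globals setting in a php.ini text."""
    findings = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ini comments
        m = re.match(r"register_globals\s*=\s*(\S+)", line, re.I)
        if m and m.group(1).lower() in ("on", "1", "true", "yes"):
            findings.append("php.ini: register_globals is enabled")
    return findings

def audit_htaccess(text):
    """Check the IP restriction and Basic auth blocks for common mistakes."""
    findings = []
    lines = (l.strip() for l in text.splitlines())
    directives = [d for d in lines if d and not d.startswith("#")]
    names = {d.split()[0].lower() for d in directives}
    # Basic auth without a Require line never challenges anyone.
    if "authtype" in names and "require" not in names:
        findings.append(".htaccess: AuthType set but no 'Require valid-user'")
    for d in directives:
        # Allow from takes a space-separated host list; a comma makes one bogus host.
        if d.lower().startswith("allow from") and "," in d:
            findings.append(".htaccess: comma in 'Allow from' list: " + d)
        # Boolean PHP directives must be set with php_flag, not php_value.
        if re.match(r"php_value\s+register_globals", d, re.I):
            findings.append(".htaccess: use php_flag, not php_value, for register_globals")
    return findings

def audit(php_ini=SAMPLE_PHP_INI, htaccess=SAMPLE_HTACCESS):
    return audit_php_ini(php_ini) + audit_htaccess(htaccess)
```

Calling audit() on the constructed samples returns three findings; pass the contents of your own php.ini and administrator/.htaccess to check a real installation.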