Example of pre Joomla! 1.5.6 security issue is the
Joomla "token" Password Change Vulnerability where the admin password could be reset easily. Users can then install the Joomla explorer component, and upload malicious scripts.
Following are some precautions on installation of Joomla!
- Patch the OS and its other software
- Open only needed ports (HTTP, HTTPS)
- Patch the software
- Configure the software in a secure manner
- Verify that Joomla! is from the official site http://www.joomla.org
- During installation - Do not use the default MySQL tables prefix as jos_
- Change the default administrator name (default is admin)
- Remove all files as instructed by Joomla! And other unneeded files or directories
- Ensure files and directories have the proper permissions. Below are for Linux based systems.
- PHP files: 644
- Config files: 666
- Other folders: 755
- Password protect sensitive directories with .htaccess
- Move the configuration.php file to outside of the web directory if possible. Make it non-writable.
- Use a search engine friendly (SEF) URLs
- Establish a security plan and ensure the relevant parties know about it.
- Remove unused extensions and themes. Existing extensions and themes should have their version removed from the end user view.
- Subscribe to Joomla! and the extensions/themes sites for continuous updates. Additional sites that can help with updates:
- Subscribe to security sites such as http://www.ictsecurity.gov.my/
- Carryout routine backup of Joomla! Site and its database.
One good reason to use Apache web server is the availability of a benchmarking tool. There are some constrains that you should know in using this data. Read the documentations. Install Apache and execute as below:
ab -n7500 -c100 http://server.com
-n option is the number of request for benchmark
-c is the number of concurrent page request
Document Path: /
Document Length: 36649 bytes
Concurrency Level: 100
Time taken for tests: 183.819035 seconds
Complete requests: 500
Failed requests: 383
(Connect: 0, Length: 383, Exceptions: 0)
Write errors: 0
Total transferred: 6472586 bytes
HTML transferred: 6260026 bytes
Requests per second: 2.72 [#/sec] (mean)
Time per request: 36763.806 [ms] (mean)
Time per request: 367.638 [ms] (mean, across all concurrent requests)
Transfer rate: 34.38 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 1446 4324.4 0 21000
Processing: 47 23707 49002.2 1897 175812
Waiting: 47 21936 45081.7 1897 173650
Total: 47 25153 49793.2 2214 183816
Percentage of the requests served within a certain time (ms)
100% 183816 (longest request)
=== END ====
For discussion on application security see https://nvd.nist.gov/cwe.cfm#NVD-CWE-DesignError.
My advice to those considering other CMS is this;
All CMS will have their weak points. However Joomla! have thus far been prompt with security notices and updates. Hackers tend to crawl the webs on Friday to Sundays, when systems are unattended. As the care taker of the Joomla! you need to be proactive, it goes the same for any other CMS. Finally, Joomla! is easy to use for end-users and provides lots of features for beautifications.