Site Security

One of the major disadvantages of using a popular CMS like Joomla or WordPress is that the platform's popularity also makes it a popular target for black hat hackers. Until recently I was using Joomla to manage all the content on my website, and during those 5+ years my site was hacked twice. The first time, the site was defaced by an attacker who used an SQL injection attack against the Joomla password reset page. This was far from a targeted attack against my site; rather, the attacker seems to have had a script that searched for any site running Joomla and attacked it. My site fell to this attack a mere 14hrs after Joomla published an update to close the hole. The second time my site was hacked it was also via a non-targeted attack, this time a worm which had been infecting WordPress and Joomla sites. I am not sure what vulnerability the worm used to get into my site, but once in it injected code into every php file in the user account that the site was running under. The following are things I learned from both attacks that help prevent a future attack and make cleaning up after one easier:

  • Change the username of the admin account.
    While this does little to prevent a targeted attack, it does help to prevent your site from falling to generic scripted attacks.
  • One site per user account.
    This one is important: by running multiple web applications under one user account you make it more difficult to assess the damage inflicted by an attack, and more difficult to clean up afterwards. By running only one application per user account you put in place a sandbox of sorts. It helps to ensure that if your WordPress site is hacked, your svn repository is likely unaffected.
  • Set the permissions on your site's files correctly.
    It may be easy to get your site working by giving every file permissions of 777, but this is a very bad idea. Every so often go through your site and check to make sure only users who absolutely need access have access to files. (I will update this with a bash script to do it after I install a syntax highlighter plugin.)

    # Finds all files/folders writable by everyone
    find . -perm -o+w
  • Do not put your downloads under the same user account as your site.
    This is like the one site per user rule. If you don't do this you will have to check every download for infection/modification after your site gets hacked. Besides the benefits when it comes to clean-up after an attack, it also makes managing your sites easier because your downloads all remain in one place. (Mixing data and executable code just creates a mess.)
  • Update ASAP.
    The best way to keep your site safe is to stay up to date. The best way to do this is to go with a hosting provider that automatically updates your CMS for you. (But check to make sure they are: I told Dreamhost to auto update my Joomla install, and it seems that they didn't.) Remember to update your plugins. A vulnerable plugin makes for a vulnerable website.
  • Uninstall any plugins you do not need.
    Again a vulnerable plugin makes for a vulnerable website.
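The permission check promised under "Set the permissions on your site's files correctly", written out as an added example (my own script, not the author's): it assumes one site living under one directory owned by the account it runs as, lists everything that is world-writable, and resets the conventional 755/644 baseline. The sample site it creates under mktemp is constructed for the demonstration only.

```shell
#!/bin/sh
# Added example: audit and reset file permissions under a web root.
# Not the author's script; assumes one site under one directory owned by
# the account the web server runs as (the "one site per user" rule above).

# List every file or directory that any user on the host can write to.
# -perm -0002 tests the "other write" bit; symlinks are skipped because
# their own mode bits are meaningless.
find_world_writable() {
    find "$1" ! -type l -perm -0002
}

# Number of world-writable entries, handy for a cron job that alerts on non-zero.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Reset the conventional baseline: directories 755, files 644. Anything the
# CMS genuinely needs to write (uploads, cache) is then re-opened on purpose,
# for the web server's own user, never for "other".
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample site so the functions can be exercised offline;
# a real audit points at the actual web root instead.
make_sample_site() {
    dir=$(mktemp -d)
    mkdir -p "$dir/uploads" "$dir/includes"
    printf '<?php echo "ok"; ?>\n' > "$dir/index.php"
    printf '<?php $db_pass = "placeholder"; ?>\n' > "$dir/includes/config.php"
    chmod 644 "$dir/index.php"
    chmod 777 "$dir/uploads"              # the lazy "just make it work" mode
    chmod 666 "$dir/includes/config.php"  # credentials readable and writable by all
    echo "$dir"
}

# Usage: sh perm-audit.sh --demo   (or source the file and call the functions on a real path)
if [ "${1:-}" = "--demo" ]; then
    site=$(make_sample_site)
    echo "world-writable before fix:"
    find_world_writable "$site"
    fix_permissions "$site"
    echo "world-writable after fix: $(count_world_writable "$site")"
    rm -rf "$site"
fi
```

Run it with `--demo` to see the two offending entries (the 777 uploads directory and the 666 config file) reported and then cleared. On a real site, run `find_world_writable` from cron and treat any output as something to explain, since a world-writable PHP file is exactly what the worm in the post above needed.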
  • In my case I couldn't change the name of the built-in admin account, but I was able to create a second admin account.

    Then I modified the original admin account and gave it the role of “no role on this site” and a very complex password.

  • Jmaxxz

    The following command can be used to generate a sha256 hash for every file on your site.

    find . -type f -exec sha256sum {} + | awk '{print $2,$1}' | sort

    The output of this command can be then compared in a diffing tool in the future.