Monday, January 17, 2011

Thickened Skin Under Lip

Joomla security base

Abstract: this post is being reviewed and updated; I'll try to improve it over time, leaving the date of first publication.

Yes, I know, 1.6 stable is already out, but the migration process will be long (there are actually many sites still on 1.0) and presumably painless, especially for the template.
So it is worth reviewing, assembling and, where possible, completing in one post the checklist of the various requirements and minimum security procedures that a Joomla 1.5.x site MUST have and implement.
Keep in mind that many of these settings can be obtained, on both version 1.5.x and version 1.6, by installing on the site the excellent Akeeba extensions, free in their basic version, in both their Backup and Admin Tools functionality.
NB The Admin Tools also allow you to upgrade to the latest 1.5.x version. In the case of the Italian version, Akeeba cannot do the upgrade, as it points to the Joomla.org server.
If you want to use this feature of the tool you then need to install the English version from Joomla.org together with the corresponding Italian language package for the back end.


INSTALLATION

Test locally
Always test the site locally first to check its functionality. Install LAMP / XAMPP or similar on your PC.

Hosting
When choosing web space, in the case of shared hosting, pick a hoster that:
  • is not too cheap;
  • provides space on *nix servers running Red Hat / CentOS / Debian;
  • can provide SFTP (secure FTP), i.e. a way of exchanging data between local and remote under secure conditions, so that uploads and downloads happen in a more controlled way;
  • has set the PHP directive register_globals to OFF, and allows you to use your own specific .htaccess and php.ini settings (NB: with PHP 6 this problem will no longer occur);
  • guarantees that the operating systems and the server-side services (Apache, PHP, MySQL, etc.) get the latest updates;
  • reports truthfully on its security policies and on events, even negative ones, that concern it, and also acts rapidly on problems that concern us, telling us what it has identified;
  • allows access to the system logs, useful if you have problems with your site;
  • manages its own data center and ensures proper redundancy and backups;
  • does not make you share space with too many sites, especially if they are spammers or porn sites with heavy traffic (check with http://www.robtex.com/dns/);
  • can offer dedicated server solutions at reasonable cost and high quality, useful if the site and its traffic grow.
Installing the core
Always install, where possible, the latest version of Joomla and of the additional extensions / plugins you want to use.

Do not use jos_ as the database table prefix (Akeeba feature)
Do not use "jos_" as the prefix of the tables. The prefix is requested during Joomla installation, so just change it there.
If you have already installed, follow these instructions:
a) (browser) log in to phpMyAdmin -> select the database to edit -> select "Export" -> give the export a specific name (file name template) -> click "execute" -> the .sql file is saved in the selected folder;
b) (browser) log in to the site as administrator -> Configuration -> Server.
In the "Database Settings" box change the "Database Prefix" to the one chosen (e.g. pippo_) and save. You will (obviously) get a database read error.
NB! Take care to use the new prefix correctly in the next steps!
c) (file manager) select the saved .sql file and make a backup copy (you never know);
d) open the .sql file with gedit or similar -> select "Replace" -> enter jos_ in the "search" field and the new prefix (e.g. pippo_) in the "replace" field -> click "replace" -> repeat the operation to verify that everything has actually been replaced -> close the "replace" dialog -> save;
e) (browser) back in phpMyAdmin -> select the original database -> select all tables -> select "delete" (drop) -> confirm "yes"; at this point we have an empty container, i.e. a database with no tables;
f) select Import -> select the modified .sql file -> click "execute".

Here is a video describing the procedure
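As an added example (not part of the original post), the same jos_ replacement done from a shell instead of gedit, run on a constructed sample dump; the file names are assumptions and pippo_ is the prefix used in the post:

```shell
#!/bin/sh
# Added example, not from the original post: rename the "jos_" table prefix
# in a phpMyAdmin SQL dump from the shell, the same replacement the post does
# in gedit. File names are assumptions; prefixes are assumed to contain only
# letters, digits and underscores (no sed-special characters).
set -eu

# rename_prefix OLD NEW IN OUT: writes OUT with every OLD replaced by NEW,
# keeps a backup of IN, and prints how many lines of OUT still contain OLD
# (the "repeat the operation to verify" step of the post; expect 0).
rename_prefix() {
    old="$1"; new="$2"; in="$3"; out="$4"
    cp "$in" "$in.bak"                      # backup copy, "you never know"
    sed "s/$old/$new/g" "$in" > "$out"
    grep -c "$old" "$out" || true           # grep exits 1 when the count is 0
}

# Constructed sample dump standing in for the phpMyAdmin export.
work=$(mktemp -d)
cat > "$work/site.sql" <<'EOF'
-- constructed sample, not a real site dump
CREATE TABLE `jos_users` (`id` int NOT NULL, `username` varchar(150));
INSERT INTO `jos_users` VALUES (62, 'admin');
CREATE TABLE `jos_session` (`session_id` varchar(200), `username` varchar(150));
EOF

left=$(rename_prefix jos_ pippo_ "$work/site.sql" "$work/site_pippo.sql")
renamed=$(grep -c pippo_ "$work/site_pippo.sql")
echo "lines still containing jos_: $left; lines with pippo_: $renamed"
# Import the modified dump into the emptied database with the mysql client
# (or via phpMyAdmin "Import" as in the post); DBUSER and DBNAME are placeholders:
#   mysql -u DBUSER -p DBNAME < "$work/site_pippo.sql"
```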

Use complex user names and passwords for the database and the site
The database user name and password, and the site user name (default admin, to be changed later) and password, must be as different from each other and as complex as possible (a non-intuitive sequence of upper and / or lower case letters, symbols and numbers) in order to make brute-force attacks harder.


POST INSTALLATION

Use trusted extensions
Do not use extensions that are not trusted, or at least whose quality and the safety requirements with which they were written you cannot be assured of, especially when they come from repositories other than the official Joomla one.

Periodic updates
Keep the version of Joomla you are using and the add-ins you use up to date, and apply upgrades as they become available.


Delete the super administrator with user id 62 and rename the admin user (Akeeba feature)
Go to Site -> User Manager.
Create a new user with a name, a user name and a password (remember, these will be the new administrator login), using unusual words that cannot be guessed (e.g. do not use admin :-D); enter an administration email, select Super Administrator, set "Block User" to NO and "Receive System E-mails" to YES.
-> (NOTE: if by chance you need to reuse the old administrator's email address, the system will prevent you from saving it here, because the same value is already present on the existing user.
In that case go back to the user menu, select the administrator (the one currently logged in) and change the parameters you want to carry over to the new administrator (just add a random letter to them in the old admin), so that they are not identical. Then create the new user with the parameters you want.) <-
At this point you have two super administrators, but you see only one, the one you are logged in with.
Log out to return to the login page and log in with the new credentials you set (new user name and password).
Go to Site -> User Manager and you will see your administrator (the one you are logged in with) with user id 63, and the previous one, which now has Administrator and no longer Super Administrator privileges, with user id 62.
You can then delete the old administrator or reduce its privileges to those of a simple user.
Repeating the procedure you will get an administrator with user id 64, 65 and so on.


Permissions (Akeeba feature)
Set the correct file and folder permissions to improve security; usually they are: files = 644 and directories = 755.
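An added check (not from the post) that audits a Joomla tree for entries deviating from 644 / 755 and then applies the recommended modes; the demo tree is constructed in a temporary directory, on a real site you would pass the web root:

```shell
#!/bin/sh
# Added example, not from the original post: find files and directories that
# deviate from the recommended 644 / 755 modes and fix them. The demo tree is
# constructed in a temporary directory; on a real site pass the web root.
set -eu

# audit_perms ROOT: print every file that is not 644 and every directory that
# is not 755 (exact mode match, so group/world-writable entries show up).
audit_perms() {
    find "$1" -type f ! -perm 644
    find "$1" -type d ! -perm 755
}

# count_bad ROOT: number of deviating entries (0 means the tree is clean).
count_bad() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# fix_perms ROOT: apply 755 to directories and 644 to files, recursively.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed demo tree with two deliberately wrong (world-writable) entries.
demo=$(mktemp -d)
mkdir -p "$demo/administrator" "$demo/images"
printf '<?php\n' > "$demo/index.php"
: > "$demo/images/banner.gif"
chmod 777 "$demo/images"        # world-writable directory
chmod 666 "$demo/index.php"     # world-writable PHP file

before=$(count_bad "$demo")
fix_perms "$demo"
after=$(count_bad "$demo")
echo "deviating entries before fix: $before, after: $after"
```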

Disable unnecessary components
Control Panel -> Extension Manager -> Disable

Back up the site and database (Akeeba feature)
Make backups of the site and database systematically and keep the previous versions!
Install the Akeeba Backup and Akeeba Admin Tools extensions on the site.

Enable .htaccess
Enter the site folder with the appropriate privileges and rename htaccess.txt to .htaccess.
Make sure the web server user (apache or www-data) has permission to read it.
(browser) log in to the site as Administrator -> Configuration -> Site -> SEO Settings and select "Use Apache mod_rewrite".

Disable the template position view (tp=1)
Insert in .htaccess:

# Start ?tp=1 prevention #
RewriteCond %{QUERY_STRING} tp=(.*)
RewriteRule ^(.*)$ index.php [F,L]
# End ?tp=1 prevention #

Disable image search through the robots file
If it does not already exist, create a file called "robots.txt" in the root directory:
...
User-agent: *
Disallow: /administrator/
Disallow: /cache/
Disallow: /components/
Disallow: /images/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
...

Remove the generator tag
In templates/name-template/index.php, in the header:
<?php
// Remove the meta generator tag
$this->setGenerator(null);
?>

or, more fun (but beware of possible conflicts) :-)
<?php
// Replace the meta generator tag with a misleading value
$this->setGenerator('Drupal');
?>

Hide the version
In the .htaccess file insert:
<Files ~ "\.xml$">
Order allow,deny
Deny from all
Satisfy All
</Files>
It is likely that these lines are already present in the file under the heading:
## Deny access to xml extension files (uncomment out to activate)
In that case just delete the initial # to uncomment them and make them active.

Joomla and PHP settings (Akeeba feature)
Set the site parameters so as to maximize security.

Total rebuild in case of hacking or other defacement
Check the system logs, change the passwords, remove the entire directory and rebuild the whole site from a "clean" backup.
