#9763 More security or wasting money?

Posted in ‘Admin Tools for Joomla! 4 & 5’
Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by user29671 on Thursday, 10 February 2011 03:17 CST

user29671
Before I got to know Admin Tools, I had planned to buy a site protection extension such as RSFirewall or Securelive.net.

Now I'm not so sure.

I'd like to know if now, after having installed Admin Tools PRO, it's still a good idea to get an extension like those I mentioned above.

Will any of them help to add security to my site, or will it be redundant and a waste of money and time?

If they wouldn't help at all, What else can we ordinary people do in order to secure our Joomla sites to the highest degree?

Thanks for any advice.

slaes
My 2 cents: Securelive is an absolute joke of a product, it's laughable how shit it is. Personally I have not used RSFirewall; it may PROBABLY conflict with ATP, but you could probably get it working, not sure if it's worth your time. OSE is also a catastrophe of a product (however the support is good, just a real shitty product, heavy and cumbersome).

However, your server itself is another story. The default setup out of the box is terrible and not secure at all; I would lock that down HARD! Run ATP, keep Joomla & extensions up to date, use decent passwords and you should be good.

Server is the big one. I could name 100+ non-secure aspects of an off-the-shelf default setup which no software would save you from. If I were you I would make sure you're running mod_security, csf, suEXEC, change the SSH default port and create a su user, make sure crap like magic quotes and register globals is disabled amongst other things, update kernels and everything else and on and on and on.

The rest, I'm sure Nicholas will take it away!

p.s. shared hosts are a joke, get your own BOX!

Oh yeah, and BACKUP, BACKUP and BACKUP, online and LOCALLY.

nicholas
Akeeba Staff
Manager
Well said. I would only like to add that, right now, RSFirewall deals with certain attacks which are not dealt with by ATP, namely direct file uploads, XSS and malicious user agent strings, and provides more protection against direct file inclusion attacks. I am working on ATP 2.0 which will address all of the above and then some. Ultimately, it's your money and I can't tell you what to do with it. If you have a non-mission-critical site, you can wait for 1-2 months until I release the new version of ATP. If you have a high profile site that has been hacked before, you may want to invest in having two security products at the same time on the same site.

That said, the biggest security concerns on a site are:
- Insecure hosting. Most shared hosts are a disaster. The usual shared host setup allows me to buy a cheap site and hack all sites on the same server. Or, hack a vulnerable site and hack all sites on the same server.
- Out of date software. The Joomla! core, components, modules, plugins and templates must all be updated very frequently. Especially with templates, if they come from a low quality source or generated with earlier versions of Artisteer, they can be a time bomb. You need to update everything yesterday. If you have any extension which hasn't been updated for more than a year, uninstall it; the chances are it's no longer maintained and may pose a security risk.
- Unsafe practices. Some extensions require you to allow execution of PHP files from all over the place. For example, RokGZipper and other CSS/JS compressors demand that you allow the execution of PHP file from any directory of your site. Don't do that! If you allow execution of rogue PHP files it's very easy for an opportunistic hacker to find a vulnerable extension on your site, upload a C99 script and completely "own" your site.
- Unsafe permissions. This is a result of all of the above. You end up having to chmod 0777 certain directories on your server. These can be leveraged by hackers. Find a proper host which uses suPHP or mod_itk to ensure that this is not required.

That's pretty much all of it. I would go as far as to say show me a hacked Joomla! site and I'll show you an insecure host and outdated software. Everything else is just good precautions :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
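The "unsafe practices" and "unsafe permissions" points in the list above can be checked for mechanically. The script below is an added example and is not code from this ticket, from Admin Tools or from Akeeba: it walks a Joomla! web root looking for world-writable files and directories (the chmod 0777 habit) and for PHP files inside directories that should only ever hold uploaded media, and prints an Apache 2.4 stanza that denies PHP execution in such a directory. The web root path, the list of media directories (images, media, tmp) and the usage path are my assumptions, not values from the ticket.

```shell
#!/bin/sh
# Added example: not code from this ticket, nor from Admin Tools or Akeeba.
# Audits a Joomla! web root for two of the problems Nicholas lists above:
#   1. world-writable files and directories (the "chmod 0777" habit), and
#   2. PHP files sitting in directories that should only hold uploaded
#      media, i.e. directories where PHP execution ought to be denied.
# Assumptions (mine, not the ticket's): the web root is passed as $1, and
# the media directories are images, media and tmp; adjust to your layout.
# Each finding goes to stderr, the total count to stdout, and the function
# returns non-zero when anything was found, so it can gate a cron job.

UPLOAD_DIRS="images media tmp"

audit_joomla_perms() {
    root=$1

    findings=$( {
        # 1. anything writable by "other" is a target for a neighbouring
        #    account on a badly configured shared host
        find "$root" \( -type d -o -type f \) -perm -0002 -print 2>/dev/null \
            | sed 's/^/WORLD-WRITABLE /'
        # 2. server-side code where only media belongs
        for d in $UPLOAD_DIRS; do
            [ -d "$root/$d" ] || continue
            find "$root/$d" -type f \( -iname '*.php*' -o -iname '*.phtml' \) \
                -print 2>/dev/null | sed 's/^/PHP-IN-UPLOAD-DIR /'
        done
    } )

    count=0
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" >&2
        count=$(printf '%s\n' "$findings" | wc -l | tr -d ' ')
        # the baseline that suPHP/suEXEC hosts expect (755 dirs, 644 files)
        echo "fix: chmod 755 directories, 644 files; remove or quarantine stray PHP" >&2
    fi
    echo "$count"
    [ "$count" -eq 0 ]
}

# Apache 2.4 stanza to drop into each upload directory's .htaccess so that a
# stray PHP file there is refused rather than executed.
# (Apache 2.2 uses "Order deny,allow" / "Deny from all" instead.)
deny_php_htaccess() {
    cat <<'EOF'
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Usage (constructed path): sh audit.sh /var/www/html
if [ -n "${1:-}" ]; then
    audit_joomla_perms "$1"
fi
```

The non-zero return status makes the audit usable as a nightly cron job that only mails when something turns up; the denial stanza covers the variant PHP extensions that a "PHP files only in images/" rule is commonly bypassed with, and must be paired with a host that does not honour `.htaccess` overrides being disabled.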

slaes
Come on with 2.0 Nicholas, you're the man, the world is waiting!!

With suPHP or suEXEC, your site will throw server 500 errors if any file/folder permissions are set below 755 and 644; however, you lazy developers don't like that. Now let's not stipulate on which part of the globe they are usually from :)

Re host, can I make a recommendation? Yes, I know this site and joomla.org use Rochen, which I have tried, and yeah they were OK; however, if you want someone to go stupidly above and beyond, liquidweb.com, and remember you get what you pay for.

user29671
Thanks both slaes and Nicholas, very helpful hints from you.

I guess my story is many other people's story. I needed a website, knew nothing at all about how to build one, and somehow one day found Joomla. Of course, a shared host was the first option because it's low-cost; a dedicated server was (is) much more expensive, and when you have no experience at all, you can't tell how this decision will impact your site, or your life.

I think I was lucky enough to have chosen Dreamhost in the beginning, because I know there are some really awful shared hosts out there. I think Dreamhost is OK, but of course you get what you pay for, as slaes says.

I've become aware of the risks of a shared host, but a dedicated host is out of most budgets, including mine. So it's great news that ATPRO 2.0 will be coming out very soon; I'll be looking forward to it. And of course I'll go see what other hosts have to offer, like Rochen (liquidweb.com is too much for my budget, but thanks anyway).

Regards
