VirtueMart Forum

VirtueMart 1.1.x [ Old version - no longer supported ] => Security (https) / Performance / SEO/ SEF issues VM 1.1 => Topic started by: PRO on June 26, 2009, 16:52:35 pm

Title: Protecting Your Joomla/Vmart Site
Post by: PRO on June 26, 2009, 16:52:35 pm
As the Joomla/Virtuemart community grows larger, more hackers will attempt to compromise one of our very own sites.

Virtuemart is built on Joomla. You MUST be aware of Joomla vulnerability problems as they arise.

Start Here with the Joomla Security Checklist
http://docs.joomla.org/Category:Security_Checklist

Be a Regular Reader Here
http://forum.joomla.org/viewforum.php?f=432

Subscribe to The Joomla Security Feed
http://feeds.joomla.org/JoomlaSecurityNews

Password Protect Your Administrator Folder via cPanel/.htaccess
This Adds 1 more layer of protection to your admin panel

Remember to test out modifications on a development site before your live site.


I have attached a zip file with a tutorial on using JoomlaPack to move, and restore your site

[attachment deleted by admin]
Title: Re: Protecting Your Joomla/Vmart Site
Post by: MikeUK on September 16, 2009, 10:09:35 am
I would just like to add something to this (great idea this thread, by the way). Three things that I have come across that I consider vital for good site security.

1) Hosting
The importance of this can not be over-stated. Many hosting companies will tell you that it is all about the scripts. But this is not the case. The hosts also have to make sure that their servers are secure AND that other problems on other accounts on the same server do not affect you. I strongly recommend using hosting companies that are very familiar with Joomla, and have sensible pricing (in other words, expect problems if the hosting company offers huge amounts of diskspace for $5 a month!).

2) Permissions
In my experience, a good host should enable your site to operate with 755 / 644 permissions, which allows for full use of Joomla / Virtuemart. Changing some files to 777 is sometimes required to do some things (like changing config). Make sure it becomes routine to change these file permissions back to 644.

3) Passwords
I have worked with clients who have had Joomla administrator accounts with username: admin, password: [companyname]. Don't do that!

The more we all make sure our security is good, the more hackers will not bother with Joomla sites.
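
One way to make the "change it back to 644" routine checkable, as an added example that is not part of the original post: a PHP command-line script that walks a site root and lists anything looser than 755 (directories) or 644 (files). The script name, the `--fix` switch and the function name are assumptions made for this example.

```php
<?php
// Added example: report (and optionally tighten) anything looser than
// 755 for directories / 644 for files under a site root.
// Hypothetical usage: php audit_perms.php /path/to/site [--fix]

function audit_permissions(string $root, bool $fix = false): array
{
    $findings = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST   // visit directories as well as files
    );
    foreach ($walker as $info) {
        if ($info->isLink()) {
            continue;                           // never chmod through a symlink
        }
        $mode  = $info->getPerms() & 0777;
        $limit = $info->isDir() ? 0755 : 0644;
        $extra = $mode & ~$limit;               // permission bits beyond the limit
        if ($extra === 0) {
            continue;                           // equal to or stricter than the limit
        }
        $target = $mode & $limit;               // only removes bits, never adds any
        $findings[] = [
            'path'  => $info->getPathname(),
            'mode'  => sprintf('%04o', $mode),
            'world' => ($mode & 0002) !== 0,    // world-writable, e.g. left at 777
            'fixed' => $fix && chmod($info->getPathname(), $target),
        ];
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $fix = in_array('--fix', $argv, true);
    foreach (audit_permissions($argv[1], $fix) as $f) {
        printf("%s %s%s%s\n", $f['mode'], $f['path'],
            $f['world'] ? '  [world-writable]' : '',
            $f['fixed'] ? '  [tightened]' : '');
    }
}
```

Run it without `--fix` first and on a development copy, since some hosts need different modes for the site to work.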

Title: Re: Protecting Your Joomla/Vmart Site
Post by: steve10001 on October 19, 2009, 11:35:59 am
Thanx guys:-)

any chance of having some sort of "Best Host" list?
cheers

steve
Title: Re: Protecting Your Joomla/Vmart Site
Post by: PRO on October 21, 2009, 17:54:58 pm
> Thanx guys:-)
>
> any chance of having some sort of "Best Host" list?
> cheers
>
> steve

You can find this over at the joomla forum.
Title: Re: Protecting Your Joomla/Vmart Site
Post by: MikeUK on October 22, 2009, 17:26:20 pm
> > Thanx guys:-)
> >
> > any chance of having some sort of "Best Host" list?
> > cheers
> >
> > steve
>
> You can find this over at the joomla forum.


Personally, I think that list is not very good, except for one or two.

Steve, first choose the country where you want the servers located, then do some googling or get a recommendation from someone you know (and trust) that knows Joomla. There are a lot of good and a lot of bad hosting companies around. With the big companies, make sure they have a forum with lots of positive replies from the customers (be wary of empty or 100% private forums), or some other way of knowing how their current customers feel. Also, search 'joomla' in their forum or on their site. For small companies, look for a good track record or find out who they resell for. There are some good Joomla resellers out there who are usually also web developers / designers and work with good hosting companies, but normally it's good only to use resellers you actually know.

Most importantly, if it is cheap and with lots of space it will not be good. Good servers, quality diskspace and bandwidth, and well maintained costs money.

Avoid any host that offers accounts with 'unlimited' disk space and / or bandwidth. They will be overselling and will likely have overloaded servers. Finally, take no notice of awards. Most hosting awards are 'sponsored'.
Title: Re: Protecting Your Joomla/Vmart Site
Post by: steve10001 on October 23, 2009, 09:15:23 am
> Avoid any host that offers accounts with 'unlimited' disk space and / or bandwidth. They will be overselling and will likely have overloaded servers. Finally, take no notice of awards. Most hosting awards are 'sponsored'.

Well I've been with bluehost for a few years now and have had no problems whatsoever and they offer unlimited space & bandwidth (now at least). But then I have a dedicated IP - do I get better performance with a dedicated IP?
I have no idea.

cheers
steve
Title: Re: Protecting Your Joomla/Vmart Site
Post by: MikeUK on October 24, 2009, 09:15:40 am
Probably this bit of the discussion should be in a different thread, but it may be useful to someone. If you are happy with your host, great. Like many other cheaper hosts, your hosting company is probably selling more space than they actually have (overselling). Therefore, it is luck that decides whether you are on a server that becomes overloaded or not. I just don't think that is good when it comes to e-commerce. And you did ask about the best hosts.
Title: Re: Protecting Your Joomla/Vmart Site
Post by: rowby on December 11, 2009, 18:50:57 pm
I use Hostgator for all my Joomla sites. I like their support, cPanel, Fantastico ability to install Joomla if desired, etc.

I do not care for 1and1 (no error logs available). Do not care for Godaddy hosting (slow servers in my experience) -- don't care for Godaddy's control panel -- much prefer cPanel as offered by Hostgator.

I also don't recommend web.com (no easy access to htaccess file and generally not a hosting company for any serious websites, in my opinion).

...Rowby
Title: Re: Protecting Your Joomla/Vmart Site
Post by: sandhill on January 07, 2010, 04:01:17 am
I agree I have been with them for 2 years and very happy with them. They on occasion will even help with site Joomla software issues.
> I use Hostgator for all my Joomla sites. I like their support, cPanel, Fantastico ability to install Joomla if desired, etc.
>
> I do not care for 1and1 (no error logs available). Do not care for Godaddy hosting (slow servers in my experience) -- don't care for Godaddy's control panel -- much prefer cPanel as offered by Hostgator.
>
> I also don't recommend web.com (no easy access to htaccess file and generally not a hosting company for any serious websites, in my opinion).
>
> ...Rowby
Title: Re: Protecting Your Joomla/Vmart Site
Post by: muddauber on January 20, 2011, 02:17:49 am
I am getting attacks from the "Product enquiry for Product Name"
heading, which sounds like the ask.php module. I don't believe I
have that activated or linked anywhere.

Is there a way to disable ALL inquiries other than
just core Joomla inquiry? Seems like a leak that
should be able to be eliminated.
Title: Re: Protecting Your Joomla/Vmart Site
Post by: PRO on January 20, 2011, 03:07:07 am
> I am getting attacks from the "Product enquiry for Product Name"
> heading, which sounds like the ask.php module. I don't believe I
> have that activated or linked anywhere.
>
> Is there a way to disable ALL inquiries other than
> just core Joomla inquiry? Seems like a leak that
> should be able to be eliminated.


delete shop.ask.tpl


Title: Re: Protecting Your Joomla/Vmart Site
Post by: Forrest on February 14, 2011, 06:51:01 am
> I am getting attacks from the "Product enquiry for Product Name"
> heading, which sounds like the ask.php module. I don't believe I
> have that activated or linked anywhere.
>
> Is there a way to disable ALL inquiries other than
> just core Joomla inquiry? Seems like a leak that
> should be able to be eliminated.

Or add captcha to the form should you wish to use this at some point.

To add to the security measures, one should consider captcha on all public forms, including login... and have login with SSL if you have one.
Title: Re: Protecting Your Joomla/Vmart Site
Post by: targetzero on June 13, 2011, 20:16:03 pm
I didn't see anything on the forums about removing the INSTALL.php files in the following directory administrator/components/com_virtuemart.

Should I remove these files for security reasons:
install.copy.php
install.css
install.virtuemart.php
INSTALL.php.

Thanks.
Title: Re: Protecting Your Joomla/Vmart Site
Post by: PRO on June 13, 2011, 20:19:01 pm
targetzero

the admin folder should be password protected.

Password Protect Your Administrator Folder via cPanel/.htaccess
This Adds 1 more layer of protection to your admin panel
Title: Re: Protecting Your Joomla/Vmart Site
Post by: targetzero on June 13, 2011, 22:10:36 pm
Thanks for the reply. I apologize for my ignorance on this, but is there a tutorial which shows me how to password protect the admin folder via htaccess?

Thanks.
Title: Re: Protecting Your Joomla/Vmart Site
Post by: jenkinhill on June 13, 2011, 23:20:49 pm
You can usually add password protection .htaccess through the server control panel (cPanel, Plesk or whatever). To do it manually this old tutorial is still good: http://www.elated.com/articles/password-protecting-your-pages-with-htaccess/
Title: Re: Protecting Your Joomla/Vmart Site
Post by: grisam on June 14, 2011, 23:08:23 pm
> Thanks for the reply. I apologize for my ignorance on this, but is there a tutorial which shows me how to password protect the admin folder via htaccess?
>
> Thanks.

Here is one of many tutorials for this: http://www.sitedeveloper.ws/tutorials/htaccess.htm
Title: Re: Protecting Your Joomla/Vmart Site
Post by: kenquad on October 13, 2011, 19:43:35 pm
> Or add captcha to the form should you wish to use this at some point.

Is there an easy way to do that with a module or something?  I've got a client who's receiving a ton of spam through that form, and he's getting irritated by it.
Title: Re: Protecting Your Joomla/Vmart Site
Post by: PRO on October 13, 2011, 19:58:38 pm
> > Or add captcha to the form should you wish to use this at some point.
>
> Is there an easy way to do that with a module or something? I've got a client who's receiving a ton of spam through that form, and he's getting irritated by it.

templates/pages/shop.ask.tpl
I did a few things for mine.
1st I changed the name and email text to pictures, so that bots do not know what to put where.

Then I added a 2 + 2 math question. That's also a picture, and validated it with the same script the form already uses.

<!-- Field added to the form; the question itself is the image -->
<label for="ziptie"><img style="vertical-align:middle" src="images/spampre.png"></label>
<input type="text" name="ziptie" id="ziptie" size="10" class="inputbox" value="<?php echo $ziptie ?>"><br /><br />

// Extra branch added to the form's existing JavaScript validation
else if ( document.emailForm.ziptie.value.search("4") == -1 ) {
         alert( "Make sure the spam prevention question is correct" );
}
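
The JavaScript branch above runs only in the visitor's browser, and `search("4")` matches any value that contains a 4. A server-side check of the same `ziptie` field follows as an added example that is not part of the original post; it goes beyond the fixed 2 + 2 picture by issuing a random question per form. The session key and both function names are assumptions.

```php
<?php
// Added example, not the poster's code. The session key 'ziptie_answer' and both
// function names are hypothetical; only the field name 'ziptie' comes from the post.

// Call when rendering the form: stores the answer server-side, returns the question text.
function spam_question_new(array &$session): string
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $session['ziptie_answer'] = (string) ($a + $b);
    return "$a + $b";
}

// Call when the form is submitted, before any mail is sent.
function spam_question_ok(array &$session, array $post): bool
{
    $expected = $session['ziptie_answer'] ?? null;
    unset($session['ziptie_answer']);           // one attempt per rendered form
    $given = $post['ziptie'] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return false;                           // no question issued, or array input
    }
    $given = trim($given);
    if (!preg_match('/^[0-9]{1,2}$/D', $given)) {
        return false;                           // whole value must be a short number
    }
    return hash_equals($expected, $given);      // exact match, not "contains"
}

// Constructed demonstration; a real handler would pass $_SESSION and $_POST.
$session = ['ziptie_answer' => '4'];            // the post's fixed 2 + 2 question
foreach (['14', '4 or anything', '4'] as $input) {
    $ok = spam_question_ok($session, ['ziptie' => $input]);
    echo var_export($input, true), ' => ', $ok ? 'accepted' : 'rejected', "\n";
    $session['ziptie_answer'] = '4';            // re-issue the question for the next sample
}
```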
Title: Re: Protecting Your Joomla/Vmart Site
Post by: kenquad on October 14, 2011, 21:44:41 pm
Thank you so much for the detailed reply! This code plugged in just dandy, and should stop those auto-spammers cold. Thanks again for your time. :)
Title: Re: Protecting Your Joomla/Vmart Site
Post by: AndrewBucklin on February 08, 2012, 00:03:24 am
Just wanted to add some information as an extra measure that will help protect the site from hackers and annoying spammers... Very easy, and doesn't require any core hacks.

It's called GeoBlocker. It allows you to grant or deny access to the website based on countries, states / provinces, regions, zip codes / postal codes, and/or area codes.

http://extensions.joomla.org/extensions/access-a-security/site-access/ip-blocking/19441

http://xn--r1a3b.net/portfolio/GeoBlocker