Author Topic: Protecting Your Joomla/Vmart Site  (Read 30886 times)

PRO

  • Global Moderator
  • Super Hero
  • *
  • Posts: 10272
  • VirtueMart Version: 3+
Protecting Your Joomla/Vmart Site
« on: June 26, 2009, 16:52:35 pm »
As the Joomla/Virtuemart community grows larger, more hackers will attempt to compromise one of our very own sites.

Virtuemart is built on Joomla. You MUST be aware of Joomla vulnerability problems as they arise.

Start Here with the Joomla Security Checklist
http://docs.joomla.org/Category:Security_Checklist

Be a Regular Reader Here
http://forum.joomla.org/viewforum.php?f=432

Subscribe to The Joomla Security Feed
http://feeds.joomla.org/JoomlaSecurityNews

Password Protect Your Administrator Folder via Cpanel/Htaccess
This Adds 1 more layer of protection to your admin panel

Remember to test out modifications on a development site before your live site.


I have attached a zip file with a tutorial on using JoomlaPack to move, and restore your site

[attachment deleted by admin]
I do NOT do development work for hire.

MikeUK

  • Global Moderator
  • Full Member
  • *
  • Posts: 1344
Re: Protecting Your Joomla/Vmart Site
« Reply #1 on: September 16, 2009, 10:09:35 am »
I would just like to add something to this (great idea this thread, by the way). Three things that I have come across that I consider vital for good site security.

1) Hosting
The importance of this can not be over-stated. Many hosting companies will tell you that it is all about the scripts. But this is not the case. The hosts also have to make sure that their servers are secure AND that other problems on other accounts on the same server do not affect you. I strongly recommend using hosting companies that are very familiar with Joomla, and have sensible pricing (in other words, expect problems if the hosting company offers huge amounts of diskspace for $5 a month!).

2) Permissions
In my experience, a good host should enable your site to operate with 755 / 644 permissions, which allows for full use of Joomla / Virtuemart. Changing some files to 777 is sometimes required to do some things (like changing config). Make sure it becomes routine to change these file permissions back to 644.

3) Passwords
I have worked with clients who have had Joomla administrator accounts with username: admin, password: [companyname]. Don't do that!

The more we all make sure our security is good, the more hackers will not bother with Joomla sites.

Get answers faster:

I can build your online shop, setup or customize Virtuemart or help your existing shop maximize its potential. Email / PM for info
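The permissions routine from the post above, as an added example that is not part of the original thread: it lists anything left world-writable (for instance at 777) and resets directories to 755 and files to 644. The function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and reset permissions under a Joomla web root.
# The directory tree used in the demo is constructed, not a real site.

# List files and directories that are world-writable (e.g. left at 777 or 666).
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Count world-writable entries; 0 means nothing was left open.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Reset directories to 755 and regular files to 644.
reset_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Demo on a constructed tree that mimics a config file left at 777.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/administrator"
: > "$demo_root/configuration.php"
: > "$demo_root/administrator/index.php"
chmod 777 "$demo_root/configuration.php" "$demo_root/administrator"
echo "before: $(count_world_writable "$demo_root") world-writable"
list_world_writable "$demo_root"
reset_perms "$demo_root"
echo "after:  $(count_world_writable "$demo_root") world-writable"
rm -rf "$demo_root"
```

Run `list_world_writable` against the real web root first and review the output before calling `reset_perms`, since some hosts need different modes.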

steve10001

  • Jr. Member
  • **
  • Posts: 90
Re: Protecting Your Joomla/Vmart Site
« Reply #2 on: October 19, 2009, 11:35:59 am »
Thanx guys:-)

any chance of having some sort of "Best Host" list?
cheers

steve
it was like that when i got here.

PRO

  • Global Moderator
  • Super Hero
  • *
  • Posts: 10272
  • VirtueMart Version: 3+
Re: Protecting Your Joomla/Vmart Site
« Reply #3 on: October 21, 2009, 17:54:58 pm »
Quote
Thanx guys:-)

any chance of having some sort of "Best Host" list?
cheers

steve

You can find this over at the joomla forum.

MikeUK

  • Global Moderator
  • Full Member
  • *
  • Posts: 1344
Re: Protecting Your Joomla/Vmart Site
« Reply #4 on: October 22, 2009, 17:26:20 pm »
Quote
Thanx guys:-)

any chance of having some sort of "Best Host" list?
cheers

steve

Quote
You can find this over at the joomla forum.


Personally, I think that list is not very good, except for one or two.

Steve, first choose the country where you want the servers located, then do some googling or get a recommendation from someone you know (and trust) that knows Joomla. There are a lot of good and a lot of bad hosting companies around. With the big companies, make sure they have a forum with lots of positive replies from the customers (be wary of empty or 100% private forums), or some other way of knowing how their current customers feel. Also, search 'joomla' in their forum or on their site. For small companies, look for a good track record or find out who they resell for. There are some good Joomla resellers out there who are usually also web developers / designers and work with good hosting companies, but normally it's good only to use resellers you actually know.

Most importantly, if it is cheap and with lots of space it will not be good. Good servers, quality diskspace and bandwidth, and well-maintained servers cost money.

Avoid any host that offers accounts with 'unlimited' disk space and / or bandwidth. They will be overselling and will likely have overloaded servers. Finally, take no notice of awards. Most hosting awards are 'sponsored'.

steve10001

  • Jr. Member
  • **
  • Posts: 90
Re: Protecting Your Joomla/Vmart Site
« Reply #5 on: October 23, 2009, 09:15:23 am »
Quote
Avoid any host that offers accounts with 'unlimited' disk space and / or bandwidth. They will be overselling and will likely have overloaded servers. Finally, take no notice of awards. Most hosting awards are 'sponsored'.

Well, I've been with bluehost for a few years now and have had no problems whatsoever and they offer unlimited space & bandwidth (now at least). But then I have a dedicated IP - do I get better performance with a dedicated IP?
I have no idea.

cheers
steve

MikeUK

  • Global Moderator
  • Full Member
  • *
  • Posts: 1344
Re: Protecting Your Joomla/Vmart Site
« Reply #6 on: October 24, 2009, 09:15:40 am »
Probably this bit of the discussion should be in a different thread, but it may be useful to someone. If you are happy with your host, great. Like many other cheaper hosts, your hosting company is probably selling more space than they actually have (overselling). Therefore, it is luck that decides whether you are on a server that becomes overloaded or not. I just don't think that is good when it comes to e-commerce. And you did ask about the best hosts.

rowby

  • Jr. Member
  • **
  • Posts: 77
    • RowbyVille
Re: Protecting Your Joomla/Vmart Site
« Reply #7 on: December 11, 2009, 18:50:57 pm »
I use Hostgator for all my joomla sites. I like their support, cpanel, Fantastico ability to install Joomla if desired, etc.

I do not care for 1and1 (no error logs available). Do not care for Godaddy hosting (slow servers in my experience) -- don't care for Godaddy's control panel -- much prefer Cpanel as offered by Hostgator.

I also don't recommend web.com (no easy access to htaccess file and generally not a hosting company for any serious websites, in my opinion).

...Rowby
Join me in Outer Space at:
http://www.rowbyville.com

sandhill

  • Beginner
  • *
  • Posts: 13
Re: Protecting Your Joomla/Vmart Site
« Reply #8 on: January 07, 2010, 04:01:17 am »
I agree. I have been with them for 2 years and am very happy with them. They on occasion will even help with site Joomla software issues.

Quote
I use Hostgator for all my joomla sites. I like their support, cpanel, Fantastico ability to install Joomla if desired, etc.

I do not care for 1and1 (no error logs available). Do not care for Godaddy hosting (slow servers in my experience) -- don't care for Godaddy's control panel -- much prefer Cpanel as offered by Hostgator.

I also don't recommend web.com (no easy access to htaccess file and generally not a hosting company for any serious websites, in my opinion).

...Rowby

muddauber

  • Jr. Member
  • **
  • Posts: 68
Re: Protecting Your Joomla/Vmart Site
« Reply #9 on: January 20, 2011, 02:17:49 am »
I am getting attacks from the "Product enquiry for Product Name"
heading, which sounds like the ask.php module. I don't believe I
have that activated or linked anywhere.

Is there a way to disable ALL inquiries other than
just core Joomla inquiry? Seems like a leak that
should be able to be eliminated.

PRO

  • Global Moderator
  • Super Hero
  • *
  • Posts: 10272
  • VirtueMart Version: 3+
Re: Protecting Your Joomla/Vmart Site
« Reply #10 on: January 20, 2011, 03:07:07 am »
Quote
I am getting attacks from the "Product enquiry for Product Name"
heading, which sounds like the ask.php module. I don't believe I
have that activated or linked anywhere.

Is there a way to disable ALL inquiries other than
just core Joomla inquiry? Seems like a leak that
should be able to be eliminated.


delete shop.ask.tpl



Forrest

  • Hero Member
  • *****
  • Posts: 1972
  • Me and my baby
    • Web Developer
Re: Protecting Your Joomla/Vmart Site
« Reply #11 on: February 14, 2011, 06:51:01 am »
Quote
I am getting attacks from the "Product enquiry for Product Name"
heading, which sounds like the ask.php module. I don't believe I
have that activated or linked anywhere.

Is there a way to disable ALL inquiries other than
just core Joomla inquiry? Seems like a leak that
should be able to be eliminated.

Or add captcha to the form should you wish to use this at some point.

To add to the security measures, one should consider captcha on all public forms, including login... and have login with SSL if you have one.

targetzero

  • Beginner
  • *
  • Posts: 2
Re: Protecting Your Joomla/Vmart Site
« Reply #12 on: June 13, 2011, 20:16:03 pm »
I didn't see anything on the forums about removing the INSTALL.php files in the following directory administrator/components/com_virtuemart.

Should I remove these files for security reasons:
install.copy.php
install.css
install.virtuemart.php
INSTALL.php.

Thanks.

PRO

  • Global Moderator
  • Super Hero
  • *
  • Posts: 10272
  • VirtueMart Version: 3+
Re: Protecting Your Joomla/Vmart Site
« Reply #13 on: June 13, 2011, 20:19:01 pm »
targetzero

the admin folder should be password protected.

Password Protect Your Administrator Folder via Cpanel/Htaccess
This Adds 1 more layer of protection to your admin panel

targetzero

  • Beginner
  • *
  • Posts: 2
Re: Protecting Your Joomla/Vmart Site
« Reply #14 on: June 13, 2011, 22:10:36 pm »
Thanks for the reply. I apologize for my ignorance on this, but is there a tutorial which shows me how to password protect the admin folder via htaccess?

Thanks.
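One way to password protect the administrator folder via .htaccess, as an added example that is not part of the original thread. It assumes an Apache host that honours .htaccess authentication directives; the function name, paths and user name are constructed placeholders.

```shell
#!/bin/sh
# Added example: HTTP Basic auth for Joomla's administrator/ folder on Apache.
# All paths and the user name are constructed placeholders.
#
# Create the password file first, outside the web root, for example:
#   htpasswd -c /home/example/.htpasswd siteadmin

# Write administrator/.htaccess that points at the password file.
# Refuses a password file inside the web root, where it could be downloaded.
protect_admin() {
    webroot=${1%/}
    pwfile=$2
    case "$pwfile" in
        /*) ;;
        *) echo "password file path must be absolute" >&2; return 1 ;;
    esac
    case "$pwfile" in
        "$webroot"|"$webroot"/*)
            echo "refusing: $pwfile is inside the web root" >&2; return 1 ;;
    esac
    [ -d "$webroot/administrator" ] || { echo "no administrator/ folder" >&2; return 1; }
    cat > "$webroot/administrator/.htaccess" <<EOF
AuthType Basic
AuthName "Administrator"
AuthUserFile "$pwfile"
Require valid-user
EOF
    chmod 644 "$webroot/administrator/.htaccess"
}

# Demo on a constructed tree (no real site is touched).
demo=$(mktemp -d)
mkdir -p "$demo/public_html/administrator"
protect_admin "$demo/public_html" "$demo/public_html/.htpasswd" || echo "rejected, as expected"
protect_admin "$demo/public_html" "$demo/.htpasswd" && cat "$demo/public_html/administrator/.htaccess"
rm -rf "$demo"
```

Basic auth sends the password on every request, so it belongs behind SSL, as suggested earlier in the thread.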