Joomla! Videos - Adding Security to Joomla!

2007 February 3
Dan Entous

Directory & File Check

I recently started to work with Joomla! and came across an issue that concerned me while running it on a Linux webserver. It looks like Joomla! requires that all files and folders be installed with the webserver as their owner, and the configuration file, with the database username and password, the Joomla! secret word and other key information, is installed in the public_html folder. Both of these situations can create a security risk:

These default Joomla! set-up choices do not guarantee an attack but do leave the files more open to attack than necessary.

If you understand a bit about PHP, FTP and file/folder structure/permissions on a Linux webserver, then the set-up described in these videos may help you overcome these potential security threats. I have not had time to fully test the set-up described, but thus far it has worked without issue. I am able to create content and upload templates via FTP rather than via the Joomla! Template install method, and both functions work.

Videos

These videos require Adobe Flash in order to view them. If you don't have it, you can download and install it from their website. I've used Macromedia Dreamweaver 8 while working on the files, but you can also use any other code editor and FTP program to accomplish this set-up.

  1. Install Joomla
  2. Turn Registered Globals Emulation Off
  3. Move the configuration.php file

Moving/Renaming the Configuration File

Moving/Renaming the configuration.php file can help protect your configuration but it does pose a few issues:

  1. Files that require configuration.php need to reference the new location and new name if you change it. The following files have been found with such references:
  2. You will need to manually edit the configuration.php file and upload it via FTP rather than editing it via the Joomla! Administrator Control Panel - Global Configuration.
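
One way to find the files that reference configuration.php before moving it, and to check the two set-up concerns raised at the top of the page (web-server-owned files, configuration file inside public_html). This is an added example, not part of the original article or of Joomla!; the function names and the demo tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for the two set-up concerns and the reference hunt.
# Every path and file below is constructed for the demo.

# Print PHP files under $1 that include/require the config file named $2,
# so each reference can be updated after the file is moved or renamed.
find_config_refs() {
    name=$(printf '%s' "${2:-configuration.php}" | sed 's/\./\\./g')
    find "$1" -type f -name '*.php' -exec \
        grep -lE "(require|include)(_once)?[^;]*${name}" {} + | sort
}

# Exit 0 if the config file is still directly inside the web root $1.
config_in_webroot() {
    [ -f "$1/${2:-configuration.php}" ]
}

# Print everything under $1 owned by user $2 (the web server account).
# A PHP script running as that account is able to rewrite these files.
find_owned_by() {
    find "$1" -user "$2" | sort
}

# Build a small constructed tree that mimics the layout in the article.
make_demo_tree() {
    mkdir -p "$1/public_html/administrator"
    printf '%s\n' '<?php $demo_secret = "CONSTRUCTED";' \
        > "$1/public_html/configuration.php"
    printf '%s\n' "<?php require_once( 'configuration.php' );" \
        > "$1/public_html/index.php"
    printf '%s\n' "<?php require_once( '../configuration.php' );" \
        > "$1/public_html/administrator/index.php"
    printf '%s\n' '<?php echo "no config needed";' \
        > "$1/public_html/offline.php"
}
```

Run `find_config_refs` against the real web root before the move, and `find_owned_by` with the account your web server runs as, to see what would need changing on your own install.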