7 tips to optimize Joomla! security and prevent getting hacked http://www.marcofolio.net Sat, 21 Nov 2009 07:47:06 +0100 FeedCreator 1.7.2 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc2176 Thanks for the tips. However point 6 of \'Change the default database prefix (mf_)\' isn\'t so clear: [i]- When done, select all code and copy it to notepad (or any other text editor)[/i] What code should I select? Do I have to open the dumped .sql file with notepad? :dry: Thanks. Enrico Sat, 14 Jun 2008 17:40:53 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc2177 block bad user agents http://it.dennyhalim.com/2008/06/ultimate-htaccess-blacklist.html dennyhalim.com Sun, 15 Jun 2008 02:11:52 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc2181 By default, the export compression of phpMyAdmin is set to \"none\". When doing this, you get the SQL dump shown on the website instead of a .sql file. If you can\'t view the SQL code dump, you can indeed retrieve your .sql file and open / change it with notepad. Good luck! Marco Sun, 15 Jun 2008 15:44:13 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc2182 Hi Denny, Thanks for your input! I checked out the list and it really looks amazing. There\'s just one reason I\'m not adding it to the list: The htaccess is for [b]all[/b] websites, and these tips are purely based for Joomla! only. Great share anyway! Greetings,,, Marco Sun, 15 Jun 2008 15:46:32 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc2183 You can also protect the administrator folder; [url=http://www.hackjoom.web.id/hackarticles/Miscellaneous-Hack/Protecting-Joomla-Administrator-Folder-with-Password-Protect-Directories-in-cPanel.html]here is a tutorial for cpanel.[/url] Friso Mon, 16 Jun 2008 09:38:54 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc2184 Tnx Marco for the tips :cheer: Kleine Smurf Sun, 15 Jun 2008 21:44:23 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc2638 Hi. I want to change my database prefix but after saving database prefix I got this error. .jtablesession::store failed DB function failed with error number 1146 Table \'tabs.tab_session\' doesn\'t exist SQL=INSERT INTO tab_session ( `session_id`,`time`,`username`,`gid`,`guest`,`client_id` ) VALUES ( \'6b6282a706bb72ccbabf2adf59f1af18\',\'1219647789\',\'\',\'0\',\'1\',\'1\' ) what can I do? Thanks. bahareh Mon, 25 Aug 2008 08:12:01 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc2687 Hi again Marco, today I\'ve decided to apply the \'change mf_ prefix\" tip. However, when I paste mysql code, it starts the process but after some minutes I have this message displayed: #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near \'INSERT INTO `NEPREFIX_content` (`id`, `title`, `title_alias`, `introtext`, `fullt\' at line 2 Any help, please? Thanks Enrico Sun, 31 Aug 2008 10:02:51 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc2690 What [b]exactly[/b] did you do? Shouldn\'t the NEPREFIX_content be \"NE[b]W[/b]PREFIX_content\"? Please contact me through the contact form so you can send me your .SQL file so I can check. Greetings,, Marco Sun, 31 Aug 2008 15:23:21 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc2691 [quote=Marco]What [b]exactly[/b] did you do? Shouldn\'t the NEPREFIX_content be "NE[b]W[/b]PREFIX_content"? Please contact me through the contact form so you can send me your .SQL file so I can check. Greetings,,[/quote] Nothing special. I\'ve simply followed the steps: downloaded sql, changed prefix, but when I paste the \'new\' sql code and click start....after some minutes (\'cause my sql is 40mb big) I got that message displayed. Yew, neprefix is just an example. I didn\'t write here the real new prefix. ;-) Enrico Sun, 31 Aug 2008 16:36:53 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc2692 Hmhm, that\'s pretty strange indeed. I\'ve checked your SQL code and it doesn\'t contain any errors. Could you check if your phpMyAdmin allows to import such big scripts (40 MB)? You can also try copy-pasting the create / insert for each table seperately. Good luck! Greetings,,, Marco Sun, 31 Aug 2008 20:09:57 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc2740 Joomla 1.0.x Extension! :idea: [url=http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,1277/Itemid,35/]Change default(and custom!) table prefix[/url] . Anyone with a J!1.5 version? :?: CU Maik Kaune Sun, 07 Sep 2008 13:03:30 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc2756 Just recently my Joomla website got hacked, thanks for the tips mate, I\'ll put them in good use. Sunlust Designs Tue, 09 Sep 2008 15:02:20 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc2886 very useful information . thank you! :cheer: shiva Sat, 27 Sep 2008 11:19:14 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc3325 Excellent tutorial for joomla security. Mark Fri, 21 Nov 2008 07:47:30 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc3654 Nice to know all those things especially the CHMOD thing. thanks Jamp Mark Sat, 10 Jan 2009 13:31:15 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc3670 Really Good Stuff to be Secure Durga Prasad Mon, 12 Jan 2009 05:37:43 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc4111 bad link URL greta Fri, 20 Feb 2009 02:52:09 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc5197 These are not really \"security\" tips. Using a non-default database prefix doesnt mean much, as, if there is an exploit that gives them sql access, they can issue a query that can tell them the names of the tables in the database. Changing the version string (now using version 1.1 of Docman) for instance may be a feature that allows you to not catch the eye of a little hacker bastard who is visiting your site so he wont go \"hey! I got an exploit for the version he\'s using, yippee!\" In that case, you better of removing the \"Docman\" part of it as well! Since people through the exploits at any/every thing, to see what sticks - and that is where the real part of security comes in. Determining and detecting if your site is being probed bay a hacker, looking for exploits or loop holes. With Jquery and the like, our sites are WAAAAAAY more prone to Cross-site scripting and other dangers than EVER before. exploits that were once impossible ( \"as there is nothing you can really do in 300 bytes of javascript\" are now possible if the target is running Jquery. Also, with a tool like firebug, a hacker may do something is this scenario. \"Ajax and PHP based Filebrowser. // Javascript has some init variables. ... Var basdir =\'/home/dev/mysite/uploads\' ..... Now when the page for the script loads, the user can fireup FireBug, and, and the javascript console say basdir =\'/home/dev/security\' Now when the user continues the execution, the Ajax passes the parameter to the php code on the server and browsing is starting from the ....SECURITY folder Tomorrow I will go into this in more detail and how you can secure apps against this additional vector` mark Mon, 13 Apr 2009 06:26:33 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc5224 Hi Mark, Thanks for your comment. You\'re right about the fact that real hackers can do a lot to take your website down. The \"changing database prefix\" tip is to prevent SQL Injections - they\'ll need to know the database name. If there is an exploit in any extension, they can retrieve the database password etc., so it\'ll still be dangerous. Anyway, thank you for sharing your thoughts! Marco Thu, 16 Apr 2009 07:48:36 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc5278 http://www.ajitweekly.com/index.php?option=com_content&task=view&id=6227&Itemid=1 when we click its open some other site :shock: goldy Sat, 18 Apr 2009 21:36:32 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc7125 Thank you for the information on securing Joomla websites. Auto scanners on the Internet are always looking for website loopholes to hack them. Since Joomla is a largely used web management system, and hackers know how its built they know where and how to attack. Changing Table names in the database, securing htaccess file and turning register globals and allow URL fopen gives you great deal of security. Additionally we are working to setup a private firewall on our websites to track and monitor every request at our website. I think its time to close website entrance for everyone and strictly monitor who is coming at our websites and why! Genex Business Solutions Sat, 06 Jun 2009 11:44:31 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc12781 Hello, I saw a plugin called \'Secure Login Plugin\'. Developer says that it encrypts username/password before sending over internet and make both front and back end login safe. I am really keen on security. Is it something important to buy? I don\'t have SSL. Thanks. Abdul Mannan Sun, 01 Nov 2009 23:44:14 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc12782 By the way, here is the link if someone need to see http://codingmall.com/products-mainmenu-8/37-secure-login-plugin-without-ssl Abdul Mannan Sun, 01 Nov 2009 23:45:45 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc12795 Hi, Something didn\'t work for me. The query part is not clear. When I select \"SQL\" the query window comes up as one open box. Then I past all my code there and click \"Go\". Then I get an error message: Error SQL query: -- -- Database: `information_schema` -- CREATE DATABASE `information_schema` DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci; MySQL said: Documentation #1044 - Access denied for user \'manajoomla2\'@\'%\' to database \'information_schema\' Can you tell me what I may have done wrong? Akanke Mon, 02 Nov 2009 10:40:00 +0100 http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html#josc13151 Thank you for the information. It seems that someone is trying to access my website. Chris Wed, 11 Nov 2009 14:54:23 +0100