CMS Security Tips
Dear Sir/Madam,

Thousands of WordPress and Joomla sites are currently under attack by a large campaign of password brute-forcing and phishing mails. Administrators need to make sure they have strong passwords and unique usernames for their WordPress and Joomla installations. Over the past few days, perpetrators have significantly stepped up brute-force, dictionary-based login attempts against WordPress blogs and Joomla sites. The attack looks for common account names, such as "admin", on the site and systematically tries common passwords in order to break into the account. Administrators do not want someone breaking in and getting access to their sites, because that attacker could deface the site or embed malicious code to infect visitors with malware.

The attackers are using brute-force tactics to break into user accounts on WordPress and Joomla sites. The top five usernames being targeted are "admin", "test", "administrator", "Admin" and "root". In a brute-force attack, the perpetrators systematically try out all possible combinations until they successfully log in to the account. Simple passwords such as number sequences and dictionary words are easy to guess, and an application automates the entire process. The top five passwords being attempted in this attack are "admin", "123456", "111111", "666666" and "12345678".

The other half of the puzzle: passwords. The most recent spate of attacks used some heavy password-cracking tools, and they are hard to escape, but not impossible.

One aspect of site security that is neglected more often than any other is CMS software that is not patched and up to date. We see this problem occur over and over again. Clients purchase websites with content management systems, and then once the application is developed they do not keep it patched.
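The brute-forcing described above leaves a clear trace in the web server's access log: one client address posting to the login page over and over. The following shell script is an added example, not part of the original advisory, that counts POST requests to the WordPress login page (/wp-login.php) and the Joomla administrator login (/administrator/index.php) per client address and reports the addresses that exceed a threshold. The log excerpt is constructed for the demonstration and uses documentation IP addresses; the log format assumed is the common Apache/nginx format where field 1 is the client address, field 6 the method and field 7 the request path.

```shell
#!/bin/sh
# Added example (not from the original advisory): flag client addresses that
# hammer the WordPress or Joomla login page in a common-format access log.

# Constructed access-log excerpt. One client posts to wp-login.php six times,
# one logs in normally once, and one posts to the Joomla administrator login
# five times. Addresses are RFC 5737 documentation addresses.
SAMPLE_LOG='198.51.100.7 - - [10/Apr/2013:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3481
198.51.100.7 - - [10/Apr/2013:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3481
198.51.100.7 - - [10/Apr/2013:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3481
198.51.100.7 - - [10/Apr/2013:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3481
198.51.100.7 - - [10/Apr/2013:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3481
198.51.100.7 - - [10/Apr/2013:09:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3481
203.0.113.21 - - [10/Apr/2013:09:00:07 +0000] "GET /index.php HTTP/1.1" 200 9120
203.0.113.21 - - [10/Apr/2013:09:00:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.21 - - [10/Apr/2013:09:00:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 18220
192.0.2.44 - - [10/Apr/2013:09:00:10 +0000] "POST /administrator/index.php HTTP/1.1" 200 4010
192.0.2.44 - - [10/Apr/2013:09:00:11 +0000] "POST /administrator/index.php HTTP/1.1" 200 4010
192.0.2.44 - - [10/Apr/2013:09:00:12 +0000] "POST /administrator/index.php HTTP/1.1" 200 4010
192.0.2.44 - - [10/Apr/2013:09:00:13 +0000] "POST /administrator/index.php HTTP/1.1" 200 4010
192.0.2.44 - - [10/Apr/2013:09:00:14 +0000] "POST /administrator/index.php HTTP/1.1" 200 4010'

# login_attempts LOGFILE
# Prints "<count> <ip>" for every client that POSTed to a CMS login page,
# highest count first. In the common log format field 1 is the client address,
# field 6 is the method (with its leading quote) and field 7 is the path.
login_attempts() {
    awk '$6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/administrator/index.php") {
             hits[$1]++
         }
         END { for (ip in hits) print hits[ip], ip }' "$1" | sort -rn
}

# suspicious_ips LOGFILE THRESHOLD
# Prints only the addresses whose login POST count is at or above THRESHOLD.
suspicious_ips() {
    login_attempts "$1" | awk -v limit="$2" '$1 >= limit { print $2 }'
}

# Demonstration on the constructed excerpt.
tmp_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp_log"
echo "Login POSTs per client:"
login_attempts "$tmp_log"
echo "Clients with 5 or more login POSTs:"
suspicious_ips "$tmp_log" 5
rm -f "$tmp_log"
```

On a live server, point login_attempts at the real access log (for example /var/log/apache2/access.log, which is an assumption about the server layout) and feed the addresses that suspicious_ips reports to your firewall or a tool such as fail2ban. The access log does not record which username was tried, since that is in the POST body; to see the "admin"/"test"/"root" pattern you need the CMS's own login log or a login-limiting plug-in.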
You must keep up with your website's CMS software patches! A large number of Joomla sites were recently compromised by an automated tool that specifically searched for a very commonly installed extension which had been the subject of a security patch. The hackers knew that many people would have failed to install the patch, so they looked for unpatched versions of the extension as a doorway into the site. It worked very well; a number of sites fell victim.

Your CMS software is no different from the software on your desktop, your notebook and your smartphone: there will be patches and maintenance releases, and you must install them to keep your site safe from attackers. Also, do not forget that those patches often bring new functionality or improved performance, so if you fail to take advantage of the upgrades you may be missing out on enhancements that add value to your site.
Now you need to know how an attacker hacks or exploits your site:

- They know the security weak points of your site.
- They know which important directories are open and accessible.
- They know which CMS version has security issues.
- They know which outdated, insecure plug-ins you are using and can take advantage of them.
- They brute-force your site login with random usernames and passwords.
- They know the CMS uses "Admin" as the administrator name, so they keep generating passwords and keep trying.
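The attacker's advantage in the two passages above is knowing your CMS and plug-in versions better than you do. The defender's answer is an inventory. The following shell script is an added example, not part of the original advisory, that reads the WordPress core version from wp-includes/version.php (WordPress stores it there as $wp_version) and each plug-in's version from the "Version:" header line of its main file, then lists every component that is behind the release you have recorded as current. The sample site tree, the version numbers in it and the CURRENT_VERSIONS list are all constructed for the demonstration; in real use the list comes from the vendors' release announcements.

```shell
#!/bin/sh
# Added example (not from the original advisory): inventory the installed
# WordPress core and plug-in versions and report what is behind the current release.
# Assumptions: wp-includes/version.php contains $wp_version = '...'; a plug-in's
# main file carries a "Version:" header line. Sample data below is constructed.

# make_sample_tree -> prints the path of a constructed WordPress-like tree
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/plugins/example-gallery" \
             "$d/wp-content/plugins/example-forms"
    cat > "$d/wp-includes/version.php" <<'EOF'
<?php
$wp_version = '3.5.1';
EOF
    cat > "$d/wp-content/plugins/example-gallery/example-gallery.php" <<'EOF'
<?php
/*
Plugin Name: Example Gallery
Version: 1.4.0
*/
EOF
    cat > "$d/wp-content/plugins/example-forms/example-forms.php" <<'EOF'
<?php
/*
Plugin Name: Example Forms
Version: 2.0.3
*/
EOF
    echo "$d"
}

# Constructed "current release" list, one "name version" pair per line. "core"
# is the WordPress core; other names are plug-in directory names.
CURRENT_VERSIONS='core 3.5.2
example-gallery 1.4.0
example-forms 2.1.0'

# version_lt A B -> true (exit 0) when dotted version A is older than B
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# installed_versions DOCROOT
# Prints "name version" for the core and for every plug-in directory found.
installed_versions() {
    root=$1
    core=$(grep '^[$]wp_version' "$root/wp-includes/version.php" | cut -d"'" -f2)
    echo "core ${core:-unknown}"
    for dir in "$root"/wp-content/plugins/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        ver=$(grep -h -m1 '^Version:' "$dir"*.php 2>/dev/null | head -n 1 \
              | sed 's/^Version:[[:space:]]*//' | tr -d '\r')
        echo "$name ${ver:-unknown}"
    done
}

# outdated DOCROOT
# Prints "name installed current" for every component older than the current list.
outdated() {
    installed_versions "$1" | while read -r name ver; do
        current=$(printf '%s\n' "$CURRENT_VERSIONS" | awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$current" ] || continue      # no reference version recorded: skip
        if version_lt "$ver" "$current"; then
            echo "$name $ver $current"
        fi
    done
}

# Demonstration on the constructed tree.
SITE=$(make_sample_tree)
echo "Installed:"
installed_versions "$SITE"
echo "Behind the current release (name installed current):"
outdated "$SITE"
rm -rf "$SITE"
```

Run outdated against the real document root after every vendor release announcement; anything it prints is exactly the kind of unpatched component the passage above says attackers scan for. Joomla keeps its versions in XML manifests rather than PHP headers, so the parsing in installed_versions would need a Joomla variant.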
So how do you overcome these situations?

- Keep your CMS installation and plug-ins up to date.
- Rename the administrative account.
- Use a strong password: craft a password that is VERY hard to guess by combining numbers, letters and symbols in upper and lower case, and change it every 30 days. Example: y#$%6&!
- Change the admin, FTP and database login details often.
- Disable directory browsing.
- File permissions: always set folders to 755, files to 644 and config files to 555.
- Do not advertise the CMS version you are running.
- Avoid using vulnerable themes and extensions.
- Stay on top of security releases: subscribe to the CMS development blog for security patches and updates.
- Use a CAPTCHA whenever possible.
- Limit access to your wp-admin directory.
- Restrict access to your wp-config.php.
- XSS/SQL injection: check extensions by searching for the extension name together with "vulnerabilities", and check the respective CMS websites for up-to-date information.
- Database security: remember that a single SQL injection could result in the loss of your data.
- Change the default database table prefix (e.g. jos_ or wp_).
- Add SSL to the site, and force Joomla and WordPress into SSL mode for all logins. This encrypts the traffic between the user's login and the site.
- Always take a backup of your domain.
- Restrict admin access from other IPs.
- Make sure that you have deleted the installation files from your site.
- Maintain an .htaccess file inside the images folder that allows only image extensions.
- Delete unnecessary files and folders from your web space.
- Validate the data: check the data type before saving it.
- Strictly follow the CMS standard when creating an extension or plug-in.
- Avoid SQL injection:
  - Use safe variables.
  - Use the mysql_real_escape_string function when passing a value into a query.
- Work with error reporting set to Maximum mode so that warnings and notices are not hidden.

Taking care of these things will help keep you safe when others are getting hacked.
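Several items in the checklist (folders 755, files 644, config files 555; disable directory browsing; restrict wp-config.php; limit wp-admin to your own address; an .htaccess in the images folder that allows only image files; delete the installation files) can be applied with a single script. The following is an added example, not part of the original advisory, that does so for a document root on an Apache server that honours .htaccess files (AllowOverride enabled). It uses Apache 2.4 "Require" syntax; the ADMIN_IP placeholder, the wp-config.php / configuration.php file names and the constructed sample tree are assumptions made for the demonstration, so replace ADMIN_IP with the address you administer from.

```shell
#!/bin/sh
# Added example (not from the original advisory): apply the checklist's
# permission and .htaccess rules to a CMS document root. Assumes Apache 2.4
# with AllowOverride enabled. ADMIN_IP is a placeholder you must replace.
set -e

ADMIN_IP=${ADMIN_IP:-203.0.113.10}   # placeholder: the address you administer from

# perm_of PATH -> octal mode; GNU stat first, BSD stat as the fallback
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# make_sample_tree -> prints the path of a constructed, deliberately loose CMS tree
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin" "$d/wp-content/uploads" "$d/images" "$d/installation"
    printf '<?php // constructed config\n' > "$d/wp-config.php"
    printf '<?php // constructed script\n' > "$d/index.php"
    printf 'not an image\n' > "$d/images/stray.php"
    printf 'leftover installer\n' > "$d/installation/index.php"
    chmod 777 "$d/wp-content/uploads" "$d/index.php"   # too permissive on purpose
    echo "$d"
}

# write_htaccess DOCROOT
# Disables directory listing site-wide, blocks wp-config.php over HTTP, limits
# wp-admin to ADMIN_IP and serves only image files from the images folder.
write_htaccess() {
    root=$1
    cat > "$root/.htaccess" <<'EOF'
# Disable directory browsing
Options -Indexes

# The configuration file is never a legitimate download
<Files wp-config.php>
    Require all denied
</Files>
EOF
    mkdir -p "$root/wp-admin"
    cat > "$root/wp-admin/.htaccess" <<EOF
# Only the administrator's own address may reach the dashboard
Require ip $ADMIN_IP
EOF
    mkdir -p "$root/images"
    cat > "$root/images/.htaccess" <<'EOF'
# Serve only image files from this folder; any script placed here is refused
Require all denied
<FilesMatch "\.(jpe?g|png|gif|webp)$">
    Require all granted
</FilesMatch>
EOF
}

# harden_permissions DOCROOT
# Folders 755, files 644, configuration files 555 (no write bit even for the owner).
harden_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for cfg in "$root/wp-config.php" "$root/configuration.php"; do
        if [ -f "$cfg" ]; then chmod 555 "$cfg"; fi
    done
}

# harden DOCROOT -> the whole checklist subset, in order
harden() {
    root=$1
    write_htaccess "$root"
    if [ -d "$root/installation" ]; then
        rm -rf "$root/installation"   # Joomla's installer directory must not stay on a live site
    fi
    harden_permissions "$root"
}

# Demonstration on the constructed tree.
SITE=$(make_sample_tree)
harden "$SITE"
echo "uploads: $(perm_of "$SITE/wp-content/uploads")  index.php: $(perm_of "$SITE/index.php")  wp-config.php: $(perm_of "$SITE/wp-config.php")"
rm -rf "$SITE"
```

Run harden against the real document root as the user that owns the files, then confirm with a browser that a directory URL no longer lists files and that wp-config.php returns 403. A 555 configuration file means the CMS's own settings screen can no longer write to it; loosen it to 644 for the duration of a deliberate configuration change and set it back afterwards.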