CMS Security Tips

Dear Sir/Madam,
 
Thousands of WordPress and Joomla sites are currently under attack through large-scale password brute-forcing and phishing mails. Administrators need to make sure they have strong passwords and unique usernames for their WordPress and Joomla installations. Over the past few days, perpetrators have significantly stepped up brute-force, dictionary-based login attempts against WordPress blogs and Joomla sites.
 
The attack looks for common account names, such as "admin," on the site and systematically tries common passwords in order to break into the account.
 
Administrators don't want someone breaking in and getting access to their sites, since the attacker could deface the site or embed malicious code that infects visitors with malware.
 
The attackers are using brute-force tactics to break into user accounts for WordPress and Joomla sites. The top five user names being targeted are "admin," "test," "administrator," "Admin," and "root." In a brute-force attack, the perpetrators systematically try out all possible combinations until they successfully log in to the account. Simple passwords such as number sequences and dictionary words are easy to guess, and an application automates the entire process. The top five passwords being attempted in this attack happen to be "admin," "123456," "111111," "666666," and "12345678." The other half of the puzzle: passwords. The most recent spate of attacks was using some heavy password-cracking tools, and they are hard to escape, but not impossible.
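The campaign described above shows up in the web server's access log as bursts of POST requests to the login page from a single address. The following script is an added example (not part of the original notice) that flags such bursts in Apache/nginx combined-format logs; the log lines, addresses, window and threshold are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Login endpoints the brute-force campaign hits (WordPress and Joomla).
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php")
# Apache/nginx "combined" log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path) or None when the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?", 1)[0]

def find_bruteforcers(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak_attempts} for IPs that POST to a login page at least
    `threshold` times within any `window`-long period (sliding window)."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in LOGIN_PATHS:
            attempts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # drop attempts that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample log: one address hammers wp-login.php, another posts twice to the
# Joomla admin login (normal use), plus an ordinary page view.
SAMPLE_LOG = [
    f'203.0.113.5 - - [12/Apr/2013:10:0{i}:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"'
    for i in range(6)
] + [
    '198.51.100.7 - - [12/Apr/2013:10:01:30 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Apr/2013:10:09:10 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Apr/2013:10:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
]
```

Running `find_bruteforcers(SAMPLE_LOG)` reports the hammering address with its peak of 6 attempts in five minutes, while the two Joomla logins stay below the threshold.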
 
One aspect of site security that is neglected more often than any other is keeping your CMS software patched and up to date. We see this problem occur over and over again. Clients purchase websites with content management systems, and then once the application is developed they do not keep it patched. You must keep up with your website's CMS software patches!
 
 
 
A large number of Joomla sites were recently compromised by an application that specifically searched for a very commonly installed extension which had been the subject of a security patch. The hackers knew that many people would have failed to install the patch, so they looked for unpatched versions of the extension as a doorway into the site. It worked very well; a number of sites fell victim.
 
 
 
Your CMS software is no different from the software on your desktop, your notebook and your smart phone: there will be patches and maintenance releases, and you must install them to keep your site safe from attackers. Also, don't forget that those patches often bring new functionality or improved performance with them, so if you fail to take advantage of the upgrades, you may be missing out on enhancements that also add value to your site.



Now you need to know how an attacker or cracker hacks or exploits your site.

They know your site's security weak points

They know which important directories are open and accessible

They know the version of your CMS and its security issues

They know what outdated, insecure plug-ins you are using and they can take advantage of them

They brute-force your site login with random usernames and passwords

They know the CMS uses "Admin" as the administrator name, so they keep generating passwords and keep trying


So how do you overcome these situations?
 
Keep your CMS installation and plug-ins up to date

Rename the administrative account

Use a strong password: craft a password that is VERY hard to guess by combining numbers, letters and symbols, using upper and lower case, and change it every 30 days. e.g. y#$%6&!

Change admin, FTP and database login details often

Disable directory browsing

File permissions: always set folders to 755, files to 644 and config files to 555

Do not advertise the CMS version you are running

Avoid using vulnerable themes and extensions

Stay on top of security releases: subscribe to the CMS development blog for security patches and updates.

Use a CAPTCHA whenever possible

Limit access to your wp-admin directory

Restrict access to your wp-config.php

XSS/SQL injections: check the extensions by Googling for the extension name and vulnerabilities, and check the respective CMS websites for up-to-date information

Database security: remember, a single SQL injection could result in the loss of your data.

Change the default database table prefix (e.g. jos_ or wp_)

Add SSL to the site and force Joomla and WordPress into SSL mode for all logins. This encrypts the traffic between the user's login and the site

Always take a backup of your domain

Restrict admin access from other IPs.

Make sure that you have deleted the installation files from your site.

Maintain an .htaccess file inside the images folder that allows only image extensions.

Delete unnecessary files and folders from your web space.

Validate the data: check the data type before saving the data.

Strictly follow the CMS standards when creating an extension or plugin.

Avoid SQL injection

Use safe variables.

Use the "mysql_real_escape_string" function when passing values into a query.

Work in maximum error-reporting mode.
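An added example (not from the original article) that audits a web root against the file-permission rule in the list above, reporting everything that deviates from 755 for folders, 644 for files and 555 for config files. The config file names it recognises and the sample tree it builds are assumptions constructed for the demonstration.

```python
import os
import stat
import tempfile

# Target modes from the tip above: folders 755, files 644, config files 555.
DIR_MODE, FILE_MODE, CONFIG_MODE = 0o755, 0o644, 0o555
# Files treated as "config" (assumption: the WordPress and Joomla config file names).
CONFIG_NAMES = {"wp-config.php", "configuration.php"}

def expected_mode(path):
    """Mode a path should have under the folder/file/config rule."""
    if os.path.isdir(path):
        return DIR_MODE
    if os.path.basename(path) in CONFIG_NAMES:
        return CONFIG_MODE
    return FILE_MODE

def audit_permissions(root):
    """Walk `root` and return sorted (relative_path, actual_mode, expected_mode)
    tuples for every directory or file whose mode deviates from the rule."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink's own mode is meaningless; os.walk does not follow it
            actual = stat.S_IMODE(os.lstat(full).st_mode)
            want = expected_mode(full)
            if actual != want:
                findings.append((os.path.relpath(full, root), actual, want))
    return sorted(findings)

def build_sample_tree():
    """Constructed web root: a world-writable images folder, a world-writable index.php
    and a wp-config.php left at 644 are the three deviations the audit should report."""
    root = tempfile.mkdtemp(prefix="cms-audit-")
    layout = [  # (relative path, is_dir, mode); parents listed before children
        ("images", True, 0o777), ("images/logo.png", False, 0o644),
        ("wp-includes", True, 0o755), ("index.php", False, 0o666),
        ("wp-config.php", False, 0o644),
    ]
    for rel, is_dir, mode in layout:
        full = os.path.join(root, rel)
        if is_dir:
            os.mkdir(full)
        else:
            open(full, "w").close()
        os.chmod(full, mode)
    return root
```

Point `audit_permissions` at a real document root to get the list of paths to fix; the modes it returns are plain integers, so format them with `oct()` when printing.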
 
 
Taking care of these things will help to keep you safe when others are getting hacked.
 
 
