Events such as websites being hacked and passwords and user data being stolen have become a daily feature of the news. While we mainly hear about major companies being hacked, there is a multitude of such incidents affecting organisations of any size that have a website or a public-facing web application.

Why do people hack websites?

I'm often asked this question by business owners. Usually it silently assumes that hacking is the activity of a lone, young person in their free time. Nothing could be further from the truth. The vast majority of hack attacks are carried out by highly specialised participants in a "criminal value chain" of hacking, fraud, money laundering and associated activities. These activities are how people in this value chain make a living. Your website is a target for these people, because it can be used in a wide range of activities "promoting their business". If hacked, your customers lose trust, you lose money and everyone loses - apart from the criminals.

How do Joomla sites get attacked?

There are three groups of attack vectors:

The site itself

Joomla, like every Content Management System, is a complex piece of software and is not completely free of bugs. Some of these bugs are security issues, which can allow a third party, for example,

  • to manipulate content by sending a specially crafted link to someone (through an injection or XSS attack)
  • to modify or upload a file (injection)
  • to gain privileges (for example through a CSRF attack)

Even if you apply security updates swiftly, the attack could have occurred before the bug was fixed or even known.

Other sites on the same server

The same attack patterns can often be used against other websites on the same server, and once one of them is compromised, your website is compromised too.

The server

Of course, if a hacker gains control of your server, your website is fully vulnerable as well.

So here are

7 steps to better Joomla security

1. Safe username, safe password

First of all, choose a good password: reasonably long (more than 11 characters) and containing special characters, upper- and lower-case letters and numbers. Preferably use a random password and save it in your browser. The commercial hackers of today have fully automated their attacks, and attacking browser password storage is not on their agenda (yet). However, they have dictionaries of all world languages to try against your passwords - and yes, that includes Elvish and Klingon.

Further, do not use the default username "admin". Choose a different user name right from the start. While this is much-hated "security by obscurity", there is at least one major past Joomla security issue that was only exploitable using the "admin" username.

It's important to make these changes when you start setting the site up. Often weak passwords are chosen at this point and then carry over to the live website. Make the secure password choice right at the start, when the site is installed on the development machine.

2. Keep extensions up to date

Of course, keep Joomla itself and all extensions up to date. Joomla now has a friendly update reminder and an easy system for updating extensions, so a lot of the checking and reminder work is taken off you. However, not all extensions use it, so I recommend you have a scheduled process to check all extensions for updates at least every 3 months.

There are a multitude of reasons why extensions are not being updated:

  • You have more urgent work to do: Yes, sure, we are all busy, but imagine how busy you will be once the site has been hacked.
  • The website doesn't need maintenance: I still hear this now and then; it's an outright lie.
  • The extension update might cause it to crash: That's actually a good reason. A good way to check for this is to have a staging website set up in parallel, so that each update can be tested thoroughly in advance. And of course - imagine how "crashed" your website will be once it has been hacked.

3. Use Version control

Using a version control system to manage your website code is good practice. After all, it is software like any other software. Version control software can help you keep up with extensions and versions, as well as check whether a website's files have been changed. One would imagine that hackers could modify the version control tracking files as well, but in reality "industrialised drive-by" hackers don't, because the vast majority of websites are not managed with a version control system.

I have also heard the objection that it would be wasteful to put the code of a full CMS such as Joomla, with its 17000 files and 20MB of disk space, into a version control system every time a website is built. Believe me, storage space is cheap as chips and the amounts we are talking about here are minuscule.
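As an added example (not the article's own code), the file-change check this step attributes to version control, done with a plain SHA-256 manifest instead of git for a server where no version control client is installed; the folder names assume the stock Joomla layout.

```shell
#!/bin/sh
# Added example, not from the original article: detect changed, added or
# removed files in a Joomla webroot against a known-good baseline. Version
# control (as the article recommends) gives you this for free; this is the
# same check done with a SHA-256 manifest for a server without git.
# Runtime folders (cache/ logs/ tmp/) are skipped because they change
# legitimately; images/ is kept in, so that a script dropped there is noticed
# (legitimate uploads show up as "+" lines to review).

# SHA-256 of one file, using whichever tool the system provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Emit "hash  ./relative/path" for every file, sorted, skipping runtime folders.
manifest() {
    ( cd "$1" && find . \( -path ./cache -o -path ./logs -o -path ./tmp \) -prune \
        -o -type f -print | sort | while read -r f; do
            printf '%s  %s\n' "$(hash_file "$f")" "$f"
        done )
}

# Save the baseline right after a clean deployment (and again after each update).
create_baseline() { manifest "$1" > "$2"; }

# Compare the live tree with the baseline. Prints one line per difference
# ("-" = only in the baseline, "+" = only in the live tree; a modified file
# shows as both) and returns 1 when anything differs, 0 when unchanged.
verify_baseline() {
    live=$(mktemp)
    manifest "$1" > "$live"
    delta=$(diff "$2" "$live" | grep '^[<>]' | sed 's/^< /-/; s/^> /+/')
    rm -f "$live"
    [ -z "$delta" ] && return 0
    printf '%s\n' "$delta"
    return 1
}
```

Run `create_baseline /var/www/site /root/site.sha256` after deploying, then `verify_baseline /var/www/site /root/site.sha256` from a cron job; keep the baseline file outside the webroot so an intruder cannot update it.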

4. Secure folders against writing

Only folders that have files written to them during normal operation of the website should be writable. All other folders should not be writable. In the case of Joomla, this means only cache/, images/, logs/ and tmp/ should be writable. There will be some exceptions, as some extensions do not stick to these folders for writing files.

This also means that in the normal operation of the website, you cannot

  • install or uninstall extensions
  • modify the website configuration

While counter-intuitive at first, this is actually a good thing. Both kinds of change should be well thought through, managed in the version control system and planned appropriately. Most probably you will try them on your staging website first.

To apply such changes to a website, I recommend changing the access rights temporarily, making the change and then locking the access rights down again.

5. Don't allow scripts in writeable folders

While we plan on not having our defences breached, this step helps minimise the damage once they are. A common technique for hacking your website is to upload script files to your public folders and then use them for other criminal activity, such as sending spam, bragging about the hack and participating in denial of service attacks.

While your website may operate as normal, the hackers steal your bandwidth and destroy trust in your website and your Internet Service Provider, as organisations around the world start blacklisting your domain, email addresses and server.

You can stop this by blocking execution of scripts in public folders. In the case of Joomla, no scripts should be executed in the cache/ and images/ folders.

6. Separate server access between websites

Many websites are hosted on shared servers, where websites of multiple clients reside. But even clients with their own servers often have campaign or other older websites that reside on the same server.

These websites should be run under different usernames, with the ability of one website to read and write other websites' folders removed. If the websites are not separated, then all websites are as much at risk as the website with the weakest security footprint. This may be an outdated campaign website with no budget for an upgrade, but which cannot be removed either.

7. Secure your server

Of course, your server needs to be secure. We will expand this into its own article at some point, but here are some key pointers to keeping your server secure:

  • Use password-less (key-based) access to the server
  • Use secure passwords wherever passwords are still needed
  • Keep passwords separate; don't reuse them
  • Only install necessary services: why use FTP when you have SFTP through SSH?
  • Remove all files, code and sites that are not active
  • Keep server packages up to date
  • Run automated intrusion tests
  • Have a tested and recent backup

If you have any questions or comments, or need help, please contact us.
