Product Description

In Detail

Joomla! is one of the most powerful open-source content management systems used to build websites and other powerful online applications. While Joomla! itself is inherently safe, misconfigurations, vulnerable components, poorly configured hosts, and weak passwords can all contribute to the downfall of your site. So, you need to know how to secure your website from security threats.

Today every website needs to take security into consideration. Using the knowledge here, your Joomla! site can be ahead of the security threats so prevalent today.

This book will take you all the way from the most basic steps of preparation to the nuts and bolts of actual protection. It is packed full of relevant and real-world topics such as security tools, configuration suggestions, setting up your test and development environment, reading and interpreting log files, and techniques used by bad hackers on the Internet. In addition to this you will learn how to respond to a site emergency should one occur and how to collect the evidence needed to pursue law enforcement action. The book provides a concise overview of all the parts needed to construct a defence-in-depth strategy for your Joomla! site.

At the end of the book you will have a solid security foundation to take your Joomla! website to a higher level of security than the basic site setup.

What you will learn from this book?

This book covers:

• Implementing steps for successful Joomla! website architecture
• Setting up metrics to measure security
• Exploring the test and development environment; developing your test plan to make sure everything will work as planned
• Utilizing your test and development site for disaster recovery
• Measuring the performance of your software development projects using a software development management system
• Exploring several tools to help protect your website
• Diving into security vulnerabilities: why they exist; some typical counter measures
• Exploring SQL Injections - how they can hurt you and how to prevent them
• Mastering the two important security layers - php.ini and .htaccess
• Reading and analyzing logs relevant to protecting your Joomla! site
• Handling Security Incidents in a professional manner
• Blocking nuisance IP addresses

Approach

This book will give you a strong, hands-on approach to security. It starts out with the most basic of considerations such as choosing the right hosting sites then moves quickly into securing the Joomla! site and servers. This is a security handbook for Joomla! sites. It is an easy-to-use guide that will take you step by step into the world of secured websites.

Who this book is written for?

This book is a must-read for anyone seriously using Joomla! for any kind of business, ranging from small retailers to larger businesses. With this book they will be able to secure their sites, understand the attackers, and more, without the drudging task of looking up in forums, only to be flamed, or not even find the answers.

Prior knowledge of Joomla! is expected but no prior knowledge of securing websites is needed for this book. The reader will gain a moderate to strong level of knowledge on strengthening their sites against hackers.

---

Product Details

• Amazon Sales Rank: #120642 in Books
• Published on: 2008-10-15
• Original language: English
• Number of items: 1
• Binding: Paperback
• 264 pages

About the Author

Tom Canavan

A twenty-three year veteran of the Computer Business, and a Data Center Technology Consultant to Fortune-1000 Companies, Tom Canavan is a Certified Ethical Hacker and has a degree in Robotics and Numerical Control. He is author of the book Dodging the Bullets - A Disaster Preparation Guide for Joomla! Based Websites.

---

Customer Reviews

Joomla! Site Developers, this is a great book!
Sometimes, I think web developers who use Joomla! mistakenly believe that all security measures are built into the Joomla code. While perhaps partially true, adequate security is based actions of at least 3 different groups: The Joomla! development team, the web host, and the web developer who decides to use Joomla! and the decisions they make in setting up and using Joomla! This book does a really great job to educate the web developer about these roles and steps they can take, and really should make standard, in developing any/all Joomla! sites.

Joomla! Web Security is rich with tasks to organize and protect Joomla! sites. I found it very useful, and I am still learning from this book. While I have very good html/css skills and OK php skills, I knew little about server administration when I started reading this book, yet the author's writing style made learning these new skills very easy. He also frequently refers readers to valuable web sites that offer additional information.

The list of tasks and ideas from this book to apply to your Joomla! site(s) is too long to try to outline here, but I will tell you 5 things that I already have used to increase security of my site:

1. Confirmed that I do have the right web host for my Joomla! sites (and confirmed that I do not want to use my second host, ever, for Joomla! sites). This ALONE is worth the cost of the book! For those of us that don't want to learn all that much about servers ourselves ... the choice of your web host is CRITICAL.
2. Learned how to read my log files and ways to use my htaccess file to further protect my site.
3. Added an extra level of protection by password-protecting my administration folder.
4. Checked my extensions against joomla.org's Vulnerability List, and removed some/updated others. The current url for this is: docs.joomla.org/Vulnerable_Extensions_List
5. I now understand and follow advice to protect my website from CSFR. Aha!...if you don't know what this means, you need to read the book! (CSFR = Cross-Site Request Forgery). CSRF is a real threat to your Joomla! site, and knowing and using good practices will greatly reduce this threat.

The author provides a nice explanation as to how hackers exploit sites, which certainly explains the rationale for the many suggestions he provides for better security. He also gives very practical tips for testing/developing your site and having a useful disaster recovery plan.

If you are being paid to develop Joomla! sites, then in my opinion do make sure you are knowledgeable about ways to secure the site for your clients. This book is a GREAT place to learn about Joomla! web security.

A must-read for all website administrators
As an administrator of Greece's biggest Joomla! forum over the past three years (forum.joomla.gr), I was always shocked to see how light-heartedly web security was deferred to the Greek Calends not only by young Joomla! enthusiasts who simply wanted to set up their own place on the web but also by website developers who had to get the job finished and delivered to their unaware clients as soon as possible. Then, some day a bug would be discovered in Joomla!'s core code or one of its extensions, sites would be defaced, data would be lost and a long list of messages starting with "HELP!" would appear on our forum. Once a fix was released, the sites were restored, and everything was back in order, interest in web security would drop back to nil until the next server was compromised.

No matter whether you are developing your own website, whether somebody else has developed your website for your, or whether you are a professional website administrator that has always been interested in but scared of web security concepts, it's high time you got out of this vicious circle. Tom Canavan's Joomla! Web Security is here to help you do just that: set up a security framework and a work cycle that will help you stand your ground on the web.

Actually, I find this book's title a bit misleading as it would make one think that it is all about Joomla! and that it would be completely irrelevant to anybody running a website that is based on Drupal, XOOP or any other of the PHP-based Content Management Systems that are available to the open source community. It is not! Only few of its pages contain information that could be relevant to Joomla! website implementations alone. Most of it is packed with sound advice, useful tips, and business strategies that can be applied to any website that uses PHP on an apache server, i.e. the most popular server configuration on the web today.

Joomla! Web Security starts with rudimentary issues such as the criteria you should have in mind when choosing a host for your website, the pros and cons of different hosting plans as far as security is concerned, and how to set up a secure Joomla! website with minimum fuss. If you thought that a test and development environment would only be of interest to PHP application developers, you will have to think again as Tom explains why you should realize that you need one and how you should go about setting it up locally. Once a website is up and running, any administrator with a certain amount of sense in him (or her) would need a set of tools to monitor and manage it. Chapter 3 presents a set of Joomla!-oriented and generic security tools such as JCheck and Nmap that help network and website administrators around the world safeguard their handiwork.

Since this book is all about protecting yourselves and the websites you run from outsiders and their eagerness to attack you, getting acquainted with their tricks and tactics is an asset any website administrator could not do without. Having that in mind, it is an advantage to have three chapters of Joomla! Web Security devoted to identifying vulnerabilities, attack analysis and hacking strategies based on real world incidents from the author's experience. Of course, the sixty pages covered by these three chapters can only scratch the surface of a huge topic on which volumes of books have been written. Nevertheless, they constitute a comprehensive though short introduction to the subject of exploits and hacking attacks and should be taken as pointers to further reading.

Chapters 7 and 8 tackle the dark arts of fine tuning your .htaccess and php.ini files as well as reading, understanding and acting upon the entries of your log files. It would have been nice if chapter 7, in particular, were a bit more extended as it moves too swiftly from simple notions to complex rules that could baffle the reader. Every .htaccess rule is exemplified satisfactorily but, in compliance with the general practice of publicizing such tricks on various hacking websites around the net, their analysis seems to aim mainly at allowing the reader to copy them successfully and use them in his/her website rather than thoroughly understand what s/he is doing and how s/he is accomplishing it.

Finally, the two last chapters cover SSL and its integration into Joomla! as well as how one should react if, despite his or her best efforts, his/her website is compromised. Though these last chapters might seem to be written with corporate working environments in mind, they contain excellent advice that could be adapted and implemented even by small companies or freelancers that want to be able to keep their composure even when they find themselves in dire straights. Joomla! Web Security ends with an appendix that summarizes and acts as a reference to a lot of the information found in the book.

All in all, Tom Canavan's Joomla! Web Security is a must-read for all Joomla! (and non-Joomla!) website administrators that are (or, rather, should be) concerned about the security of their website and the data stored therein. Those readers that had never before considered the security problems raised by their decision to publish a site on the web will find that the book offers them solid ground on which to start building their website defenses against intruders. On the other hand, experienced website administrators could use this book as a collection of security must-dos that they should go through each time they build or start managing a website.

Very helpful, comprehensive safeguards for Joomla sites
The author has done a very good job of discussing common exploits and prevention tactics. Going beyond php.ini and .htaccess safeguards (which he does in very solid detail, with many good tips even I wasn't aware of), he thankfully goes into detailed mysql injection exploits and how to prevent them at both code- and server-level.

Another thing I liked about this book was his references, he provides lots of links to open source scanners and other tools that can be used to check for exploits, open holes and how to patch them.

Very glad I got this, I'll sleep better at night knowing I've got better "locks on the doors" for my joomla based sites. Thanks for a very useful reference!

-Ken