Attn: Development Team- Security?

Postby azspecter on Fri Sep 08, 2006 11:22 pm

Hey guys-
Can we have some official word from the Joomla development staff on the best & easiest ways to secure our Joomla sites?  I've done a ton of searching here, spent hours reading posts- everyone's got a different theory, and NONE of it makes any sense to me. I don't know who to trust as to what works, how to do it, etc., etc.  Can we have an official post from you guys on securing our sites, both with php.ini and .htaccess?  Personally, my host tells me to throw a php.ini in the root of my site. I'm not sure if that will work, or even how to create a php.ini if it DID work.

Also- the best way to turn off register_globals.

Us newbies would certainly appreciate this!
azspecter
Joomla! Intern
Posts: 60
Joined: Sun Sep 03, 2006 8:12 pm

Re: Attn: Development Team- Security?

Postby brad on Sat Sep 09, 2006 1:42 am

http://forum.joomla.org/index.php/topic,81058.0.html and http://forum.joomla.org/index.php/topic,75376.0.html

If your host won't turn off register_globals server-wide, you'd better find a new host ;) Disabling it on your domain will not protect you.
Brad Baker - Joomla! Core Team, Sites & Infrastructure.

http://www.rochen.com - Managed Dedicated, Reseller & Multiple Domain Hosting.
http://www.joomlatutorials.com <-- Joomla! 1.5 & 1.0.x
brad
Joomla! Exemplar
Posts: 9365
Joined: Fri Aug 12, 2005 12:38 am
Location: Sydney - Australia

Re: Attn: Development Team- Security?

Postby azspecter on Sat Sep 09, 2006 2:22 am

Oh man- just reading this stresses me out!  This would take me WEEKS to complete all these steps! Isn't there an easier way?
Thanks
azspecter
Joomla! Intern
Posts: 60
Joined: Sun Sep 03, 2006 8:12 pm

Re: Attn: Development Team- Security?

Postby brad on Sat Sep 09, 2006 2:24 am

Pay someone to help you? Get a good host?
brad
Joomla! Exemplar
Posts: 9365
Joined: Fri Aug 12, 2005 12:38 am
Location: Sydney - Australia

Re: Attn: Development Team- Security?

Postby azspecter on Sat Sep 09, 2006 2:36 am

OK- let me ask you this.  Will changing hosts to one of the ones listed on that site take care of most of these steps? Are there, say, 2 or 3 things I can do that will give me the maximum protection? I'm not re-creating Google here, just want to protect my little site before I throw it out to the masses. What are the best things I can do easily? Will changing hosts take care of most of these steps alone?
Thanks bud- I really appreciate it...
azspecter
Joomla! Intern
Posts: 60
Joined: Sun Sep 03, 2006 8:12 pm

Re: Attn: Development Team- Security?

Postby brad on Sat Sep 09, 2006 2:40 am

Probably a good host is a start; keeping up to date with Joomla as well as 3rd party extensions is also important.

But don't fret, just make sure your host and yourself take regular backups and if the worst does happen, you can still recover.
brad
Joomla! Exemplar
Posts: 9365
Joined: Fri Aug 12, 2005 12:38 am
Location: Sydney - Australia

Re: Attn: Development Team- Security?

Postby azspecter on Sat Sep 09, 2006 5:45 am

Maybe I'm being a little paranoid here. I agree- making backups is key, and since my site won't change too drastically week to week, I'll only have to back it up when I make changes to it. Otherwise, it all stays the same (well, except for the user database for new people signing up).

How often do people get hacked?  I read the forums, and it seems like the world is ending when it comes to Joomla hacks- every other post is about getting hacked, or so it seems. Am I being paranoid?

Finally- is there an 'automated' backup system out there?  Mainly for the database, since my FTP files will already be backed up locally. Maybe something that will email me my SQL db once a week or something?
Thanks for all the help bud- I really appreciate it!
azspecter
Joomla! Intern
Posts: 60
Joined: Sun Sep 03, 2006 8:12 pm

Re: Attn: Development Team- Security?

Postby brad on Sat Sep 09, 2006 5:53 am

You are being a little paranoid ;)

Automated backups: surely your host has explained to you how you might do this? It all depends on the hosting platform; however, take a look at the Extensions site, there are a few that can be used to back up and email your database to you periodically.
brad
Joomla! Exemplar
Posts: 9365
Joined: Fri Aug 12, 2005 12:38 am
Location: Sydney - Australia

Re: Attn: Development Team- Security?

Postby azspecter on Sat Sep 09, 2006 6:21 am

Awesome- I'm feeling better now.  ;)  So, I am using 1.0.11, just turned on SEO for the first time, and changed my htaccess.txt to .htaccess- I made no changes to the .htaccess file, just left it as is. My site seems to be functioning fine now. Is that all I need to do here?

I will be changing my username out of 'admin', and complicating my password somewhat. I MAY look into password protecting the admin folder/login page again- but- who knows when that'll happen.

The last problem I see is the register_globals is set to 'ON'. My host says that they can not turn this off- and I can place a php.ini file in my root to correct this. Is this something I need to worry about? Again- what's the easiest fix for this, besides putting a new file into over 700 directories manually?

Thanks a ton!!!
azspecter
Joomla! Intern
Posts: 60
Joined: Sun Sep 03, 2006 8:12 pm

Re: Attn: Development Team- Security?

Postby brad on Sat Sep 09, 2006 6:41 am

azspecter wrote:The last problem I see is the register_globals is set to 'ON'. My host says that they can not turn this off- and I can place a php.ini file in my root to correct this. Is this something I need to worry about? Again- what's the easiest fix for this, besides putting a new file into over 700 directories manually?

Don't bother if your host won't disable server-wide. No point, any other user on the server could possibly compromise your account, so not much point in you securing just your own domain when 100's of others on the server are insecure.
brad
Joomla! Exemplar
Posts: 9365
Joined: Fri Aug 12, 2005 12:38 am
Location: Sydney - Australia

Re: Attn: Development Team- Security?

Postby eyezberg on Sat Sep 09, 2006 9:38 am

register_globals:
brad wrote:Don't bother if your host won't disable server-wide. No point, any other user on the server could possibly compromise your account, so not much point in you securing just your own domain when 100's of others on the server are insecure.


This info should be added to the security recommendations, so people don't waste their time worrying about this.
Could you expand on how someone from another account jeopardizes mine if register_globals is On?
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.blogspot.com for J! 1.5 screenshots
http://www.eyezberg.com
eyezberg
Joomla! Hero
Posts: 2853
Joined: Thu Aug 25, 2005 5:48 pm
Location: Geneva mostly

Re: Attn: Development Team- Security?

Postby brian on Sat Sep 09, 2006 10:32 am

The range of potential exploits that can happen on a server is large, but it is perfectly possible that if one account on a server is compromised then the hacker can then gain access to the entire server.

Usually on a shared server a user cannot access files outside their own userspace. However, certain hacks will allow the hacker to break out of the hacked userspace and trawl the entire server.

So if there is one weak account on your shared server then all accounts on that server are POTENTIALLY vulnerable.

Please note that globals are not the only way to hack a server, but disabling them is just one of the many things that can/should be done.

This is the general problem every user faces when they use a shared server. You can never know (and nor can the hosts) what software is installed on other accounts and how secure it is.
brian
I've been banned!
Posts: 4763
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: Attn: Development Team- Security?

Postby brad on Sat Sep 09, 2006 10:42 am

eyezberg wrote:This info should be added to the security recommendations, so people don't waste their time worrying about this.


It is quite clearly stated here: http://forum.joomla.org/index.php/topic,81058.0.html

If a host does not understand the implications, and why it has been set to 'off' by default since PHP 4.2.0, they should not be in the hosting business. It's elementary shared server security, as Brian says.

Read more here: http://www.zend.com/manual/security.globals.php
brad
Joomla! Exemplar
Posts: 9365
Joined: Fri Aug 12, 2005 12:38 am
Location: Sydney - Australia
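The thread talks about register_globals without showing what actually goes wrong when it is on, or how a site owner can confirm the setting the host has applied. The following is an added illustration written for this page; it is not code from any poster, from Joomla, or from the Zend manual linked above. The two `is_admin` functions and `register_globals_status()` are hypothetical names chosen for the example, and the session key `$_SESSION['user']` is an assumed login marker, not a Joomla internal.

```php
<?php
// Added example (not from the thread). Shows (1) the classic register_globals
// pitfall that the PHP manual's security chapter warns about, (2) the hardened
// form that is safe regardless of the server setting, and (3) a runtime check
// a site owner can drop into a page to see what the host has actually applied.

// --- (1) The pitfall ------------------------------------------------------
// With register_globals=On, every GET/POST/cookie parameter becomes a PHP
// global before any script code runs. This function only intends to set
// $authorized after a real login check, but never initialises it first, so a
// request that simply carries an "authorized" parameter pre-populates it.
function vulnerable_is_admin() {
    global $authorized;                       // intentionally left uninitialised
    if (isset($_SESSION['user']) && $_SESSION['user'] === 'admin') {
        $authorized = true;
    }
    return !empty($authorized);               // may be true for reasons other than the check
}

// --- (2) The hardened form -----------------------------------------------
// Initialise every variable before use and read user input only through the
// explicit superglobals ($_GET, $_POST, $_SESSION, ...). This is correct even
// on a host that leaves register_globals on, which is the point Brad makes:
// the application should never rely on the directive being off.
function hardened_is_admin() {
    $authorized = false;                      // always start from a known state
    if (isset($_SESSION['user']) && $_SESSION['user'] === 'admin') {
        $authorized = true;
    }
    return $authorized;
}

// --- (3) The check --------------------------------------------------------
// Returns one of 'on', 'off' or 'absent'. ini_get() reports the effective
// value after php.ini, any per-directory php.ini the host honours, and any
// php_flag line in .htaccess (mod_php only) have been applied, so this tells
// you what your site really runs with, not what the host says.
// The directive was removed in PHP 5.4, where ini_get() returns false.
function register_globals_status() {
    $value = ini_get('register_globals');
    if ($value === false) {
        return 'absent';                      // PHP 5.4+: directive no longer exists
    }
    // ini_get() may return "1"/"0"/"" or "On"/"Off" depending on how it was set
    return filter_var($value, FILTER_VALIDATE_BOOLEAN) ? 'on' : 'off';
}

// Where the directive is set, for reference (config lines, shown as comments):
//   php.ini (server-wide, the fix Brad recommends):   register_globals = Off
//   .htaccess (per-directory, Apache mod_php only):   php_flag register_globals off
// The .htaccess form only affects your own directories; as the thread notes,
// it does nothing about other accounts on the same shared server.

if (PHP_SAPI === 'cli') {
    echo 'register_globals is ', register_globals_status(), PHP_EOL;
}
```

Running the file from the command line prints the effective state under the CLI's php.ini; dropping the `register_globals_status()` call into a throwaway page on the web server reports the state under the web SAPI, which is the one that matters and can differ from the CLI. `filter_var()` with `FILTER_VALIDATE_BOOLEAN` is used because the raw string PHP hands back depends on how the directive was written in the ini file.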
