The Joomla! Forum ™

Hi all,

Are there any articles that can help me to understand what functions need to enabled/disabled on php.ini to maximize my php security?

I found the following article but it's recommended for older version of joomla and I'm not sure if I should follow this or not?

http://kb.siteground.com/article/Recomm ... urity.html

Please advise.

You should not
register_globals -> default to off since php4.2, now deprecated and removed in 5.4
magic_quotes_gpc -> deprecated 5.3, removed 5.4 and Joomla3 requirement is off not on
allow_url_fopen -> some say turn it off, some say it`s ok being on blabla,
my setting is on and allow_url_include is off
expose_php -> well hide the php version with this, that you use php on the server everybody knows when looking at your site

and pls dont take this as an advise! there are more than 4 settings when it comes to security and there where always more than 4!
So if you are the admin of your live server, my advise is to get a managed one

Put this into your .htaccess file. You can use this same method to prevent access to a file through the browser for any files on your hosting account.

_________________
============
John Boone
http://www.boonewebmaster.com - Web Design - Joomla 3.x
http://www.genealogyarticles.com - Articles about Genealogy - Joomla 2.5.x

You just made my day

oohhh Trust The Doctor! Do you get that on TV in the US?

Thank you all

Yup, that's the most popular way of doing this.
It will show you a 403 message.

Another way of doing this is to make chmod 600 on that file.

I prefer a better way though:
I match it on a regex and show a 404:


This would also help if you got some copies in different places.
Some servers could create php.ini.bak/bkup files, from which the first method would not protect you

_________________
My laminine blog @ http://mlmvikings.com/

You also have one for php5.ini ?

Google Looks Down on 404 pages. 404 pages are not SEO friendly. I use "php 5.4 Single ini," which means I only have one php.ini file. I keep my web site data clean of extra garbage.

And I write perl scripts to help me with verify that all my php scripts are up to date, WordPress and Joomla. I love to write perl scripts

Best protection against getting hacked is to keep your websites up to date and don't use any plugin or component just because it has some fancy bells and whistles. Best to check out the Joomla vulnerability list before installing a particular component.
======
In answer to a previous question about DrWho. (Doctor who fan since the early 70's.)

Yes I get Doctor Who from Amazon.com on my HD TV

_________________
============
John Boone
http://www.boonewebmaster.com - Web Design - Joomla 3.x
http://www.genealogyarticles.com - Articles about Genealogy - Joomla 2.5.x

This code you can use for any file you which to block access. The .htaccess file can be used in various methods to secure your website. However with the use of FTP (File Transfer Protocol) connections, you can access any file as the .htaccess file does not safe guard against ftp access.

Changing file permissions really doesn't do much of anything to protect yourself from hackers. You can set the file permissions to 000 - no rights at all. If I have access to the file system I can issue a chmod command to change the permissions to any setting I want, including 777 which is full rewrite and execute permissions.

The "deny all" .htaccess to deny access to a particular file has the same pitfall. If a hacker gains access to your file system. Then the hacker can access your files and can change the contents of the .htaccess file, change permissions and can destroy files, rewrite code and hack all your files.

The best protection -- Is to always keep your web content up to date. Be careful of which plugins and components you install and --- ALWAYS --- Backup your web content.

Never rely on your hosting provider to do your backups for you. Do your own backups and store them offline where you can restore a backup if needed.

http://docs.joomla.org/Security
http://docs.joomla.org/Category:Security_Checklist
http://docs.joomla.org/Vulnerable_Extensions_List

Do not use anything on the Joomla Vulnerability list that shows up as "Red". If you can, avoid adding too many components. If you can get by without a particular plugin, it is better than expanding your potential php vulnerability.

Check your back-end updates of Joomla, components and plugins. As well as any other php script on your hosting account.

One php vulnerability that grants access to the file system is all that is needed to get your site hacked.

_________________
============
John Boone
http://www.boonewebmaster.com - Web Design - Joomla 3.x
http://www.genealogyarticles.com - Articles about Genealogy - Joomla 2.5.x

Even with access to the filesystem security still applies. So permissions are relevant. You can only do things you are allowed to. FTP doesn't give you access to everything. So, you can only change permissions when you are allowed to.

And yes, the best protection on your frontdoor is useless when you leave the door to the garden open!

Hello: Genaecology is stated in his signature and not gynaecology. ;-)

Leo

_________________
--- Joomla Professional Support Services :: http://gws-desk.com ---
--- Joomla Professional and Specialized Hosting :: http://gws-host.com ---
--- Ready to Roll Joomla! Web Sites : 1 - 7 days only! :: @ gws-market.com ---