any recommendations for locking down php.ini for joomla 3+?
-
- Joomla! Apprentice
- Posts: 10
- Joined: Tue Oct 16, 2012 11:07 pm
any recommendations for locking down php.ini for joomla 3+?
Hi all,
Are there any articles that can help me to understand what functions need to enabled/disabled on php.ini to maximize my php security?
I found the following article but it's recommended for older version of joomla and I'm not sure if I should follow this or not?
http://kb.siteground.com/article/Recomm ... urity.html
Please advise.
Last edited by imanickam on Tue Nov 06, 2012 2:47 am, edited 1 time in total.
Reason: Moved topic » from General Questions/New to Joomla! 3.0 to Security in Joomla! 3.0
-
- Joomla! Ace
- Posts: 1460
- Joined: Sat Jan 21, 2006 8:42 pm
Re: any recommendations for locking down php.ini for joomla
mikeali wrote:I found the following article but it's recommended for older version of joomla and I'm not sure if I should follow this or not?
You should not
register_globals -> default to off since php4.2, now deprecated and removed in 5.4
magic_quotes_gpc -> deprecated 5.3, removed 5.4 and Joomla3 requirement is off not on
allow_url_fopen -> some say turn it off, some say it's ok being on blabla,
my setting is on and allow_url_include is off
expose_php -> well, hide the php version with this; that you use php on the server everybody knows when looking at your site
and please don't take this as advice! there are more than 4 settings when it comes to security and there were always more than 4!
So if you are the admin of your live server, my advice is to get a managed one
- jdbdrwho
- Joomla! Intern
- Posts: 55
- Joined: Wed Jun 20, 2012 5:47 am
- Location: Goshen, Utah, USA
- Contact:
Re: any recommendations for locking down php.ini for joomla
Put this into your .htaccess file. You can use this same method to prevent access to a file through the browser for any files on your hosting account.
Code:
<Files php.ini>
order allow,deny
deny from all
</Files>
-
- Joomla! Ace
- Posts: 1460
- Joined: Sat Jan 21, 2006 8:42 pm
Re: any recommendations for locking down php.ini for joomla
You just made my day
- HannahCornwall
- Joomla! Apprentice
- Posts: 7
- Joined: Tue Nov 20, 2012 9:03 pm
- Location: Swindon, Wiltshire, UK
Re: any recommendations for locking down php.ini for joomla
jdbdrwho wrote:Put this into your .htaccess file
oohhh Trust The Doctor! Do you get that on TV in the US?
- Davv
- Joomla! Apprentice
- Posts: 9
- Joined: Sat Nov 10, 2012 6:17 pm
- Location: Sampaloc
Re: any recommendations for locking down php.ini for joomla
Yup, that's the most popular way of doing this:
<Files php.ini>
order allow,deny
deny from all
</Files>
It will show you a 403 message.
Another way of doing this is to make chmod 600 on that file.
I prefer a better way though:
I match it on a regex and show a 404:
Code:
RedirectMatch 404 .*php\.ini
Some servers could create php.ini.bak/bkup files, from which the first method would not protect you.
-
- Joomla! Exemplar
- Posts: 8808
- Joined: Sat Oct 01, 2011 7:06 pm
Re: any recommendations for locking down php.ini for joomla
You also have one for php5.ini?
Issue with migrating? Include logs/joomla_update.php in your report!
Blank screen? Verify pagesource for HTML code (javascript error)
Installation failing on populating database? Install with set_time_limit(0)
Document your customizations!
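To see which request paths each rule from the thread actually covers (Davv's php.ini.bak point and sovainfo's php5.ini question), here is an added example, not code from any poster, that emulates Apache's matching in Python: `<Files>` compares a shell-style pattern against the request's basename, while `RedirectMatch` runs an unanchored regex over the whole URL path. The `FilesMatch` regex at the end is an assumed extra rule not given in the thread, and the request paths are constructed.

```python
import fnmatch
import posixpath
import re

# Rules exactly as posted in the thread.
FILES_PATTERN = "php.ini"            # <Files php.ini> ... deny from all
REDIRECTMATCH_REGEX = r".*php\.ini"  # RedirectMatch 404 .*php\.ini
# Assumed extra rule, not from the thread: <FilesMatch "^php\d*\.ini">
# covers php.ini, php5.ini and backup copies such as php.ini.bak.
FILESMATCH_REGEX = r"^php\d*\.ini"


def files_matches(url_path, pattern=FILES_PATTERN):
    """<Files> is matched against the basename only; ? and * are wildcards."""
    return fnmatch.fnmatchcase(posixpath.basename(url_path), pattern)


def redirectmatch_matches(url_path, regex=REDIRECTMATCH_REGEX):
    """RedirectMatch applies an unanchored regex to the full URL path."""
    return re.search(regex, url_path) is not None


def filesmatch_matches(url_path, regex=FILESMATCH_REGEX):
    """<FilesMatch> applies an unanchored regex to the basename."""
    return re.search(regex, posixpath.basename(url_path)) is not None


def coverage(url_paths):
    """Map each path to (blocked by Files, by RedirectMatch, by FilesMatch)."""
    return {p: (files_matches(p), redirectmatch_matches(p), filesmatch_matches(p))
            for p in url_paths}


# Constructed request paths, not taken from the thread.
SAMPLE_PATHS = ["/php.ini", "/public_html/php.ini", "/php.ini.bak",
                "/php5.ini", "/index.php"]

if __name__ == "__main__":
    for path, (by_files, by_redirect, by_filesmatch) in coverage(SAMPLE_PATHS).items():
        print(f"{path:22} Files={by_files}  RedirectMatch={by_redirect}  "
              f"FilesMatch={by_filesmatch}")
```

Running it shows that `<Files php.ini>` lets both `/php.ini.bak` and `/php5.ini` through, and the `RedirectMatch` regex catches the backup copy but still not `php5.ini`.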
- jdbdrwho
- Joomla! Intern
- Posts: 55
- Joined: Wed Jun 20, 2012 5:47 am
- Location: Goshen, Utah, USA
- Contact:
Re: any recommendations for locking down php.ini for joomla
Davv wrote:<Files php.ini>
order allow,deny
deny from all
</Files>
Code:
RedirectMatch 404 .*php\.ini
Google Looks Down on 404 pages. 404 pages are not SEO friendly. I use "php 5.4 Single ini," which means I only have one php.ini file. I keep my web site data clean of extra garbage.
And I write perl scripts to help me verify that all my php scripts are up to date, WordPress and Joomla. I love to write perl scripts.
Best protection against getting hacked is to keep your websites up to date and don't use any plugin or component just because it has some fancy bells and whistles. Best to check out the Joomla vulnerability list before installing a particular component.
======
In answer to a previous question about DrWho. (Doctor Who fan since the early 70's.)
Yes I get Doctor Who from Amazon.com on my HD TV
- jdbdrwho
- Joomla! Intern
- Posts: 55
- Joined: Wed Jun 20, 2012 5:47 am
- Location: Goshen, Utah, USA
- Contact:
Re: any recommendations for locking down php.ini for joomla
sovainfo wrote:You also have one for php5.ini ?
Code:
<Files php5.ini>
order allow,deny
deny from all
</Files>
Changing file permissions really doesn't do much of anything to protect yourself from hackers. You can set the file permissions to 000 - no rights at all. If I have access to the file system I can issue a chmod command to change the permissions to any setting I want, including 777 which is full rewrite and execute permissions.
The "deny all" .htaccess to deny access to a particular file has the same pitfall: if a hacker gains access to your file system, then the hacker can access your files and can change the contents of the .htaccess file, change permissions and can destroy files, rewrite code and hack all your files.
The best protection is to always keep your web content up to date. Be careful of which plugins and components you install and --- ALWAYS --- back up your web content.
Never rely on your hosting provider to do your backups for you. Do your own backups and store them offline where you can restore a backup if needed.
http://docs.joomla.org/Security
http://docs.joomla.org/Category:Security_Checklist
http://docs.joomla.org/Vulnerable_Extensions_List
Do not use anything on the Joomla Vulnerability list that shows up as "Red". If you can, avoid adding too many components. If you can get by without a particular plugin, it is better than expanding your potential php vulnerability.
Check your back-end updates of Joomla, components and plugins. As well as any other php script on your hosting account.
One php vulnerability that grants access to the file system is all that is needed to get your site hacked.
-
- Joomla! Exemplar
- Posts: 8808
- Joined: Sat Oct 01, 2011 7:06 pm
Re: any recommendations for locking down php.ini for joomla
Even with access to the filesystem security still applies. So permissions are relevant. You can only do things you are allowed to. FTP doesn't give you access to everything. So, you can only change permissions when you are allowed to.
And yes, the best protection on your frontdoor is useless when you leave the door to the garden open!
Issue with migrating? Include logs/joomla_update.php in your report!
Blank screen? Verify pagesource for HTML code (javascript error)
Installation failing on populating database? Install with set_time_limit(0)
Document your customizations!
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: any recommendations for locking down php.ini for joomla
HannahCornwall wrote:oohhh Trust The Doctor! Do you get that on TV in the US?
Hello: Genaecology is stated in his signature and not gynaecology. ;-)
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
-
- Joomla! Apprentice
- Posts: 7
- Joined: Thu Aug 15, 2013 12:06 pm
Re: any recommendations for locking down php.ini for joomla
RedEye wrote:You should not
register_globals -> default to off since php4.2, now deprecated and removed in 5.4
magic_quotes_gpc -> deprecated 5.3, removed 5.4 and Joomla3 requirement is off not on
allow_url_fopen -> some say turn it off, some say it's ok being on blabla,
my setting is on and allow_url_include is off
expose_php -> well hide the php version with this, that you use php on the server everybody knows when looking at your site
And don't forget to disable remote file execution. An attacker can open files from a remote server and execute any PHP code. This allows them to upload files, delete files and install backdoors.
-
- Joomla! Ace
- Posts: 1460
- Joined: Sat Jan 21, 2006 8:42 pm
Re: any recommendations for locking down php.ini for joomla
harry888 wrote:And dont forget to disable remote file execution.
Hi harry, what is the name of the config var I have to set for this?
-
- Joomla! Apprentice
- Posts: 7
- Joined: Thu Aug 15, 2013 12:06 pm
Re: any recommendations for locking down php.ini for joomla
allow_url_include = 'off'
This is a setting available in php 5.2 and above. See more here:
http://phpsec.org/projects/phpsecinfo/t ... clude.html
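Pulling together RedEye's list of directives earlier in the thread and harry888's point about allow_url_include, here is an added example, not code from any poster, of a small php.ini audit in Python. The severities, the fallback defaults used when a directive is absent from the file, and the sample ini are my own assumptions and constructions, not anyone's real configuration.

```python
# Directives discussed in the thread and why a hardened php.ini wants them off.
# allow_url_fopen is only reported, since the thread does not agree on it.
RULES = [
    ("register_globals",  "error", "removed in PHP 5.4; must never be on"),
    ("magic_quotes_gpc",  "error", "removed in PHP 5.4; Joomla 3 requires it off"),
    ("allow_url_include", "error", "allows include() of remote PHP code; keep off"),
    ("expose_php",        "warn",  "advertises the PHP version in X-Powered-By"),
    ("allow_url_fopen",   "info",  "contested in the thread; review per site"),
]

# Assumed PHP 5.4+ built-in defaults, used when a directive is absent from the file
# (register_globals and magic_quotes_gpc no longer exist there, so they count as off).
DEFAULTS = {"register_globals": "0", "magic_quotes_gpc": "0",
            "allow_url_include": "0", "expose_php": "1", "allow_url_fopen": "1"}

TRUE_WORDS = {"1", "on", "yes", "true"}  # PHP treats anything else as off


def parse_php_ini(text):
    """Return {directive: value}, ignoring ';' comments, [sections] and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings


def is_on(value):
    return value.strip().lower() in TRUE_WORDS


def audit(text):
    """List (severity, directive, value, reason) for every directive still switched on."""
    settings = parse_php_ini(text)
    return [(severity, name, settings.get(name, DEFAULTS[name]), why)
            for name, severity, why in RULES
            if is_on(settings.get(name, DEFAULTS[name]))]


# Constructed sample, not anyone's real php.ini.
SAMPLE_INI = """[PHP]
register_globals = Off
magic_quotes_gpc = "off"
allow_url_fopen = On
allow_url_include = 1   ; the directive harry888 warns about
expose_php = On
"""
HARDENED_INI = (SAMPLE_INI.replace("allow_url_include = 1", "allow_url_include = Off")
                .replace("expose_php = On", "expose_php = Off")
                .replace("allow_url_fopen = On", "allow_url_fopen = Off"))
```

Run `audit(SAMPLE_INI)` and the remote-include directive is reported as an error while `audit(HARDENED_INI)` returns nothing; an absent `allow_url_include` is treated as off, matching erfahrungen's remark that it is disabled by default.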
-
- Joomla! Apprentice
- Posts: 7
- Joined: Thu Oct 10, 2013 11:01 am
Re: any recommendations for locking down php.ini for joomla
This option is disabled by default usually.
-
- Joomla! Apprentice
- Posts: 7
- Joined: Thu Aug 15, 2013 12:06 pm
Re: any recommendations for locking down php.ini for joomla
erfahrungen wrote:This option is disabled by default usually.
That's right, but don't forget that most attacks are only possible because of outdated scripts and extensions and misconfigured servers.
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: any recommendations for locking down php.ini for joomla
allow_url_include = 'off'
is not available anymore since cPanel distros 11.34.xx
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
-
- Joomla! Ace
- Posts: 1460
- Joined: Sat Jan 21, 2006 8:42 pm
Re: any recommendations for locking down php.ini for joomla
Uh some new replies on this funny thread, I should enable notification here again^^
Is there a post somewhere how this is now handled in cPanel, or did they just cut it out without the ability to enable it? Haven't used cPanel for a long time now.
harry888 wrote:allow_url_include = 'off'
This is a setting available in php 5.2 and above. See more here:
http://phpsec.org/projects/phpsecinfo/t ... clude.html
Thx for taking the time to answer this, even if you already quoted this config var from my post.
erfahrungen wrote:This option is disabled by default usually.
You can strip that "usually".
leolam wrote:allow_url_include = 'off'
Is not available anymore in since cPanel distro's 11.34.xx
Finally a useful information here, thx Leo.