16

I'm going to create a new website with Joomla! 3.

Potentially, this site will get me some money through ads but I'm a little worried about what could be done to attack it. I say a little because I'm not hoping in huge revenues and I don't think someone will try to bribe me into giving them control of my site (like it happened to the owner of the @N twitter account), but when dealing with black hats you never know.

I do not need to provide public authentication or to have people other than me input data on this website (I might accept inputs via mail and copy-paste them by hand after checking their content, since I want the writing quality to be good and consistent with the rest of the site).

I will use free Joomla! themes - the basic ones included with the standard installation might do fine.

Is there any threat that I, as a security noob who understands a little about how the Internet works (let's say just enough to understand Heartbleed), absolutely need to protect from?

Should I hire a professional developer for my project, or are there just a few things I should do to protect my site reasonably (making hacking not worth the effort) that I could learn about in, say, under a month of an 8/5 worker's free time?

Zachiel
  • 4
    How is the website hosted? What services does the host provide w.r.t. security? – Taemyr Mar 02 '16 at 11:44
  • @Taemyr where can I fetch this list of services? It's Altervista, anyway. – Zachiel Mar 02 '16 at 11:55
  • 2
    "I do not need to provide public authentication or to have people other than me input data on this website." This is poorly phrased. You *do* need authentication to keep other people from being able to modify the website; you just don't want any accounts other than your own. From a security perspective, how you implement that shouldn't be fundamentally different than implementing authentication for hundreds of users. (Or at the least, there is almost certainly no value in using something tailored to a single user when we already have readily available systems for multiple users.) – jpmc26 Mar 02 '16 at 19:07
  • 3
    "someone will try to bribe me into giving them control of my site" -- startups usually refer to this as an "exit strategy", more specifically a "private sale" ;-) – Steve Jessop Mar 03 '16 at 10:30
  • 1
    Please note that it's usually the _developers_ who put the threats into your software [1]. [1] Dijkstra, E. – Pavel Mar 03 '16 at 13:43

2 Answers

35

The most important thing to do when you use 3rd party applications like Joomla! is to always keep them up-to-date. Most attacks are targeting vulnerabilities which were patched long ago and only hit those people who neglect updating. So create a regular reminder in your calendar to check if an update is available for Joomla (as well as any themes and plugins you are running) and install it. Updating Joomla is very simple, because it can be done from within the administration interface. You don't need any advanced IT skills to do that. But it is very important to do this regularly!

Be wary of any plugins, themes, extensions and other addons which did not release any update for a long time. It means that either that addon is perfect and has no security problems, or that the developer simply doesn't care to release any more updates to fix security vulnerabilities. But the latter case is much, much more likely. You should also check the Vulnerable Extension List regularly and avoid everything listed there.

For more information, consult the security and performance FAQ on the Joomla wiki.

This actually applies not just to an application like Joomla but to your whole software stack, from operating system to webserver to PHP to MySQL. OS and webserver also need to be configured securely. But when you use a hosted solution, then the provider will likely take care of everything except the applications you install yourself, so you likely don't have to worry about that.

But it's a different thing when you rent a virtual server which provides you with a naked operating system (or not even that) and expects you to set up everything on your own. In that case you are responsible for updating everything. When you require this for your project, you should consider hiring someone who knows how to harden a server properly, who knows which components need to be updated and how this is done. But the person you are looking for is not a software developer. It's a system administrator.

Philipp
  • 1
    I'd also suggest in addition to the above, to use one of the major (some free) CDNs available, like CloudFlare, as that will stand in front of your site and protect you from many known threats and attackers. – i-CONICA Mar 02 '16 at 15:07
  • 6
    *So create a regular reminder in your calendar* I would suggest to register to the announcements mailing list instead (if it exists), then you can forget it and you will receive alerts by emails when an update is available. – A.L Mar 02 '16 at 17:31
  • 1
    Great advice. If you don't need a system administrator, I would still hire a security specialist over a developer. Although developers are passingly familiar with security, they often don't know a great deal about the detailed nuts and bolts unless it's their specialty. I should know: I am one, and I learn an awful lot of stuff here! – Bob Tway Mar 03 '16 at 12:09
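The answer's core advice is to keep the Joomla core and every extension updated and to treat extensions without an update source with suspicion. As an added example (not code from the answer or from the Joomla project), the script below reads the `<version>` element out of extension manifests and flags each one as current, outdated, or lacking an update source. It assumes Joomla 3 keeps the core version in `administrator/manifests/files/joomla.xml` and each extension's version in that extension's own manifest XML; the manifests and the "latest versions" table are constructed stand-ins embedded inline so the script runs offline, where a real check would read the manifests from disk and fetch the update server feed.

```python
"""Added example: flag installed Joomla core/extensions as outdated.

Assumptions (not from the answer): Joomla 3 manifests carry a <version>
element; the installed manifests and the latest-version table below are
constructed sample data standing in for files on disk and the update feed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample manifests, keyed by a short name for the extension.
INSTALLED_MANIFESTS = {
    "core": "<extension><name>files_joomla</name><version>3.4.8</version></extension>",
    "plg_example": "<extension><name>plg_example</name><version>1.2.0</version></extension>",
    "tpl_example": "<extension><name>tpl_example</name><version>2.0.1</version></extension>",
}

# Constructed stand-in for the newest versions published by update servers.
# tpl_example deliberately has no entry: an extension with no update source
# is exactly the kind the answer says to be wary of.
LATEST_VERSIONS = {"core": "3.5.1", "plg_example": "1.2.0"}


def parse_version(text):
    """Turn '3.5.1' into (3, 5, 1) so comparison is numeric, not lexical
    ('3.10.0' must sort after '3.9.0', which string comparison gets wrong)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def manifest_version(xml_text):
    """Extract the <version> text from a manifest; fail loudly if absent."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not node.text:
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def check_updates(installed, latest):
    """Return {name: status} with status in
    {'current', 'outdated', 'no-update-source'}."""
    report = {}
    for name, xml_text in installed.items():
        have = manifest_version(xml_text)
        if name not in latest:
            report[name] = "no-update-source"
        elif parse_version(have) < parse_version(latest[name]):
            report[name] = "outdated"
        else:
            report[name] = "current"
    return report


if __name__ == "__main__":
    for name, status in check_updates(INSTALLED_MANIFESTS, LATEST_VERSIONS).items():
        print(f"{name}: {status}")
```

Anything reported as `no-update-source` is worth cross-checking against the Vulnerable Extension List by hand, since nothing will ever push a fix for it automatically.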
4

This is very subjective, and the answer is a question: how much do you value your site? Having a professional develop your site does not mean it is safe; professionals develop sites which have had massive breaches as well.

As a developer I would say a developer would be better if you're looking for quality, and yes, security might be better as well, but there are plenty of steps you can take when developing a site to ensure the website is secure.

If you follow the OWASP top 10 most common vulnerabilities and stop them you are doing better than a lot of smaller websites on the internet. Most of your issues will be related to SSL and injections such as (but not limited to):

  1. Heartbleed (SSL)
  2. DROWN (SSL)
  3. XSS (injection)
  4. SQL (injection)
  5. Execution of code / arbitrary data (injection)

These 5 are in my opinion any web application's WORST nightmare but also easy to not let happen!

Summary

Do you need a security expert? It would help, and if you think it's worth it then yes you do; if you don't think it's worth it, then no, you do not.

Do you need a professional developer? No, though for quality and reasonable assurance yes.

Can you protect yourself? Yes of course, at least to some extent.

Can you learn enough within your time constraints? No problem.

Obviously this is all related to the web application ONLY and not the server it is hosted on.

Kevin
TheHidden
  • If I'm not allowing users (other than me) to input anything, do I still risk injection? – Zachiel Mar 02 '16 at 11:57
  • OP states that his site need not accept input from the public. That should make it trivial to protect against most injection attacks. – Taemyr Mar 02 '16 at 11:58
  • @Zachiel you still need to look in to XSS and if there is an admin version of the site then be careful, you need to secure the pages for admins as well (application privilege escalation). ALSO to mention if you have nothing for users to input then you should need SSL either. no inputs means no users right? so you shouldn't be overly worried other than minimal XSS. the next level to secure is the server.... how are you hosting your work? – TheHidden Mar 02 '16 at 12:05
  • No inputs means that there is no login (in the public site, the administrator part has one and no, it's not going to be called sitename/administrator) and there are no input forms. (Guest) users can browse the pages and look at them to read their content. Maybe some internal search engine will be added later. – Zachiel Mar 02 '16 at 15:17
  • @Zachiel you should never assume that just because you're not hosting the administrator part of the site at *sitename/admin* (or whatever variation) that it's unknown to everyone else. This means that you should make sure that there is a strong password for the administrator account (nothing easy to brute force). I am not familiar with *Joomla* to speak to its SQL injection prevention however I would be willing to bet that it's already implemented. As others have suggested just keep it up-to-date and a strong password should be all you need (since you've indicated no user input on this site) – d0nut Mar 02 '16 at 15:31
  • @iismathwizard I just wanted to say "don't suggest that I change the name because I already know that trick". I also know it's not perfect but hey, low effort on my part. – Zachiel Mar 03 '16 at 19:34
  • @Zachiel sure! I'm not saying you shouldn't do it. Obfuscation isn't a bad thing at all but it certainly shouldn't be relied on :) – d0nut Mar 03 '16 at 20:22
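The comments above settle on two points: a renamed administrator path is obfuscation that cannot be relied on, and the real defence for the single admin account is a strong password against brute force. A cheap complement on the detection side is to watch the web server's access log for bursts of login POSTs. The script below is an added example (not code from the answer, the commenters, or the Joomla project). It assumes the Apache combined log format, that the Joomla 3 administrator login form POSTs to `/administrator/index.php` (passed in as a parameter because, as the thread notes, the path may be changed), and that a failed login answers with a redirect back to the login page, so several POSTs from one client in a short window are the signal; the log lines are constructed.

```python
"""Added example: flag clients that hammer the Joomla administrator login.

Assumptions (not from the thread): Apache combined log format; the admin
login POSTs to ADMIN_PATH; the sample log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Enough of the combined log format to get client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ADMIN_PATH = "/administrator/index.php"  # assumed; change if the admin path was renamed

# Constructed sample: one visitor, one scripted burst of six login POSTs
# in six seconds, and one ordinary single login by the site owner.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Mar/2016:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Mar/2016:12:00:05 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "curl/7.47"
203.0.113.9 - - [02/Mar/2016:12:00:06 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "curl/7.47"
203.0.113.9 - - [02/Mar/2016:12:00:07 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "curl/7.47"
203.0.113.9 - - [02/Mar/2016:12:00:08 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "curl/7.47"
203.0.113.9 - - [02/Mar/2016:12:00:09 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "curl/7.47"
203.0.113.9 - - [02/Mar/2016:12:00:10 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "curl/7.47"
192.0.2.10 - - [02/Mar/2016:12:05:00 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Mar/2016:12:05:02 +0000] "GET /administrator/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_login_bursts(log_text, admin_path=ADMIN_PATH, threshold=5,
                      window=timedelta(minutes=1)):
    """Return {ip: total_login_posts} for clients that POSTed to the admin
    login at least `threshold` times within any `window`-long span."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == admin_path:
            posts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        # Sliding window: advance `start` until the span fits inside `window`.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, count in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs, exceeds threshold")
```

Tune `threshold` and `window` to how often you actually log in; on a hosted plan you may only have the provider's log viewer, in which case the same count-per-client idea can be applied by hand.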