Joomla! Web Security

  • Learn how to secure your Joomla! websites
  • Real-world tools to protect against hacks on your site
  • Implement disaster recovery features
  • Set up SSL on your site
  • Covers Joomla! 1.0 as well as 1.5

Book Details

Language : English
Paperback : 264 pages [ 235mm x 191mm ]
Release Date : October 2008
ISBN : 1847194885
ISBN 13 : 9781847194886
Author(s) : Tom Canavan
Topics and Technologies : All Books, CMS and eCommerce, Security and Testing, Joomla!, Open Source

Table of Contents

  • Chapter 1: Let's Get Started
    • Introduction
    • Common Terminology
    • Hosting—Selection and Unique Needs
      • What Is a Host?
      • Choosing a Host
      • Questions to Ask a Prospective Host
      • Facilities
      • Things to Ask Your Host about Facility Security
      • Environmental Questions about the Facility
      • Site Monitoring and Protection
      • Patching and Security
      • Shared Hosting
      • Dedicated Hosting
    • Architecting for a Successful Site
      • What Is the Purpose of Your Site?
      • Eleven Steps to Successful Site Architecture
    • Downloading Joomla!
      • Settings
    • .htaccess
    • Permissions
      • User Management
    • Common Trip Ups
      • Failure to Check Vulnerability List First
      • Register Globals, Again
      • Permissions
      • Poor Documentation
      • Got Backups?
    • Setting Up Security Metrics
    • Summary
  • Chapter 2: Test and Development
    • Welcome to the Laboratory!
      • Test and Development Environment
      • What Does This Have to Do with Security?
      • The Evil Hamster Wheel of Upgrades
        • Determine the Need for Upgrade
      • Developing Your Test Plan
        • Essential Parameters for a Successful Test
      • Using Your Test and Development Site for Disaster Planning
        • Updating Your Disaster Recovery Documentation
        • Make DR Testing a Part of Your Upgrade/Rollout Cycle
      • Crafting Good Documentation
      • Using a Software Development Management System
        • Tour of Lighthouse from Artifact Software
    • Reporting
    • Using the Ravenswood Joomla! Server
      • Roll-out
    • Summary
  • Chapter 3: Tools
    • Introduction
    • Tools, Tools, and More Tools
      • HISA
        • Installation Check
        • Web-Server Environment
        • Required Settings for Joomla!
        • Recommended Settings
      • Joomla Tools Suite with Services
      • How's Our Health?
      • NMAP—Network Mapping Tool from
      • Wireshark
      • Metasploit—The Penetration Testers Tool Set
      • Nessus Vulnerability Scanner
        • Why You Need Nessus
    • Summary
  • Chapter 4: Vulnerabilities
    • Introduction
    • Importance of Patching is Paramount
    • What is a Vulnerability?
      • Memory Corruption Vulnerabilities
      • SQL Injections
      • Command Injection Attacks
        • Attack Example
      • Why do Vulnerabilities Exist?
      • What Can be Done to Prevent Vulnerabilities?
        • Developers
        • Poor Testing and Planning
      • Forbidden
      • Improper Variable Sanitization and Dangerous Inputs
      • Not Testing in a Broad Enough Environment
      • Testing for Various Versions of SQL
      • Interactions with Other Third-Party Extensions
    • End Users
      • Social Engineering
      • Poor Patching and Updating
    • Summary
  • Chapter 5: Anatomy of Attacks
    • Introduction
    • SQL Injections
      • Testing for SQL Injections
      • A Few Methods to Prevent SQL Injections
      • And According to PHP.NET
    • Remote File Includes
      • The Most Basic Attempt
      • What Can We Do to Stop This?
      • Preventing RFI Attacks
    • Summary
  • Chapter 6: How the Bad Guys Do It
    • Laws on the Books
    • Acquiring Target
    • Sizing up the Target
    • Vulnerability Tools
      • Nessus
      • Nikto: An Open-Source Vulnerability Scanner
      • Acunetix
      • NMAP
      • Wireshark
      • Ping Sweep
      • Firewalk
      • Angry IP Scanner
      • Digital Graffiti versus Real Attacks
    • Finding Targets to Attack
    • What Do I Do Then?
    • Countermeasures
      • But What If My Host Won't Cooperate?
      • What If My Website Is Broken into and Defaced?
      • What If a Rootkit Has Been Placed on My Server?
    • Closing Words
    • Summary
  • Chapter 7: php.ini and .htaccess
    • .htaccess
      • Bandwidth Preservation
      • Disable the Server Signature
      • Prevent Access to .htaccess
      • Prevent Access to Any File
      • Prevent Access to Multiple File Types
      • Prevent Unauthorized Directory Browsing
      • Disguise Script Extensions
      • Limit Access to the Local Area Network (LAN)
      • Secure Directories by IP and/or Domain
      • Deny or Allow Domain Access for IP Range
      • Stop Hotlinking, Serve Alternate Content
      • Block Robots, Site Rippers, Offline Browsers, and Other Evils
        • More Stupid Blocking Tricks
      • Password-Protect Files, Directories, and More
        • Protecting Your Development Site until it's Ready
      • Activating SSL via .htaccess
      • Automatically CHMOD Various File Types
      • Limit File Size to Protect Against Denial-of-Service Attacks
      • Deploy Custom Error Pages
      • Provide a Universal Error Document
      • Prevent Access During Specified Time Periods
      • Redirect String Variations to a Specific Address
      • Disable magic_quotes_gpc for PHP-Enabled Servers
    • php.ini
      • But What is the php.ini File?
      • How php.ini is Read
    • Summary
  • Chapter 8: Log Files
    • What are Log Files, Exactly?
    • Learning to Read the Log
      • What about this?
      • Status Codes for HTTP 1.1
    • Log File Analysis
      • User Agent Strings
      • Blocking the IP Range of Countries
      • Where Did They Come From?
    • Care and Feeding of Your Log Files
      • Steps to Care of Your Log Files
    • Tools to Review Your Log Files
      • BSQ-SiteStats
      • JoomlaWatch
      • AWStats
    • Summary
  • Chapter 9: SSL for Your Joomla! Site
    • What is SSL/TLS?
      • Using SSL to Establish a Secret Session
        • Establishing an SSL Session
      • Certificates of Authenticity
      • Certificate Obtainment
    • Process Steps for SSL
      • Joomla! SSL
    • Performance Considerations
    • Other Resources
    • Summary
  • Chapter 10: Incident Management
    • Creating an Incident Response Policy
    • Developing Procedures Based on Policy to Respond to Incidents
      • Handling an Incident
      • Communicating with Outside Parties Regarding Incidents
      • Selecting a Team Structure
    • Summary
  • Appendix: Security Handbook
    • Security Handbook Reference
    • General Information
      • Preparing Your Tool Kit
      • Backup Tools
      • Assistance Checklist
      • Daily Operations
      • Basic Security Checklist
    • Tools
      • Nmap
      • Telnet
      • FTP
      • Virus Scanning
      • JCheck
      • Joomla! Tools Suite
      • Tools for Firefox Users
        • Netstat
        • Wireshark
        • Nessus
    • Ports
    • Logs
      • Apache Status Codes
      • Common Log Format
      • Country Information: Top-Level Domain Codes
    • List of Critical Settings
      • .htaccess
      • php.ini
        • References to Learn More about php.ini
    • General Apache Information
    • List of Ports
    • Summary

Tom Canavan

Tom Canavan has been in the Computer and IT industry for 20+ years where he spent several years as a Systems Consultant to many Fortune 100 clients and other global companies.

Canavan is considered a top security and disaster recovery expert in the Joomla! world. He is the author of the Packt-published book Joomla! Web Security.

He is a former CIO and is currently the co-founder of Canavan contributes articles on security and disaster recovery to several websites.

Errata

2 submitted; last submission 10 Sep 2012

Errata type: URL change | Page number: 14

The online searchable database link:
should be

Errata type: Language | Page number: 57

"In that role, I author worked closely with..."
should be
"In that role, I worked closely with..."



What you will learn from this book

This book covers:

  • Implementing steps for successful Joomla! website architecture
  • Setting up metrics to measure security
  • Exploring the test and development environment; developing your test plan to make sure everything will work as planned
  • Utilizing your test and development site for disaster recovery
  • Measuring the performance of your software development projects using a software development management system
  • Exploring several tools to help protect your website
  • Diving into security vulnerabilities: why they exist, and some typical countermeasures
  • Exploring SQL Injections – how they can hurt you and how to prevent them
  • Mastering the two important security layers – php.ini and .htaccess
  • Reading and analyzing logs relevant to protecting your Joomla! site
  • Handling Security Incidents in a professional manner
  • Blocking nuisance IP addresses

Here is the brief summary of what each chapter talks about:

Introduction – This is an introduction to the concepts of security for your Joomla! site. In this section, we introduce the reader to concepts, tools, and ideas.

Chapter 1: Let's Get Started – This foundational chapter gets the reader ready by reviewing terminology, understanding hosting companies and how to select one, learning to architect Joomla! correctly from the start, where to download Joomla!, its important settings, permissions and trip-ups, and lastly setting up security metrics.

Chapter 2: Setting up a Test and Development Environment – Once you have your site planned, setting up a test and development environment allows you to make sure each extension will work together as planned. This chapter gives the reader a methodology to effectively set up and use a test/dev environment, with a review of a great tool, Lighthouse™, for software development project management.

Chapter 3: Tool Sets to Protect Your Site – There are a few key tools every Joomla! administrator should have in their security arsenal. This chapter covers the tools used to protect your site.

Chapter 4: Introduction to Vulnerabilities – What is a vulnerability? It is anything that can be used against you to hurt your site. This chapter introduces some common vulnerabilities and how they work.

Chapter 5: Anatomy of Attacks – Specific attacks such as SQL Injections are discussed here, with live examples of code used to attack sites, kiddie-scripts, and other more advanced attacks.

Chapter 6: How the Bad Guys Do It – Do you ever wonder what tools the bad guys use? This chapter covers some of the commonly available tools, and how they are used against you.

Chapter 7: php.ini and .htaccess – This chapter details the two important safeguards for your infrastructure. It offers a detailed view, with code samples, of each of these critical files.

Chapter 8: Log Files – Without a doubt, log files are the first and best indication of a coming attack, yet many administrators do not know how to interpret these critical files, or worse yet, ignore them. This chapter will teach the reader how to read log files and take care of them for forensic purposes.

Chapter 9: SSL – SSL is the guardian of e-commerce on the Internet. In this chapter you will learn how SSL works, where to obtain a certificate, and how to implement it in your Joomla! site.

Chapter 10: Best Practices for Incident Management – Even the best laid plans go astray. If a site is actually hit, you have an incident to handle; this chapter will educate you on some best practices for handling the incident in an effective manner.

Chapter 11: Security Administrators' Reference – Looking for that one bit of information? This chapter is a concise reference to highly important items of security information that will be important to your daily efforts in protecting your site.

In Detail

Joomla! is one of the most powerful open-source content management systems used to build websites and other powerful online applications. While Joomla! itself is inherently safe, misconfigurations, vulnerable components, poorly configured hosts, and weak passwords can all contribute to the downfall of your site. So, you need to know how to secure your website from security threats.

Today every website needs to take security into consideration. Using the knowledge here, your Joomla! site can be ahead of the security threats so prevalent today.

This book will take you all the way from the most basic steps of preparation to the nuts and bolts of actual protection. It is packed full of relevant and real-world topics such as security tools, configuration suggestions, setting up your test and development environment, reading and interpreting log files, and techniques used by bad hackers on the Internet. In addition to this you will learn how to respond to a site emergency should one occur and how to collect the evidence needed to pursue law enforcement action. This book covers Joomla! 1.0.x as well as 1.5.x.

The book provides a concise overview of all the parts needed to construct a defence-in-depth strategy for your Joomla! site. At the end of the book you will have a solid security foundation to take your Joomla! website to a higher level of security than the basic site setup.

Are you concerned about the security of your Joomla! website and don't know what to do? Read this easy-to-use, practical guide and learn how to implement strong security measures.

Book Reviews

Slashdot: "There is a ton of good information here and I recommend the book." "Technical books can be sometimes boring, especially when they talk about things you already know. This is not the case with Joomla! Web Security. I enjoyed Tom Canavan's detached writing style and I learned some interesting things that I applied to all my Joomla! websites. What I especially liked was the fact that the book discusses not only the Joomla! part of a website but also the server side and gives some nice hosting tips. If you're a junior or intermediate Joomla! user I would highly recommend it."

JoomlaNYC: "This is “a must” read book for all people that care about the security of a website. The book offers an excellent primer on basic web-security. It is written for the person who has not yet mastered the skills needed to properly secure a website."


This book will give you a strong, hands-on approach to security. It starts out with the most basic of considerations such as choosing the right hosting sites then moves quickly into securing the Joomla! site and servers. This is a security handbook for Joomla! sites. It is an easy-to-use guide that will take you step by step into the world of secured websites.

Who this book is for

This book is a must-read for anyone seriously using Joomla! for any kind of business, from small retailers to larger companies. With this book they will be able to secure their sites, understand the attackers, and more, without the drudgery of searching forums only to be flamed or never find the answers.

Prior knowledge of Joomla! is expected but no prior knowledge of securing websites is needed for this book. The reader will gain a moderate to strong level of knowledge on strengthening their sites against hackers.
