Basic Security Practices for CMSs
Popular content management systems such as WordPress, Joomla and Drupal are frequent targets for attackers because of their widespread use. You can avoid most attacks by following a few simple rules.
First and foremost, keep your CMS up to date. Knowledge of a security vulnerability spreads quickly among attackers, and automated scripts that exploit it appear soon after. WordPress, Joomla and Drupal can all be updated automatically, but weigh the risks carefully: an update gone wrong can take down your whole website.
Pay the same attention to installed plugins and themes: always keep them updated, install only widely used, trustworthy ones, and if a plugin is no longer maintained, look for an alternative.
Another important point is the permissions on files and directories. For all three CMSs, directories should have 755 permissions and files 644. In addition, set wp-config.php to 600 if you use WordPress and configuration.php to 444 if you use Joomla. With Drupal, deny access to authorize.php, cron.php, install.php and upgrade.php. Never set permissions to 777!
Do not use common usernames such as 'Admin' or 'Administrator'; these are the first ones tried in a brute-force attack. Use a strong password: it should not contain a common word and should include lowercase and uppercase letters, a numeral and a special character.
Securing your site with .htaccess
You can restrict access to sensitive parts of your CMS to selected IP addresses.
For WordPress, add the following block to the .htaccess file at the root of your installation, replacing the example addresses with your own:
    <Files wp-login.php>
        Order deny,allow
        Deny from all
        Allow from 188.8.131.52
        Allow from 184.108.40.206
    </Files>
For Joomla, create an .htaccess file in the /administrator directory with the following contents:
    Order deny,allow
    Deny from all
    Allow from 220.127.116.11
    Allow from 18.104.22.168
For Drupal, create an .htaccess file with the following contents at the root of your website:
    <Location "/user/login">
        Order deny,allow
        Deny from all
        Allow from 22.214.171.124
        Allow from 126.96.36.199
    </Location>
Turn off PHP in certain directories
Directories for uploaded files, usually images, are not meant to hold PHP scripts, so a PHP file found there has most probably been uploaded by an attacker. From a security standpoint, it is better to turn off PHP execution in these directories altogether. Create an .htaccess file with the following contents in each upload directory:
    php_flag engine off
    <Files *.php>
        Order allow,deny
        Deny from all
    </Files>
In the case of WordPress, you should create it in the following directories.
For Joomla, in:
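As an added example that is not part of the original page, the following POSIX shell script checks a document root against the permission rules from the first section and the rule above that upload directories must not contain PHP scripts. The webroot path and the upload directory (relative to it) are arguments you supply; the function names are this example's own.

```shell
#!/bin/sh
# Audit a CMS document root: directories 755, files 644, a stricter mode on
# the config file, and no PHP scripts in upload directories.
# Added example, not code from the original page.

# Report directories that are not 755 and regular files that are not 644.
# The CMS config file is skipped here because it has its own stricter rule.
audit_modes() {
    webroot="$1"
    find "$webroot" -type d ! -perm 755
    find "$webroot" -type f ! -perm 644 \
        ! -name wp-config.php ! -name configuration.php
}

# Succeed only if FILE has exactly MODE (600 for wp-config.php, 444 for
# Joomla's configuration.php). find -prune works on both GNU and BSD
# systems, avoiding the differing stat(1) flags.
check_config_mode() {
    file="$1"; mode="$2"
    [ -f "$file" ] && [ -n "$(find "$file" -prune -perm "$mode")" ]
}

# List PHP scripts under an upload directory (path relative to the webroot).
# Anything found here is suspect: uploads should be images, not code.
find_php_in_uploads() {
    webroot="$1"; upload_dir="$2"
    [ -d "$webroot/$upload_dir" ] || return 0
    find "$webroot/$upload_dir" -type f -name '*.php'
}

# Total number of findings, handy for cron jobs that alert on a non-zero count.
count_findings() {
    webroot="$1"; upload_dir="$2"
    { audit_modes "$webroot"; find_php_in_uploads "$webroot" "$upload_dir"; } \
        | wc -l | tr -d ' '
}

# Usage: sh audit.sh /var/www/html wp-content/uploads  (webroot, upload dir)
if [ "$#" -ge 2 ]; then
    audit_modes "$1"
    find_php_in_uploads "$1" "$2"
    echo "findings: $(count_findings "$1" "$2")"
fi
```

Run it from a cron job and alert when the findings count is not zero; the config-file check is separate so you can apply 600 or 444 depending on the CMS.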