Brian's Blog Homepage
thumb print
thumb print

Is your admin interface in joomla secure?

Could you make it more secure?

Could Joomla itself force some extra security?

Obviously the first stage in securing your web site is to ensure that you are using a strong password. Ideally this should be a mixture of both upper and lower case characters and include a few numbers for good measure, not forgetting not to make it a real word.

Those naughty hackers aren’t stupid and are well aware that people may use the number 3 to replace the letter e in a password. It’s also extremely important that you don’t use the same password on multiple sites, you only need one of those sites to be hacked for all your sites to be vulnerable. See this blog entry for a typo3 horror story.

Unfortunately people are lazy and often re-use passwords or chose ones that appear strong to them but are in fact pretty weak and vulnerable to brute force attacks, and this is where the problem currently lies in Joomla.

Every Joomla site creates a super-administrator user by default with exactly the same name - “admin”. As you can see from the screenshot there is no option to rename this super-administrator account during the installation.

create password

Perhaps this could be changed in Joomla 1.6 so that you have to select an admin name as well as a password. At the same time if a password strength test was included some of the more idiotic passwords could be detected.

So what does this mean? For a hacker it’s a dream scenario as without doing anything you have given them 50% of the credentials they need to break into your site and do as they wish with all your precious work.

In the long term the solution is for Joomla itself to be updated to allow you to chose the default super-administrator username as well as the password. There are however several steps you can undertake right now.

As soon as you have installed Joomla and logged in for the first time go to the user-manager and create a brand new super-administrator with a strong password. Then log out and re-login with the newly created account and go back to the user-manager and demote the “admin” user to manager level, apply your changes and then delete the “admin” user.

(You have to do it this way as Joomla does not allow you to delete a super-administrator.)

If you’re wondering why I didn’t suggest just changing the username of the “admin” user rather than creating a new one that’s because the “admin” user always has the same userid of “62″ which potentially is another piece of useful information for a hacker or script-kiddie.

Again perhaps this could be changed in Joomla 1.6 so that the default (or first created admin) has a random userid.

 

The first version of this post was published at blog.phil-taylor.com

J o o m l a !

Brian Teeman

Brian Teeman

Who is Brian?

As a co-founder of Joomla! and OpenSourceMatters Inc I've never been known to be lacking an opinion or being too afraid to express it.

Despite what some people might think I'm a shy and modest man who doesn't like to blow his own trumpet or boast about achievements.

Where is Brian?