Joomla Tools Suite - Part 3 (Permissions Audit)

Joomla Tools Suite - Part 3 (Permissions Audit)

A critical part of Joomla security is file and directory permissions. By default Joomla does not enforce strict permissions, and these may lead to having permissions which are too weak, make it easy for your site to be compromised.

Permissions in Joomla are a weird and (wonderful?) animal. This is because each hosting server usually have their own configurations and defining a set of permissions which work on all hosts is practically impossible. Having said this, there are recommendations that one should follow, and certain permissions which one should defintely avoid. There is a very good Joomla permissions overview , which is highly recommended.

Just a brief cutting from the above article:

 

Owner (User) relates to username
The Owner (User) is normally you, these permissions will be enforced on your hosting account name.

Group relates to usergroup
The Group permissions will be enforced on other people that are in the same group as you, within a hosting environment, there is very rarely other people in the same group as you. This protects your files and directories from being made available to anybody else who may also have a hosting account on the same server as you.

Other relates to everyone else
The Other permissions, these will be enforced on anybody else on the server that is either not you or not in your group. So in a Web Serving environment, remembering that no-one else is normally in your group, then this is everybody else accessing the server except for you.

Joomla Recommended Permissions 

Joomla default recommends the following generic settings   

Files = 644  and   Directories = 755

These permissions would allow, for files;
   
     644 =   rw- r-- r--   = Owner has Read and Write
                                             Group has Read only
                                             Other has Read only

and for directories;
   
     755 =  rwx r-x r-x    = Owner has Read, Write and Execute
                                               Group has Read and Execute only
                                               Other has Read and Execute only

If you have setup your permissions to work with these permissions and Joomla complains that some folders are unwriteable, then you may have configured your permissions incorrectly, or you might have encountered a Joomla unfriendly host.

Permissions one should avoid at all costs is giving Other group any write permission on any file / directory. The biggest security sin one can commit is to change files / folders to 777 (everyone can do anything), and forget them like this! 

Joomla Tools Suite - Permissions Audit

Permissions Audit

So how does the Permissions Audit work, and what can it do for you? The permissions audit tool, goes through all files and directories and checks for any for file or directory which does not conform to the recommended permissions and which may thus post a threat to your site. Many times you may have uploaded templates, components, forums, or any other files which might have not had the correct permissions setup, and these misconfigurations will be found by the Permissions Audit tool.

It is very easy to go through and determine that a particular file or folder does not have the recommended settings, because the tool highlights any potential risks. What you would need to do then is, browse to the file / folder using FTP software, and change the permissions to correct permissions.

Part 4 - Removing unecessary files/ components and how unused components and / or files can make your site vulnerable.

One more thing...

Do you have friends or a Facebook group who you think would find this useful? Share this with them and then let me know what they think.

Want to supercharge your website?

 
Our website loads FAST ... just 1.29 seconds. We're hosted on FAST InMotion VPS servers We want YOUR website to be fast too, so we've gotten you an exclusive deal - 47% OFF for DART Creations friends + FREE domain! Check it out NOW!