A security audit helps you identify and eliminate potential security issues in your website. These can include information disclosure or functionality issues, unauthorised access to user data, or system-level issues. This article looks at the different areas of a Joomla security audit.
To start with, there is a checklist for user access on your website. This is important because it highlights any areas where the login process needs attention. The following information is documented and used to look for problems with login screens and the other areas that need review. The areas to review include:
– Email login – All users must have an email address to log into your website. Any change to this requirement is a sign of a potential problem. If you cannot get users to provide their email addresses, that is a red flag. Ensure that the address they use is one they trust.
– Login and registration options – Users must be able to log in and, having done so, change their password. Users could bypass this check if they are provided with some form of false password. Most systems today offer this as an explicit choice, for example ‘change password’ in the case of Windows XP. There should also be a secure area where users enter their username and password.
– User logon and password reset – The default login page and the password reset facility are two of the most common problem areas that come up in audits. Ensure there is a place where logged-in users can change their password, and it is also a good idea to provide a link where users can reset their password without logging in.
– Password check – Passwords should be difficult to guess, and a guessed password should not give access to this information. The easiest way to achieve this is to require a variety of character combinations. Older code hashes passwords with PHP’s crypt function; it is recommended that you replace this with a more modern password-hashing scheme.
– Session management – Users should be able to log out whenever they wish. You should also check that passwords are never left in the clear. If a user needs to leave the site for any reason, they should be able to do so easily. There should also be some method for identifying which users need to remain logged in.
– User desktops – All desktops should display user information correctly. A common finding during audits is that users have found a way to hide their desktops from the administrator. This is something to look out for: make sure that user desktops are visible and accessible from the general view.
– Login pages – There should be no reason for an ordinary user to be asked for the admin password. Most systems offer this as a check box, and there should be no reason why the user would need to enter it. Where a user is leaving the site, this can cause problems. The site’s password reset feature should also offer the user an option to update their password if necessary.
– Update management systems – These allow users to update the website content. While this is an important part of any website, there should be no reason why a user would need to enter the admin password to do it.
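The password-check and session-management items in the list above are the ones an auditor can most usefully verify in code. The following PHP is an added example, not code from this article or from Joomla itself: it contrasts the legacy crypt() storage the article mentions with password_hash()/password_verify() (the bcrypt-based functions modern Joomla releases use for stored hashes), rehashes old hashes transparently on login, and shows the session handling an auditor expects to find (hardened cookie flags, ID regeneration on login, an idle timeout, and full teardown on logout). Function names such as hashPassword and startSecureSession, the cost and timeout values, and the short deny-list are assumptions made for the example.

```php
<?php
// Added example (not Joomla's own code): password storage and session handling
// as an auditor would expect to see them in a PHP login flow.
// Function names, constants and the deny-list below are hypothetical choices.
declare(strict_types=1);

const BCRYPT_COST = 12;
const SESSION_IDLE_LIMIT = 1800; // seconds of inactivity before forced logout

// --- Password storage ---------------------------------------------------

// Legacy pattern still found in audits: crypt() with a fixed two-character salt.
// The same password always yields the same hash, the DES variant only looks at
// the first eight characters, and it is fast to brute-force. Flag this if found.
function legacyHash(string $password): string
{
    return crypt($password, 'ab');
}

// Hardened pattern: password_hash() with bcrypt. A random salt and the cost
// factor are embedded in the returned string, so verification needs no extra data.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function verifyPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Transparent upgrade: after a successful login, return a new hash if the stored
// one uses an older algorithm (e.g. a legacy crypt() value) or a lower cost.
function upgradeHashIfNeeded(string $password, string $storedHash): ?string
{
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return hashPassword($password);
    }
    return null;
}

// Minimal policy for new passwords: a length floor plus a constructed deny-list
// of common choices. Length matters more than forced character classes.
function passwordMeetsPolicy(string $password): bool
{
    $denyList = ['password', '123456', 'qwerty', 'letmein', 'joomla'];
    return strlen($password) >= 12 && !in_array(strtolower($password), $denyList, true);
}

// --- Session management -------------------------------------------------

function startSecureSession(): void
{
    // Cookie is HTTPS-only, unreadable from JavaScript, and not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue
    session_start();
}

function loginUser(int $userId): void
{
    session_regenerate_id(true); // fresh ID on privilege change defeats session fixation
    $_SESSION['user_id']       = $userId;
    $_SESSION['last_activity'] = time();
}

// Full teardown: clear data, expire the cookie, destroy server-side state.
function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Call on every authenticated request; logs the user out when idle too long.
function sessionIsActive(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_activity'])) {
        return false;
    }
    if (time() - $_SESSION['last_activity'] > SESSION_IDLE_LIMIT) {
        logoutUser();
        return false;
    }
    $_SESSION['last_activity'] = time();
    return true;
}

if (PHP_SAPI === 'cli') {
    $hash = hashPassword('correct horse battery staple');
    echo 'verify ok: ', var_export(verifyPassword('correct horse battery staple', $hash), true), PHP_EOL;
    echo 'verify wrong: ', var_export(verifyPassword('wrong password', $hash), true), PHP_EOL;
    $old = legacyHash('correct horse battery staple');
    echo 'legacy needs rehash: ', var_export(upgradeHashIfNeeded('correct horse battery staple', $old) !== null, true), PHP_EOL;
}
```

Run it from the command line (`php audit_example.php`) to see the verify and rehash results. In an audit, the things to check against this pattern are: no fixed salts or crypt()/MD5 values left in the users table, password_needs_rehash() wired into the login path so old hashes disappear over time, session_regenerate_id() called on login, and the session cookie carrying the Secure, HttpOnly and SameSite attributes.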
This is just a basic list of the areas that should be looked at during an audit of Joomla, and only a few of the areas to consider when you go through the entire audit. Keep these points in mind as you work through the various parts of the audit of your Joomla site.