Stephen Brandon writes "It used to be that to set up a database-backed web site required at least a server guy, a database administrator, a programmer, and a designer. Joomla! and other modern CMS systems have opened the door to allow non-administrators to set up complete e-commerce or informational sites, using great free software and easy-to-find commercial hosting. What then of security? A new book by Tom Canavan, Joomla Web Security, aims to bridge the knowledge gap, introducing Joomla! admins to a set of security tools and skills sometimes found lacking in the Joomla! community." Read on for the rest of Stephen's review.
Joomla! Web Security is Packt Publishing’s eighth Joomla! title, and they are to be congratulated for providing much-needed documentation for Open Source projects. Written by Tom Canavan and published in October 2008, it can be found under ISBN 1847194885 and 978-1-847194-88-6.
According to the back cover, this book is written for “anyone seriously using Joomla! for any kind of business. With this book they will be able to secure their sites, understand the attackers, and more, without the drudging task of looking up in forums, only to be flamed, or not even find the answers.” Prior knowledge of Joomla! is assumed, but prior knowledge of securing websites is not.
Why bother with a book on Joomla! security? In my experience, many people come to Joomla! from a design and content perspective. They are not server gurus, just people who know enough about design to select a good-looking template, then organize suitable content to meet the informational and marketing needs of the organization or business for whom they work.
Template – content – web host – the new site is up and running in short order. The first time the site goes down or is hacked, however, such a site designer/administrator may well be struggling, as the back cover quote suggests.
Although this volume is the only current one that I could find concentrating on Joomla! security, the Joomla! team does have a dedicated Security Task Force, and a fair amount of security information starting from http://docs.joomla.org/. The information on joomla.org, while comprehensive, is not as in-depth as most of the information in Joomla! Web Security.
Written in the author’s chatty, easy-to-read style, chapter 1 covers a lot of basics of Joomla! security, from checking that the installation files have not been tampered with, to choosing hosting, some php and apache settings, permissions, and setting up security metrics.
Given that the choice of hosting is one of the most crucial decisions determining site security and uptime, the author chooses to concentrate on some unexpected angles. Granted, the checklist of physical security is comprehensive (“Is there water detection under this raised floor? Do you have a man-trap entrance to the building?”), but the target audience might be better served by a similarly comprehensive checklist of how to choose safer shared hosting. Notable by its absence was any mention of suPHP, PhpSuExec (see tutorial) or any similar scheme for running PHP files under the ownership of the account-holder rather than the standard httpd or nobody user. Without this, any other client on your shared hosting can read your database credentials and almost certainly gain read-write access to your database — with it, clients on shared hosting are much more efficiently segregated, making shared hosting a more viable option for less security-critical installations.
Absent too was mention of Joomla! 1.5’s FTP layer. Whilst in Joomla! 1.0 you needed to set 777 permissions in order to install extensions or upload images and files via Joomla!, the FTP layer allows Joomla! to FTP these files to itself, maintaining a tighter permissions structure in the absence of suPHP or PhpSuExec.
The section “Setting Up Security Metrics”, however, shows the author’s strengths. This, chapter 2 “Test and Development” and chapter 10 “Incident Management” prescribe a methodical approach to security, ensuring that you are well-prepared for any eventuality. For the more mission-critical of the sites that I administer, this has prompted me to review my procedures, but I suspect that these are chapters that will be glossed over by a majority of the target audience.
It’s this sort of dichotomy that mars the book slightly for me. What I would like to give to the Joomla! webmasters that I support as part of my day job is a book that clearly explains common issues in the installation and administration of Joomla!. Joomla! Web Security seems to promise this, but isn’t willing to provide all the detail required by the less-experienced (no mention of what numerical file permissions actually mean, nor how to obtain the MD5 checksum of a file you downloaded), and seems a little too eager to jump up to higher-level management issues, as worthy as these topics are. And why is there a mini-tutorial on how to use the software development management system Lighthouse, when there are barely any step-by-step instructions with screenshots on specifically Joomla! topics anywhere in the book?
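The two gaps the review names here (what numeric file permissions mean, and how to check the MD5 checksum of a download), together with the shared-hosting exposure described above (a world-readable configuration.php handing your database credentials to every other tenant when PHP runs as the shared httpd or nobody user, and the Joomla! 1.0 habit of chmod 777), are small enough to cover in a few shell helpers. The script below is an added example, not code from the book or from the reviewer; it assumes a POSIX sh with coreutils md5sum, find and sed, and the Joomla! tree it audits is a constructed sample created in a temporary directory and removed afterwards.

```shell
#!/bin/sh
# Added example (not from the book or the review). Helpers for reading
# numeric permissions, verifying a download's MD5 checksum, and auditing a
# Joomla! tree for files other tenants of a shared host could read or write.
# Assumes coreutils md5sum and a POSIX find/sed.

# Decode a three-digit octal mode (644, 0755, 777) into rwx notation.
octal_to_symbolic() {
  mode=$1
  mode=${mode#"${mode%???}"}        # keep only the last three digits ("0644" -> "644")
  out=""
  for d in $(printf '%s' "$mode" | sed 's/./& /g'); do   # one digit per word
    case $d in
      0) out="${out}---" ;; 1) out="${out}--x" ;; 2) out="${out}-w-" ;; 3) out="${out}-wx" ;;
      4) out="${out}r--" ;; 5) out="${out}r-x" ;; 6) out="${out}rw-" ;; 7) out="${out}rwx" ;;
      *) printf 'invalid mode: %s\n' "$1" >&2; return 1 ;;
    esac
  done
  printf '%s\n' "$out"
}

# Classify what the "other" digit grants to every other account on the machine.
mode_risk() {
  mode=$1
  mode=${mode#"${mode%???}"}
  o=${mode#??}                      # last digit = permissions for "other"
  if [ $((o & 2)) -ne 0 ]; then
    echo world-writable
  elif [ $((o & 4)) -ne 0 ]; then
    echo world-readable
  else
    echo owner-and-group-only
  fi
}

# Compare a downloaded file against the checksum the project publishes.
verify_md5() {
  file=$1
  expected=$2
  actual=$(md5sum "$file" | cut -d ' ' -f 1)
  if [ "$actual" = "$expected" ]; then
    echo "OK   $file $actual"
    return 0
  fi
  echo "FAIL $file expected=$expected actual=$actual" >&2
  return 1
}

# List files in a Joomla! tree that other tenants of a shared host could touch:
# anything world-writable, and a world-readable configuration.php (it stores the
# database password in clear text, so with PHP running as the shared web-server
# user any other client's script can read it).
audit_joomla_tree() {
  dir=$1
  find "$dir" -type f -perm -0002 | sed 's/^/WORLD-WRITABLE: /'
  find "$dir" -type f -name configuration.php -perm -0004 | sed 's/^/WORLD-READABLE-CONFIG: /'
}

# Demo on a constructed tree (removed afterwards).
demo=$(mktemp -d)
mkdir -p "$demo/site/images"
printf 'hello' > "$demo/downloaded.zip"                   # constructed "download"
printf '<?php $password = "secret"; ?>' > "$demo/site/configuration.php"
: > "$demo/site/images/photo.jpg"
chmod 644 "$demo/site/configuration.php"
chmod 777 "$demo/site/images/photo.jpg"                  # the Joomla! 1.0 chmod 777 habit
for m in 777 755 644 640; do
  printf '%s = %s (%s)\n' "$m" "$(octal_to_symbolic "$m")" "$(mode_risk "$m")"
done
verify_md5 "$demo/downloaded.zip" 5d41402abc4b2a76b9719d911017c592   # md5 of "hello"
audit_joomla_tree "$demo/site"
rm -rf "$demo"
```

On a real host, run `audit_joomla_tree /path/to/joomla` as the account owner; a clean result under suPHP or PhpSuExec is a configuration.php at 600 or 640 and no world-writable files, whereas a setup without per-account PHP execution has to leave more open for Joomla! to write at all, which is exactly the trade-off the review is pointing at.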
On a positive note, chapter 3’s “Tools” introduced me to some previously-unknown packages as well as some old friends. Every Joomla! administrator should become familiar with these: HISA (J! 1.0 only), the Joomla! Tools Suite (J! 1.5 only in legacy mode), Joomla! Diagnostics (some problems on J! 1.5), JCheck (J! 1.5 only works in cron mode). The obvious issue is that many of these don’t operate fully, or at all, for Joomla! 1.5. The sections on Nmap, Wireshark, Metasploit and Nessus, however, are well written and relevant.
If anyone needs convincing that the threats to a Joomla! site are real, point them to the central chapters of this book. Here Tom Canavan lays out “How the Bad Guys Do It”, and details the anatomy of attacks. This is a real eye-opener and should be required reading for any budding site administrator. It’s good to see a checklist of further topics for study (p. 144).
Finally, we return to more specifically Joomla! topics. A section of recipes for .htaccess and php.ini files covers such useful topics as Apache’s mod_redirect, password protection and access control. The “Log Files” chapter is pleasingly Joomla!-specific and also covers some logfile analysis tools.
Joomla! Web Security is rounded off with an appendix summarizing some of the key points of the book, and listing port numbers, apache status codes and TLD domain codes. The list of critical settings for .htaccess and php.ini is prescriptive and useful in this format.
While writing this review I noticed that the author has written a previous volume on a similar topic: Dodging the Bullets — A Disaster Preparation Guide for Joomla! Based Websites. Critical reviews of that book suggested that it was aimed towards the larger corporate user of Joomla!, and held little for the Joomla! administrator who simply needed to know and understand the settings and tools required for site security. This volume redresses the balance somewhat, with more hands-on advice, and I would recommend it over Dodging the Bullets for the average Joomla! administrator.
Though Joomla! Web Security is a worthwhile addition to a Joomla! bookshelf, my wish would still be for an even more practical guide, particularly one addressing J!1.5 developments and going into much more detail about selecting a hosting partner. Even without this, however, there is a ton of good information here and I recommend the book.
Availability: On the publisher’s web page for this book you will find the TOC, general introduction, a link to the sample chapter, code download, and facilities for on-line purchase. Various discounts and bundles (including Adobe e-book) are offered on the site; hard copies are also available through Barnes and Noble and other usual channels.
Stephen Brandon is author of the popular MetaMod Joomla! module and web manager for an international non-profit organization."
You can purchase Joomla! Web Security from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.