How to Secure an Outdated Web Application in 5 Minutes
I've had the following challenge yesterday. A friend of mine had an old Joomla 2.5 with a bunch of customization - additional components installed, custom theme, etc. It was hosted somewhere and had to be transferred away for some reasons. But before being transferred to a hosting which I am responsible for, it had to be secured. The last thing I want is to have my account suspended.
I haven't dealt with Joomla for the last 5-6 years, nor with PHP as a matter of fact. So I am very far from an expert in Joomla and I don't intend to become one (not again).
A fast check showed that Joomla 2.5 is quite old in fact. There were instructions for a straight forward upgrade to a newer version but as one might imagine, these instructions wouldn't work because of all the customizations.
It happened so that my friend needed the site but not enough to hire a developer to update it and secure it. So he wanted me to find a fast and easy solution.
Now, this will sound like one of those paid articles in which someone finds by accident a great product, etc. I wish that was the case because I really like CloudFlare and I also like being paid (but I am not for any of my articles) :)
So yes, I decided to use CloudFlare to protect my friend's totally outdated Joomla. It's free, or to be more precise - I use the free plan. It also takes just a few minutes to get started.
Cloudflare is something like a security proxy that stops intruders in case you haven't heard of it.
So I've come up with the following 5-minutes / $0 budget security strategy - to block as many potential threats as possible while minimizing possible harm.
In the following I'll describe the exact settings I've applied in CloudFlare. To do something similar you'll need first to set up your site and you can check these instructions if you need help.
Step 1. Enable all security settings to the MAX:
A simple check with my browser showed that the site still works after enabling all of these. In most cases that's enough. Though, if you use some kind of automation scripts and APIs it's quite possible that they'll be blocked or challenged.
Here are the most important from above:
- Security Level - High - Challenges all visitors that have exhibited threatening behavior within the last 14 days
- Bot Fight Mode - Challenge requests matching patterns of known bots before they can access your site.
- Browser Integrity Check - Evaluate HTTP headers from your visitors browser for threats.
Step 2. Challenge bad countries
This may sound a bit drastic but I see no harm in it. My friends site is for a local business and I don't think he cares much about visitors from Ukraine, China, etc. After all, those visitors will just have to fill in a captcha correctly in order to continue to the site.
So I searched Google for "top countries from where web attacks originate" and added a few of my favorite ones to the list. Then I've created the following rule:
If you want to use the expression listing all the countries here it is:
(ip.geoip.country in {"UA" "AL" "BY" "BR" "BD" "MD" "TR" "RU" "IN" "CN" "RO" "PL" "NG" "VN" "ID" "KR"})
For SEO reasons I've skipped adding the United States to the list above because most probably the Google crawler won't be able to fill in the captcha.
So what does that accomplish? All web attacks nowadays are run by bots and the above countries are known for hosting such bots for various reasons. These bots won't be able to pass the captcha and will be blocked.
It's important to note that if any hacker with any experience decides to compromise my 5 minutes / $0 defense, the above 2 steps won't be able to stop him. Though, I doubt my friend and his peaceful site for photography will attract any such interest. Bots on the contrary have no feelings and must be stopped.
I must say though that if any world class hacker decides to hack my friends site, I might be willing to dedicate some more that 5 minutes and we'll see then :)
Also, in case you have more than 5 minutes you could also:
- Sacrifice any additional extensions, themes, etc on your Joomla. Remove them and make your Joomla as standard / clean as possible. Then attempt a upgrade to the latest version again. That's the best way to security but I understand people prefer good looks and additional functionality to security.
- Hire a professional to secure the site or look for some readily available extensions. Long ago there was such an extension for Joomla 1.5. Don't ask me how I know about it.
- Go 'cowboy' security. I can think of a few funny things (and we've done them back in the wild days of security) such as making your files immutable, removing any other privileges than READ for your Joomla database user, restricting the access to your administration login page with .htaccess, etc... Needless to say, this will have a lot of drawbacks for your Joomla and make it hardly usable.
- Extend my Honeypot blocker to make 301 redirects to CIA's site for anyone who tries visiting a few popular urls for scanners such as phpmyadmin, admin or even the administrator page. Let's see how much fun they'll have then :)
The above instructions could be applied not only to an outdated Joomla but also to any other outdated web platform which you want to secure fast, easy and without paying anything. Good luck!