While setting up your own Joomla! site, it's good to think about its security. Joomla! itself is rather safe, but you can always be hacked. This is mainly due to misconfigurations, vulnerable third-party extensions and weak passwords. To help you secure your Joomla! site, reading the book Joomla! Web Security is a good start. This book, written by Tom Canavan, has 248 pages and was published in October 2008. The book covers both Joomla! 1.0.x and 1.5.x. In this review you can read more about the book.

The author divided the book into 10 chapters, and included a very useful Appendix at the end of the book. The first chapter is called 'Let's get started'. It discusses how to choose the correct hosting company, how server settings should be configured to get the most secure environment for your Joomla! site, and many other subjects. It covers lots of different topics, a bit too much in my opinion. Most of the topics come back in more detail later on. It would have been better to include a longer section on which version (1.0 or 1.5) to choose, with regard to security. For a book published in September 2008, eight months after the 1.5.0 stable release, it's a pity that important security improvements in 1.5.x are not mentioned and explained. For example, the new FTP layer has an enormous security advantage: with the FTP layer activated, the website owner no longer has to deal with CHMOD rights. All files can be set to unwritable, and you will still be able to install extensions and upload media.

The next chapter tells the reader how to set up a testing and development environment. This is very much business-oriented. For the largest group of Joomla! users, a labour rate, downtime costs per hour and terms like MTTF (Mean Time To Fix) do not make any sense. It is always good to know how the 'big guys' do it, but not really necessary to apply it to your own situation. Which does not mean that a testing environment is not needed for your site, however small it may be!

In Chapter 3 you can read about very powerful and useful diagnostic tools. These are all explained very clearly and thoroughly. It's a pity that they are all 1.0.x based (although Joomla Tools Suite can work in 1.5 legacy mode), and no specific 1.5.x native tools are discussed, for example JoomSuite Defender.

The fourth chapter explains what vulnerabilities are, why they exist and what can be done to prevent them. Although not everything can be explained in one chapter, the author made a good choice in what to discuss and what not. It is a good description with clear examples, explaining the most important part of what needs to be known about vulnerabilities.

Chapter five explains two types of attacks that can occur on your Joomla! site: SQL Injections and Remote File Includes. The SQL injections are explained really, really well, with concrete and clear examples. The Remote File Includes part does not have really clear examples. I fully agree with the part stating that 1.5.x is not safe: no site or code can be 100% safe. However, if you keep up to date with the newest version, and upgrade immediately after a patch has been made available (especially if a security hole has been fixed), there is only a very, very small risk of being hacked because of the Joomla! core. From my experience as a Joomla! Bug Squad Member, I noticed that most of the sites that are attacked because of a security hole in the Joomla! core are attacked after a (security) patch was made available to the community.

Chapter 6, 'How the bad guys do it', teaches the reader how the 'bad guys' can gather information or even break into your site. It's very useful to know, and nearly frightening how much info crackers can get from your site.

The chapter that I thought was the most useful was the one about php.ini and .htaccess, chapter 7. The examples of both .htaccess and php.ini are very clear. They can be useful for every (PHP) website, no matter if it is a Joomla! site or not.

Chapter 8 mostly teaches you how to read log files. It is very handy to have this skill. The status codes for HTTP 1.1 are also useful. At the end of the chapter some tools to analyze the log files are discussed. Again, it's a pity that no tools for 1.5 are discussed.
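As an added illustration of the log-reading skill this chapter is about (example code written for this review, not taken from the book), the script below parses Apache combined-format access log lines, groups the HTTP/1.1 status codes into their classes, and flags client IPs that collect more than a chosen number of 4xx responses. The log lines are constructed samples, and the threshold is an assumed value, not a recommendation from the book.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format, as commonly written by the web server in front of a Joomla! site.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# HTTP/1.1 status code classes (first digit of the code).
STATUS_CLASSES = {1: "informational", 2: "success", 3: "redirection", 4: "client error", 5: "server error"}

def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["class"] = STATUS_CLASSES.get(rec["status"] // 100, "unknown")
    return rec

def summarize(lines, error_threshold=3):
    """Count responses per status class and list client IPs with more than error_threshold 4xx responses.

    A client that keeps hitting non-existent or forbidden paths is worth a closer look in the full log;
    the threshold is an assumed value for this example, not a rule from the book.
    """
    classes = Counter()
    errors_by_ip = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            classes["unparsed"] += 1  # keep counting so a broken line does not silently vanish
            continue
        classes[rec["class"]] += 1
        if rec["status"] // 100 == 4:
            errors_by_ip[rec["ip"]] += 1
    flagged = sorted(ip for ip, n in errors_by_ip.items() if n > error_threshold)
    return classes, flagged

# Constructed sample log lines (documentation-range IPs, not from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2008:13:55:36 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2008:13:55:40 +0200] "GET /page-1.html HTTP/1.1" 404 221 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2008:13:55:41 +0200] "GET /page-2.html HTTP/1.1" 404 221 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2008:13:55:42 +0200] "GET /page-3.html HTTP/1.1" 404 221 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2008:13:55:43 +0200] "GET /page-4.html HTTP/1.1" 404 221 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2008:14:01:02 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2008:14:01:05 +0200] "GET /old-page HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2008:14:01:09 +0200] "POST /index.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    counts, suspicious = summarize(SAMPLE_LOG)
    print(dict(counts))
    print("clients with many 4xx responses:", suspicious)
```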

Chapter 9, 'SSL for your Joomla! site', explains how to set up SSL for your site. It's a short chapter, and only a starting point for those who really want to use SSL. A very good decision of the author: nearly no-one will use SSL for their normal Joomla! site, and those who are interested can go through the interesting links given and find there (and at their hosting company) more information about setting up SSL for their website.

The last chapter is about incident management. It is actually a follow-up on chapter 2, where the testing and development environment is discussed. The chapter is especially useful for larger companies.

The appendix, or so-called 'Security Handbook', is very, very useful to have. A large part of the book is brought together here, including all the handy checklists, daily operations, useful code and tools. One suggestion: I would add the new Joomla! security feed to the daily operations list, http://feeds.joomla.org/JoomlaSecurityNews.

To conclude, this book is very useful to read through and keep as a reference. I expected much more of it about version 1.5.x. It seems like the book was initially written for 1.0.x, and a bit of information about 1.5.x was added later on. Or the author of the book is not really familiar with 1.5.x, and prefers to 'stick' with the 'good old' version.

If you are a large company that wants to secure its site, I would really suggest buying this book. For one-man website owners interested in security it's useful as well, although they have to keep in mind that some parts of the book are not useful in their situation.

You can purchase the book at http://www.packtpub.com/joomla-web-security-guide/book for £22.49.