We have discussed suPHP in a previous post, and explained why it should be avoided on Joomla websites: Apache must have full permissions on all files pertaining to Joomla (including core files), which leads to major security issues if there is even a tiny loophole in the Joomla instance.
In that post, we stated that you must use an alternative that is more secure – but we weren’t specific. In this post, we will be revealing that alternative, which is DSO…
DSO (which stands for Dynamic Shared Object) is, in our humble opinion, the best alternative to suPHP. Here’s why:
- It gives the system administrator the flexibility of choosing which files can be written by Apache, and which files can’t.
- The webserver will not return a 500 error message if Apache is not the owner of the file. Instead, the real filesystem permissions are applied. For example, if Apache has only read permission on a file, then it will only be able to read it. If Apache has write permission on a file, then it can (yes, you’ve guessed it) write to that file. In short, Apache doesn’t need to be the owner of a file in order to use it (read, write, or execute it).
- A corollary to the previous point is that Apache cannot change the permissions of the files to give itself the permissions it would need to hack the Joomla website (e.g. write access), because it simply isn’t the owner of these files.
So, in order to make your Joomla website hacker proof, here’s what you need to do:
- Switch to DSO. You can switch to DSO in WHM if you have a WHM based VPS, or you can ask your host to do that for you. Please note that some hosts (especially very large ones) may refuse to do that for you, particularly if you are on a cheap shared hosting plan.
- Change the ownership of all the files under your Joomla website to root. You can easily do that by logging in as root and issuing the following command:
chown -R root /absolute_directory_to_your_joomla_website
- Change the group ownership of all the files under your Joomla website to root. Again, this can be done with the following (similar to the above) command:
chgrp -R root /absolute_directory_to_your_joomla_website
- Change the permissions of all the files under your Joomla website to 444. This can be done by issuing the following command at the shell:
find /absolute_directory_to_your_joomla_website -type f -exec chmod 0444 {} \;
- Change the permissions of all the directories under your Joomla website to 755. This can be done by issuing the following command at the shell:
find /absolute_directory_to_your_joomla_website -type d -exec chmod 0755 {} \;
- Give Apache write permissions to the following directories only:
  - cache
  - images
  - logs
  - tmp
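The whole procedure above, as an added example script that is not part of the original post, together with an audit function that reports any path whose permissions are wider than the scheme allows. Two things are assumptions of ours rather than statements from the post: the name of the group the Apache worker runs as (passed in as WEB_GROUP; on many servers it is "apache" or "nobody"), and how the four directories are made writable, which the post does not spell out (we make them group-owned by that group and group-writable, with root kept as owner so Apache cannot widen the permissions itself).

```shell
#!/bin/sh
# Added example script (not from the original post): applies the DSO file
# permission scheme described above to a Joomla tree, then audits the tree for
# anything wider than the scheme allows.
#
# Assumptions not stated in the post:
#   - the Apache worker runs under a dedicated group (WEB_GROUP, e.g. "apache"
#     or "nobody"; the real name depends on the server);
#   - "write permission for Apache" on cache/images/logs/tmp is granted by
#     making those subtrees group-owned by WEB_GROUP and group-writable
#     (directories 0775, files 0664). root stays the owner, so Apache can
#     write there but cannot chmod its way to wider access.

# Directories the post says Apache must be able to write to.
WRITABLE_DIRS="cache images logs tmp"

# harden_joomla_tree ROOT OWNER GROUP WEB_GROUP
#   ROOT        absolute path of the Joomla installation
#   OWNER/GROUP owner and group for the whole tree (the post uses root/root)
#   WEB_GROUP   group the Apache worker runs as (assumed name)
harden_joomla_tree() {
    root=$1 owner=$2 group=$3 web_group=$4
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }

    # Steps 2-5 of the post: ownership, files 0444, directories 0755.
    chown -R "$owner" "$root"
    chgrp -R "$group" "$root"
    find "$root" -type f -exec chmod 0444 {} \;
    find "$root" -type d -exec chmod 0755 {} \;

    # Step 6: the four directories Apache writes to (assumed group scheme).
    for d in $WRITABLE_DIRS; do
        [ -d "$root/$d" ] || continue
        chgrp -R "$web_group" "$root/$d"
        find "$root/$d" -type d -exec chmod 0775 {} \;
        find "$root/$d" -type f -exec chmod 0664 {} \;
    done
}

# audit_joomla_tree ROOT
#   Prints one line per path that is wider than the scheme allows and fails
#   (non-zero) if there is any; succeeds silently on a clean tree. Useful as a
#   periodic check on the production site, where nothing should drift.
audit_joomla_tree() {
    root=$1
    report=$(
        # Nothing in the tree may be world-writable.
        find "$root" -perm -o+w | sed 's/^/world-writable: /'
        # No file should carry an execute bit (PHP is run by Apache's handler,
        # not executed by the filesystem).
        find "$root" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) \
            | sed 's/^/executable file: /'
        # Group-writable paths are allowed only inside the four directories.
        find "$root" -perm -g+w | while IFS= read -r p; do
            ok=0
            for d in $WRITABLE_DIRS; do
                case "$p" in "$root/$d"|"$root/$d"/*) ok=1 ;; esac
            done
            [ "$ok" -eq 1 ] || echo "group-writable outside allowed dirs: $p"
        done
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Usage (as root):  sh harden_joomla.sh /absolute_directory_to_your_joomla_website apache
if [ "$#" -ge 1 ]; then
    harden_joomla_tree "$1" root root "${2:-apache}"
    audit_joomla_tree "$1"
fi
```

Run it once as root after switching to DSO, then keep running the audit on the production site: with the scheme in place, any path the audit reports is something that was changed after hardening and is worth looking at.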
Once you apply the above, you will have a secure website that cannot be hacked. Unfortunately, there is a tradeoff for security, which is functionality (yes, there is no such thing as a complete panacea in any web environment). You will soon realize that you can no longer install extensions: extensions are installed from the backend of your Joomla website, which runs as the apache user, and the apache user does not have write access to any of the directories that host extensions, including, but not limited to, the following directories:
- /administrator/components
- /administrator/modules
- /administrator/language
- /administrator/templates
- /components
- /modules
- /language
- /plugins
- /templates
So, how can you overcome this problem?
Well, the only solution is to have two Joomla instances: one for development (where the apache user has full permissions on all directories), and one for production, where the apache user has limited access (as described above). If you want to install an extension, you install it on the development website, test it, and then sync the database and the filesystem of the production website with those of the development website. We consider this process the best way to ensure that your Joomla website is always secure and clean.
We do recognize, however, that implementing the above process is not that easy, especially if your production website receives a lot of updates, and that’s where we can help! All you need to do is to contact us, and you can rest assured that we’ll help you make your Joomla website a very secure and stable website. Shoot us an email or give us a call, we’re fast, we’re professional, we’re highly experienced in Joomla, and we don’t charge much!