
"JOOMLA WEB SECURITY" BOOK REVIEW

Title: Joomla! Web Security
Language: English
Paperback: 248 pages [191mm x 235mm]
Release date: October 2008
Author(s): Tom Canavan
Publisher: Packt Publishing

For all the pluses Joomla! gets, there is a big downside to it: the more third-party modules and components you install, the more vulnerable it gets and the more time you have to spend checking it.

The Joomla! Web Security book that Packt Publishing released at the end of 2008 came in handy. It discusses the vulnerability and security part of Joomla! and teaches you how to ensure a solid CMS installation.

What pleasantly struck me while reading it was the fact that the author brings light not only to various methods of patching your Joomla! installation but also to server prerequisites. For example, the book starts with advice on choosing a suitable host for your needs, on what to ask your hosting provider for and choosing between shared and dedicated hosting.

There's the usual .htaccess and Register Globals talk that you can find on any Joomla! forum and that every Joomla! administrator must know, but there's also a wide range of PHP variables the author suggests you can insert in your own php.ini for further hardening the security of the website. 

There's a lot of good advice in this chapter, but Tom Canavan takes things just a little bit out in the Twilight Zone when he suggests you could also ask your hosting provider if the staff has criminal records, if the company has a terrorism response plan or if the windows of the facility are shatter-proof. I can't really imagine someone talking with the hosting company over the phone about these things and not getting at least three seconds of silence from a surprised operator.

Chapter two discusses testing and development and advises you to set up a secondary installation, a mirror image of the first one that you'll be using as a test server. I never thought this to be important as I always took the risk path in testing a new component, but after reading this chapter I must say the technique is worth the extra effort. It may save you countless hours of restoring from backup and fiddling with config files on the client's website.

There's a set of tools you can use to stress-test your Joomla! installation and they are all covered, complete with screenshots and recommended settings. From scanning server ports to checking third-party components, it's all there in the next chapter of the Joomla! Web Security book. There's even talk about Wireshark and packet sniffing.

Chapter four discusses vulnerabilities and how to fight them. From memory corruption to SQL injections to remote file inclusion techniques - each method is described and advice is given to stop an attack, should one happen. I found this part very interesting as I've had such problems in the past and it took a while to deal with them.

Chapter six deals with actual methods of breaking into a Joomla! site and gives countermeasures you can take to avoid a defacement. Disaster recovery is the part where most people make mistakes and restore their website from backup without actually dealing with the security holes that got them in that certain situation.

The next part of the book is dedicated to the php.ini and .htaccess files and further analyzes these two, giving example configurations. I learned a great deal of new stuff here. For example, the book teaches you how to block access to your website during specific hours of the day if your logs show you that during that time someone is trying to break in. 

Chapter eight deals with how to read log files and how to interpret PHP error messages and also describes a set of tools you could use to do this.

The last part of the book discusses the importance of SSL, how to obtain a certificate and what to do if, by any chance, your site gets broken into.
 

Conclusion

Technical books can sometimes be boring, especially when they talk about things you already know. This is not the case with Joomla! Web Security. I enjoyed Tom Canavan's detached writing style and I learned some interesting things that I applied to all my Joomla! websites. What I especially liked was the fact that the book discusses not only the Joomla! part of a website but also the server side and gives some nice hosting tips. If you're a junior or intermediate Joomla! user I would highly recommend it.

 

 
