Setting up a website with both Magento and Joomla! can not only be more than a day's job, it can also introduce new security risks. Primarily, a risk in one application (Magento or Joomla!) could endanger the other application. Here we discuss which security measures could (or should) be taken in both Joomla! and Magento to secure the lot.
Separating Joomla! and Magento
Our advice is that every risk should be managed separately: Joomla! and Magento should be installed in separate spaces, allowing you to optimize the security of each application as much as possible. Our advice is to install both applications into their own subdomain within their own Virtual Host.
More importantly: the PHP setting "open_basedir" should be active and should prevent file-level access from Joomla! to Magento and vice versa. If no "open_basedir" value is set, you are not protected.
It is also recommended to separate the applications at UNIX level through user permissions. By using a different UNIX user for the Magento website than for the Joomla! website, things become more secure. To facilitate this with Apache, solutions like suPHP, mod_ruid or suexec need to be in place.
Filter hack attacks
Joomla! 1.5 ships with a .htaccess file which blocks common attacks on Joomla! sites. Though some of these attacks were only targeted at Joomla! 1.0 sites, it is still recommended to block them at an early stage. At the moment, such filters are not available for Magento (whether needed or not).
The same filtering (done by .htaccess) could be accomplished at the hosting level as well by installing Apache mod_security. We do not recommend implementing the full set of filters as available from the mod_security project, but recommend reviewing all rules carefully before putting them to use.
Generic PHP settings
The following PHP settings need to be reviewed for increased security (but perhaps decreased functionality):
- safe_mode: PHP Safe Mode is outdated and should be turned off
- expose_php: This displays sensitive details about the PHP version and should be turned off
- display_errors: We recommend setting Error Reporting within the Joomla! Global Configuration to "None", which overrides this setting. In Magento this setting is turned off by default.
- register_globals: This setting is outdated and should be turned off in all cases
- file_uploads|allow_url_fopen: Regarding security it would be better to turn off these settings, but looking at functionality it is best to leave them enabled.
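The following Apache configuration is an added example (not MageBridge's or Yireo's own configuration) that puts the two sections above together: one Virtual Host per application, each with its own open_basedir fence, the hardened PHP settings from the list, and its own UNIX user. It assumes PHP runs as mod_php with mod_ruid2 loaded, and the hostnames, paths and user names are placeholders.

```apache
# Added example. Assumes mod_php (php_admin_* directives only apply there; with
# suPHP or suexec the same values go into a per-site php.ini instead) and the
# mod_ruid2 directive RUidGid for per-vhost UNIX users.

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/joomla/htdocs

    # Joomla! may only touch its own tree. The trailing slash matters: without it
    # "/var/www/joomla" would also match "/var/www/joomla-backup".
    php_admin_value open_basedir "/var/www/joomla/"
    # Keep uploads and sessions inside the fence, so no shared /tmp is needed.
    php_admin_value upload_tmp_dir "/var/www/joomla/tmp"
    php_admin_value session.save_path "/var/www/joomla/sessions"

    # Generic hardening from the PHP settings list
    php_admin_flag safe_mode Off
    php_admin_flag expose_php Off
    php_admin_flag display_errors Off
    php_admin_flag register_globals Off

    # Run this site's PHP as its own UNIX user (assumes mod_ruid2)
    RUidGid joomla joomla
</VirtualHost>

<VirtualHost *:80>
    ServerName shop.example.com
    DocumentRoot /var/www/magento/htdocs

    # Magento gets the mirror image: a file-inclusion or path-traversal flaw in
    # Magento cannot read Joomla!'s configuration.php, and vice versa.
    php_admin_value open_basedir "/var/www/magento/"
    php_admin_value upload_tmp_dir "/var/www/magento/tmp"
    php_admin_value session.save_path "/var/www/magento/sessions"

    php_admin_flag safe_mode Off
    php_admin_flag expose_php Off
    php_admin_flag display_errors Off
    php_admin_flag register_globals Off

    RUidGid magento magento
</VirtualHost>
```

To verify the fence from inside each site, a one-line PHP script calling ini_get('open_basedir') should return only that site's path; an empty string means the directive did not take effect.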
Do NOT disable Magento session validation
In Magento 1.3, a new feature was introduced to secure sessions (cookies) a bit more. Magento added checks for the remote IP address, the referer and the browser type. While there are discussions on the Internet that doubt the effectiveness of these methods, if you are not a security expert willing to take this risk, do not disable these settings!
On SSL usage
A good webshop cannot exist without SSL. However, a default MageBridge setup will require SSL certificates for both Joomla! and Magento. More information about SSL can be found in a separate guide.