MageBridge Security Guide
Setting up a website with both Magento and Joomla! can not only be more than a day's job, it can also introduce new security risks. Primarily, the risks in one application (Magento or Joomla!) could endanger the other. Here we discuss which security measures could (or should) be taken in both Joomla! and Magento to secure the lot.
Separating Joomla! and Magento
Our advice is that every risk should be managed separately: Joomla! and Magento should be installed in separate spaces, allowing you to optimize the security of each application as much as possible. Our advice is to install both applications in their own subdomain within their own Virtual Host.
More importantly: the PHP setting "open_basedir" should be active and should prevent file-level access from Joomla! to Magento and vice versa. If you do not have an "open_basedir" value set, you are not protected.
It is also recommended to separate the applications at the UNIX level through user permissions. By using a different UNIX user for the Magento website than for the Joomla! website, things become more secure. To facilitate this with Apache, solutions like suPHP, mod_ruid or suexec need to be in place.
Filter hack attacks
Joomla! 1.5 ships with a .htaccess file which blocks common attacks on Joomla! sites. Though some of these attacks were only targeted at Joomla! 1.0 sites, it is still recommended to block any of these attacks at an early stage. At the moment, such filters are not available for Magento (whether needed or not).
The same filtering (done by .htaccess) could also be accomplished at the hosting level by installing Apache mod_security. We do not recommend implementing the full set of filters as available from the mod_security project, but recommend reviewing all rules carefully before putting them to use.
Generic PHP-settings
The following PHP settings need to be reviewed for increased security (but perhaps decreased functionality):
- safe_mode: PHP Safe Mode is outdated and should be turned off
- expose_php: This exposes sensitive details about the PHP version and should be turned off
- display_errors: We recommend setting Error Reporting within the Joomla! Global Configuration to "None", which overrides this setting. This setting in Magento is by default turned off.
- register_globals: This setting is outdated and should be turned off in all cases
- file_uploads / allow_url_fopen: Regarding security it would be better to turn off these settings, but for functionality it is best to leave them enabled.
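As an added example (not part of this guide or of MageBridge itself), the following Python script parses a php.ini and reports the settings listed above that are still in their risky state, and also flags a missing open_basedir, the separation check from the first section. The php.ini sample is constructed; Unix ":" path separators are assumed.

```python
# Audit a php.ini against the settings discussed in this guide.
# Directive names and the recommended state come from the guide;
# the sample ini below is constructed for this example.

# Directive -> recommended state. None means "must be set to a non-empty value".
EXPECTED = {
    "safe_mode": "off",
    "expose_php": "off",
    "register_globals": "off",
    "display_errors": "off",
    "open_basedir": None,
}

# Values PHP treats as "off" for boolean ini directives.
PHP_OFF = {"", "0", "off", "false", "no", "none"}

def parse_php_ini(text):
    """Return {directive: value} from php.ini-style text; the last assignment wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, ';' comment lines and [Section] headers.
        if not line or line.startswith(";") or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not value.startswith('"'):
            value = value.split(";", 1)[0].strip()  # drop a trailing inline comment
        settings[key.lower()] = value.strip('"')
    return settings

def audit(settings):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for directive, expected in EXPECTED.items():
        value = settings.get(directive, "")
        if expected is None:
            if value.lower() in PHP_OFF:
                findings.append(f"{directive} is not set: no file-level separation")
        elif value.lower() not in PHP_OFF:
            findings.append(f"{directive} = {value!r}, should be Off")
    return findings

def audit_ini(text):
    return audit(parse_php_ini(text))

SAMPLE_INI = """\
[PHP]
; constructed sample, not a real server's php.ini
safe_mode = Off
expose_php = On
register_globals = Off
display_errors = Off
open_basedir =
"""

if __name__ == "__main__":
    for finding in audit_ini(SAMPLE_INI):
        print(finding)
```

Run it against a copy of the php.ini that the Joomla! and Magento Virtual Hosts actually load; an empty result means all of the guide's checks passed.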
Do NOT disable Magento session validation
In Magento 1.3, a new feature was introduced to secure sessions (cookies) a bit more. Magento added checks for the remote IP address, the referrer and the browser type. While there are discussions on the Internet that doubt the effectiveness of these methods, if you are not a security expert willing to take this risk, do not disable these settings!
On SSL-usage
A good webshop cannot exist without SSL. However, a default MageBridge setup will require SSL certificates for both Joomla! and Magento. More information about SSL can be found in a separate guide.
Created on Wednesday, 12 August 2009. Modified on Wednesday, 22 December 2010.
