Discussing Security & Updates With Francis

Who better to discuss the importance of your hosting plan’s integrity than the person that makes sure that our servers maintain high-level performance, are always available and are up to date on latest security protocols? We discuss security with Francis.

Let’s talk about Content Management System (CMS) security. The internet encountered an impressive wave of Joomla 1.5.x hacking in the past month. What explains this sudden new wave?

This type of surge occurs each time new security vulnerabilities are found, whether with Joomla, WordPress, Drupal, their additional modules or even their themes. The word spreads over the web rather quickly, and botnets start trying to find vulnerable installations in order to exploit them.

When it comes to the recent Joomla 1.5.26 exploitation wave, because it is an older version, whatever usually happens happened. As soon as you deal with older versions of a software, you have to expect that vulnerabilities come up more and more often, especially for versions that are no longer supported by the CMS developers in question, which is the case for Joomla 1.5.x. For that reason alone, it is primordial to maintain your CMS updated as soon as a new version is made available.

For more information on the Joomla 1.5.x problematic, the Sucuri.net blog put out a very interesting article that covers the issue well: http://blog.sucuri.net/2014/03/jce-joomla-extension-attacks-in-the-wild.html

You mention frequent updates. Is there a way for our customers to be made easily aware of recent available updates for their CMS?

I highly recommend using the One-Click (Softaculous) module offered with all our hosting plans. It allows the centralized management of 200 applications, and contains all updates for these softwares almost as soon as they come out.

If our customers made a manual installation of a CMS like Joomla or WordPress, they can import its management to Softaculous. We also have an online tutorial for new installations.

The person that manages their web hosting space is in most part responsible for the security of their website. But what is Funio’s contribution in that equation?

By putting the right security-oriented tools on our servers, we try (as much as possible) to limit the problems our customers can encounter. For example, mod_security filters http requests in order to eliminate most of the common request sequences attributed with hacking behaviours. CSF and Fail2Ban block IP addresses that try to make brute force attacks.

When a CMS is not kept up to date, that can create a lot of operations for us and for our customer. Here’s an example of a typical scenario.

A customer uses an old vulnerable version of Joomla for their website. Malicious code is injected into the site through a known vulnerability, and now it is being used to send out spam and host a phishing page. The customer will notice the problem because their site will be down; our IT team will receive notification of a mail server load due to the large abnormal amount of emails being sent from the server, or will receive abuse complaints.

To solve such a situation, you need to first make a backup restore. Even though Funio keeps over 7 days of backups for a site, it is the customer’s responsibility to have their own copy that can be submitted to us. After the restoration, the customer will have to update the software that was compromised as quickly as possible, or else the site remains at risk.

Regardless of all the effort put into accompanying and guiding our customers, a properly functioning website is still the responsibility of the person that has created or manages the site. Funio cannot be held responsible for the abusive use of a website.

“Heartbleed”: What is your opinion on this subject?

Heartbleed was a phenomena completely different than any other major problem that has been seen in the past. A major vulnerability was found in the OpenSSL library. The impact is significant because it is found everywhere, from media centres to routers, to smartphones and tablets: nothing was spared. People will have to be very attentive in order to keep all their gadgets updated and remain protected!

Here at Funio, we reacted rapidly when this vulnerability was made public. In less than 12 hours, all our servers were up to date and our SSL certificates reissued in less than 24 hours. All our tests did not reveal any intrusion either.

I believe that the Funio article that was put up in regards to Heartbleed summarizes my own opinion.

Closing Statement

I would like to thank Francis for taking the time to discuss security with us. If you have only one thing to remember from this discussion: keep your CMS up to date!

Published on at by in: Funio, Web Hosting

Funio Community

Funio on Google+