
3 Security

This chapter is divided into four sections:

3.1 What is Real Website Security?

3.2 First Ten Steps to Website Security

3.3 Second Ten Steps to Website Security

3.4 Manage Your Website Security Over Time

In Section 3.1, What is Real Website Security?, we explain why we, as website owners, need to radically change the way we think about website security.

In Section 3.2, First Ten Steps to Website Security, we outline the first ten essential steps for increasing the security of our website.

In Section 3.3, Second Ten Steps to Website Security, we describe the second ten steps for increasing the security of our website.

In Section 3.4, Manage Your Website Security Over Time, we provide a process for maintaining the security of websites over time, including how to monitor and analyze attacks on your website.

3.4 Manage Your Website Security Over Time

In our final section on website security, we will review several important steps to take to protect our website from hackers on an ongoing basis. These steps include the following:

1. Keep your Joomla version up to date.

2. Keep your Joomla extensions up to date.

3. Review Joomla Error logs periodically.

4. Review hacking attempt logs periodically.

5. Scan your website(s) periodically with simple free scanning tools.

6. Set up a backup and recovery process.

7. Limit the email accounts associated with your website.

8. Keep learning about Joomla Website Security.

9. Join or create a Joomla User Group in your community.


We will briefly review each of these steps.

1. Keep your Joomla version up to date
Joomla versions change every few months. Sometimes a new version is released to add features. But often a version is released in response to the discovery of a new hacker attack method. You will hopefully receive an email from Joomla alerting you to the security threat and advising you to update your Joomla version as quickly as possible. It is easy to update your website. Just log into your administrator panel and wait a few seconds. A notice will appear providing a link to the Joomla Update page.

Click on Update Now. Then click Install Update. If there is any problem with the update, you can search for the problem and how to fix it. Often, update problems can be solved simply by clearing your browser cache and your Joomla caches. These issues are typically addressed on the Joomla Community Forums. To reach the official Joomla forum, from your Joomla Admin panel, click on Help, Official Support Forum. Here is the direct link:
https://forum.joomla.org/


Why doesn’t Joomla update automatically?
The reason Joomla does not recommend automatic updates is that an update can create one of several major problems for your website or website extensions. Each of these problems can be fixed. But each may require you to take certain manual steps. In addition, cron jobs in cPanel (which would be needed for automatic updates) are very complex. If you make a mistake in the script, you can wind up losing all of the data in your Joomla database. This is why Joomla recommends that updates be done manually under the direction of a real person.

2. Keep your Joomla extensions up to date
Joomla also offers a system for updating extensions. When you log into your Joomla backend, you may see the following notice.


Click on View Updates and then Install Updates. Then clear the caches and view the front end of your website to make sure everything still works after performing all of your updates. For this system to work well, you should plan on visiting the backend of your website at least once a week. The remaining tasks should be done about once per month.

3. Review Joomla Error logs periodically
Modern websites are extremely complex. With more than 4000 files and folders and more than two dozen extensions, it is common for errors and conflicts to occur. These errors are typically not displayed on the front end of our website. But they are recorded in error logs and include the exact lines in the code where the error is occurring. Error logs are also useful for determining the date, time and location of many common hacker attacks.

To reach your Joomla error logs, you could log into your cPanel account and open the File Manager. But a quicker way is to install a File Manager in your Joomla backend so you can reach it without logging into cPanel. We will add a free tool called Profiles. Click on Help, Joomla Extensions. Then enter Profiles in the search box.

Here is a direct link to this extension:
https://extensions.joomla.org/extensions/extension/core-enhancements/file-management/profiles

Click Download. Then click Download again. Transfer this folder to your website extensions folder and install it with Extensions, Manage, Install. Then open it by going to Components, Profiles. Click on the File Manager tab. Then scroll down past the Joomla folders to the Joomla files. One of them will be called error_log. Click on it to select it. Then click Download to download it to your computer. Open it and read it. Here is an example of an error log.

[17-Dec-2016 12:10:42 America/Vancouver] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; plgSystembfstop has a deprecated constructor in /home/createnews/public_html/plugins/system/bfstop/bfstop.php on line 18


This is not a critical error and will hopefully be fixed in a future version of BF Stop. Once you have read all of the errors and determined that there are no hacks here, delete the error log file from your downloads folder and delete the file from your Joomla file manager. The next time there is an error, the log file will reappear.

We should also look at the Joomla Administrator Error log while we are here. Click on the Administrator folder. Then click on the error_log file to select it. Then click Download to download it. Then read it. Then delete it and delete the file in the backend with your File Manager.
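Reading the error_log by hand works for a small site, but the same read-through can be made repeatable. The following Python example is added here and is not part of the original page or of the Profiles extension: it parses entries in the error_log format shown above, counts them by level, and flags the few patterns worth a closer look. The sample log (apart from the first entry, which is the one quoted above), the indicator heuristics and the function names are my own constructions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample error_log. The first entry is the one quoted on the page;
# the other three are hypothetical entries of the kinds such a log commonly holds.
SAMPLE_LOG = """\
[17-Dec-2016 12:10:42 America/Vancouver] PHP Deprecated:  Methods with the same name as their class will not be constructors in a future version of PHP; plgSystembfstop has a deprecated constructor in /home/createnews/public_html/plugins/system/bfstop/bfstop.php on line 18
[17-Dec-2016 12:11:03 America/Vancouver] PHP Warning:  include(../../../../wp-config.php): failed to open stream: No such file or directory in /home/createnews/public_html/index.php on line 40
[17-Dec-2016 12:11:03 America/Vancouver] PHP Notice:  Undefined index: option in /home/createnews/public_html/templates/protostar/index.php on line 22
[18-Dec-2016 03:45:10 America/Vancouver] PHP Warning:  shell_exec() has been disabled for security reasons in /home/createnews/public_html/images/stories/x.php on line 3
"""

# One entry: [date time zone] PHP <level>:  <message> in <file> on line <n>
# (PHP 7 fatal errors use "<file>:<n>" instead of "on line", so both are accepted).
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) (?P<tz>\S+)\] "
    r"PHP (?P<level>Deprecated|Notice|Warning|Fatal error|Parse error):\s+"
    r"(?P<msg>.*?)"
    r"(?: in (?P<file>/\S+?)(?: on line |:)(?P<line>\d+))?$"
)


def parse_line(line):
    """Return a dict for one log entry, or None for a line that is not an entry."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    entry["when"] = datetime.strptime(entry["ts"], "%d-%b-%Y %H:%M:%S")
    entry["line"] = int(entry["line"]) if entry["line"] else None
    return entry


def parse_error_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def indicators(entry):
    """Heuristic reasons an entry deserves a closer look. These are hints, not
    proof of compromise: a plugin's deprecation notice is noise, but a traversal
    path inside include(), a call to a command-execution function, or PHP running
    from the images folder are how many attacks first show up in this log."""
    found = []
    msg = entry["msg"]
    path = entry["file"] or ""
    if "../" in msg:
        found.append("path traversal in message")
    if re.search(r"\b(eval|base64_decode|system|shell_exec|passthru)\s*\(", msg):
        found.append("code-execution function referenced")
    if re.search(r"/(images|tmp|cache|logs)/.*\.php$", path):
        found.append("PHP file executing from an upload or scratch directory")
    return found


def triage(text):
    """Summarise a whole log: totals per level plus the flagged entries with
    their date, time and file, i.e. the 'when and where' of a suspected attack."""
    entries = parse_error_log(text)
    by_level = Counter(e["level"] for e in entries)
    flagged = [(e["when"].isoformat(), e["file"], indicators(e))
               for e in entries if indicators(e)]
    return {"total": len(entries), "by_level": dict(by_level), "flagged": flagged}


if __name__ == "__main__":
    for when, path, why in triage(SAMPLE_LOG)["flagged"]:
        print(when, path, "; ".join(why))
```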

4. Review hacking attempt logs periodically
Notices of hacking attempts will be sent to your secure email address on nearly a daily basis. You will be surprised at how often hackers are trying to get into your website. These emails should be reviewed periodically. Here is one example caught by Marco Interceptor:

Local File Inclusion $_GET['files'] => ../../../../wp-config.php
* Local File Inclusion $_REQUEST['files'] => ../../../../wp-config.php
** PAGE / SERVER INFO
*REMOTE_ADDR : 62.210.111.127
*REQUEST_METHOD : GET
*QUERY_STRING : files=../../../../wp-config.php
** SUPERGLOBALS DUMP (sanitized)
*$_GET DUMP:


This was someone thinking my website was a Wordpress website and wanting to get the configuration file to begin an attack. Here is an email from BF Stop:


Blocked IP Address 5.254.97.99 because there were too many unsuccessful login attempts in a short time on http://. These are all the attempts from that address that were recorded:
Username                  IP-Address      Date and time        Origin
-------------------------------------------------------------------------------------------------
admin                     5.254.97.99     2016-12-06 18:28:44  Backend
admin                     5.254.97.99     2016-12-06 18:28:50  Backend
admin                     5.254.97.99     2016-12-06 18:28:54  Backend
admin                     5.254.97.99     2016-12-06 18:28:57  Backend
admin                     5.254.97.99     2016-12-06 18:29:00  Backend



This is a hacker trying a brute force attack assuming my administrator user name is admin. We could add the IP address to our blacklist. But these happen so often from so many IP addresses that it would be easier to block entire countries. To determine which country this IP address is associated with, go to the following site.
http://whatismyipaddress.com/ip-lookup

Then copy and paste the IP address from your email into the Lookup box.


This one comes from Romania, but it is really a proxy server for some other location. Click on Blacklist check and you will see that this address is not yet blacklisted. Each country has a two-letter country code that you can determine by going to the following link:
http://www.webopedia.com/quick_ref/topleveldomains/countrycodeA-E.asp

The extension for Romania is RO. We will add this to our list of blocked countries with Spam Protect Factory.



5. Scan your website(s) periodically with simple free scanning tools.
There are several simple free website scanning tools that do not require you to register your site with them. The most popular free website security scanner is offered by Sucuri. You can do a quick test for malware, website blacklisting, injected spam and defacements just by entering your website URL in their scanner.
https://sitecheck.sucuri.net/?clickid=xsmTwgzAGyG-VNbxd83A2zfCUkkVSr0kExWZxk0


You can also scan your site at two other websites. However, be aware that these scans are not perfect. Your site can be hacked and still get a clean bill of health at these scanning sites.
https://quttera.com/
https://app.webinspector.com/


6. Set up a backup and recovery process
As we have previously described, our preferred method of making backups is through the cPanel Softaculous process. We can quickly make backups and download them to our computer. Just as important, we can reload the backup file and easily roll back our website to a previous date. I make a backup of each site after every major update. For some websites, this might be once a month. For others, it might be once a year. How often you back up your site thus depends on how much content you put on your site and how much it changes over time.

7. Limit the email accounts associated with your website
All email accounts are hosted through a website that is connected to a server. One of the factors that cost Hillary Clinton the election in 2016 was that she suffered not just one but two major email server security scandals. First, she had her State Department emails hosted on an extremely insecure Windows server located in her basement. Her home brew server was so insecure that it was easily broken into with all of its emails and other documents downloaded and then posted on Wikileaks.

Failing to learn from this lesson that website security must be taken seriously, her Presidential campaign was run through insecure servers at the Democratic National Committee (DNC). More than 400 people had email accounts associated with the DNC server. One of them, John Podesta, fell victim to a “phishing” attack which allowed the hackers access to the servers simply because he downloaded a hidden malware file to the server. This allowed hackers to download all of the extremely damaging emails confirming that the DNC had colluded with the Clinton campaign in a plot against Bernie Sanders. This revelation angered millions of Bernie supporters who refused to vote for Clinton, costing her the election in swing states. (Wikileaks claims that it was not a hack but a leak, as a DNC insider gave them the emails.) Either way, allowing 400 people to have access to your website server is asking for trouble. It does not take a Russian government hacker to attack either Clinton’s private server or the DNC server. Any teenager can learn how to do a phishing attack in less than one day.

As we explained earlier, servers and websites and anything connected to the Internet are attacked all the time. It is very likely that the DNC server was being subjected to hundreds of attacks from all kinds of people every day. The solution is not blaming the Russians. It is simply to take basic precautions.

A much better option for any organization with more than five members is to have all of these email accounts hosted by an encrypted email provider like ProtonMail. You can still have custom email addresses at your own domain. However, the actual emails are hosted on the ProtonMail servers and encrypted so that not even ProtonMail can read them. The cost of this service is only a few dollars a month. Given that Clinton spent about one billion dollars on her Presidential campaign, and given the widespread and well known prevalence of hacking attacks these days, it was extremely irresponsible not to take this basic safety precaution.

It is just as bad to use a Prism partner like Yahoo or Gmail for important email accounts. Yahoo had one billion accounts hacked. Gmail also has a tracking tool which reads all of your emails (and likely forwards all of them to the NSA). By contrast, ProtonMail does not read your emails. What every organization should learn from this disaster is to limit the number of email accounts on their servers and to put better firewalls between these accounts. Ultimately a fully encrypted solution on a well protected server like ProtonMail is the safest option.

8. Keep learning about Joomla Website Security
One of the best ways to keep up to date with Joomla security issues is to periodically read the Joomla Community Forum.
https://forum.joomla.org/

Scroll down to the section called Security in Joomla 3X.



There are a series of articles pinned to the top of this forum. Read all of them before posting.

9. Join or create a Joomla User Group in your community
This final point is the most important. Real website security is not a set of tools or even a process. Instead, it comes from building a community of friends interested in website security. Joomla has what it calls Joomla User Groups all over the world. To find out if there is a group near you, go to

https://community.joomla.org/user-groups.html


As you can see, Joomla is very popular in Europe as it works well for multi-language websites. Also Europeans seem to care more about website security than folks in the US. Click on North America to see a more detailed map of Joomla User Groups in North America:


Clicking on one of these local buttons will allow you to contact the leader of your local group. If there is not a group near you, consider starting one! This completes our article on real Joomla Security. In the next article, we will describe some revolutionary new tools for customizing the appearance of your Joomla website.

3.3 Second Ten Steps to Website Security

In this section, we will describe ten more important steps for creating a secure Joomla website. Here is a list of these ten steps:

#1 Hide the Front End Log In Form

#2 Change Joomla Global Configurations

#3 Download and Install Free Joomla Encryption Tool (if not using Let’s Encrypt)

#4 Download and Install Brute Force Stop

#5 Download and Install Marco SQL Injection Monitor

#6 Download and Install Spam Protect Factory

#7 Download and Install Eyesite File Monitoring Tool

#8 Replace the Default Joomla Templates with the Sparky Template Framework

#9 Delete the Joomla Generator tag

#10 Create and Download a Site Backup in Cpanel

Below is a brief description of each of these steps.

#1 Hide the Front End Log In Form
We ended Section 3.2 by displaying the front end of our website with the Log In form displayed in the right side position. We will now hide this log in box to cut down on spammers and hackers. Log into the backend of our website with /administrator added to your website front end URL: https://ourinteractivewebsite.org/administrator

Then click Extensions, Modules in the top menu. Then select the Log In Form and click Unpublish. A red X will appear to the left of the Login Form.


Then click on the front end of the site again to verify that the log in module is now hidden. Here is what our site now looks like:



#2 Change Joomla Global Configurations
Our next task is to change the Global Configuration settings. In the Admin Panel, click on System, Global Configuration in the Top Menu. There are several changes we need to make here. First, change URL Rewriting from No to Yes. This will allow us to use Friendly URLs – but only do this if you have already enabled the .htaccess file. You can also add any keywords you want here. Next click on the System tab and increase the session lifetime from 15 minutes to 99 minutes. Then click on the Server tab. Change Force HTTPS from None to Entire Site. Then click Save and Close.



We are now ready to download and install several important free Joomla security tools.

#3 Install Free Joomla Encryption Tool (if not using Let’s Encrypt)
If your site does not have Let’s Encrypt (perhaps because you are using a web host that does not offer Let’s Encrypt), then the administrator log in page will be a huge security risk because it will not be encrypted. To encrypt your site log in pages, get a free encryption tool by clicking on Help, Joomla Extensions in the top menu. This will take us to the Joomla Extensions page.
https://extensions.joomla.org

Type encrypt configuration in the Search box. Then press Enter.


Then click on the Encrypt Configuration box.


Here is the direct link.
https://extensions.joomla.org/extensions/extension/access-a-security/site-security/encrypt-configuration


Click Download to go to the Download page. Then download the latest version, which is currently the Joomla 3 version. Transfer this extension from your Downloads folder to your website extensions folder. Then in the Joomla Admin panel, click on Extensions, Manage, Install.

Click Choose File. Then navigate to your website extensions folder and click on Encrypt configuration (com_encrypt) to select it. Then click Upload and Install. This free tool comes already configured, so we do not need to change any settings.

#4 Download and Install Brute Force Stop
From the Joomla Admin panel, click on Help Joomla Extensions again. This time enter Brute Force Stop in the Search Box. Then click on the Brute Force Stop box.

Here is the direct link to this free extension.
https://extensions.joomla.org/extensions/extension/access-a-security/site-security/brute-force-stop


Click on Download. This will download this free tool to your Downloads folder. Transfer it to your website extensions folder. Then install it by going to Extensions, Manage, Install. Click on Choose File. Then select bfstop. Then click Upload and Install.

Brute Force means attacking a website by systematically bombarding the login page with username and password combinations over and over again until a successful login occurs. It's very simple and extremely common. Even if you have a really good password, there is still the issue of all the extra traffic and bandwidth these attacks consume.

The Brute Force Stop (bfstop) tool monitors each failed login attempt and logs it to the database. If the number of failed login attempts exceeds the amount given in the configuration, the tool will prevent any further access to Joomla! from that IP address. This means the assumed attacker cannot try to log in anymore; he is blocked from accessing your whole Joomla! installation and only sees a (configurable) message that he has exceeded the number of allowed login attempts and is therefore banned. The ban can be configured to be either permanent or to last a specified time. In addition, BF Stop will notify you by email whenever there is a brute force attack on your website and provide you with the IP address of the hackers, so you can research who is attacking you and where the attacks are coming from.

To configure Brute Force Stop, go to Extensions, Plugins and scroll down to System - Brute Force Stop in the list. You might have to scroll down in the list or go to one of the next pages to reach that entry. Most of the options can be left at their default values. The only thing that you must do to enable the plugin is to set its status to Enabled. We will lower the threshold from 10 attempts to 5 attempts and shorten the duration from 1 day to 30 minutes.


Then click on the Notification tab. Type in your secure ProtonMail email address and/or select yourself in the Select a User box.


Click on the Advanced tab and raise Permanent After from 3 to 5. Then click Save and Close. To see a log of these failed attempts, click Components, Brute Force Stop:


Click Settings to send yourself a Test Notification to make sure this system is working.
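To make the threshold, duration and Permanent After settings above concrete, and to show how the failed-login table in a BF Stop notification email (the one quoted in Section 3.4, step 4) is evaluated, here is an added Python example. It is my own model of that policy, not the bfstop extension's code: the sample table, the BruteForceGuard class and the replay helper are constructed for this illustration, and the page's settings (5 attempts, 30-minute window and block, permanent after 5 blocks) are its defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed table in the layout of the BF Stop notification email quoted in
# Section 3.4: five failed "admin" logins from one address within sixteen
# seconds, plus one hypothetical stray failure from a second address.
SAMPLE_TABLE = """\
Username                  IP-Address      Date and time        Origin
-------------------------------------------------------------------------------------------------
admin                     5.254.97.99     2016-12-06 18:28:44  Backend
admin                     5.254.97.99     2016-12-06 18:28:50  Backend
admin                     5.254.97.99     2016-12-06 18:28:54  Backend
admin                     5.254.97.99     2016-12-06 18:28:57  Backend
admin                     5.254.97.99     2016-12-06 18:29:00  Backend
editor                    203.0.113.7     2016-12-06 18:29:02  Frontend
"""

ROW_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<origin>\S+)$"
)


def parse_table(text):
    """Return (username, ip, datetime, origin) for each data row. The header
    and ruler lines do not match the row pattern and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m["user"], m["ip"],
                         datetime.strptime(m["when"], "%Y-%m-%d %H:%M:%S"),
                         m["origin"]))
    return rows


class BruteForceGuard:
    """Per-IP failed-login accounting with the policy the text configures:
    block after `threshold` failures inside `window`, keep the block for
    `block_for`, and make it permanent once an IP has been blocked
    `permanent_after` times."""

    def __init__(self, threshold=5, window=timedelta(minutes=30),
                 block_for=timedelta(minutes=30), permanent_after=5):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.permanent_after = permanent_after
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> expiry datetime, or None if permanent
        self.block_count = defaultdict(int)

    def is_blocked(self, ip, now):
        if ip not in self.blocked_until:
            return False
        until = self.blocked_until[ip]
        if until is None or now < until:
            return True
        del self.blocked_until[ip]          # temporary block has expired
        return False

    def record_failure(self, ip, when):
        """Register one failed login and return the resulting state:
        'allowed' (may keep trying), 'blocked' (temporary) or 'permanent'."""
        if self.is_blocked(ip, when):
            return "permanent" if self.blocked_until[ip] is None else "blocked"
        recent = self.failures[ip]
        recent.append(when)
        while recent and when - recent[0] > self.window:
            recent.popleft()                # forget failures outside the window
        if len(recent) < self.threshold:
            return "allowed"
        recent.clear()
        self.block_count[ip] += 1
        if self.block_count[ip] >= self.permanent_after:
            self.blocked_until[ip] = None
            return "permanent"
        self.blocked_until[ip] = when + self.block_for
        return "blocked"


def replay(text, guard=None):
    """Feed a notification table through the guard and return the state after
    each row, so you can see exactly which attempt tripped the block."""
    guard = guard or BruteForceGuard()
    return [(ip, guard.record_failure(ip, when)) for _, ip, when, _ in parse_table(text)]


if __name__ == "__main__":
    for ip, state in replay(SAMPLE_TABLE):
        print(ip, state)
```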


#5 Download and Install Marco SQL Injection Monitor
Another common type of attack is hackers trying to inject code into your database. To stop this kind of attack and email you when it occurs, we will install another free Joomla tool called Marco SQL Injection. To download this free tool, click on Help, Joomla Extensions. Then enter Marco SQL Injection in the search box. Then click on the box to open it. Here is a direct link to this free tool.
https://extensions.joomla.org/extensions/extension/access-a-security/site-security/marco-s-sql-injection

Click Download. Then scroll down the page and click on the latest version to download it. Transfer this tool from your Downloads folder to your website extensions folder. Then install it by going to Extensions, Manage, Install and selecting this tool. Then click Upload and Install. To configure this tool, go to Extensions, Plugins and scroll down to System - Marco's SQL Injection. Click on it to open it. Click Enable. Leave it set for Front End Only (or you may get locked out of your own site backend)! Change Send Alert Email from No to Yes and enter your secure email address in the next box. Also change Enable Temporary IP block from No to Yes. Then click Save and Close.

#6 Download and Install Spam Protect Factory
Blocking individual IP addresses used to work but not any more. Now hackers have access to hundreds of IP addresses. The solution is to block entire countries. We will next add a free tool to block the entire country of Ukraine. Click Help, Joomla Extensions. Then enter Spam Protect Factory in the search box. Then click on the box to open it.

Here is the direct link: https://extensions.joomla.org/extensions/extension/access-a-security/site-security/spam-protect-factory

Then click Download. Register. Then log in. Click on Products. Scroll down to Spam Protect Factory. Then click Free Download. Transfer this tool to your website extensions folder. Then install it with Extensions, Manage, Install. This tool is configured as a component rather than a plugin. So to set the configuration, go to Components, Spam Protect Factory. Then click on the Dashboard.


Click on the link in the blue box to enable the plugin. Then return to the dashboard and click on Options in the upper right corner. Then click on the Filters tab. Change IP Filter to Yes and Country Filter to Yes. Each country has a two-letter country code that you can determine by going to the following link:
http://www.webopedia.com/quick_ref/topleveldomains/countrycodeA-E.asp


The extension for Ukraine is UA.


Use country extensions not full country names. So for Ukraine type in UA.



Then click Save and Close.


#7 Download and Install Eyesite File Monitoring Tool
We will next install a file monitoring tool that will alert us by email if any files for our website are added, changed or deleted and tell us exactly which files were tampered with. To download this free security tool, click on Help, Joomla Extensions. Then type Eyesite in the search box. Click on the box to open it.



Here is a direct link to this tool.
https://extensions.joomla.org/extensions/extension/access-a-security/site-security/eyesite


Click Download. Then scroll down the page and download the User Guide and the Component. There is also a plugin that costs $8, but we do not really need it if we are willing to scan manually.


Then transfer these folders from your Downloads folder to your website extensions folder. Install the component with Extensions, Manage, Install. Then go to Components, Eyesite.



Click Configure and enter your secure email address to send notices to. Then click on Status and click on Scan Now.


Then click Accept All. You can scan your site manually from the Joomla admin interface, or buy the plugin to scan your site automatically at regular intervals.




#8 Replace the Default Joomla Templates with the Sparky Template Framework
Joomla uses templates to control the appearance of our Joomla website the same way that Wordpress uses themes to control the appearance of Wordpress websites. We will discuss templates in greater detail in the next chapter. For now, it is important to know that the default templates for Joomla (and the default theme for Wordpress) are a security risk, since hackers are very familiar with the file structure of these tools. Also, the default templates are very limiting in terms of how content is displayed. Thankfully, there is a very simple and flexible free Joomla template framework called Sparky. We will review it in greater detail in the next chapter. For now, click on the following link to learn about and download Sparky:
https://www.hotjoomlatemplates.com/sparky-joomla

Transfer Sparky from your downloads folder to your website extensions folder. Then install it with Extensions, Manage, Install.

We will eventually create several different versions of Sparky. To do this, we will make a copy of Sparky. Go to Extensions, Templates, Templates. Then click on Sparky Framework Details and Files. Then click Copy Template. We will name our copy Sparky2.


Click Copy Template. Repeat this process to make a copy called Sparky3. Then click Close. Then click Styles in the upper left corner.



We now have five templates, with Protostar set as the default or active template. Click on the Sparky2 template to open it. Then click on the Layout tab. Change the template width from 960 pixels to 96%. Then click Add Row three times. Drag the gray header1 box to the first row. Drag the gray top1 box to the second row and the red Joomla Content box to the third row. Drag the right edge of all three to the right to make them full width.


Click Save and Close. Then set Sparky2 as our default template. To see what this template looks like in the front end of our site, we will need to create a Welcome article for the Home page. Go to Content, Articles and click New. Call the article, Welcome to our Interactive Website! Type in a one sentence description and change Featured to Yes.



Then click Save and Close and view site.



To hide the author, category, published date and hits, go to Content, Articles, Options. In the next chapter, we will review how to add a header and menu as well as change the background colors of our Home page. We will eventually delete the two default Joomla templates. For now, we will keep them for educational purposes.


#9 Delete the Joomla Generator tag
Right click on our Home page. Then click View Page Source. You will see the following line:

<meta name="generator" content="Joomla! - Open Source Content Management" />

This Joomla generator tag is a security problem because we really do not want to make it so easy for hackers to learn that we are running a Joomla website. Thankfully, there is a free tool we can use to change this. The TJ Set Generator Tag plugin allows you to change the default Joomla! generator meta tag to anything you like. With this plugin you do not have to modify either the template's or Joomla!'s core files. Go to Help, Joomla Extensions and type in Set Generator Tag. Then click on the box to open it.


Here is a direct link to this free Joomla tool:
https://extensions.joomla.org/extensions/extension/site-management/seo-a-metadata/set-generator-tag


Click Download. Then Download. Then transfer the folder to your website extensions folder. Then install it with Extensions, Manage, Install. To configure this tool, go to Extensions, Plugins, and scroll down to the system plugins. Click on the TJ Set Generator plugin to open it. Enable the plugin and change the tag name to the name of your website.



Then click Save and Close and view site. Right click on the Home page to view the source code and confirm that the generator tag has changed. Hopefully, this will help us avoid being caught in a mass attack against Joomla websites.


#10 Create and Download a Site Backup in Cpanel
The final step in protecting our site is taking a backup of our site and downloading the file to our home computer. This way, if our site is hacked, we can roll it back to how it was today. We will do this now. But I normally do it after completely building the website. To make a site backup with cPanel, log out of your Joomla administrator panel. Then log into your Fullhost account. Then click on Services, Active. Then log into cPanel. Scroll down to Softaculous Apps Installer and click on it. Then click on Joomla Overview.

Then click on the Backups icon to open the backups page. Use the default settings and click Backup Installation. This will back up both the database and the file folders.

Then click on the Backups link.


We want to download this file in case our cPanel account is corrupted. Click on the blue arrow to download this folder. Then transfer the folder to a backups folder inside of our website root folder.



Then log out of cPanel and log out of your Fullhost account. This completes our initial security steps. In the next section, we will review steps you should take to keep your website secure over time.

3.2 First Ten Steps to Website Security

Now that we better understand the need for taking every possible precaution to protect our websites, we will provide a brief overview of the first ten essential steps for protecting our website. These steps are presented in the order that they are done – not the order of importance. All of the steps are important. Skipping any one of them will leave your website more open to attack. The NSA motto is “Collect Everything.” If we are going to have a secure website, our motto must be to “Protect Everything.”


Here is an overview of our first ten steps:

#1 Use a Secure Linux Computer to Build Your Website

#2 Use XNView to Batch Clean All of Your Images

#3 Use a Secure ProtonMail Email Address to Set Up your Hosting Account

#4 Use a Secure Canadian Linux Hosting Account such as Fullhost

#5 Use Strong Passwords for your Email Account, your Web Host account and your Joomla Login page.

#6 Change your PHP version from PHP 5.6 to PHP 7.1

#7 Encrypt your domain name even before installing Joomla

#8 Use your secure ProtonMail Email Address when you install Joomla

#9 Change your User Name and Password after your first log in to Joomla

#10 Log into your Joomla Control Panel and change your user name and password.

Let’s take a closer look at each of these ten steps:


#1 Use a Secure Linux Computer to Build Your Website
Let’s be very clear. It is not possible to build a secure website with a Windows or Apple computer. Both are NSA Prism partners and both allow the NSA access to all of your data. The same back doors used by the NSA can also be used by any knowledgeable hacker to access your Windows or Apple computer any time your computer is hooked up to the Internet. The only way to have a secure website is to use a secure Linux computer to create and load your website documents.

This is why Learn Linux and LibreOffice is our first course at College in the Clouds. It is because it is an essential first step in building a secure interactive website. With the help of our Learn Linux website, you can create and learn how to use a Linux computer in a matter of days. Best of all, buying an Acer C910 15 inch high resolution Chromebook and modifying it to be a fully functioning Linux computer costs less than $400 – about one quarter of the price of a less secure Windows or Apple computer.

After you have a Linux computer, you want to have a document with a table of all of your websites and all of the access information and passwords to all of your websites. Also keep a copy of this information on a thumb drive in a safe place in case you lose your Linux computer.

While the file and folder structure will eventually be transferred to your cPanel File Manager using the Joomla interface, the initial structure of your website should be built on your own secure Linux computer. We will provide more information on this file structure later. But your website structure begins by using your Linux File Manager to create a “root” folder for your website, such as MySite.com. In this folder, create folders for your articles, images, extensions and web articles. Here is what your website root folder will look like:


The web articles are simply copies of your articles with the images replaced by placeholder text and the images themselves moved to folders in your images folder. The articles themselves should be written in a free open source document creation tool called LibreWriter which comes with nearly all Linux Distributions by default. For more information on how to set up a Linux computer and use LibreWriter, see our website:
https://learnlinuxandlibreoffice.org/


#2 Use XNView to Batch Clean All of Your Images
It is important to compress every one of your images in your Libre Writer documents. This is done by right clicking on each image, selecting Compress then selecting OK. This should result in reducing the file size of the image to something less than 100KB. Failing to compress even a single image will greatly reduce the loading speed of your website. It is equally important to “clean” all of your images before posting them to the back end of your Joomla website as a common hacking trick is to hide malicious code in the properties section of images – which are then uploaded by you to your site if they are not cleaned. There is a free program called XNView which can batch clean hundreds of images in a matter of seconds. Simply open XNView. Then select the folder that has all of your website images. Then create an output folder for the clean images. Then Add the Action “Clean Metadata.” Then click Convert.
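The cleaning step above removes the metadata sections of each image, which is where text that a server might later treat as script can be hidden. The following is an added example, not part of the original text and not XNView’s code: a small pure-Python cleaner that walks the JPEG marker structure, drops every APPn (EXIF, XMP, JFIF, IPTC) and COM (comment) segment, leaves the picture data untouched, and reports any removed segment that contained script-like text so the file can be reviewed instead of silently cleaned. The sample JPEG bytes and the list of suspicious strings are constructed for the example.

```python
"""Strip and inspect JPEG metadata before upload (added example, not XNView)."""
import struct

SOI = b"\xff\xd8"   # start of image
EOI = b"\xff\xd9"   # end of image
SOS = 0xDA          # start of scan: entropy-coded picture data follows until EOI
# Strings that have no business inside image metadata (constructed heuristic list)
SUSPICIOUS = (b"<?", b"<script", b"eval(", b"base64_decode")


def _segment_name(marker):
    return "COM" if marker == 0xFE else f"APP{marker - 0xE0}"


def strip_jpeg_metadata(data):
    """Return (cleaned_bytes, findings).

    findings holds one dict per removed segment, e.g.
    {"segment": "COM", "length": 48, "suspicious": ["<?"]}
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(SOI)
    findings = []
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while data[pos + 1] == 0xFF:          # skip optional 0xFF fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker == SOS:
            out += data[pos:]                 # picture data through EOI, copied verbatim
            return bytes(out), findings
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segment = data[pos:pos + 2 + length]  # marker + length field + payload
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:
            payload = segment[4:].lower()
            findings.append({
                "segment": _segment_name(marker),
                "length": length,
                "suspicious": [s.decode() for s in SUSPICIOUS if s in payload],
            })
        else:
            out += segment                    # DQT, SOF, DHT, DRI ... are needed to decode
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS marker found")


def clean_file(src_path, dst_path):
    """Clean one file on disk, mirroring the input-folder/output-folder flow."""
    with open(src_path, "rb") as f:
        cleaned, findings = strip_jpeg_metadata(f.read())
    with open(dst_path, "wb") as f:
        f.write(cleaned)
    return findings


def _seg(marker, payload):
    """Build one marker segment; the length field counts itself plus the payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: valid JPEG framing, not a decodable picture.
SAMPLE_JPEG = (
    SOI
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")        # APP0
    + _seg(0xE1, b"Exif\x00\x00constructed exif block")                   # APP1
    + _seg(0xFE, b"comment: <?php echo 'constructed placeholder'; ?>")  # COM
    + _seg(0xDB, bytes(65))                                               # DQT
    + _seg(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")                 # SOF0
    + _seg(0xC4, b"\x00" + bytes(16))                                     # DHT
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")                              # SOS
    + b"\x00"                                                             # scan data
    + EOI
)

if __name__ == "__main__":
    cleaned, findings = strip_jpeg_metadata(SAMPLE_JPEG)
    for f in findings:
        print(f"removed {f['segment']:5} ({f['length']} bytes) suspicious={f['suspicious']}")
    print(f"{len(SAMPLE_JPEG)} -> {len(cleaned)} bytes")
```

Run over a folder with `clean_file`, and treat any non-empty `suspicious` list as a reason to look at where that image came from before it goes anywhere near `public_html`.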



#3 Use a Secure ProtonMail Email Address to Set Up your Hosting Account
Major email providers like Google and Yahoo are also NSA Prism Partners. As sensitive security information will be sent to your email address, even before we set up our hosting account, we should get a secure ProtonMail email address and use this secure email address to set up a secure hosting account. We will use this same ProtonMail account when we install Joomla on our website. Here is the link to get your free account. https://protonmail.com/



#4 Use a Secure Canadian Linux Hosting Account such as Fullhost
As we explained in a previous chapter, it is no longer safe to put either your domain name or your website on any server located in the US. It is also not safe to put your website on any Windows server regardless of where that server is located. We recommend a web host in Canada, Fullhost, that uses only Linux computers and takes several additional precautions (including giving us a free Let’s Encrypt tool) to protect our website. Here is the link to Fullhost. https://www.fullhost.com/


Fullhost has a basic shared hosting option that is only $7 Canadian per month (about $5 US dollars per month). This allows you to set up several websites on a single Cpanel account. However, if a hacker manages to break into any one of your websites, they can destroy any other websites that are on the same Cpanel account.

Therefore, if you have more than three websites, a much more secure option is to get a Reseller Hosting account at Fullhost for $20 Canadian per month (about $15 US dollars per month). The reseller account will allow you to have up to 15 separate Cpanel accounts each with their own file manager. This will prevent hackers from bringing down more than one or two of your websites at a time. I currently have about 30 websites on 15 different cPanel accounts. The cost per website per month is about $1 US for the domain name and 50 cents US for the hosting for a total cost of $1.50 per month or $18 US per year per website.

#5 Use Strong Passwords for your Email Account, your Web Host account and your Joomla Login page.
First, avoid using default user names like "admin" or "administrator". Those are first in the list of words a potential attacker will try. Next, use a strong password. Many attackers try to brute-force your login details. This means that they use a list of commonly used passwords to guess yours.

As for the password itself, do not use common words like pass123 or admin123. Do not use your name in your password. Do not use a password generator because these can also be compromised. Instead use a strong password that is at least 9 characters long and includes a combination of upper case and lower case letters, numbers and special characters such as # and $. The following is an example of a very strong password with 3 capital letters, 3 lower case letters, 3 numbers and 4 special characters: $Ea!275(Fv)Zx

Do not use this same password for any other account. This means that your website administrator password should be different from your hosting account password and different from your email service password. Each password should be unique. Keep a record of all of these passwords in a file on your hopefully secure computer.
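The rules in this step (no default user names, at least 9 characters, all four character classes, no common words or personal names, and one unique password per account) can be checked mechanically before a password goes into the record file. The following is an added example, not part of the original text; it encodes those rules and adds a rough entropy estimate. The common-password list is a constructed four-entry sample, and a real check would use a large breached-password list instead.

```python
"""Checks for the password rules in step #5 (added example, not the original text)."""
import math
import string

MIN_LENGTH = 9
SPECIALS = set(string.punctuation)               # includes the # and $ named in the text
DEFAULT_USERNAMES = {"admin", "administrator"}   # the names the text warns against
COMMON_PASSWORDS = {"pass123", "admin123", "password", "123456"}  # constructed sample


def password_problems(password, personal_words=()):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    lowered = password.lower()
    for word in sorted(COMMON_PASSWORDS):
        if word in lowered:
            problems.append(f"contains common password {word!r}")
    for word in personal_words:                  # your name, site name, family names ...
        if word and word.lower() in lowered:
            problems.append(f"contains personal word {word!r}")
    return problems


def estimated_entropy_bits(password):
    """Rough strength estimate: length * log2(size of the character pool actually used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in SPECIALS for c in password):
        pool += len(SPECIALS)
    return len(password) * math.log2(pool) if pool else 0.0


def username_problems(username):
    """Flag the default names an automated login guesser tries first."""
    if username.strip().lower() in DEFAULT_USERNAMES:
        return [f"{username!r} is a default user name"]
    return []


def reused_passwords(accounts):
    """Given {account: password}, return (first, other) pairs that share a password."""
    seen = {}
    pairs = []
    for account in sorted(accounts):
        pw = accounts[account]
        if pw in seen:
            pairs.append((seen[pw], account))
        else:
            seen[pw] = account
    return pairs


if __name__ == "__main__":
    example = "$Ea!275(Fv)Zx"                     # the example password from the text
    print(example, password_problems(example), round(estimated_entropy_bits(example), 1), "bits")
    print("pass123", password_problems("pass123"))
    # constructed record: the same password on the email and hosting accounts
    print(reused_passwords({"email": "x", "hosting": "x", "joomla": "y"}))
```

`reused_passwords` is the check to run over the password table you keep on the Linux computer: every pair it returns is two accounts that fall together if either one is compromised.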


#6 Change your PHP version from PHP 5.6 to PHP 7.1
PHP is the language your Joomla website uses to control the information in your website database. Nearly all Joomla and Wordpress websites currently use PHP version 5. This is no longer a very secure version of PHP. A new version of PHP was introduced in 2016 called PHP 7 which is twice as fast as PHP 5 and much more secure. After getting your Fullhost Shared Hosting Account, log in to your Fullhost account using your ProtonMail email address and a secure password. Then click on the red Services button. Then click on the green Active button. Then click on Log into Cpanel. Scroll down to SOFTWARE. Then click on Select PHP version. Then select the latest version of PHP. Then click Set as Current.


Then click on Cpanel to return to the Home screen. Note that the latest version of PHP may cause excessive warnings to appear on our website. If this turns out to be the case, return to this screen and change the version from PHP 7.1 to PHP 7.0. As 98% of all Joomla and Wordpress websites still use PHP 5, taking this single step will make our website faster and more secure than 98% of all websites.

#7 Encrypt your domain name even before installing Joomla
Cpanel now comes with a free way to encrypt your domain name even before you add an application to it. Go to your Fullhost account, then click on My Services. Then click on the green Active button. Then click on Log into cPanel. Then scroll down to the SECURITY section. Then click on SSL/TLS. Here is what the screen will look like:

If you click on Generate Private Keys, you will see that a set of private keys has been generated automatically for you.


If you do not see any keys in the table, wait 24 hours for these keys to appear. Once the private keys are shown, click on the Browser back arrow. Next click on Generate, view, upload or delete SSL certificates. You should see that a free Let’s Encrypt Certificate has been automatically generated for your website domain name.

You can click on the Edit button and then click on Update Description to see the default information and add more information to it. But this is technically not needed. Instead, click on the back arrow. Then click Manage SSL sites. This is where you can add sub-domains, Add On Domains and Parked Domains. The certificate will be set to expire in about 90 days. Do not worry. The certificate will automatically renew itself. You do not need to take any further action after activating SSL on your Joomla site.

What is SSL and Why Do We Need It?
SSL (Secure Sockets Layer) is the standard encryption technology which establishes a secure connection between a web browser and the server. This ensures that all the data which passes during the connection remains private and encrypted. SSL is used by millions of websites to protect the sensitive information entered by visitors. Most people can tell a secure SSL site from a non-secure site by the green bar or lock in the URL box and by the https prefix, which adds an S after the initial HTTP.

As a website owner, you have a big responsibility to keep the privacy of your visitors intact. Installing SSL encryption on your website is a good start and prevents the interception of submitted information by hackers. SSL hides your vital information and your readers’ vital information from hackers. Failing to use SSL not only might cause your customers to be harmed, it also increases the chances of your website being hacked using a customer’s intercepted login credentials followed by a program that elevates their privileges. Using SSL not only increases the security of your website and the trust of your readers, it also increases your Google Page Ranking because Google gives priority to sites using SSL.

What is Let’s Encrypt?
Let’s Encrypt is a free, automated, open source SSL certificate authority created to benefit the public. It allows you to get browser-trusted certificates for your domains at no cost that renew automatically every 90 days. There are no difficult configurations and no validation emails, and you can install multiple certificates on your hosting accounts, one for each domain and subdomain you choose, with Let’s Encrypt Free SSL. All popular browsers support Let’s Encrypt Free SSL. Thanks in part to Let’s Encrypt Free SSL Certificates, 80% of all visited sites now use encryption.

Once we verify that our Let’s Encrypt certificate is installed in Cpanel, we are ready to install Joomla to our domain name.


#8 Use your secure ProtonMail Email Address when you install Joomla
While we are in Cpanel, after verifying that our domain name has a Let’s Encrypt certificate, we will next install Joomla. Scroll down to the Softaculous Apps Installer section. Then click on the Joomla icon. Then click on Install.

Delete the Joomla30 from the directory box in order to install Joomla in the root directory of our domain. Then type in your domain name and slogan.


Leave Import Sample Data set to None. Type in your initial User Name and password (we will change these later).

Then click Install. This will provide a link to our Joomla Administrator login page. However, before we click on this link, we should activate our HT Access file with the Cpanel file manager.

#9 Activate the HT Access File in Cpanel
The HT Access file can help to protect your website against a set of common exploits. But we need to enable it to get this protection. We enable it by renaming it. From the Softaculous Installer page, click on CP at the top of the page to go back to the Cpanel control panel. Then click on the file manager. Then click on the public_html folder to open it. Below a bunch of folders, you will see a file called htaccess.txt. Click on it to select it. Then right click and select Rename.


Delete the .txt and put a dot before htaccess:



Then click Rename File. Sadly, this will hide the file. To see it, click on Settings in the upper right corner of the screen. Then click on Show Hidden Files. Then click Save.

Now we can see the file. Now click on the .htaccess file to select it. Then right click and click Edit to open this file. Then click Edit again. Then click Use Code Editor so we can see the line numbers.

At about line 62, you will see

# RewriteBase /

Delete the hash tag so the line looks like this:
RewriteBase /


This will allow us to use Search Engine Friendly URLs for our site which in turn will make our site harder for hackers to attack with automated programs by hiding typical Joomla URLs.

Next, copy and paste this code just after “RewriteEngine On” on about line 29:

RewriteCond %{REQUEST_URI} ^/images/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/media/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/logs/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/tmp/
RewriteRule .*\.(phps?|sh|pl|cgi|py)$ - [F]

These rules return a 403 Forbidden for any request for a script file (.php, .phps, .sh, .pl, .cgi or .py) inside the images, media, logs and tmp folders. Joomla never serves scripts from those folders, so a script that somehow ends up in one of them (for example inside an uploaded image folder) cannot be run through the web server. This tip is from the following URL

https://www.gavick.com/documentation/joomla/how-to-secure-your-joomla-3-1-site-against-hacker-attacks
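Apache is not something you can run offline to see what these rules do, so the following is an added example, not part of the original text or of Joomla, that mirrors the rule logic in Python: a request is refused when its path starts with one of the four protected folders (the RewriteCond chain, whose [NC] flag makes the folder match case-insensitive) and ends in one of the listed script extensions (the RewriteRule). One detail the simulation makes visible is that the RewriteRule in the snippet carries no [NC] flag, so its extension match is case-sensitive; the `rule_ignores_case` switch shows what adding [NC] to that line changes. The sample request paths are constructed.

```python
"""Simulation of the .htaccess rules above (added example, not Apache itself)."""
import re

# The four RewriteCond prefixes from the snippet
PROTECTED_PREFIXES = ("/images/", "/media/", "/logs/", "/tmp/")
# Same pattern as the snippet's RewriteRule; no [NC], so case-sensitive
SCRIPT_RULE = re.compile(r".*\.(phps?|sh|pl|cgi|py)$")
# The same rule as it would behave with [F,NC]
SCRIPT_RULE_NC = re.compile(r".*\.(phps?|sh|pl|cgi|py)$", re.IGNORECASE)


def is_forbidden(request_uri, rule_ignores_case=False):
    """True if the snippet's rules would answer this request with 403 ([F])."""
    path = request_uri.split("?", 1)[0]       # %{REQUEST_URI} carries no query string
    # RewriteCond ... [NC,OR] chain: any protected folder, matched case-insensitively
    if not any(path.lower().startswith(p) for p in PROTECTED_PREFIXES):
        return False
    rule = SCRIPT_RULE_NC if rule_ignores_case else SCRIPT_RULE
    return rule.match(path) is not None


# Constructed sample requests, of the kind seen in an access log
SAMPLE_REQUESTS = [
    "/images/logo.png",                 # normal image: allowed
    "/images/stray.php",                # script in the images folder: blocked
    "/Images/stray.php",                # folder case differs: still blocked ([NC] on the cond)
    "/images/stray.PHP",                # extension case differs: not blocked without [NC]
    "/media/file.phps",                 # phps? also covers .phps
    "/tmp/run.py",
    "/index.php?option=com_content",    # Joomla itself, outside the protected folders
    "/logs/error.php.txt",              # .txt at the end: the $ anchor does not match
]


def summarize(requests, rule_ignores_case=False):
    """Map each request to the decision, for a quick table."""
    return {r: is_forbidden(r, rule_ignores_case) for r in requests}


if __name__ == "__main__":
    for uri, blocked in summarize(SAMPLE_REQUESTS).items():
        print(f"{'403' if blocked else 'pass':4} {uri}")
    print("with [NC] on the RewriteRule:")
    for uri, blocked in summarize(SAMPLE_REQUESTS, rule_ignores_case=True).items():
        print(f"{'403' if blocked else 'pass':4} {uri}")
```

Whether an upper-case `.PHP` file would actually be executed depends on how the host maps the PHP handler, so the safe assumption is to add [NC] to the RewriteRule line as well (`[F,NC]`), which mod_rewrite supports, and remove the doubt.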

Then click Save Changes. Then click Close. Also while we have the file manager open, click on the images folder to open it.



Even though we did not want the sample data, Joomla loaded the sample images anyway. We could delete these later with the Joomla Media Manager. But it is quicker to delete them with the Cpanel File Manager. Click on the Banners folder to select it. Then right click and select Delete. Check Skip the Trash and click Confirm. Repeat for the headers folder and the sample data folder and the joomla black file and the powered by file – leaving only the index.html file. Now close the file manager browser tab to close the file manager. This brings us back to the Cpanel control panel.

#10 Log into your Joomla Control Panel and change your user name and password.
In Cpanel, scroll down and click on the Joomla Icon. This will bring up our current installations. Click on the Admin icon to reach our Joomla Administrator log in page.



If you go to your Joomla admin page and it says "This webpage is not available." it is likely that the domain has not yet been directed to the Fullhost servers. Log into your Fullhost account, click on Domains, then Manage NameServers and direct this domain to the Fullhost servers. They should be ns2.fullhost.com, ns3.fullhost.com and ns1.fullhost.com.

Then log into your new website admin page. The good news is that our Administrator page is fully encrypted as we can see from the green bar to the left of our URL at the top of the screen. Log in with your Initial User Name and Password.


Joomla wants to collect information. Click Never. Then click Read Messages and hide all three messages. Our next task is to change our user name and password. When you create a new Joomla site with the Cpanel one click install, an email may be sent to your email account with your installation user name and password plus sensitive information about the name and password of your website database. If you have a ProtonMail account, this email may be encrypted. But if your email account has been compromised, this user name and password will also be compromised. To change them, click on Users, then Manage. Then click on your name. Change your login name and your password. This is especially important if you did not set up a ProtonMail account, as there may be a record of your initial user name and password in an insecure email file. Then click Save and Close. Now view the front end of our site by clicking on the link in the upper right corner of the screen.


The front end of our site is also encrypted. But we will soon have problems with spammers and hackers if we continue to display the log in form on our Home page. In the next section, we will take ten more steps to secure our website – beginning with hiding the Front End Log In Form.

Imagine you have spent several years building a successful interactive business website with hundreds of thousands and even millions of visitors. Your entire business and family income depends on this website working correctly. Now imagine that site being taken down by hackers or by your competition. The only thing displayed on the front end of your website and the back end of your website is the white screen of death and perhaps a “500 error.” No way to log into the Joomla administrator panel. No way for you or your customers to view any page that you have created.

Even worse, you go to your hosting account to try to fix this mess with your Cpanel File Manager and Database manager only to discover that your hosting account has been hacked, your Cpanel account has been hacked and all of the back ups you have made for your websites have been deleted. There may still be ways to repair your websites – which we will discuss towards the end of this article. But an ounce of prevention is worth a pound of cure. We will therefore review what website security really means.

If there is ever going to be a free and independent Internet in the future, we as website owners and builders need to radically change the way we think about website security. Gone are the days when hackers were just a few young kids getting their kicks by defacing and destroying a few websites. Today, hacking has become a multibillion dollar business. Hackers now use highly complex programs to take over thousands of websites in a single attack. The hackers then either demand a “ransom” of thousands of dollars to restore your website (which you can never really trust again even if you do pay up and get it back), or they use the computing power and data of these hacked websites to attack and bring down even more websites.


This course, book and website, Create Your Own Interactive Website, explains how to create a safe and secure Joomla website that you can use for any purpose. Our following books explain how to add to this foundational website to create an independent news website (Create Your Own News Website), your own online network (Create Your Own Community Network), your own online business (Create Your Own Online Store) and your own online course (Create Your Own Online Course). What all of these courses have in common is that they increase your power to communicate and organize with others. However, those who currently control our economic and political systems do not want us to communicate with each other.

Why New Interactive Websites are a Threat to the Status Quo

New online stores are a threat to the corporate monopoly of Amazon. Courses that teach folks how to build their own Linux computers are a threat to the corporate monopoly of Microsoft. Independent news websites are a threat to the corporate controlled media. Bottom up community based social networks are a threat to the top down control of corrupt corporate funded political leaders. It is therefore natural that monopolies such as Microsoft, Facebook, Google and Amazon along with Wall Street bankers and even our own government have worked to create a system to keep the Internet in check and take down any websites that present a threat to the establishment.

Even if you do not plan to build a controversial website, your website will certainly be caught in the cross fire of the billionaires’ war on the people. I have about 20 Joomla websites on various courses I teach. I have hacker monitoring tools attached to each of them. I therefore am able to say with confidence that each of them is attacked on a daily basis. So if you build either a Wordpress or Joomla website, you will certainly be attacked. It is not a question of if, but of when. The answer is that the attacks will likely start in the first 24 hours after you go online. Thus, it is essential to know what steps to take in the first few hours after starting your website.

In 2013, Edward Snowden revealed that the NSA has teams of tens of thousands of website hackers (about 30,000 working directly for the NSA). Some of the documents he revealed confirm that the NSA spends three dollars hiring outside corporate hackers for every dollar it spends in house (for example, Edward Snowden worked for an NSA contractor called Booz Allen). This brings the hacker total to 120,000. Tens of thousands of young kids in the US military are also being trained as hackers by the NSA in what it calls its Cyber Warfare training program. This brings the total number of hackers being trained by our own government to more than 200,000. While our corporate media likes to blame Russia or China for Cyber Warfare, the truth is that the hacker training budget of the US government is ten times larger than the Cyber Warfare budget of the rest of the world combined. When your website is attacked, the odds are ten to one that it was attacked by someone trained by the NSA. Here is a 26 minute video showing the NSA “Red Cell” training other branches of the military how to hack websites: https://www.youtube.com/watch?v=HnnvVnsDCGw


Don’t get me wrong. I am sure that our websites could occasionally be attacked by Russians and the Chinese. But when the NSA trains tens of thousands of young Americans in the Army and Navy how to attack websites and then these young men cannot find jobs after they get out of the Army, we should expect at least some of them to form teams and use the skills they learned from the NSA to attack the easiest local targets – us.

One way you can determine who is attacking you is by installing free Joomla tools that tell you the IP address of the server each attack is coming from. You can then look up the City and State where the server is located. Lately, the largest number of attacks on my websites have been coming from thousands of servers in Ukraine. But here is the problem. Each server is an actual computer that costs thousands of dollars. Who in Ukraine has the millions of dollars needed to buy all of these computers? Why would anyone in Ukraine want to attack massive numbers of websites in the US? It is not merely the cost of the servers, but also the cost of buildings to house the servers, staff to maintain the servers and electricity to run the servers. Then there is the cost to pay programmers to write the malicious code.

Who has this kind of money to pay for hundreds of attacks on my little websites? The one cyber warfare group with an unlimited amount of money to spend on servers is the US military cyber warfare group – also known as the NSA. They either have an entire server farm in central Ukraine (which maybe they do). Or more likely, the servers are in the US and the NSA is somehow bouncing signals off of satellites to fool people into thinking they are being attacked by thousands of Ukrainians. Either way, we as website owners are being attacked by the largest best trained cyber warfare teams in the world.

Downdetector.com monitors the attacks and downed servers of major corporations in real time. Each day more than 20 major corporations experience major attacks.

http://downdetector.com/archive/


This website also provides maps of where these attacks occur. Here is a map of the attacks on October 21 2016.

http://www.nytimes.com/2016/10/22/business/internet-problems-attack.html?_r=0


A 2015 RAND Report found that 80 percent of all cyber attacks are committed by “highly organized crime rings” - not individuals. Cyber crime rings are not manned by youngsters; they employ highly experienced developers with deep knowledge that allows them to bring constant innovation into malware and attack tactics. Thus, according to the RAND report, the average age of a cybercriminal is 35 years old. Additionally, 80 percent of black-hat hackers are affiliated with organized crime, working as part of closed groups. Below is a diagram of the structure of these cyber crime rings.

http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf

On February 16 2015, one of the world’s leading security firms, Kaspersky, released a report on what it called the “Death Star of the Malware Galaxy.”

https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/

https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf

It described a group it called the Equation group which was infecting computers and websites all over the planet. The report noted that the techniques being used were linked to techniques and malware programs previously developed and used by the NSA, including the Flame and Stuxnet viruses which the US used to attack Iranian computers.

“All the malware we have collected so far is designed to work on Microsoft’s Windows operating system. The malware callbacks are consistent with the DOUBLEFANTASY schema, which normally injects into the system browser (for instance, Internet Explorer on Windows)… The Equation group uses a vast infrastructure that includes more than 300 domains and more than 100 servers.”

Meanwhile, on December 14 2016, Yahoo admitted that the data from one billion accounts was stolen in August 2013.
https://threatpost.com/yahoo-discloses-data-from-1-billion-accounts-stolen-in-2013/122520/



Yahoo blamed sophisticated “state actors” of which the largest in the world by far is the NSA. The state actor was able to use forged Yahoo cookies to access the accounts as if the state actor was Yahoo.

One of the documents exposed by Snowden was a 2007 NSA job posting document in which the NSA actively solicited hackers to go to work for the NSA. The trainees will be taught how to “develop an attacker’s mindset.”
http://www.spiegel.de/media/media-35661.pdf

We as single website owners have no chance - working only on our own - to fight off these well trained, highly paid teams of thousands of hackers. We therefore need to stop thinking of our goal as merely protecting our individual websites and instead start acting to protect ALL of our websites. Instead of seeing ourselves as individuals, we need to build a community that has long term SECURITY FOR ALL as a higher goal than short term corporate profit. It is significant that the term “Joomla” means “All Together.” We need community not just to create our websites but also to protect them.

This is no different than what happened during the US Revolutionary War. Individual colonists were being attacked by a wealthy king, a corporate monopoly and the largest army in the world. The colonists banded together to defend the rights of ALL Americans and eventually overcame great odds to defeat the British king and establish our Constitution and Bill of Rights. We are in a similar war today – but the weapons are much more complex and therefore harder to see. I will use the Linux community and the Joomla community to illustrate how safety comes from working together and building a community.

Linux versus Microsoft Windows
In my website, Learn Linux and Libre Office, I explain that any computer running the Windows operating system is not secure and can never be made secure. For those who do not have time to read the entire book, there are basically three design flaws of the Windows operating system. First, to make sure that the computer can “call home” whenever Microsoft wants, they place the web browser inside of the core of the operating system. Second, to maintain control over the computer even if someone tries to replace the Windows operating system, they add a kill switch Start Up program called UEFI. Third, to make sure the public cannot see how their Windows computers are controlled by Microsoft, they encrypt all of the programming to hide it from the public. All of this is done in the name of corporate control to maintain hundreds of billions of dollars in Microsoft profits.

By contrast, Linux is not a for profit corporation but a community of computer users who want safe dependable computers. Because there is no need to maintain control, there is no need to place the web browser inside of the operating system. There is also no need to encrypt the code. In fact, allowing everyone to see the code helps confirm that the code has no malicious features. As an alternative to UEFI, the Linux community developed the free open source Coreboot program. You can read more about the safety benefits of this program on our website Learn Linux and Libre Office. But the bottom line is that when you build a website, you should do it with a Linux computer using the Coreboot Start up program. Using Windows will leave your website open to attack. Even using an Apple computer will leave your website open to attack because they are also a corporate partner of the NSA Prism program as confirmed by the following slide leaked by Edward Snowden. The following slide confirms that Microsoft joined the NSA Data Collection Program in 2007 and Apple joined in 2012.


These nine corporate Prism Partners are paid hundreds of millions of dollars to assist the NSA (along with hundreds of other for-profit corporations). Note that Linux is not on this list. The NSA did try to recruit the leaders of Linux. But the bottom up community driven rather than profit driven structure of Linux protected it and protects all of us who use Linux computers. Sadly, billions of people still use Windows and Apple computers. They do this because it is more convenient than taking the time to learn how to build and use a Linux computer. They are placing short term convenience above long term freedom and mutual security. The good news is that using Linux is now much easier than it was in the past – in many ways much easier than using Windows or Apple. As more people discover this, we will someday reach a tipping point where everyone will insist on using Linux – not just for building websites – but for everything they need to do on their computer.



Joomla versus Wordpress
There are about 30 million active Joomla websites and three times that many active Wordpress websites. As with Microsoft computers, people use Wordpress because it is “easier.” This is despite the fact that Joomla has many benefits over Wordpress. We describe these benefits in the following article.
https://createyourowninteractivewebsite.com/1-start-here/1-1-why-joomla-is-better-than-wordpress

However, the biggest benefit of Joomla over Wordpress is that it is much more secure. During the past four years, Wordpress has had many more major security problems than Joomla. In 2016, Wordpress had five times more security problems than Joomla.



Sources:

http://www.cvedetails.com/product/4096/Wordpress-Wordpress.html?vendor_id=2337
https://www.cvedetails.com/vendor/3496/Joomla.html


A more recent and detailed study confirmed that Wordpress actually had 122 major security problems in 2015. Wordpress version 4.1 had 30 problems, version 4.2 had 40 problems and version 4.3 had 52 major problems for a total of 122 major security problems just in 2015 – or about ten times the number of Joomla security problems. Compiled from the following data:

https://wpvulndb.com/
https://www.keycdn.com/blog/wordpress-security/


Wordpress also fails to use random prefixes on their database names, making them easier for hackers to attack. By contrast, Joomla has been using random prefixes for more than 6 years. Wordpress also does not allow us to change our Usernames without accessing the database. Joomla allows us to easily change our user name in the dashboard – which is important for security reasons we will explain in more detail later. In addition to problems with the Wordpress core, many of its most popular plugins were found to have major security problems including Jetpack, Yoast and WP E Commerce.

https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html

While most of these security problems can be fixed by updating Wordpress and its plugins, the majority of Wordpress site owners never update their sites which is why over 73% of all Wordpress websites are not secure – making them easy targets for hackers.

https://www.wpwhitesecurity.com/wordpress-security-news-updates/statistics-70-percent-wordpress-installations-vulnerable/

As a result, millions of Wordpress sites are attacked and successfully hacked every year. As just one example, in December 2014, the security team at Sucuri discovered hundreds of thousands of WordPress sites were hit with the SoakSoak.ru malware virus, resulting in more than 11,000 domains being blacklisted by Google.

https://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html

The people harmed are not merely the website owners. Also in 2014, supposedly Russian hackers stole account information of 800,000 customers from 5 leading US banks. The following article went into detail about how the hackers got the account information from so many people: “First, they compromise a large number of websites that run the WordPress, and install malicious code. When a user visits one of the compromised WordPress sites, that code exploit vulnerabilities in their browser to install the attacker's malware. The malware can be used to steal data stored on the PC, intercept online banking credentials, install more malware, and turn the PC into a proxy server for attackers. The entire operation is highly automated, beginning with hacking into servers that run WordPress.”

http://www.databreachtoday.com/hackers-grab-800000-banking-credentials-a-7416

Put in plain English, not only do people running Wordpress sites risk having their websites hacked, they also expose every visitor to their site to having their own computer hacked (especially if it is a Windows computer).

In 2015, a stored cross-site scripting vulnerability in the comment system built into the Wordpress core itself, not in a plugin, left millions of Wordpress websites exposed. Here is a quote from one news report on it: “They allow an attacker to inject code into the HTML content received by administrators who maintain the website. Both attacks work by embedding malicious code into the comments section that appears by default at the bottom of a WordPress blog or article post. From there, attackers can change passwords, add new administrators, or take just about any other action legitimate administrators can perform… The exploit works by posting some simple JavaScript code as a comment and then adding a massive amount of text—about 66,000 characters or more than 64 kilobytes worth. Once the comment is processed by someone logged in with WordPress administrator rights to the site, the malicious code will be executed with no outward indication that an attack is under way. By default, WordPress doesn't automatically publish comments to a post unless the user has already been approved by an administrator. Attackers can work around this limitation by posting a benign comment that gets approved. By default, subsequent comments from that person will be automatically approved and published to the same post.”
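The 64 kilobyte detail in that quote is the whole bug class: markup is sanitized when the comment is submitted, then silently cut off by the database column, so what gets stored is no longer the well-formed HTML the sanitizer produced. As an added example (not code from this book, from Wordpress or from the report quoted above), here is a small Python model of that flow beside a hardened version that refuses anything that would not fit instead of truncating it. The allow-list sanitizer, the 65,535 byte column limit and both comments are constructed for this illustration and are not the real Wordpress code or payload.

```python
"""Sanitize-then-truncate: a toy model of the bug class behind the 2015 comment XSS.

Added example, not code from the book or from WordPress. The allow-list
sanitizer, the 65,535-byte column limit and the attacker comment are all
constructed here to show why truncating already-sanitized markup is unsafe.
"""
import html
import re
from html.parser import HTMLParser

COLUMN_LIMIT = 65535  # a MySQL TEXT column silently cuts longer values
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set()}  # assumed allow-list
TAG_RE = re.compile(r'<(/?)([a-z]+)((?:\s+[a-z]+="[^"<>]*")*)\s*>')


class _AllowListSanitizer(HTMLParser):
    """Re-emit markup from parsed tokens, keeping only allow-listed tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # drop <script>, <img onerror=...> etc.; their text is kept as text
        kept = "".join(
            f' {k}="{html.escape(v or "")}"' for k, v in attrs if k in ALLOWED[tag]
        )
        self.out.append(f"<{tag}{kept}>")
        self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open:
            while self.open:  # also close anything still open inside this tag
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data))

    def result(self):
        while self.open:
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(raw):
    p = _AllowListSanitizer()
    p.feed(raw)
    p.close()
    return p.result()


def is_well_formed(markup):
    """True if every tag is complete, attribute quotes are balanced and tags nest.
    Any '<' or '>' outside a complete tag means a tag was cut in half."""
    stack, pos = [], 0
    for m in TAG_RE.finditer(markup):
        if "<" in markup[pos:m.start()] or ">" in markup[pos:m.start()]:
            return False
        closing, tag = m.group(1), m.group(2)
        if closing:
            if not stack or stack.pop() != tag:
                return False
        else:
            stack.append(tag)
        pos = m.end()
    tail = markup[pos:]
    return "<" not in tail and ">" not in tail and not stack


def store_vulnerable(raw):
    """The unsafe flow: sanitize on input, then let the column truncate the result."""
    clean = sanitize(raw)
    return clean.encode()[:COLUMN_LIMIT].decode(errors="ignore")


def store_hardened(raw):
    """Reject anything whose sanitized form would not fit, so nothing is ever cut.
    The rendering side should still run sanitize() again before output."""
    clean = sanitize(raw)
    if len(clean.encode()) > COLUMN_LIMIT:
        raise ValueError("comment too long")
    return clean


# Constructed attacker comment: a permitted <a> tag whose title attribute is padded
# so that the closing quote and '>' fall past the column limit after sanitizing.
ATTACK = '<a title="x onmouseover=alert(1) ' + "A" * 70000 + '">click</a>'
# Constructed ordinary comment with one disallowed tag in it.
BENIGN = 'Nice post, see <a href="https://example.com">this</a> &amp; <script>alert(1)</script>'

if __name__ == "__main__":
    print(is_well_formed(sanitize(ATTACK)))        # sanitizer output is balanced
    print(is_well_formed(store_vulnerable(ATTACK)))  # stored value is not
    print(store_hardened(BENIGN))
```

The point generalizes beyond comments: any time a sanitizer runs before a length limit is applied (a database column, a cache, a message queue field) the limit can undo the sanitizer's work. Check the length of the sanitized form, not the raw input, and sanitize again at the moment of output so a truncated or hand-edited database row cannot reach an administrator's browser.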

2016 was also a very bad year for Wordpress. On June 2, 2016, a plugin called WP Mobile Detector, installed on more than 10,000 Wordpress websites, was found to contain a flaw that let anyone upload a file to the server without logging in, and attackers were already using it to plant malware on the sites running it.


Then in December 2016, a Wordpress security firm called Wordfence posted an article analysing a free PHP web shell called PAS, a backdoor script that an attacker uploads to a site after breaking in and that is used against Wordpress sites among others.
https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack


The authors easily obtained the PHP script from this download link:
http://profexer.name/pas/download.php


The latest version of this web shell at the time of writing was 4.1.1. Its control panel gives the attacker a file browser, a file search function, a database client for dumping the contents of the hacked website's database, a scanner, a viewer for server configuration files and a brute force password guessing tool. The important caveat is that a web shell only runs once the attacker already has a way to write files to your server, typically through an unpatched extension or stolen FTP or administrator credentials. Keeping software patched and credentials strong is what stops it from ever being installed.

Here is a quote from the article: “We found a total of 385 active IP addresses during the last 60 days that were attacking our Wordpress websites. These IP addresses have launched a total of 21,095,492 database attacks during that 60 day period that were blocked by the Wordfence firewall. We also logged a total of 14,463,133 brute force attacks from these same IP addresses during the same 60 day period.  A brute force attack is a login guessing attack.”

Put in plain English, there were about 35 million attacks in 60 days on just the Wordpress websites that Wordfence protects. The Wordfence home page says the plugin has been downloaded 22 million times, roughly 20 percent of total Wordpress downloads. If attacks scale with installations, multiplying 35 million by 5 gives about 175 million attacks on Wordpress websites every 60 days, or roughly 3 million attacks every day. This is a rough estimate (downloads are not the same as active sites, and sites that are already under attack are the ones most likely to install a firewall), but the order of magnitude is the point. While Wordfence has a free version, country blocking costs $99 per year. Or you could build a Joomla website and just add the free tools we recommend in the next section.
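The counts Wordfence reports come from the same basic logic any site owner can run over an ordinary web server access log. As an added example (not code from this book, from Wordfence or from Joomla), here is a Python script that finds login guessing attacks in constructed Apache style log lines by counting POST requests to the login page per source address inside a sliding time window, then emits an Apache 2.4 deny block for the addresses it flags. The login paths, the window, the threshold and the sample lines are assumptions made for the illustration.

```python
"""Finding login-guessing (brute force) attacks in web server access logs.

Added example, not code from the book, from Wordfence or from Joomla. Log lines,
paths, window and threshold are constructed/assumed for the illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Joomla's administrator login posts to /administrator/index.php, Wordpress's to
# /wp-login.php. Assumed: the site runs at the root of the virtual host.
LOGIN_PATHS = {"/administrator/index.php", "/wp-login.php"}
WINDOW = timedelta(minutes=10)   # assumed sliding window
THRESHOLD = 10                   # assumed: this many login POSTs in WINDOW = attack

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: a scripted burst of 12 login POSTs from one address in 12
# seconds, a real user logging in once, an address that tries twice two hours
# apart, and one malformed line.
_BURST = "\n".join(
    f'203.0.113.7 - - [05/Dec/2016:10:00:{i:02d} +0000] '
    f'"POST /administrator/index.php HTTP/1.1" 303 512 "-" "python-requests/2.9"'
    for i in range(12)
)
SAMPLE_LOG = _BURST + "\n" + """\
198.51.100.4 - - [05/Dec/2016:10:01:00 +0000] "GET /administrator/ HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Dec/2016:10:01:07 +0000] "POST /administrator/index.php HTTP/1.1" 303 512 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Dec/2016:10:01:08 +0000] "GET /administrator/index.php HTTP/1.1" 200 30112 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Dec/2016:09:30:00 +0000] "POST /wp-login.php?action=login HTTP/1.1" 200 3100 "-" "curl/7.47"
192.0.2.9 - - [05/Dec/2016:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "curl/7.47"
garbage line that does not parse
"""


def parse(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def login_attempts(log_text):
    """Yield (ip, timestamp) for every POST to a login endpoint."""
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] in LOGIN_PATHS:
            yield rec[0], rec[1]


def brute_forcers(log_text, window=WINDOW, threshold=THRESHOLD):
    """Map each attacking ip to its peak number of login POSTs inside any window."""
    per_ip = defaultdict(list)
    for ip, ts in login_attempts(log_text):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):           # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def htaccess_block(flagged):
    """Apache 2.4 directives that refuse the flagged addresses (put in .htaccess)."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(flagged)]
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = brute_forcers(SAMPLE_LOG)
    print(hits)                     # {'203.0.113.7': 12}
    print(htaccess_block(hits))
```

An access log cannot tell a failed login from a successful one (Joomla answers both with a redirect), so the rule is rate based: nobody submits a login form a dozen times in a minute by hand. Run it from cron over the last hour of logs, and feed the flagged addresses to fail2ban or your firewall rather than editing .htaccess by hand, since a blocked attacker simply moves to the next address.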

Top Down Corporate Structure versus Bottom Up Communities
The biggest security advantage of Joomla over Wordpress, in our view, is governance. Joomla is a bottom up community, while the Wordpress project is dominated by Automattic, a for-profit company valued at over a billion dollars that runs WordPress.com, employs many of the core developers, and is run and controlled by a small group of people. Automattic has raised more than $300 million from investors, which puts it in the same league as Microsoft, Google, Facebook and Amazon, all of which took hundreds of millions in financing on their way up.
https://en.wikipedia.org/wiki/Automattic

By contrast, Joomla is a true bottom up community led by Open Source Matters, a non-profit whose leadership is elected by the community. Its stated values are freedom, equality, trust, community, collaboration and usability. While the community has millions of members and thousands of developers, the Open Source Matters leadership team works with an annual budget of less than $500,000 and is itself made up of community members.
http://opensourcematters.org/about/organization/mission-vision-and-values.html

The argument for Linux and Joomla is that open communities are more likely to catch and correct coding errors than top down, profit driven corporations, because far more people can read and fix the code. But equally important, both include security features that simply do not exist in the corporate alternatives. A good example is the Joomla Access Control List (ACL). It lets you as the website owner create your own user groups and access levels and then decide exactly which members of your community may reach each part of the front end and/or back end of your website. This is one of a dozen important security features missing from the Wordpress core, which ships with five fixed roles and needs a plugin for anything finer grained. A fine grained ACL only helps if you use it, though: put every account in the least privileged group that lets it do its job, and keep the Super Users group to one or two people.



Things are about to get much worse
More than 317 million new pieces of malware were catalogued in 2014, close to one million new samples every day, and the rate has only gone up since.
http://money.cnn.com/2015/04/14/technology/security/cyber-attack-hacks-security/

But as bad as the website security problem is now, things are about to get much worse. Here is why. In 2013, the CIA awarded Amazon, Jeff Bezos' company, a $600 million cloud computing contract, as if the intelligence agencies did not have enough computers of their own. Snowden documents put the total US intelligence “black budget” at $52.6 billion for 2013, of which the NSA's share was about $10.8 billion.
http://www.theatlantic.com/technology/archive/2014/07/the-details-about-the-cias-deal-with-amazon/374632/


IBM protested the award to government auditors and then in court, arguing that it could have provided the cloud service for much less, and held the deal up for the better part of a year before losing in late 2013. Given all the security problems the Amazon cloud has had, one has to question the judgement of the CIA, unless the $600 million was really for something much more sinister.

Then in 2013, Bezos personally bought the Washington Post for $250 million, despite the fact that the paper had suffered from declining readership and had been losing money for years. (Amazon itself had posted a net loss the previous year.) Why did he want to buy the Washington Post?

Fast forward to November 24, 2016. The Washington Post published a story, sourced to anonymous CIA officials, claiming that Russian hackers were responsible for the Wikileaks disclosure of the Clinton campaign emails that may have been a factor in Clinton losing the Presidential election. Wikileaks had denied this claim, stating flatly that the emails were leaked by insiders.

To add insult to injury, the Washington Post published a story based on a website called PropOrNot which claimed that 200 alternative and independent news websites were being controlled by the Russians. The list included some of the most reputable alternative news websites in the nation, such as Consortium News and Truthdig. The Truthdig editor Robert Scheer has interviewed every US President since Jimmy Carter. The editor of Consortium News, Robert Parry, helped expose the Iran Contra scandal. We are also supposed to believe that former Congressman Ron Paul is a Russian spy.

Despite the fact that the Washington Post offered absolutely no evidence for any of its allegations, this story was used by Congress a few days later to pass a bill authorizing $160 million to take down these “fake news” websites and fight the imagined Russian propaganda.

On December 8, 2016, reporter Dave Lindorff explained that the Washington Post story had actually been put together by a US military cyber warfare expert.
http://fair.org/home/rather-than-exposing-propaganda-wapo-shows-how-its-done/

But the real story is that the bill to go after independent news websites was submitted to Congress in March 2016 – seven months before the election – and it was based on meetings that occurred in January 2016 – ten months before the election. So the Russian hacking story had been in the works long before the election and long before Wikileaks published the Clinton emails.

What will the extra $160 million granted by Congress be used for? Here is a clue. On December 1, 2016, changes to Federal Rule of Criminal Procedure 41 took effect without a vote of Congress, making it much easier for the FBI to obtain warrants to hack into computers. Before the change, the FBI had to ask a judge in the district where the target computer was located. Under the new Rule 41, when a computer's location has been concealed (for example behind Tor or a VPN) or a search spans five or more districts, agents can go to a judge in any district for a single warrant covering every computer involved. As the digital rights group Electronic Frontier Foundation (EFF) warned: “These changes to Rule 41 will result in a dramatic increase in government hacking… A single judge will be able to grant a warrant to hack a million or more computers.”
https://noglobalwarrants.org/

The term “computers” does not merely refer to private or personal computers but also to servers that host websites. A single server can host more than 1000 websites. So hacking one million computers can mean hacking one billion websites. In short, we were already being subjected to hacking on a massive scale by the NSA and their friends. Now the NSA/FBI have been given a blank check to expand these attacks.

This is why we need to take every possible precaution to protect our websites. These security measures must go well beyond merely moving our website to Canadian servers (as we described in the last chapter). They even go well beyond using Linux computers to post to our websites (as we described in a previous book). In the next section, we will provide an overview of the first ten steps we should take to protect our websites.