Joomla Security Extensions

I'm taking a CMS class at #mpict13 from @Mark_DuBois and we have spent the day setting up Joomla.

By default it has pathetic security: plaintext logins, very weak password hashes, no filtering of inputs, etc.

These extensions seem to be good, and they are all free. I haven't tried them in any depth, of course.


This is a free Web Application Firewall, blocking SQL injection and other such attacks.


Brute Force Stop

Locks out IP addresses that fail to log in too many times.


Encryption Configuration

Encrypts traffic with RSA, even when HTTPS is not enabled. The Wireshark capture below shows the result--long scrambled strings, produced by several local JavaScript functions:


One strange thing is that the user can turn off the encryption before logging in--if they do that, the protection vanishes. Note the option in the upper left here:

File Integrity Checking

I could not find any free plug-in to scan Joomla 3 files for integrity, unfortunately.

Cracking Hashes

More information here:

Posted 3:36 PM 6-19-13 by Sam Bowne