Hardening your glFusion Site
Hardening a site refers to preventive actions you can take to secure your site. glFusion developers and plugin authors take security very seriously, but as with any other complex system, there are potential security issues that may arise. We’ll look at some preventative actions you can take to keep your glFusion installation secure.
Running a secure website is always a challenge and at times can seem like a full-time job. Most of us are not system administrators; we are folks who just want to have a website. Our challenge is keeping our glFusion-powered website as safe and secure as possible.
glFusion is already a very secure platform. If you look at the number of Content Management Systems (CMS) out there, glFusion has one of the best track records on security issues. A quick search of the Secunia Security Website shows the number of vulnerabilities reported for glFusion to be much lower than many of the other popular blogs and content management systems.
This does not mean that glFusion is the most secure or that it is 100% secure 100% of the time. The bad boys on the Internet are always looking for methods to exploit existing code or circumvent security controls. So how do you keep a site safe and secure? Using multiple layers of defense and staying informed are the best methods to keep your site safe.
Let's look at some of the options you have with multiple layers of defense.
Install glFusion Properly
glFusion is designed so that many of its source files live outside the web root, where they simply cannot be requested from a browser. This is an excellent design, since the best defense is to minimize the 'attack surface': the number of targets available to a hacker. Keeping many of the glFusion core files outside the web root makes that surface smaller.
Many glFusion sites are installed using tools provided by hosting services. cPanel, Fantastico and Plesk installers are the most popular. Unfortunately, these tools do not install glFusion securely. They place everything in the web root which means you now have a larger attack surface.
The main problem with an installation that includes everything in the web root is this: All plugin files, your data backup directory, and config files are available through the web browser. These files were never designed to be available via the web browser. Fortunately, the glFusion team has been very proactive and has placed some security checks in the core glFusion files to prevent problems on installations like this. But not all plugins do the same checks, so there is a risk.
How can you remove this risk if you can't change hosts and don't want to do a manual glFusion install? In that case, see the How To Install in Web Root section below.
If you used Fantastico/cPanel, you can still implement the steps below but it does require moving files around on the server. Also, it may well break future upgrades through the install tool. My recommendation would be to do a manual glFusion install. It really isn't that difficult and there are lots of folks willing to answer questions in the glFusion forums. Also, there are several folks who will do the install for you for a small fee.
How To Install in Web Root (if you must)
As explained in the installation instructions, parts of glFusion (everything in the private/ directory) should be installed such that they are not accessible from a URL (for security reasons). However, some hosting services won't let you install files outside of the webroot.
In that case, you can still install glFusion if there is a way to password-protect a directory on your site (usually done through .htaccess and htpasswd files, although some hosting services offer web frontends for those).
Here's what you should do:
Upload everything that is in glFusion's public_html directory onto your site.
At the top level, create a new directory (try choosing a not too obvious name, i.e. don't just name it “glfusion” or “private”).
In that directory, copy all the files from the private/ directory that came in the glFusion distribution.
Password-protect that directory!
Run the installation program as normal.
If you cannot password-protect the directory, you could still install and run glFusion, but it wouldn't be a very secure installation. You may be better off using another hosting service.
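The "Password-protect that directory!" step above, as an added example that is not part of the glFusion documentation. It assumes an Apache host that honours .htaccess, and uses placeholder paths for the hidden copy of private/ and for the password file:

```apache
# Added example, not part of the glFusion documentation. Save this as .htaccess
# inside the renamed copy of private/. Placeholder assumptions: the password
# file is /home/example/.htpasswd, created OUTSIDE the web root with
#   htpasswd -c /home/example/.htpasswd adminuser

# Option A: HTTP Basic authentication, the password protection the steps call for.
AuthType Basic
AuthName "Restricted area"
AuthUserFile /home/example/.htpasswd
Require valid-user

# Option B (stronger; use it INSTEAD of option A if your host allows it): nothing
# under private/ is ever meant to be served to a browser, so refuse every HTTP
# request. glFusion keeps working because PHP reads these files from disk with
# require/include, which .htaccess does not affect.
# Apache 2.2:
#   Order deny,allow
#   Deny from all
# Apache 2.4:
#   Require all denied

# Check it afterwards: requesting any .php file in that directory with a browser
# must return 401 (option A) or 403 (option B), never the file's contents.
```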
Plugins can offer a great addition to your glFusion site, but they can also offer new security challenges. As much as I pride myself on being security conscious, even Media Gallery, my flagship plugin, suffered from a security vulnerability a few releases back. The plugin development community has been pretty good about security in their software, but plugins don't get the same broad exposure the core glFusion distribution receives. Also, most plugins are developed by one or two developers instead of a team like glFusion, so they get less peer review. I'm not saying you should not run plugins; just be aware that they add to your attack surface. I always recommend that you install only the plugins you need. Do not install extra plugins if you do not plan on using them. Fortunately, if there is an issue with a plugin, the fix is generally available very quickly and is usually easy to apply.
Register Globals PHP Setting
Make sure you have register_globals=off in your PHP configuration. glFusion does not require register_globals to be on. With register_globals off, a remote hacker can no longer inject configuration values into your site's variables simply by passing them as request parameters. This is just one step in the overall hardening process.
You may run into some older plugins that still require register_globals to be on; personally, I would recommend you not run them. If it is a must-have feature, contact the author or post on glfusion.org: maybe someone will update the plugin, or an update may already be available.
If you are not sure how to turn register_globals off, contact your hosting provider's technical support. Let them know you want to ensure this is turned off in the PHP configuration for your site. They should be able to either point you in the right direction or take care of it for you.
Disallow URL Include in PHP Setting (PHP 5.2.0 or newer)
If you are running PHP version 5.2.0 or newer, there is a new configuration option, allow_url_include, that prevents remote URLs from being used in PHP require and include statements. The default setting is 0, which prevents remote URLs from being opened via require or include. Check your php.ini settings, or check with your hosting provider, to ensure this option is configured properly.
If you have access to the .htaccess file for your site (again, check with your hosting provider for specific details), you can filter some known bots so they never gain access to your site. I analyze several web server log files from all over the Internet each day. What I've found is that a large majority of attack attempts originate from scripts using a tool called libwww-perl. If you block that user agent, you will immediately stop many of those script-kiddies from reaching your site. This does not block all hack attempts, but it will certainly reduce them.
You can also filter for some of the most common exploit patterns: anything referencing the _CONF variable, some of the standard root shell attacks, and the libwww-perl tool.
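The two filters described above (the libwww-perl user agent and any request carrying the _CONF variable), as an added example that is not part of the glFusion documentation. It assumes an Apache host with mod_rewrite enabled for .htaccess files:

```apache
# Added example, not part of the glFusion documentation. Goes in the .htaccess at
# your web root; assumes mod_rewrite is enabled for .htaccess (ask your host if
# unsure). Each rule answers with 403 Forbidden before any glFusion code runs.
RewriteEngine On

# Block the libwww-perl user agent the text above identifies as the source of
# most scripted attack attempts. [NC] = case-insensitive, [F] = 403 Forbidden.
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl [NC]
RewriteRule .* - [F]

# Block any request that tries to pass glFusion's _CONF configuration array in
# the URL. No legitimate request does this; it is only useful to an attacker on
# a host where register_globals is still on. "%5B" is the URL-encoded "[", which
# QUERY_STRING still contains in raw form; REQUEST_URI is already decoded.
RewriteCond %{QUERY_STRING} _CONF(\[|%5B) [NC,OR]
RewriteCond %{REQUEST_URI} _CONF\[ [NC]
RewriteRule .* - [F]

# Blocked requests still appear in the access log as 403s, so a quick
#   grep ' 403 ' access.log
# shows you what is being probed and how often.
```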
Finally, and probably one of the most important steps you can take, is to subscribe to the glFusion Announce Mailing List and see if the plugins you use have a similar alert system in place. When there is a new exploit for glFusion or any of the plugins, the mailing list can notify you as soon as the exploit is known and fixed. The quicker you can apply the fix, the better! I still see attempts at exploits that were identified and fixed over 2 years ago.
By implementing the tools and methods mentioned above and staying informed, you can easily run a secure site with minimal effort.