Web Site Security Tools

Joined: 2011/03/15

So I wasn't sure whether to put this under security or hacking... so I chose security.

So I am in the process of starting a new web design company

I have a team of guys proficient in Joomla, Wordpress, Drupal, MODx, Mambo, and a Few other CMS apps...

So I am wondering what tools are best to use for security checks on Joomla and WordPress. I want to make sure I do an ethical hack on all my clients' sites to verify security is properly in place prior to making their sites completely live and vulnerable to the world. I was thinking Burp Suite sounded good, Brutus as an oldie but goodie... I am just curious what is best for checking for cross site scripting vulnerabilities and SQL injection vulnerabilities (I ALWAYS change the SQL table prefix from the standard jos_ to something random) but still need to scan for vulnerabilities. I have implemented all the following security protocols on the Joomla sites:

-Easy update / refresh of the core Joomla! files

-Emergency Off-Line switch to put the site securely off-line in the case of an attack

-Protection of its configuration with a Master Password

-ACL: fine-grained control over which features each user can access

-Protect access to the administrator directory with a username and password

-Change the database table name prefix

-Change the Super Administrator ID

-Fix the permissions of all files and directories on the server or apply configurable, custom permissions down to file and directory level

-Automatically rewrite links pointing to old site's domain name / directory to point to new domain name / directory

-Automatically convert all links to insecure (HTTP) items to HTTPS when site is accessed over SSL

-One-click purge of temporary directory

-Change your database collation

-Repair and optimise all of site's tables

-Purge and optimise the sessions table with a single click

-Scheduled cleanup of temporary directory

-Scheduled optimization of sessions table

-Scheduled purge of the sessions table

-Automatic migration of hardcoded URLs in the articles, modules and everywhere when the site's domain name/location is changed

-CSS and JavaScript aggregation to speed up the site

-PHP file changes and security scan

-.htaccess Modifier

-Disable directory listings

-Protection against common file injection attacks

-Disable PHP Easter Eggs

-Block access to security-sensitive files such as htaccess.txt, configuration.php-dist and php.ini in your site's root

-Block specific user agents

-Protection against direct access to PHP files. It can even block access to uploaded hacking scripts, mitigating the attack.

-Force index.php parsing before index.html

-Optimise expiration time (for SEO)

-Automatically compress static resources such as images, CSS, JS

-Redirect index.php to site root

-Redirect www to non-www, or non-www to www site, e.g. http://example.com to http://www.example.com

-Redirect old domain name to new domain name

-Force HTTPS for specific URLs, even when Joomla! doesn't let you

-Web Application Firewall

-Customised exceptions, down to the component, view or query string level

-Full logging of security exceptions

-Send out an email when a security exception occurs

-Geographic Blocking: prevent access to the site by specific countries or continents

-IP black-listing: prevent access to the site by specific IP addresses or blocks of IP addresses

-Administrator IP whitelist: only allow access to the site's administrator section by specific blocks of IP addresses

-Administrator secret URL parameter. I can only see the administrator login page if I append ?secretWord to the URL

-Send email on successful or failed administrator login

-Forbid front-end Super Administrator login to deter brute-force password cracking

-SQLiShield protection against SQL injection attacks

-Cross Site Scripting block (XSSShield)

-Malicious User Agent block (MUAShield)

-CSRF/Anti-spam form protection (CSRFShield)

-Remote File Inclusion block (RFIShield)

-Direct File Inclusion shield (DFIShield)

-Uploads scanner (UploadShield)

-Anti-spam filtering based on Bad Words list

-Hide/customise generator meta tag

-Block access to Joomla! extensions installer

-Disable editing backend users' properties

-X-Content-Encoded-By HTTP header content for GZip compression customisation

-X-Powered-By HTTP header override

-Remove all instances of Joomla from the output (Have to use with caution, it really removes all instances)

-Block tp=1 module debugging

-Block tmpl=foo system template switch

-Block template=foo site template switch

-Integration with Bad Behavior anti-spam/anti-hacker library

-Integration with Project Honeypot's HTTP:BL anti-spam / anti-hacker IP blocking directory

-Auto-ban IPs causing excessive security exceptions

OK, so those are the Joomla security tools I have in place. Did I miss anything blatant that you guys can think of?

OK, so what I don't know is what tools are needed for WordPress and the rest. So I was hoping I could get a list of tools and plugins for Joomla, Drupal etc. The most important are Joomla, WordPress, and Drupal because those are the platforms on which the majority of clients want their companies run. (Also, if you have any tools, modules or plugins for Joomla, WordPress, and Drupal that are paid extensions that you can link me to download for free, I would be very happy.)

Thanks ahead for all the wonderful replies!

Given the right hardware there is nothing a line of code cannot do that a human can, given that a human takes the time to develop the hardware and make the code. -codeboy-
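Several items in the list above (disabled directory listings, blocked access to htaccess.txt / configuration.php-dist / php.ini, a hidden generator meta tag, an overridden X-Powered-By header) can be verified after deployment without any attack tooling. The script below is an added example, not code from the thread or from any Joomla extension; it audits captured HTTP responses for those four hardening points, using constructed sample captures in place of live fetches.

```python
import re
from dataclasses import dataclass

# Files the post names as "security-sensitive files in your site's root";
# a hardened Joomla install should answer 403/404 for each of them.
SENSITIVE_PATHS = ["/htaccess.txt", "/configuration.php-dist", "/php.ini"]
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="Joomla!', re.I)
LISTING_RE = re.compile(r"<title>Index of /", re.I)

@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed, not fetched)."""
    status: int
    headers: dict
    body: str = ""

def audit_site(responses):
    """Return hardening findings for a {path: Response} capture set."""
    findings = []
    for path in SENSITIVE_PATHS:
        r = responses.get(path)
        if r is not None and r.status == 200:
            findings.append(f"{path} is served (expected 403/404)")
    for path, r in responses.items():
        if LISTING_RE.search(r.body):
            findings.append(f"{path} returns a directory listing")
        if GENERATOR_RE.search(r.body):
            findings.append(f"{path} exposes the Joomla generator meta tag")
        powered = {k.lower(): v for k, v in r.headers.items()}.get("x-powered-by")
        if powered and "php" in powered.lower():
            findings.append(f"{path} leaks X-Powered-By: {powered}")
    return findings

# Constructed captures of the same site before and after hardening.
BEFORE = {
    "/": Response(200, {"X-Powered-By": "PHP/5.3.3"},
                  '<html><head><meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />'),
    "/configuration.php-dist": Response(200, {}, "<?php class JConfig {"),
    "/images/": Response(200, {}, "<html><head><title>Index of /images</title>"),
    "/php.ini": Response(404, {}, "Not Found"),
}
AFTER = {
    "/": Response(200, {}, "<html><head><title>Home</title>"),
    "/configuration.php-dist": Response(403, {}, "Forbidden"),
    "/images/": Response(403, {}, "Forbidden"),
    "/php.ini": Response(403, {}, "Forbidden"),
}

if __name__ == "__main__":
    for name, site in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_site(site) or ["no findings"])
```

Against a real deployment the `Response` objects would come from an HTTP client pointed at your own staging host; the checks themselves stay the same.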