Security

These FAQs briefly summarise key points regarding securing your Composr site.

For more information, check out these tutorials:
Question What are the main security features of Composr?
Answer Composr has a robust set of security features to protect your website, including:

Passwords:
  • Visual representation of password quality and enforcement of complexity rules.
  • Password expiry and prevention of re-use.
  • Secure password hashing, even if the database is compromised.
  • Temporary passwords for staff setup.

Login Restrictions:
  • Two-factor authentication via IP address approval.
  • IP address banning, including wildcard banning.
  • Session locking to IP addresses.
  • Configurable session expiry times.
  • Ability to prevent privileged actions from auto-logged in sessions.
  • Optional member approval process.

Auditing Systems:
  • Comprehensive audit logging of administrative actions.
  • Logging of user actions and IP address history.
  • Tools to analyze audit logs.
  • Failed login logging.
  • Hack attack detection, logging, and banning.
  • Email notifications for changes to user credentials.

Framework Security:
  • Protection against CSRF attacks.
  • Click-jacking prevention via CSP implementation.
  • Secure coding standards and scanning techniques.
  • Configurable HTML filtering to prevent XSS attacks.
  • Secure code modularization standards.

Other features:
  • Granular privileges and access permissions.
  • Content submission validation process.
  • Rootkit detection system.
  • Spam prevention systems.
  • Web application firewall rules.
  • Moderation systems.

View

Question What are some tips for secure website maintenance?
Answer
  • Avoid FTP: Use secure alternatives like SFTP or SSH for file transfer.
  • Secure Email: Enable SSL for IMAP and POP3 email protocols.
  • Strong Passwords: Use unique and complex passwords for different services.
  • Secure Computers: Keep your own devices patched and secure.
  • Maintenance Password: Remove the maintenance password from _config.php when not in use.

View

Question What are the different types of security alerts in Composr?
Answer Composr has a variety of hack-attack codenames that trigger security alerts and logging. Some common examples include:
  • DODGY_GET_HACK: Suspicious URLs with potentially harmful characters.
  • EVIL_POSTED_FORM_HACK: Possible CSRF attempts via malicious form submissions.
  • SCRIPT_UPLOAD_HACK: Attempts to upload PHP scripts, potentially malicious.
  • DOWNLOAD_PRIVATE_URL_HACK/TRY_TO_DOWNLOAD_SCRIPT: Attempts to download sensitive files.
  • BRUTEFORCE_LOGIN_HACK: Repeated failed login attempts.
  • SQL_INJECTION_HACK: Attempts to exploit SQL queries for data extraction.

You can customize alert handling for each type in data_custom/xml_config/advanced_banning.xml (Admin Zone > Security > Configure advanced banning).

View

Question How does Composr protect against Cross-Site Scripting (XSS) attacks?
Answer Composr utilizes multiple layers of defense against XSS attacks:
  • HTML Filtering: Configurable levels of filtering prevent malicious script injection.
  • Content Security Policy (CSP): Restricts the sources from which scripts and other resources can be loaded.
  • Input Sanitization: Data is sanitized before being processed to prevent malicious code execution.
  • Output Encoding: Data displayed to users is properly encoded to prevent interpretation as active code.

View

Question How can I enhance the security of my Composr installation on shared hosting?
Answer Shared hosting environments can be inherently less secure. Here are some tips:
  • Choose a Secure Host: Opt for hosts that offer suEXEC and open_basedir for better account isolation.
  • Test Security: Verify the host's security measures with the provided filesystem_browser.php script.
  • Restrict _config.php: Remove world-writable permissions from _config.php after installation.

View

Question What is the purpose of "confirmed" and "non-confirmed" sessions?
Answer Composr distinguishes between confirmed and non-confirmed sessions for added security:
  • Confirmed: When you actively log in with your credentials.
  • Non-confirmed: When you return to the site and are automatically logged in via cookies.

You can configure zones to require confirmed sessions, preventing access from cookie-based logins alone. The Admin Zone uses this by default.

View

Question How does Content Security Policy (CSP) contribute to Composr security?
Answer CSP adds a layer of protection by controlling the resources the browser is allowed to load. It helps prevent:
  • XSS Attacks: By restricting inline scripts and limiting script sources.
  • Data Injection Attacks: By controlling the allowed origins for data requests.
  • Clickjacking: By specifying allowed framing sources.

Composr's CSP implementation utilizes "Trusted partner sites" and nonces for fine-grained control.

View

Question What additional security measures can I implement for my Composr website?
Answer
  • SSL: Enable HTTPS for encrypted communication and improved user trust.
  • Secure Zones: Configure sensitive zones to require confirmed sessions.
  • Restrict Logins: Enforce IP address confirmation for enhanced account security.
  • Maintenance Scripts: Restrict access to maintenance scripts like upgrader.php via IP restrictions.
  • Server Hardening: Disable unnecessary services, change default ports, enable automatic updates, and more.
  • Robots.txt: Use the robots.txt file to prevent search engine indexing of sensitive areas.

View

Question What steps should I take if my website has been hacked?
Answer If you suspect a security breach, take immediate action:
  • Identify the Cause: Analyze access logs for suspicious activity and pinpoint the vulnerability.
  • Clean and Restore: Restore your website from a clean backup and thoroughly remove any malicious code.
  • Address Vulnerabilities: Patch security holes, update software, and strengthen security configurations.
  • Seek Expert Help: If needed, consult security professionals for assistance with cleanup and prevention.

View