In the last few years, journal sites have become very popular. Open Journal Systems (OJS), released by PKP, makes it easier for any publisher to manage the whole scientific journal workflow. In 2018 there were already 10,000 users benefiting from this content management system. However, the massive growth in the use of this system also attracts hackers who try out their ability to tear apart OJS. Security Magazine cites a study which states that on average there is an attack every 39 seconds on the web, and that unsafe usernames and passwords give attackers a much greater chance to succeed.
From 2022 until now, journals have become more and more vulnerable to online gambling hacks, called Judol (short for judi online, "online gambling"). This emerged because the Judol providers organize freelance hackers and reward them with money if they can hack an OJS site and place a backlink to the gambling site. Our expert team also contributes by reporting these platform vulnerabilities to PKP.
This is very troublesome, especially for journal managers who have painstakingly built the journal from scratch and must start over from the beginning after an attack hits their journal. It would be fortunate if you still have an archive of every article; what if you have no archive of the article files, such as the article text, galleys, or other files? That is very bad.
In this article, we guide you in detail through the steps you should take to increase the security of your current OJS site; these are the same steps we apply for the clients who have trusted us to host and manage their journal sites.
Need our expert team to handle your OJS site to make it smoother and more secure?
Contact us here to discuss your needs.
OJS website security can be defined as the series of actions and procedures that you must take to protect your OJS website. This is very important if you want to prevent all forms of exploitation of your data and of your site's users. PKP has built a very good security system into OJS itself. However, new security holes are always being discovered by the PKP team or reported by the community. Fortunately, the PKP team always fixes these flaws in releases published on the official OJS Download page.
* For example, version 3.1.2-1 was declared to have security holes, which were fixed in the next version.
There are several parts of the server that need extra security setup so that the OJS installation on your server can withstand attacks from hackers; these attacks are a risk not only for OJS but for every web framework if you do not take extra care of your site.
In the past, web systems could get by without much investment in security, but this is no longer an option. Today, hackers find targets automatically and exploit every vulnerable website regardless of its income or reputation. If you do not maintain the security of your OJS site, the possible consequences include loss of data, loss of reputation, theft of internal web data and traffic, and even legal issues. It happens like this: the attacker looks for a gap in your server, runs a script against it, and the trouble starts once they are inside your server system. Obviously, none of us want that to happen to your journal site.
I will show you some hacking statistics to illustrate the impact of hacking on modern society. Naturally, hacking is a big concern for journal site owners; that is why we all need to be very concerned about and focused on the security of our OJS sites, with a few tips that we share in this article.
Hacking Statistics 2020:
- There is a hacker attack every 39 seconds.
- Russian hackers are the fastest.
- 300,000 new malware samples are created every day.
- Multi-factor authentication and encryption are the biggest hacker obstacles.
- You can become an American citizen for $6,000.
- The average cost of data breaches will be about 150 million in 2020.
- The cybersecurity budget in the US is $14.98 billion.
Reference: https://hostingtribunal.com/blog/hacking-statistics/
How to Secure OJS #
In this guide we explain in detail how to make your OJS more secure with OJS security tips and tricks; the tutorial in this article is specific to OJS.
We also explain some important points that we have applied to OJS Cloud Hosting. The information we provide below has been proven to work well for the past few years, so we can say it is valid. Here are some tips for securing OJS systems.
Always use OJS and plugins from their official site #
OJS is now the de facto standard for publisher sites worldwide. More and more users are getting used to this publishing system, and more publishers adopt it as their publication system. However, with this massive growth there are always people who lure new or existing users into using fake OJS packages or plugins that have been altered from the official release.
Make sure you always get the original version released by PKP: download the OJS files for installation and upgrade from the official site, because a copy obtained from an unofficial site may well have malware or something else harmful injected into it, and none of us want that to happen to a well-developed journal site.
Such an injected script can give unauthorized access to the OJS files and database, delete the database, or exploit your OJS site for illegal activities.
Always use the latest OJS version (stable) #
Why is it important to always update OJS to the latest stable version? PKP improves the security of every version of OJS that it releases, so it greatly benefits us to be diligent in updating,
because this narrows the window in which hackers can exploit bugs in the OJS system. Earlier versions of OJS had several bugs in the security system; as mentioned above, OJS 3.1.2 had a security issue where a PHP unserialize bug could be used for code injection. Abusing this issue requires Journal Manager access; social engineering is possible if a logged-in Journal Manager can be tricked into visiting a specially crafted (albeit long) URL.
However, PKP made a quick fix for the security bug, and it is fixed properly in the latest version, OJS 3.3.0.3.
Another case emerged in OJS versions below 3.3.0.13, where any author could change the metadata of another author on a published article by using a vulnerability in the OJS code.
With these multiple vulnerabilities made public by the PKP team, it is wise to upgrade your OJS regularly, as soon as new security vulnerabilities are announced.
Never host another platform on the same host as OJS #
If you host multiple platforms within the same public_html directory—such as running WordPress alongside OJS on the same shared hosting account—you significantly increase the risk of security breaches. Since both applications share the same hosting environment, a vulnerability in one platform can be exploited to compromise the other.
For example, if your WordPress installation has outdated plugins, themes, or core files, hackers could exploit these weaknesses to gain access to your hosting account. Once they infiltrate the server, they may move laterally and target your OJS installation, even if it is fully updated and secured. This interconnected risk makes shared hosting a less secure option, especially when running multiple applications within the same environment. To mitigate these risks, consider using separate hosting environments, implementing strict security measures, and regularly updating all installed platforms.
So it is better to host your journal / OJS exclusively, separately from other platforms.
Avoid using shared hosting #
Shared hosting is a web hosting service where multiple websites share the same server resources, including CPU, RAM, and storage. It is an affordable option, making it ideal for small websites, blogs, and startups. However, since resources are shared, high traffic on one website can affect the performance of others. It also poses security risks, as vulnerabilities in one site can potentially compromise others on the same server. While it is easy to set up and manage, it offers limited customization, scalability, and security compared to VPS or dedicated hosting.
When using shared hosting for your OJS (Open Journal Systems), your website may be exposed to security threats originating from other users on the same server. Since multiple websites share the same environment, a vulnerability in one site can put all others at risk. For example, if another user on your shared host fails to update their platform and their site gets hacked due to an application vulnerability, the attacker may gain elevated privileges on the server. Once they have access, they could potentially exploit weaknesses in the shared infrastructure, allowing them to view, modify, or even take control of your data.
Even if you take all necessary precautions—such as keeping OJS updated, using strong passwords, and implementing security best practices—your site may still be compromised due to security gaps elsewhere on the server. Since you do not have full control over the hosting environment, any breach affecting another website on the shared server could indirectly impact yours. This is a fundamental limitation of shared hosting, making it less secure than VPS or dedicated hosting, where you have isolated resources and greater control over security configurations.
Why is our managed hosting and support service right for you?
1. Four added layers of security using our exclusive OJT Guardian Server Security Protection, OJT Advanced Security (OJS plugin), protection of traffic against malicious user agents, and additional web server security. These protect your journal with our sophisticated tools.
2. Optimized journal speed using our OJT Blazing Cache, which speeds up your journal by more than 2000%!
3. Our managed hosting is the ONLY solution built specifically for OJS, compared with other hosting out there.
4. Handled and dedicated support without robots or AI: we provide you with REAL HUMANS with long experience in handling OJS.
Read more here: Why do we create exclusive OJS Managed Hosting
Regularly back up OJS data #
OJS data is not only the database; it includes all the galleys and any attachments posted with the article data, such as article PDF files, videos, images, and other galley files.
Backups are a must for managing a journal site, to avoid the worst possibilities and make sure you do not lose OJS data. Unfortunately, some panel backup systems only back up the database, which means that when a bad event hits your OJS site, restoring that backup is of no use at all. Obviously that is not very good.
Unfortunately, when you back up the OJS system, the panel usually backs up only the database, and the backup stays on the local server; what if the hacker wipes all the data on your panel?
In our experience with one of our clients, it turned out that the hosting provider's own server was hacked. As a result, all virtual hosts on that hosting server became victims because one of the virtual hosts had been hacked.
On our OJS cloud hosting, we make a full backup of the system every day, and our system then automatically uploads the file outside the server, for example to a Google server. This greatly reduces the possibility of losing your data as a whole.
In this tutorial, we guide you through a full OJS backup, including the database, the OJS files directory, and the public folder, with detailed instructions.
1. Database
Your OJS database is the structure of your OJS site: it stores data such as user details, submission details, and the detailed settings of your OJS. The OJS database is very important.
2. OJS_data
The OJS data directory (files_dir) stores the submission files, such as PDF, JATS, and HTML, of your journal site. You have to take extra backups of the OJS data folder and set up a backup routine so that the data of your OJS is stored safely. Here is how to back up the OJS data folder in cPanel:
Then download the zip file.
3. Public_html
The public folder (OJS's public directory inside public_html) contains image files such as journal thumbnails, issue covers, and the other images that OJS has processed and stored there, so you have to back this folder up regularly; then, if your site gets hacked, you do not need to redesign the images from scratch and upload them to OJS manually.
Repeat this until all OJS data has been backed up and downloaded.
We recommend running the backup routinely, at least once a week, so that you always keep the latest version of your journal.
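The three steps above as one script, an example added by this editor rather than a tool from OpenJournaltheme or PKP. It reads the database credentials and files_dir from OJS's own config.inc.php (so nothing is hard-coded), dumps the database, archives files_dir and public/, records SHA-256 checksums, and can push the result off the server with rclone; the paths, the cron line and the rclone remote name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: full OJS backup
# (database + files_dir + public/) with an off-server copy.
# All paths and the rclone remote are assumptions.

# Read KEY from [SECTION] of OJS's ini-style config.inc.php.
ojs_config_value() {  # usage: ojs_config_value CONFIG SECTION KEY
    awk -v want_sec="$2" -v want_key="$3" '
        /^[[:space:]]*\[/ { sec = $0; gsub(/[^A-Za-z0-9_]/, "", sec); next }
        /^[[:space:]]*;/ || /^[[:space:]]*$/ || !index($0, "=") { next }
        sec == want_sec {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            gsub(/^"|"$/, "", val)                 # strip optional quotes
            if (key == want_key) { print val; exit }
        }' "$1"
}

# Back up one OJS instance into DEST/ojs-backup-<UTC stamp>/ and print that path.
backup_ojs() {  # usage: backup_ojs CONFIG OJS_ROOT DEST
    cfg=$1; root=$2
    work="$3/ojs-backup-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$work" || return 1
    # 1. Database. Credentials go through a temporary option file (mode 600)
    #    so the password never appears on the command line or in `ps`.
    db_host=$(ojs_config_value "$cfg" database host)
    db_user=$(ojs_config_value "$cfg" database username)
    db_pass=$(ojs_config_value "$cfg" database password)
    db_name=$(ojs_config_value "$cfg" database name)
    if command -v mysqldump >/dev/null 2>&1; then
        optfile="$work/.my.cnf"
        (umask 077; printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' \
            "$db_host" "$db_user" "$db_pass" > "$optfile")
        if ! mysqldump --defaults-extra-file="$optfile" --single-transaction \
                "$db_name" > "$work/database.sql"; then
            echo "error: database dump failed" >&2; rm -f "$optfile"; return 1
        fi
        rm -f "$optfile"
        gzip -f "$work/database.sql"
    else
        echo "warning: mysqldump not found, database not dumped" >&2
    fi
    # 2. files_dir: submission files and galleys (PDF, JATS XML, HTML).
    #    A relative value in config.inc.php is relative to the OJS root.
    files_dir=$(ojs_config_value "$cfg" files files_dir)
    case $files_dir in /*) ;; *) files_dir="$root/$files_dir" ;; esac
    tar -czf "$work/files_dir.tar.gz" -C "$files_dir" . || return 1
    # 3. public/: journal thumbnails, issue covers and other site images.
    tar -czf "$work/public.tar.gz" -C "$root/public" . || return 1
    # Keep the config alongside and record checksums so a restore can be
    # verified first (cd into the folder and run: sha256sum -c SHA256SUMS).
    cp "$cfg" "$work/config.inc.php"
    (cd "$work" && sha256sum -- * > SHA256SUMS) || return 1
    echo "$work"
}

# Copy a finished backup off the server. REMOTE is an rclone remote such as
# "gdrive:ojs-backups" or "s3:bucket/ojs" (assumes rclone is already configured).
offsite_copy() {  # usage: offsite_copy BACKUP_DIR REMOTE
    rclone copy "$1" "$2/$(basename "$1")"
}

# Run from cron, e.g. daily at 02:00:
#   0 2 * * * /usr/local/bin/ojs-backup.sh /var/www/ojs/config.inc.php /var/www/ojs /var/backups/ojs gdrive:ojs-backups
if [ "$#" -ge 3 ]; then
    out=$(backup_ojs "$1" "$2" "$3") || exit 1
    if [ "$#" -ge 4 ]; then offsite_copy "$out" "$4"; fi
fi
```

Restore by importing database.sql.gz and unpacking the two archives into files_dir and public/, after checking SHA256SUMS; a backup that has never been restored has never been tested.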
Use a Random Password Combination
Make sure that the journal manager or super admin account you use on your OJS has credentials that are difficult to guess.
Avoid usernames or passwords that are very easy for hackers to guess, for example using your email address or the username part of your email as the password, or your own name with a year appended.
We recommend that the password be a combination of random numbers and letters, mixing upper and lower case. This policy prevents your passwords from being cracked by brute force or dictionary attacks and keeps your journal accounts safe.
Here are some tips:
- Don’t use the same password, security question and answer for multiple important accounts.
- Do not use any dictionary word in your passwords. Examples of strong passwords: 54edrt6rt5hrd5y, 56uydrthfxh, zbfUMZPE6`FC%) sZ.
Examples of weak passwords: abc123456, asdzxc123, admin2020, journal789
- Do not send sensitive information online via unencrypted (e.g. HTTP or FTP) connections, because messages in these connections can be sniffed with very little effort. You should use encrypted connections such as HTTPS, SFTP, FTPS, SMTPS, IPSec whenever possible.
- Use a combination of numbers, special characters, and upper/lower case letters:
Example:
x$03Ddo34Ken
69D%03n^D&htioDdn
To make it easier, you can use a password manager such as LastPass or another application that integrates with your browser, so you do not have to remember the passwords for all the different sites. You only need to remember your master password, and the password manager extension fills in the password on the login page automatically.
Regularly back up your server #
It is important to take the necessary steps to protect your data and ensure it is safe from potential disasters. One of the most effective ways to do this is regular backups, and one of the easiest and most reliable ways to do that is with a backup tool.
The backup system should run regularly without needing your attention; however, you need to make sure that the result of the backup can be restored perfectly.
Another tip is to keep the backup file off the server, for example in S3 storage: the server may have technical issues in the future, but you still have a copy that can be retrieved easily.
Block access for injected scripts #
Unfortunately, there are a few gaps that hackers can exploit if we do not add extra security to OJS and the server does not have a really good security setup.
I will give a short idea of how hackers use security holes in our OJS server.
Some "authors" upload a PHP shell script as part of their submission, then access that file through the browser, and the .php script runs. Of course, this is a very serious matter if it happens on your journal site.
So when we do no extra setup, the hackers can access the PHP scripts that they upload into the public folder, as in the following picture:
This time we provide tips to limit access to dangerous scripts that could be run from the OJS public folder, in the following way:
- Create a .htaccess file in the public folder.
- Paste the following rules into that .htaccess file. The deny rule carries both the Apache 2.4 directive (Require) and the legacy 2.2 directives (Order/Deny), so it works on either version; the original "allow" rule for .js files is not needed, since anything the deny rule does not match stays accessible:
<FilesMatch "\.(?:inc|php|py|php5|php4|php3|rb|phtml)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
These rules take effect only if the Apache AllowOverride setting permits .htaccess in that directory (nginx ignores .htaccess entirely, so the equivalent deny has to go into the server block). They cover the public folder only; the submission files directory (files_dir) must be kept outside the web root, as the next section explains.
Move the OJS data directory above public_html #
For this extra setup, move the OJS data directory (files_dir) outside the public_html folder so that submission files cannot be fetched directly via a link in the browser; if they can, it opens the possibility of exploiting the original data on your OJS system. After moving it, update files_dir in config.inc.php to the new absolute path.
Installing HTTPS #
Using HTTPS ensures that communication between your journal and the user cannot be intercepted by a man-in-the-middle attack. Without HTTPS, someone on the same network can capture the credentials of an OJS user: for example, if a journal manager logs in from a public place such as a coffee shop, someone can obtain the credentials and exploit them for bad purposes.
With HTTPS the traffic between browser and server is encrypted so that it becomes more secure. HTTPS encrypts session data using the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocol. HTTP is the application-layer protocol used for collaborative, distributed information systems; HTTPS was created by Netscape Communications Corporation with the aim of providing authentication and encrypted communication.
HTTPS is very important for making your OJS site more secure. There are many benefits to using HTTPS on a website, one of which is securing sensitive information, such as personal data, payments, or login information, while it is transmitted. HTTPS also increases visitor confidence and ultimately increases conversion opportunities on your website.
Installing SSL Letsencrypt #
The advantages of using HTTPS are:
1. For SEO
As Google announced in 2014, HTTPS is one of the factors that determine a website's ranking. However, your ranking will not change significantly just by switching to HTTPS.
But it has a long-term effect on user experience and builds visitor confidence going forward.
So moving from HTTP to HTTPS is something that needs to be done, as follows.
Limit the types of files uploaded using htaccess
In OJS, a hacker can upload .php or .phtml files to your OJS server by several methods. This is very dangerous if your journal does not have extra security on the server.
We will try to explain the setup of Let's Encrypt using cPanel:
Then change the base_url setting in the OJS config (the [general] section of config.inc.php) on the following line:
Then, in the [security] section of config.inc.php, set force_ssl to On so that your journal site always redirects to HTTPS:
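A check for the two config.inc.php settings covered above, the files_dir location (from the section on moving OJS data above public_html) and the base_url / force_ssl pair; this is an example added by this editor, not part of the original post. It takes the OJS root and the web root as arguments, resolves a relative files_dir against the OJS root, and fails if files_dir sits under the web root, base_url is not https://, or force_ssl is not On.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an OJS config.inc.php
# for files_dir placement and HTTPS enforcement. Paths are assumptions.

# First "KEY = value" in config.inc.php, surrounding quotes stripped. OJS keeps
# base_url in [general], files_dir in [files] and force_ssl in [security], and
# each name occurs once, so a plain key lookup is enough here.
cfg_get() {  # usage: cfg_get CONFIG KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# True (0) when files_dir resolves to a directory outside the web root.
files_dir_outside_webroot() {  # usage: files_dir_outside_webroot CONFIG OJS_ROOT WEBROOT
    fd=$(cfg_get "$1" files_dir)
    case $fd in /*) ;; *) fd="$2/$fd" ;; esac          # relative to the OJS root
    fd=$(cd "$fd" 2>/dev/null && pwd -P) || return 1   # must exist
    wr=$(cd "$3" && pwd -P) || return 1
    case $fd in "$wr"|"$wr"/*) return 1 ;; esac        # inside the web root
    return 0
}

# True (0) when HTTPS is both advertised (base_url) and enforced (force_ssl).
https_enforced() {  # usage: https_enforced CONFIG
    case $(cfg_get "$1" base_url) in https://*) ;; *) return 1 ;; esac
    case $(cfg_get "$1" force_ssl | tr 'A-Z' 'a-z') in
        on|1|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per check; exit status 1 if anything needs fixing.
audit_ojs_config() {  # usage: audit_ojs_config CONFIG OJS_ROOT WEBROOT
    rc=0
    if files_dir_outside_webroot "$1" "$2" "$3"; then
        echo "OK   files_dir is outside the web root"
    else
        echo "FAIL files_dir is inside the web root (or missing): move it above public_html and point files_dir at the new path"
        rc=1
    fi
    if https_enforced "$1"; then
        echo "OK   base_url is https:// and force_ssl is On"
    else
        echo "FAIL set base_url = \"https://...\" in [general] and force_ssl = On in [security]"
        rc=1
    fi
    return "$rc"
}

# Example: audit_ojs_config /home/journal/public_html/config.inc.php /home/journal/public_html /home/journal/public_html
```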
Prevent XSS attacks on journal websites #
XSS is HTML or client-side script injected into a journal website or any other type of website. As a result, the attacker can bypass client-side security, obtain sensitive information, and even insert dangerous applications. This is clearly very detrimental for you as a journal manager. Here are tips from OpenJournaltheme to mitigate XSS attacks through the .htaccess script: add the following lines to the .htaccess file in cPanel. Note that X-XSS-Protection is a legacy header: current browsers no longer implement the XSS filter it controlled, so on its own it adds little today. Real protection against XSS comes from OJS's own output escaping and from keeping OJS updated; a Content-Security-Policy header is the modern browser-side complement.
# Add Security Headers
<IfModule mod_headers.c>
# Protect against XSS attacks
Header set X-XSS-Protection "1; mode=block"
</IfModule>
Add protection to PHP #
Protect against injection from another domain #
open_basedir is a PHP setting, configurable per PHP-FPM pool, that restricts the PHP scripts of one domain to the folders that domain uses, so they cannot browse or read the folders of other domains on the same server.
For example, suppose another domain on the server is still running an outdated PHP 5 with a custom app such as WordPress. When that domain gets hacked, the hacker can inject malware into the other domains if open_basedir is not set for each domain.
To add open_basedir, open the PHP-FPM pool configuration used by the domain and add this parameter. php_admin_value locks the setting so scripts cannot change it; list the domain's document root, its OJS files directory if that lives elsewhere, and the temp directory PHP uses for uploads and sessions, separated by colons:
php_admin_value[open_basedir] = /folder/ofyourdomain/:/tmp/
Note that every domain on the same server needs its own open_basedir setting, because we cannot know in the future which domain's backdoor a hacker will use to attack all the domains on that server.
The best bet is to use a different server for each app or website your institution runs.
Add disabled functions to the PHP-FPM configuration #
It is also strongly recommended to add the disable_functions setting to the PHP-FPM pool configuration.
This is the configuration we add to stop a hacker who has found a vulnerability in OJS from running dangerous PHP functions:
php_admin_value[disable_functions]=popen,eval,symlink,shell_exec,exec,proc_close,proc_open,system,dl,passthru,escapeshellarg,escapeshellcmd,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals
Two caveats: eval is a language construct rather than a function, so listing it here has no effect; and disabling exec also blocks the parts of OJS that shell out, such as installing a plugin from an uploaded .tar.gz in the admin UI (OJS runs the tar binary configured in the [cli] section of config.inc.php), so test the back end after applying this setting.
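The two pool settings above, open_basedir and disable_functions, generated per domain and audited on existing pool files: an example added by this editor, not configuration from the original post. Pool names, users, socket paths and the per-site temp directory are assumptions; the required function list is a subset of the list above.

```shell
#!/bin/sh
# Added example, not code from the original post: one hardened PHP-FPM pool
# per domain, plus an audit of existing pool files. Paths/users are assumptions.

# Functions every pool must disable: process execution, dynamic module loading
# and the pcntl family. (eval is a language construct, so it cannot be listed.)
REQUIRED_DISABLED="exec shell_exec system passthru proc_open popen dl pcntl_exec pcntl_fork pcntl_signal"

# Print a pool definition for one site. open_basedir is limited to the site's
# document root, its OJS files_dir and a per-site temp dir for uploads and
# sessions (create TMPDIR, owned by USER, before starting PHP-FPM).
render_pool() {  # usage: render_pool NAME USER DOCROOT FILES_DIR TMPDIR
    cat <<EOF
[$1]
user = $2
group = $2
listen = /run/php/php-fpm-$1.sock
listen.owner = www-data
listen.group = www-data
pm = ondemand
pm.max_children = 10
php_admin_value[open_basedir] = $3:$4:$5
php_admin_value[upload_tmp_dir] = $5
php_admin_value[session.save_path] = $5
php_admin_value[disable_functions] = $(echo "$REQUIRED_DISABLED" | tr ' ' ',')
EOF
}

# Value of php_admin_value[DIRECTIVE] or php_value[DIRECTIVE] in a pool file.
pool_setting() {  # usage: pool_setting POOLFILE DIRECTIVE
    sed -n "s/^[[:space:]]*php_\(admin_\)\{0,1\}value\[$2\][[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Report what a pool file lacks; returns 1 if anything must be fixed.
audit_pool() {  # usage: audit_pool POOLFILE
    rc=0
    if [ -z "$(pool_setting "$1" open_basedir)" ]; then
        echo "FAIL $1: open_basedir is not set"; rc=1
    elif ! grep -q '^[[:space:]]*php_admin_value\[open_basedir\]' "$1"; then
        echo "WARN $1: open_basedir uses php_value; php_admin_value locks it against scripts and .user.ini"
    fi
    disabled=",$(pool_setting "$1" disable_functions | tr -d ' '),"
    missing=""
    for f in $REQUIRED_DISABLED; do
        case $disabled in *",$f,"*) ;; *) missing="$missing $f" ;; esac
    done
    if [ -n "$missing" ]; then
        echo "FAIL $1: disable_functions is missing:$missing"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $1: open_basedir and disable_functions present"
    return "$rc"
}

# Example: write a pool for one journal, then audit every pool on the host.
#   render_pool journal ojsuser /var/www/journal/public_html /var/www/journal/ojs_files /var/tmp/php-journal \
#       > /etc/php/8.1/fpm/pool.d/journal.conf
#   for p in /etc/php/8.1/fpm/pool.d/*.conf; do audit_pool "$p"; done
```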
Always patch your PHP version #
Like OJS, PHP is an application installed on your server that requires regular maintenance, such as upgrading the PHP version or applying patches.
For OJS below 3.3.0.13 we recommend PHP 7.4, as those OJS versions still have some issues with PHP 8 and above.
Here is the list of published vulnerabilities for PHP:
https://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/PHP-PHP.html
Add a layer of protection using a security app #
Another recommendation is to use an additional layer of protection in front of your OJS, inspecting the traffic before it reaches OJS.
One example is deploying ModSecurity on your server and configuring exceptions for the OJS workflow, so that it protects your OJS from common attack attempts. However, configuring ModSecurity needs some advanced knowledge of server configuration, since a careless configuration can make some back-end features of your OJS inaccessible.
For more information on how to configure ModSecurity, read: https://www.tecmint.com/install-modsecurity-with-apache-on-debian-ubuntu/
The other option is Cloudflare (CF) protection, whose free tier includes a security layer. However, our team does not like CF very much, since historically CF has suffered some downtime and your domain becomes solely dependent on their proxy servers. The details of the CF configuration can be read here.
If security and OJS speed are among your priorities, or you need to run OJS without any technical burden, we have implemented all of this protection in our hosting package below.
Our hosting package includes routine support and daily backups for your OJS, so it is far more efficient to handle your journal without having to think about the technical side.
OJS Optimized Hosting
Need our expert team to handle your OJS?
If you still need to be sure that your journal gets special care against hacks, or you need a hacked site cleaned, just contact us here.
These are some quick tips from OpenJournaltheme so that your OJS site has a better security system than before. If anything in the article above is unclear, please ask us in the comments column of this article; the openjournaltheme team is very happy to help solve your problem. Cheers!!
Our References:
https://hostingtribunal.com/blog/hacking-statistics/
https://pkp.sfu.ca/ojs/
https://thycotic.com/resources/black-hat-2019-hacker-survey-report/
https://blog.detectify.com/2020/01/30/web-security-trends-to-watch-for-2020/
https://passwords-generator.org/