How to secure OJS

In the last few years, journal websites have become very popular. Open Journal Systems (OJS) is released by PKP to make it easier for any publisher to manage the whole scientific journal process. In 2018 there were already 10,000 users benefiting from this content management system. However, the massive growth in the use of this system also attracts hackers who want to test their ability to tear the system apart. Based on Security Magazine data, a study states that on average there is an attack on the web every 39 seconds, and that unsafe usernames and passwords give attackers a much greater chance of success.

This is very troublesome, especially for journal managers who have painstakingly built and managed the journal from scratch and must start over from the beginning after an attack. It would be fortunate if you still had an archive of the article files. But what if you have no archive of any article file, such as the article text, galleys or other files? That is very bad.

In this article we guide you in detail through the steps you should take to improve the security of your current OJS site: the same steps we have applied for the clients who trust us to host and manage their journal sites.

OJS website security can be defined as the series of actions and procedures you must take to protect your OJS website. This is very important if you want to prevent any exploitation of the site's data and its users. PKP has built a very good security system into OJS itself. However, new security holes are always being discovered, either by the PKP team or reported by the community. Fortunately, the PKP team always fixes them, and the fix is released on the official OJS download page.

* For example, version 3.1.2-1 has been declared to have security holes that are fixed in the next version.

There are several parts of the server setup that need extra security configuration so that OJS on your server can withstand attacks from hackers. This kind of attack is not specific to OJS: every website framework is vulnerable if you do not take extra care of your site.

In the past, web systems got away without much investment in security, but this is no longer an option. Today hackers find targets automatically, scanning for and exploiting every vulnerable website regardless of its income or reputation. If you do not maintain the security of your OJS site, the possible consequences are loss of data, loss of reputation, theft of internal web data and traffic, and even legal issues. It happens like this: someone looks for a gap in your server, runs a script against it, and the trouble starts once those bad actors are inside your server system. Obviously, none of us wants that to happen to your journal site.

I will show you some hacking statistics to illustrate the impact of hacking on modern society. Naturally, hacking is a big concern for journal site owners, and that is why we all need to be very concerned about and focused on the security of our OJS sites, with the tips we share in this article.

Hacking Statistics 2020:

  • There is a hacker attack every 39 seconds.
  • Russian hackers are the fastest.
  • 300,000 new malware samples are created every day.
  • Multi-factor authentication and encryption are the biggest hacker obstacles.
  • You can become an American citizen for $6,000.
  • The average cost of a data breach will be about 150 million in 2020.
  • The cybersecurity budget in the US is $14.98 billion.

Reference: https://hostingtribunal.com/blog/hacking-statistics/

How to Secure OJS

In this guide we will explain in detail how to make your OJS more secure; the tutorial in this article is specific to OJS.

We will also explain some important points that we have applied to our OJS Cloud Hosting. The information below has been proven to work well over the past few years, so we can say it is valid. Here are our tips for securing an OJS system.

Always use OJS and plugins from their official site

OJS is now the standard on publisher sites worldwide. More and more users are getting used to this publishing system and more publishers adopt it as their publication platform. However, with this massive growth there are always people who lure new or existing users into downloading fake copies of OJS or plugins that have been altered from the official release.

Always get the original version released by PKP: download the OJS package for installation and upgrade from their official site. If you download it from an unofficial site, it may have been injected with malware or something else that will harm you in the future, and none of us wants that to happen to a well-developed journal site.

Such an injected script can give unauthorized access to your OJS files and database, delete your database, or exploit your OJS site for illegal activities.

Always use the latest OJS version (stable)

Why is it important to always update OJS to the latest stable version? PKP always includes security improvements in each OJS release, so it greatly benefits us to be diligent in updating.

Updating narrows the window for hackers to exploit bugs in OJS. Previous OJS versions had several bugs in the security system: as explained above, OJS 3.1.2 had a security issue in which a PHP unserialize bug could be used for code injection. Abusing this issue requires Journal Manager access; social engineering is possible if a logged-in Journal Manager can be tricked into visiting a specially crafted (albeit long) URL.

However, PKP responded with a quick fix for this security bug, and it is fully fixed in the latest version, OJS 3.1.2-4.

Regularly back up OJS data

OJS data is not only the database: it includes every galley and attachment uploaded with the article data, such as the article PDF, videos, images and other galley files.

Backups are a must for managing a journal site, to avoid the worst-case scenario of losing your OJS data. Unfortunately, some hosting panel backup systems only back up the database, which means that when you try to restore after a bad event on your OJS site, the backup is of no use at all. Obviously that is not good.

Furthermore, when the panel backs up only the database, that backup is usually stored on the same local server. What if the hacker wipes all the data on your panel?

In our experience, one of our clients was on a host where the hosting server itself was hacked. As a result, every virtual host on that server became a victim because one of the virtual hosts had been compromised.

On our OJS cloud hosting we make a full backup of the system every day, and our system automatically uploads the file outside the server, for example to a Google server, so that the possibility of losing all of your data is greatly reduced.

In this tutorial we guide you through a full OJS backup, including the database, the OJS files directory and the public folder, with detailed instructions.

1. Database

Your OJS database is the structure of your OJS site: it stores user details, submission details and the detailed settings of your OJS installation. The OJS database is very important.

[Screenshot: backup-ojs]
[Screenshot: backup-ojs2]
[Screenshot: backup-ojs3]

2. OJS_data

The OJS data folder stores the submission files (PDF, JATS, HTML and so on) of your journal sites. You have to do extra backups of the OJS data folder and set up a backup routine so that the data in your OJS is stored safely. Here is how to back up the OJS data folder in cPanel:

[Screenshot: backup-ojs4]
[Screenshot: backup-ojs5]

Then download the zip file.

3. Public_html

The public folder contains image files such as journal thumbnails, issue covers and other images used by OJS, stored by PKP in a structured layout under public_html. Back up this folder regularly so that, if your site gets hacked, you do not need to design the images from scratch and upload them manually to OJS again.

[Screenshot: backup-ojs6]
[Screenshot: backup-ojs7]

That completes the backup and download of all OJS data.
We recommend running the backup routinely, at least once a week, to make sure you always keep the latest version of your journal.
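The three parts above (database, OJS files directory, public folder) can be taken together from the shell instead of clicking through cPanel. The following script is an added example written for this article, not code from OpenJournalTheme or PKP. The paths, the database name, the use of ~/.my.cnf for credentials and the rclone remote for the off-site copy are assumptions to adapt to your own server.

```shell
#!/bin/sh
# Added example (not from the original article): full OJS backup covering the
# database, the files directory (files_dir in config.inc.php) and public/.
# Paths, database name and off-site destination are assumptions.
set -eu

# ojs_backup_files ARCHIVE DIR...  -> gzipped tar of the given directories.
# Fails if any directory is missing, so a typo in the path cannot silently
# produce an "empty" backup.
ojs_backup_files() {
    archive=$1; shift
    for d in "$@"; do
        [ -d "$d" ] || { echo "missing directory: $d" >&2; return 1; }
    done
    tar -czf "$archive" "$@"
}

# ojs_backup_db ARCHIVE DBNAME -> gzipped mysqldump.
# Assumes the credentials live in ~/.my.cnf so no password is on the command line.
ojs_backup_db() {
    mysqldump --single-transaction --routines "$2" | gzip > "$1"
}

# ojs_verify_archive ARCHIVE NAME -> succeeds only if NAME is inside the archive.
# Run this before trusting a backup; a restore is the wrong moment to discover
# the tarball is empty.
ojs_verify_archive() {
    tar -tzf "$1" | grep -qx "$2"
}

# ojs_full_backup DEST_DIR FILES_DIR PUBLIC_DIR DBNAME
# Writes three files into DEST_DIR: db dump, files tarball and a checksum list.
ojs_full_backup() {
    dest=$1; files_dir=$2; public_dir=$3; dbname=$4
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    ojs_backup_db    "$dest/ojs-db-$stamp.sql.gz" "$dbname"
    ojs_backup_files "$dest/ojs-files-$stamp.tar.gz" "$files_dir" "$public_dir"
    # Checksums let you detect a truncated or tampered copy after the upload.
    (cd "$dest" && sha256sum "ojs-db-$stamp.sql.gz" "ojs-files-$stamp.tar.gz" \
        > "ojs-$stamp.sha256")
    echo "$dest/ojs-$stamp.sha256"
}

# ojs_upload_offsite DEST_DIR -> copy the backup set off the server.
# Assumption: an rclone remote named "offsite" has been configured.
ojs_upload_offsite() {
    rclone copy "$1" offsite:ojs-backups
}

# Typical cron usage (assumed paths):
#   ojs_full_backup /var/backups/ojs /var/ojs-files /var/www/ojs/public ojs_db
#   ojs_upload_offsite /var/backups/ojs
```

Keep the archive verification and the off-site copy in the same job: a backup that only exists on the hacked server is exactly the situation described above.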

Use Random Password Combination

Make sure that the journal manager or site admin account you use in OJS has credentials that are difficult to guess.

Avoid usernames or passwords that hackers can guess very easily, for example using your email address as the password, using the username part of your email as the password, or using your name plus a year as the password.

We recommend that the password is a combination of random numbers and letters, mixing upper and lower case. This policy prevents your passwords from being cracked by brute-force or dictionary attacks and keeps your journal accounts safe.

Here are some tips:

  • Don’t use the same password, security question and answer for multiple important accounts.
  • Do not use any dictionary word in your passwords. Examples of strong passwords: 54edrt6rt5hrd5y, 56uydrthfxh, zbfUMZPE6`FC%) sZ. Examples of weak passwords: abc123456, asdzxc123, admin2020, journal789.

  • Do not send sensitive information over unencrypted connections (e.g. HTTP or FTP), because traffic on these connections can be sniffed with very little effort. Use encrypted connections such as HTTPS, SFTP, FTPS, SMTPS or IPsec whenever possible.
  • Use a combination of numbers, symbols, and upper and lower case letters, for example:

    x$03Ddo34Ken
    69D%03n^D&htioDdn

To make this easier you can use a password manager such as LastPass, or another application that integrates with your browser, so that you do not have to remember all the passwords for different sites. You only need to remember your master password, and the password manager extension fills in the password on the authentication page automatically.
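The rules above (length, mixed character classes, no dictionary word, no "name plus year") can be checked mechanically before a new journal manager password is accepted. The script below is an added example written for this article, not part of OJS or of OpenJournalTheme's tooling; the word list is a small constructed stand-in for a real dictionary, and the 12-character minimum is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: check a candidate password
# against the advice in this section. WEAK_WORDS is a constructed stand-in
# for a real dictionary file; the minimum length of 12 is an assumption.
set -eu

WEAK_WORDS="admin journal password editor manager ojs"

# password_ok PASSWORD -> exit 0 when every rule is satisfied, 1 otherwise.
# The first failing rule is written to stderr so the user knows what to fix.
password_ok() {
    pw=$1
    if [ "${#pw}" -lt 12 ]; then echo "too short" >&2; return 1; fi
    printf '%s' "$pw" | grep -q '[[:upper:]]'  || { echo "no upper-case letter" >&2; return 1; }
    printf '%s' "$pw" | grep -q '[[:lower:]]'  || { echo "no lower-case letter" >&2; return 1; }
    printf '%s' "$pw" | grep -q '[[:digit:]]'  || { echo "no digit" >&2; return 1; }
    printf '%s' "$pw" | grep -q '[^[:alnum:]]' || { echo "no symbol" >&2; return 1; }
    # Dictionary check is case-insensitive: "Journal2020!xyz" still contains "journal".
    lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    for w in $WEAK_WORDS; do
        case "$lower" in
            *"$w"*) echo "contains dictionary word: $w" >&2; return 1;;
        esac
    done
    # "identity + year" pattern such as admin2020, optionally followed by symbols.
    if printf '%s' "$pw" | grep -Eq '^[[:alpha:]]+(19|20)[0-9]{2}[^[:alnum:]]*$'; then
        echo "looks like a name followed by a year" >&2; return 1
    fi
    return 0
}

# Usage: password_ok "$candidate" && echo accepted
```

The checks run in the order a user would most easily fix them; a password generated by a password manager, as recommended above, passes all of them without effort.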

Block access for Injected script

Unfortunately, there are a few gaps that hackers can exploit if we do not add extra security to OJS and the server itself does not have a really good security setup.

I will give a little idea of how hackers exploit security holes on an OJS server.

Some "authors" upload a PHP shell script as a submission file during the submission process, then request that file through the browser, and the .php script runs on the server. Of course this is a serious problem if it happens on your journal site.

So when we do not do any extra setup, the hackers can access the PHP scripts they uploaded into the public folders, as in the following picture:

[Screenshot: php-script-ojs]

Here we provide tips to block access to dangerous scripts that could be run from the OJS public folder, in the following way:

  • Create a .htaccess file in the public folder
[Screenshot: secure-ojs1]
  • Then paste the following into that .htaccess file:

# JavaScript files stay accessible. (<Files> matches the file name only,
# so the original "js/" prefix in the pattern never matched anything.)
<FilesMatch "\.(?:js|JS)$">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Allow from all
    </IfModule>
</FilesMatch>

# Never serve or execute script files uploaded into the public folder.
<FilesMatch "\.(?:inc|php|py|php5|php4|php3|rb|phtml)$">
    # Apache 2.4
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2, or 2.4 with mod_access_compat (the Order/Deny form alone
    # causes a 500 error on Apache 2.4 when mod_access_compat is not loaded)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

That's all!

We have built our OJS Cloud Hosting to handle this kind of threat: only the intended OJS files are served, and we protect our cloud hosts with further hardening at the PHP level and web server level, plus additional configuration to tighten security against any threat.
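The .htaccess rule stops the web server from executing an uploaded script, but it does not tell you that one was uploaded. The check below, an added example written for this article and not part of OJS or OpenJournaltheme's hosting, walks the upload locations and reports any file with an extension from the same list the rule denies. It is meant to be run by hand or from cron; the directory paths are assumptions and should be your real files directory and public folder.

```shell
#!/bin/sh
# Added example, not from the original article: find script files that should
# never exist in the OJS upload locations (files directory and public/).
# Directory paths are assumptions; pass your real files_dir and public folder.
set -eu

# find_uploaded_scripts DIR... -> prints one path per line for every file whose
# extension is on the deny list of the .htaccess rule above. Exits 0 when
# nothing was found and 1 when at least one hit exists, so a cron job can
# alert on the exit status. Missing directories are skipped.
find_uploaded_scripts() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -iname is case-insensitive (shell.PHP, Shell.Phtml, ...).
        # '*.php.*' also catches double extensions such as name.php.pdf, which
        # the "$"-anchored .htaccess pattern does not cover.
        hits=$(find "$dir" -type f \( -iname '*.php' -o -iname '*.php.*' \
               -o -iname '*.php3' -o -iname '*.php4' -o -iname '*.php5' \
               -o -iname '*.phtml' -o -iname '*.inc' -o -iname '*.py' \
               -o -iname '*.rb' \))
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return "$found"
}

# Usage (assumed paths): find_uploaded_scripts /var/ojs-files /var/www/ojs/public
```

Any hit deserves a look at the submission it belongs to and at the account that uploaded it; a legitimate galley is a PDF, HTML or XML file, never a script.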

Move the OJS files directory above public_html

For this extra setup, move the OJS files directory (OJS_data) outside the public_html folder so that the data cannot be accessed via a URL in the browser; if it were accessible, the original data on your OJS system could be exploited.

[Screenshot: ojs-files]

Installing HTTPS

[Screenshot: https-ojs]

be encrypted so that it becomes more secure. Besides that, HTTPS also encrypts session data using the SSL (Secure Socket Layer) or TLS (Transport Layer Security) protocol. HTTP is the protocol used for collaborative, distributed information systems and runs at the application layer. HTTPS was created to provide authentication and encrypted communication, and it was created by Netscape Communications Corporation.

HTTPS is very important for making your OJS site more secure. There are many benefits to using HTTPS on a website, one of which is securing sensitive information, such as personal data, payments or login information, during transmission. HTTPS can also increase visitor confidence and ultimately increase conversions on your website.

Installing SSL with Let's Encrypt

The advantages of using HTTPS are:

1. For SEO

Google announced in 2014 that HTTPS is one of the factors in ranking a website. However, your website ranking will not change significantly just by switching to HTTPS.

But it has a long-term effect on user experience and builds visitor confidence going forward.

So moving from HTTP to HTTPS is something that needs to be done, in the following way.

Limit the types of files uploaded using .htaccess

On an OJS system a hacker can upload .php or .phtml files to your OJS server by several methods. This is very dangerous if your journal does not have extra security on the server.
We will explain the setup of Let's Encrypt using cPanel:

[Screenshot: https ojs]
[Screenshot: instal-https-ojs]
[Screenshot: install-https-ojs2]
[Screenshot: instaling-https]
[Screenshot: setup-https-ojs]

Then change the base_url setting in the OJS config (config.inc.php) to your https address on the following line:

Then, in the security settings of the same config file, make your journal site always redirect to HTTPS by turning force_ssl on:

[Screenshot: setup https ojs]
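The two config.inc.php changes described above can be applied from the shell in one step, which is convenient when you manage several journals. The script below is an added example written for this article, not code from PKP or OpenJournaltheme; the config path and the journal URL are assumptions for your own installation. It only touches the uncommented base_url and force_ssl lines, keeps a dated copy of the original file, and refuses a base_url that is not https.

```shell
#!/bin/sh
# Added example, not from the original article: switch an OJS config.inc.php
# to HTTPS (base_url -> https address, force_ssl = On). Config path and URL
# are assumptions for your own installation.
set -eu

# ojs_force_https CONFIG_FILE HTTPS_BASE_URL
# Rewrites only the uncommented "base_url = ..." and "force_ssl = ..." lines;
# commented ";base_url[...]" examples and force_login_ssl are left untouched.
ojs_force_https() {
    cfg=$1; url=$2
    case "$url" in
        https://*) ;;
        *) echo "base_url must start with https://" >&2; return 1;;
    esac
    # Keep a dated copy so the change can be reverted if the certificate
    # turns out not to be ready yet (forcing SSL without one locks you out).
    cp "$cfg" "$cfg.bak-$(date +%Y%m%d%H%M%S)"
    sed -i.tmp \
        -e "s|^base_url = .*|base_url = \"$url\"|" \
        -e 's/^force_ssl = .*/force_ssl = On/' "$cfg"
    rm -f "$cfg.tmp"
}

# ojs_https_settings CONFIG_FILE -> prints the two effective lines, e.g.
#   base_url = "https://journal.example.org"
#   force_ssl = On
ojs_https_settings() {
    grep -E '^(base_url|force_ssl) = ' "$1"
}

# Usage (assumed path and URL):
#   ojs_force_https /var/www/ojs/config.inc.php https://journal.example.org
#   ojs_https_settings /var/www/ojs/config.inc.php
```

Run ojs_https_settings before and after the change; if force_ssl is On but the certificate is not yet installed, the site will redirect to an HTTPS address that does not answer, so apply this only after the Let's Encrypt step above has completed.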

Prevent XSS attacks on journal websites

XSS is HTML code or client-side script injected into a journal website or any other type of website. As a result, the attacker can bypass client-side security, obtain sensitive information and even insert dangerous applications. This is clearly very harmful for you as a journal manager. Here are tips from OpenJournaltheme to reduce XSS attacks via .htaccess: add the following lines to the .htaccess file in cPanel.

# Add security headers
<IfModule mod_headers.c>
    # Protect against XSS attacks in older browsers. Note: current Chrome,
    # Edge and Firefox ignore X-XSS-Protection, so treat this header as a
    # supplement to keeping OJS updated and to the upload restrictions above.
    Header set X-XSS-Protection "1; mode=block"
</IfModule>

Those are some quick tips from OpenJournaltheme so that your OJS site has a better security system than before. If anything in the article above is unclear, please ask us in the comments section of this article; the OpenJournaltheme team is very happy to help solve your problem. Cheers!!

Our References:

https://hostingtribunal.com/blog/hacking-statistics/
https://pkp.sfu.ca/ojs/
https://thycotic.com/resources/black-hat-2019-hacker-survey-report/
https://blog.detectify.com/2020/01/30/web-security-trends-to-watch-for-2020/
https://passwordsgenerator.net/
