OJS Security

  • OJS is an excellent e-publishing platform, but an outdated or poorly configured installation has weaknesses that attackers exploit to break into a site and deface, cripple or destroy it. Open Journal Systems security should therefore be one of your primary concerns. See Open Journal Systems (OJS): Hacking Epidemic and Solutions for more information.
  • Any OJS security breach has serious consequences. Publishing sites running OJS hold databases with detailed personal information about researchers (authors, reviewers and editors), which attackers can use for identity theft and fraud. Attackers could also steal unpublished manuscripts, or use the journal itself to publish bogus research. That is on top of compromising the server as a whole and taking the site down.
  • Unfortunately you often won't know you've been hacked until it's too late. Tell-tale signs: the OJS landing page has changed, spam links or odd characters appear in your content, pages come up blank, or PHP errors are displayed. If you see any of these, chances are your site has been hacked.
  • Yes; however, there are many steps to properly securing an OJS site, some of them quite technical. If you aren't well versed in the workings of OJS, PHP code and databases, you're better off leaving it to a professional. Almost all of the hacked sites we've fixed had some kind of do-it-yourself security in place.
  • Yes. We will perform a security audit of your site from many different angles and then present our findings and recommendations in a document with a clear road map for the next steps.

OpenJournalSystems.com places the utmost emphasis on security and we are always looking for ways to improve. We use several layers of security to protect your OJS site from being hacked. Each layer on its own is capable of stopping an attack; combined, they give a far stronger defence than any single control, because an attacker has to get past every one of them. Our security policies and protocols cover both OJS hardening and server hardening.

  • OJS Security Hardening:
    1. OJS File Upload Validation Plugin: lets the Admin/Journal Manager choose which file types authors may upload during the submission process; everything else is rejected. This blocks the upload of OJS malware such as PHTML files: many Apache/PHP configurations execute .phtml as PHP, so a single uploaded .phtml file gives an attacker a web shell on the server from which to upload further malicious files.
    2. OJS Registration Notification Plugin: sends an email notification to a predetermined address whenever a user registers with a journal. The email contains the username, email address, affiliation, journal and role(s) registered for, together with an option to delete the account from OJS. This lets the Admin/Journal Manager verify or block any new registration.
    3. OJS Files Directory Protection: the OJS files directory (the files_dir setting in config.inc.php) is placed outside the web root, so uploaded files cannot be fetched or executed directly through the web server.
    4. Restrict File Permissions: getting file permissions right is one of the most important factors in keeping an OJS installation secure. We apply restrictive permissions (no world-writable files or directories) while keeping OJS fully functional.
    5. OJS Password Hashing: changing the OJS configuration (the encryption setting in config.inc.php) to hash stored passwords with SHA1 rather than MD5. Note that despite the setting's name this is hashing, not encryption; SHA1 is an improvement over MD5 but is still a fast hash, and current OJS 3.x releases use PHP's password_hash() instead.
  • Server Security Hardening:
    1. ConfigServer Firewall: ConfigServer Security & Firewall, known to most cPanel and WHM users simply as CSF, is a widely used iptables-based firewall paired with a login-failure daemon (lfd). Having it in place considerably increases server security and gives you a robust interface for managing firewall rules and settings.
    2. cPHulk Brute-Force Protection: cPHulk prevents a server from falling victim to brute-force login attempts. A brute-force attack is a password-guessing technique: trying to log in over and over, changing the username and/or password after each failure. Given enough time, even a moderately strong random password can fall to this if nothing limits the attempts, because some attackers will try every combination they can. cPHulk detects and blocks these attacks by counting failed login attempts per source address and per account. This can also lock you out if the failed logins come from your own internet connection, so your own IP addresses should be whitelisted.
    3. Lynis Security Audit: Lynis is an open-source security auditing tool used by system administrators, security professionals and auditors to evaluate the defences of Linux and UNIX-based systems. Because it runs on the host itself, it can examine configuration and installed software in more depth than a network vulnerability scanner.
    4. Munin Network Monitoring Tool: Munin is a system, network and infrastructure monitoring application that graphs resource trends over time and alerts the system administrator when a monitored value crosses a warning or critical threshold.
    5. ClamAV Malware Scanner: Clam AntiVirus (ClamAV) is an open-source toolkit that detects many kinds of malicious software, including viruses and trojans. We run it over the account home directories and, on mail servers, as a server-side email virus scanner.
    6. Server-Side Security Scripts: proprietary scripts that prevent execution of OJS defacement malware and close any unused ports.
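
Two of the OJS hardening items above can be shown as working checks. The following is a hypothetical example added here; it is not OJS code or an OpenJournalSystems.com plugin. validate_upload() is a deny-by-default allowlist of the kind the File Upload Validation item describes, and audit_install() is a read-only audit of an installation for the files-directory, permission and hashing items (it also flags PHP code lying in files_dir, which is what a successful malware upload looks like on disk). The files_dir and encryption keys are real OJS 2.x config.inc.php settings; the directory layouts, file contents and the ALLOWED_EXTENSIONS set are constructed for the demo.

```python
"""Hypothetical hardening checks for an OJS 2.x install (added example, not OJS
or OpenJournalSystems.com code; the sample trees below are constructed).
validate_upload(): deny-by-default allowlist for author uploads (the idea behind
the File Upload Validation item).  audit_install(): read-only audit for the other
items: files_dir outside the web root, no world-writable files, hashing not left
at md5, no PHP code sitting in files_dir."""
import configparser
import os
import stat
import tempfile

# Author-uploadable extensions (constructed set); anything else is rejected.
ALLOWED_EXTENSIONS = {"pdf", "doc", "docx", "odt", "rtf", "txt", "jpg", "png"}
# Extensions a typical Apache/PHP setup executes. Rejected anywhere in the name
# ("paper.pdf.phtml", "shell.phtml.pdf"): some handlers match any dotted segment.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
# Leading bytes for the types we can sanity-check (not exhaustive).
MAGIC = {"pdf": (b"%PDF-",), "rtf": (b"{\\rtf",), "jpg": (b"\xff\xd8\xff",),
         "png": (b"\x89PNG\r\n\x1a\n",), "docx": (b"PK\x03\x04",), "odt": (b"PK\x03\x04",)}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_upload(filename, head):
    """Return (accepted, reason); `head` is the first bytes of the upload."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:  # "README" or ".htaccess"
        return False, "missing or hidden extension"
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable extension in name"
    ext = exts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not in allowlist"
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    if head.lstrip().startswith(SCRIPT_MARKERS):
        return False, "script content in file"
    return True, "ok"


def audit_install(ojs_root, web_root):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    # OJS's ';<?php exit(); // DO NOT DELETE ?>' header line parses as a comment.
    cfg.read(os.path.join(ojs_root, "config.inc.php"))

    web_root = os.path.realpath(web_root)
    files_dir = os.path.realpath(
        os.path.join(ojs_root, cfg.get("files", "files_dir", fallback="files")))
    if os.path.commonpath([files_dir, web_root]) == web_root:
        findings.append("files_dir is inside the web root: " + files_dir)
    if cfg.get("security", "encryption", fallback="md5").lower() == "md5":
        findings.append("security.encryption is md5")

    for dirpath, _, names in os.walk(files_dir):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IWOTH:
                findings.append("world-writable: " + path)
            with open(path, "rb") as fh:
                head = fh.read(16)
            ext = name.rsplit(".", 1)[-1].lower()
            if ext in EXECUTABLE_EXTENSIONS or head.lstrip().startswith(b"<?php"):
                findings.append("PHP code in files_dir: " + path)
    return findings


def _write(path, data, mode=0o640):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo():
    """Audit two constructed layouts; returns (unhardened, hardened) findings."""
    header = b";<?php exit(); // DO NOT DELETE ?>\n"
    with tempfile.TemporaryDirectory() as tmp:
        # Unhardened default: files/ under the web root, md5 hashing, and a
        # world-writable web shell that slipped through an upload form.
        bad = os.path.join(tmp, "bad", "public_html")
        _write(os.path.join(bad, "config.inc.php"),
               header + b"[files]\nfiles_dir = files\n[security]\nencryption = md5\n")
        _write(os.path.join(bad, "files", "journals", "1", "x.phtml"),
               b"<?php system($_GET['c']); ?>", 0o666)
        # Hardened: files_dir beside the web root, sha1, 0640 files.
        good = os.path.join(tmp, "good", "public_html")
        _write(os.path.join(good, "config.inc.php"),
               header + b"[files]\nfiles_dir = ../ojs-files\n[security]\nencryption = sha1\n")
        _write(os.path.join(tmp, "good", "ojs-files", "journals", "1", "paper.pdf"),
               b"%PDF-1.4 constructed sample")
        return audit_install(bad, bad), audit_install(good, good)
```

demo() audits the two constructed layouts: against the unhardened one it reports four findings (files_dir under the web root, md5 hashing, a world-writable file, and a .phtml web shell inside files_dir) and nothing against the hardened one. validate_upload() is deliberately stricter than a plain last-extension check: it rejects an executable extension anywhere in the name, a dotfile such as .htaccess, and a file whose leading bytes do not match the type its extension claims, which is how a renamed PHP script is caught.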