Joomla is a popular open source application for developing websites that is, like any platform, likely to be the subject of hacking attacks. With such online cyber-attacks forever on the rise, it makes sense to secure your Joomla installation as much as possible.
There are many steps that you can take to achieve higher levels of security. This guide takes you through the basic steps that you need to know in order to secure your Joomla website, to a reasonable extent, from hackers.
This is why it is important to take all possible measures to protect your Joomla site and improve its security. Here we will cover how to perform a Joomla security audit of your installation, finding the most appropriate hosting provider, setting user names and passwords, file permissions and using Joomla security extensions to secure your site.
Simply follow the instructions in this guide to reduce the chances of your site being hacked!
Joomla security audit
The first thing a responsible Webmaster should consider is carrying out a Joomla security audit of your website. This will enable them to create a list of potential security issues and then address them in turn with the most appropriate solution.
This may mean simple things like changing file permissions and implementing strong passwords or data encryption. It may reveal the need to carry out some more complex tasks.
For the more complex tasks, you need to have some web development skills, if in doubt seek out the services of a professional web developer first!
It is important that your website is hosted on a secure server, so make sure that your hosting provider has implemented a strong security policy within their hosting servers. If not, change to a more secure Joomla hosting provider.
Securing a website developed using the Joomla website development platform can be a challenging task, but most professional web hosting companies will be more than happy to help you to move from one host to another if you ask them.
The main things you should look for, as a minimum, when selecting a Joomla website hosting provider are as follows:
- Automatic Joomla Updates Available
- IP Address blocking
- Multiple layers of Server-side Security Filters
- Firewall, Antivirus and Malware detection software
- Immediate Response to Zero-day Mass Attacks
- Insist that your Joomla installation and its extensions are kept up-to-date
It is vitally important to keep your Joomla installation updated to the latest version, to make it difficult for new and old exploits to be used by hackers. With Joomla there are usuallynew fixes for many security issues included with each release. If your Joomla version is not up to date, you will not have these new security fixes! Curiously enough, there are more attacks that are utilising security issues in Joomla extensions than there ever are in the Joomla 3 core files themselves. This is often due to third parties being responsible for developing Joomla open source extensions.
Strong passwords and user names
Always avoid using easily cracked default user names like “user”, “admin” or “administrator”. Any hacker worth his salt will always give those a go first! Use longer, more complex user names with a combination of upper case, lower case, numeric and symbol characters like “RaT67£xxyb4”, they will be far more difficult to crack.
The next thing to worry about are passwords, again use upper case, lower case, numeric and symbol characters like “dF%*82rTY3£zYT” for example. his would be a strong password. Doing this will mean that any brute force attack will be foiled as your user name and passwords will simply be too strong to crack in a reasonable amount of time.
Here are some more tips regarding setting secure user names and passwords:
- Never use common words for passwords such as “password”, “admin”, “admi456” etc.
- Never use any personal information in passwords such as your first name or surname.
- Do not use a password generator to create a password for you because they just use algorithms to generate passwords which could be compromised by an attacker with access to the same password generator software.
- Always use Symbol characters such as #~”^!@)$ ), together with numbers, capital and lowercase letters as mentioned above.
Correctly set your File Permissions
The right permissions should be set for your Joomla files and their folders. Our recommendation is to use the following settings for the permissions:
- Set your configuration.php file permissions to 444
- Joomla folders permissions should be se to 755
- Joomla Files permissions should be set to 644
- Do not ever set 777 permissions – because this will allow anyone access!
Restrict access to your Administrative Page
The security of your Joomla website can be improved simply by restricting access to your admin area. To do this, first of all you can password protect the /administrator folder for your installation.
When you have done this an additional password will be required in order for any user to be served your standard administrator login form.
You can also restrict access to the /administrator directory just to your IP address. This will involve editing your htaccess file in the /administrator directory and adding your IP address to it
Use Joomla security extensions
There are many Joomla security extensions available such as Securitycheck, OSE Secure, JHackGuard and RSFirewall to name a few. They all have their pluses and minuses, compare them side by side to see which would work best for you. Some afree and some are not!
Backup and test restore your Joomla Site
You must ensure that you doback-up your Joomla installation regularly. Make sure that your backups are available for you to perform a restore as necessary. Also make sure that you do actually test your Joomla Installation restore procedure before you have any issues, so that you can be sure that it works!
It is always safest to have a reliable backup and restore recovery process in case the worst happens.