Our article, 10 reasons why your Joomla website got hacked, was well received by our readers (clients and visitors alike). In this post, we want to list the top 10 security tips to protect your Joomla website.
- Always keep your Joomla website up-to-date with the latest version of Joomla: Every Joomla update addresses security issues that are known to the Joomla community at the time of the update, this means that if you don’t update your Joomla website immediately, then the potential that your website will be hacked will increase. If you leave your website without updates for a long time, then it will be almost a certainty that your website will be hacked.
Hide your Joomla version: Telling the world about your Joomla version in your HTML code is like inviting malicious attacks to your own doorstep. It’s like saying, “Hey, I have Joomla version 1.5 – that is known for the following vulnerabilities (add list of vulnerabilities here) – would you like to attack me?” If you want to check that you are exposing your Joomla version to the world, then just go to your website using Firefox, right click on the page, and then click on “View Page Source”. If you see something like the following line:
<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management” />
then you are exposing your Joomla version. Check this post on how to hide your Joomla version.
Only install reliable and community-trusted extensions: Joomla has many extensions. For every feature that you can think of there is already an extensions that is written and ready to be installed. But that convenience comes at an expense. What if a new extension that you install is not secure? Because if it is, then it will compromise the security of your whole website, not just the feature(s) pertaining to that extension. So, what to do in this case? Well, before installing any extension, you need to make sure that the extension is trusted, here’s how:
- Check how many people downloaded/reviewed the extension. If the number is small, then avoid the extension altogether.
- Check the reviews by the people who have installed the extension. Are there reviews complaining about security issues with this particular extension? If you even find one such review, then avoid the extension altogether.
- If you insist on using an extension that is not used by many people, then hire a Joomla consulting company to audit the extension.
Keep your Joomla extensions up-to-date: You cannot just forget about an extension once you have it installed. You need to make sure that you always have the latest version of the extension and you need to update to the latest version whenever there’s a new one (for the same reasons you update your Joomla core to the new version of Joomla).
Install security extensions: There are many extensions that will make your website secure (but may compromise the speed of your website and/or may limit your website’s functionality, so choose wisely). Go ahead and do your research, and install one that is highly recommended by the Joomla community.
Don’t use the default table alias: Everyone who knows a thing or two about Joomla development knows that, by default, the table alias in Joomla is jos_. You should change this alias to a different one (a random 3 or 4 letter word that you can come up with). Note that some of the security extensions on the market do this for you.
Change the default permissions on your Joomla .php files: Don’t leave the permissions on your Joomla .php files set to 666 (the default). Change them to 444, which means you are giving just read access to everyone (and not read and write).
Change your passwords regularly: It is very important to change the following passwords regulary:
- The password of the “admin” user.
- The FTP password
- The MySQL password
- The hosting password (e.g. the cPanel password)
Changing your password regularly is a very healthy practice for your website’s security.
Do not allow users to upload scripts to your website: While Joomla, by default, totally forbids user upload of scripts to your website, you might be tempted at one point to allow (for one reason or the other) some of your users to upload inline scripts or executable script files to your website. No matter what the rewards are, avoid this completely. If you think it’s necessary for your website to have a feature to allow people to upload scripts, then ask some Joomla security experts to secure that feature.
Run a vulnerability scan: You should regularly run a vulnerability scan on your website. There are many website security scanners out there (just make sure you choose one that is tested and is known to provide reliable results). For our clients, we use Acunetix (read this post we have written a while ago about Acunetix and Joomla).
A couple of other tips, for advanced users:
- Read your web logs: Web logs are there for a reason. Check to see if there are some weird requests by the same IP constantly. If you see an offending IP, then block it (read how to block an IP address on your Joomla website).
Check your hosting environment: Check that your hosting provider is using the latest version of Apache, MySql, PHP, phpMyAdmin, and cPanel. Inform your hosting provider immediately if you see one of them that is not fully up-to-date.
If you need any assistance implementing the above, then, as usual, we are ready to help. We have secured many websites (we will be later introducing a monitoring package that will include the monitoring of the website’s security) and we are sure that you can secure yours. Just contact us and see how we can help you!