Here’s how the majority of malicious users try to hack your beloved Joomla website:
- They search for an exploit on your Joomla website.
- They use that exploit to upload a PHP file to your website.
- They invoke the URL pointing to that file, and by doing so, they create duplicates of the malicious file, hack your website, or send spam.
So, if they upload a file called cms.php, then all they need to do is to go to http://www.yourjoomlawebsite.com/cms.php and it’s over: your website either becomes labelled as a “compromised website” by Google or you will receive the dreaded email from your host telling you that your Joomla website is sending spam and you have 24 hours to address the problem or it will be shut down! At best, your website becomes an incubator of malicious files that will be used by any wannabe malicious user out there.
Fortunately, there’s a simple solution that will address this problem: block all access to all PHP files with the exception of the index.php file: your visitors, and even your administrators, only need access to the index.php file to be able to visit/manage your website. They should never need direct access to any other file on your server.
So, how to only allow access to the index.php file?
This can be done easily by adding the following code to the very beginning of your .htaccess file:
<Files *.php>
Deny from all
</Files>
<Files index.php>
Allow from all
</Files>
Once you implement the above, even if the malicious user was able to upload the cms.php file to your Joomla website through a vulnerability, he will not be able to execute it (he will be redirected to the http://www.yourjoomlawebsite.com/403.shtml page), which means that he just can’t do anything with the file that was uploaded.
But how will administrators still be able to log in?
If you have read our post from the beginning (yes, some people still do that instead of just jumping to the solution), you will see that we said that this trick also works for administrators. But, as you (probably) know, administrators use another index.php, which is the one located under the administrator folder. Luckily, the .htaccess rules are recursive, which means that any index.php file in any directory (and sub-directory) will still work, including the one located under the administrator folder. Now, although this is convenient, it creates another problem: what if the attacker uploads a file called index.php under, let’s say, the media folder? “Obviously, this solution is not bulletproof!”, you might be wondering…
You’re right, it is not bulletproof! It does block the majority of the hacks, but an experienced saboteur can still upload an index.php file instead of a cms.php file and he’ll gain control over your website. To address this problem, you will need to completely deny PHP execution in all the Joomla folders by creating, under each and every folder (with the exception of the administrator folder), an .htaccess file with the following content:
<Files *.php>
Deny from all
</Files>
This will block the execution of all PHP scripts within those folders, even if they are named index.php. Since we will need to be able to execute the index.php file under the administrator folder to allow for backend access, we can’t add that .htaccess file there, but we will need to add it under all the directories located under the administrator folder.
So, will this solution guarantee the security of my Joomla website?
No – it won’t. Certain exploits will allow malicious users to modify core Joomla PHP files (including the index.php file), so the solution is not a silver bullet. It’s not worthless though, and we think it’s a must, as it is a first level barrier against attacks and will greatly increase the security of your Joomla website.
But what if an extension needs direct access to another PHP file?
There are a few extensions out there that require direct access to a PHP file other than the index.php file (unfortunately, some of these extensions are major extensions). While this is not a good practice (and a sign of bad Joomla programming), you can also create another rule in your .htaccess file to allow the file(s) required by these extensions to work properly.
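The two steps above (the per-folder deny files, and the root rules with an exception for a script an extension insists on) written out as a small deployment script; this is an added example, not the post's own code. It assumes the Joomla root path and the extra allowed file name are passed as arguments (placeholders), and it emits the Deny/Allow syntax the post uses (Apache 2.2 mod_access; Apache 2.4 uses Require unless mod_access_compat is loaded).

```shell
#!/bin/sh
# Added example (not from the original post). Deploys the post's .htaccess
# rules across a Joomla tree. Usage:
#   write_root_rules /path/to/joomla some-extension-script.php
#   write_subdir_rules /path/to/joomla
# Both the root path and the extension script name are placeholders.

# Root .htaccess: deny every *.php, then re-allow index.php and any extra
# scripts passed as arguments (the extension exception the post mentions).
write_root_rules() {
  root="${1%/}"; shift
  {
    printf '<Files *.php>\n  Deny from all\n</Files>\n'
    printf '<Files index.php>\n  Allow from all\n</Files>\n'
    for f in "$@"; do
      printf '<Files %s>\n  Allow from all\n</Files>\n' "$f"
    done
  } > "$root/.htaccess"
}

# Every directory below the root, except the administrator directory itself,
# gets an .htaccess that denies all *.php, index.php included. The
# administrator folder keeps its index.php executable; its subfolders do not.
write_subdir_rules() {
  root="${1%/}"
  find "$root" -mindepth 1 -type d ! -path "$root/administrator" |
  while read -r d; do
    printf '<Files *.php>\n  Deny from all\n</Files>\n' > "$d/.htaccess"
  done
}

# Quick check of how many rule files were written under a root.
count_rule_files() {
  find "${1%/}" -name .htaccess | wc -l | tr -d ' '
}
```

Re-run write_subdir_rules after installing extensions that add directories, since a new folder starts without the deny file.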
We are confident that implementing the security tips in this post will greatly enhance the security of your Joomla website (we think that all Joomla websites should only allow the index.php file to be executed). If you need help with the implementation, then please contact us, we are always here to help, our fees are affordable, our work is very clean, and we treat all the websites we work on as if they were ours!
Hello,
Thank you for your interesting article.
One of my sites has been hacked for the third time now.
I hope this helps.
This should be part of standard Joomla.
Did you contact them about this?
Hi Josk,
The Joomla team most likely knows about this, but the decision to add this in the .htaccess file with a fresh Joomla install by default is probably not that easy, since there are some high profile extensions that require the usage of files other than the “index.php” file. Additionally, doing this will mean that if someone has a sub-website with other .php files, they will not work.