Joomla! is considered as one of the most powerful CMS platforms out there and as with every web application its security is essential.
The folks from Joomla! have created an official article on Joomla! security which we encourage that you read thoroughly. In this blog post we made our own security check list – adding couple of extra tips. If you have already read our WordPress security article you will find a lot of common security points between WordPress and Joomla! – but after all they are both CMS and similar security tips apply.
As a matter of fact, you will be surprised to how many web applications these security tips can be applied.
And as promised, here is the MUST do list:
- Make sure that you have the latest version of Joomla! – you will hear this for any application that you use for your site(s). You have to update to the latest version available, it is not only advisory, this is obligatory. The new versions are improved with less options to be attacked, so make sure that whenever there is an update for your applications, you install it.
- Select a strong password – please review our designated article on how to select a good password . Selecting a strong password ensures better Joomla! security. A good advice to follow is to use different passwords for the different programs and to change them every few months.
- Change the default ‘admin’ username to a different username – this is the first user a hacker would try to guess, so create an additional boundary by changing it to a non-common word.
- Remove unused templates – The same rule that applies for WordPress is valid here as well. If you don’t need a certain template anymore, make sure that you remove it, otherwise you leave a back door open for a potential hacking attack. Also, keep in mind that when you need a template, you should use up to date and original templates. In any case avoid using “nulled” templates, since there are very often infected with “back doors”, left with the only purpose of infiltrating your site and content.
- Install only secure extensions – Joomla! extensions are applications created to enhance the performance of the CMS and to add valuable features. Joomla! has an official site listing a lot of extensions, and it is highly recommended to select your extensions from this list. You can check for rating, last update, reviews and any other characteristic you find to be relevant.The above couple of tips were easy to be implemented. The next couple of tips are for the more advanced users and require certain manual changes to Joomla configuration which we do advise to be implemented with care:
- Remove the version from your site – As already discussed for WP, displaying your current version is something you should avert – keep in mind that when installing Joomla!, in the site code a meta tag will be added, revealing the version. Make sure that you have removed it. Having the version published is like a banner for people who attack the sites, since it will allow them to attack the site specifically for this version concentrating on its specific weak points. You can either set another value by inserting it in the head tag of your index.php file<?php $this->setGenerator(‘live blank or type something’); ?>or remove it from /libraries/joomla/document/html/renderer/head.php. If you don’t want to completely remove it, you can simply comment this line:$strHtml .= $tab.'<meta name=”generator” content=”‘.$document->getGenerator().'” />’.$lnEnd;
- Change the admin folder – this will respectively change your administrative URL and make it much more difficult for a potential hacker to access your data. An easy way to do so is to rename your htaccess file to .htaccess which basically creates a cookie allowing you to access your site. In case you delete your cookies, error 404 will be displayed. The code and the changes needed to be done are explained here,
- Avoid the jos_ prefix for your databases – this is the default option and every person trying to breach your security will assume that this is the prefix you have left. When you install manually Joomla!, during the installation process you are given the option to change this prefix with one of your choice.
- Do not choose the root user in mySQL to be the user for your databaseas well – this is made for restriction purposes and is available for our VPS and Cloud solutions. When you create a new database that you will use for a new site, you should create a separate user and provide the rights only for this database. Also consider restricting the permissions of this user, so that if a user do not need to create new databases, then this is not allowed. In case of a shared plan where you don’t have access to the root user, make sure that for each database you create, you allocate a different user.
- File permissions – Do not use CHMOD 777! This is very straight forward and as recommended, not only for Joomla!, set 644 for files and 755 for directories. A little detour for those of you not familiar for what these numbers stand. The first number is the permissions for the owner, the second for the group and the third for other. The numbers themselves are created based on what permissions you would like to set, with ‘read’ having the value of 4, ‘write’ of 2 and ‘execute’ of 1. Their sum in a certain situation shows which ones are allowed – for example 6 stands for ‘read’ and ‘write’, 5 for ‘read’ and ‘execute’, etc. So 644 means that the owner will have ‘read’ and ‘write’ permissions, and the group and other only ‘read’. You can set these settings from your control panel.
- Create a backup – whenever you deal with sensitive data create a backup. The supported by Joomla! backup extensions are listed here.
As with every CMS you should also keep in mind something very important – you are giving access to other people to your data. Which means that not only you need to secure your information, but you have to be very careful with the level of access you are providing the users with. Following the instructions above will make your Joomla! site much more secure and will leave you manage your sites without the thread of being hacked.
I will be happy to see your comments on the matter.
Have a secure month everyone,
Elena @ MH Team