Joomla, an open source content management system (CMS) needs no introduction as it is one of the most popular systems nowadays. One can say that it’s a very powerful framework too. As it’s open source and very popular there are lots of hackers and attackers who try to break into your website, steal information, crash it, inject scripts and totally destroy your hard work.
In this article I’ll try to list some of the most common Joomla security tips that every web developer or website owner should take in order to prevent attackers from breaking your site.
Install Latest Version - When you usually start Joomla website you go to Joomla.org and it’s highly recommended to download the latest version of Joomla available.
If you already have a website that runs Joomla, you should definitely update it to the latest available version.
Now, it’s time for real tips:
1. Administrator’s User Name
It’s worthy to mention that it’s a common issue for most of the website owners to leave Joomla’s default username. If you are still using “admin” as a username – go and change it now! And make sure not to put password like “1234” during installation. I did that once, and on the second day of launching the website it was hacked. It’s highly recommended to use punctuation symbols (? ! . :) within your password.
2. TEMP and LOG folders
By default, Joomla places its log and temporary files inside /temp and /log folders. This wouldn’t be a big issue if you wouldn’t install third party extensions. In most of cases extensions use the built in “JLog” class. This will, by default write logs to /logs folder. In this case it will be much easier for attackers to read the 3rd party extension’s code and then access your log files that by default will be located at the well known location. This is what Joomla’s official docs have to say regarding /temp and /log folders:
“If the log and temp paths are changed and PHP open_basedir configuration directive is set, make sure that the new paths fall within the scope of open_basedir. There is currently no easy way to move the Joomla! /image and /media directories. This is because thousands of third party extensions expect to find these important directories at the current location. The best plan is to make sure open_basedir is properly set for all the user accounts on your server. Check with your host if unsure.”
To change /temp and /log folders you have to log into back-end, go to System -> Global Configuration menu. Under the System tab you will find field titled “Path to Log Folder” and under Server tab find field titled “Path to Temp Folder”.
3. File and Directory permissions
Usually when under development you don’t need to set proper file and directory permissions to your site as far as – personally I do develop everything on my local machine and upload the final product to the public server when the testing process is finished. When under development I usually set all permissions to 777. But it’s very important not to forget to set appropriate permissions when you upload your website to the public server. On Unix/Linux based servers, depending on the security configuration of your Web server the recommended default permissions are 755 for directories and 644 for files. For your configuration.php file use 444 file permissions. And never use 777 permissions. Don’t use extensions that require you to set 777 permissions.
You can typically set file and folder permissions using SSH connection (in case your hosting company provides SSH) or simply using your FTP client. My favorite is FileZilla.
Access your server and navigate to your Joomla installation folder, right click on the folder that contains your website and select “File Permissions…”. First set permissions for folders by selecting “Recurse into subdirectories” -> “Apply to directories only” and then perform the same for files only with appropriate permissions mentioned above.
4. Password-protect administrator directory
HTPASSWD is a common utility in Unix- and Linux-based web servers that adds basic user authentication to a set of files and folders. Blocking HTTP requests to the Joomla Administrator folder is widely regarded as one of the easiest and most effective deterrents to intruders. For the hacker this makes the Administrator directory completely invisible, since there is no need for anyone in the public to be able to see it why not protect it completely?
.htpasswd file is simply a file that includes usernames and encrypted passwords, a .htaccess file can include directives to ensure the username and password need to be entered to access the folder. This method can be used without adding any extensions to your Joomla installation and relies on your server instead. It is recommended that the .htpasswd file is saved outside the public_html folder.
First create the .HTPASSWD file
The .htpasswd file contains the username and password and should NOT be found in the folder that needs to be protected. In order to ensure it is most secure it should be located outside the public_html folder.
Inside the .htpasswd file you should place: mysecretusername:myencryptedpassword
The above creates a username "mysecretusername" with an encrypted password "mysecretpassword". You can generate your username and encrypted password at DynamicDrive.
Then copy the generated contents and using your FTP client or cPanel file management utility, navigate to the folder in which public_html is found, the path is likely something like /home/myaccount.
- Create a simple text file name .htpasswd
- Copy the usernames with password into the .htpasswd file
Next you need to create the .htaccess file
The .htaccess file is found in the folder that needs to be protected and includes directives that enforce the username and password and the full path to the .htpasswd file Navigate to the Administrator folder, the path is likely something like /home/myaccount/public_html/administrator
Create a simple text file name .htaccess (or open the one that already exist there)
Copy the appropriate directives at the top of the .htaccess file:
AuthName "Secured Area"
5. Restrict access to administrator by IP
You can restrict the access to the /administrator directory only to your IP address. If there isn't a file named ".htaccess" in the /administrator directory, create one and upload it via FTP for example, otherwise, just add the following lines at the end of the .htaccess file:
Deny from ALL
Allow from xxx.xxx.xxx.xxx
You need to replace xxx.xxx.xxx.xxx with your actual public IP address. To find out your address, you can use the whatismyipaddress.com for example. To add multiple IPs, simply duplicate the “Allow from xxx.xxx.xxx.xxx” command to a new line and change the address.
NOTE: If your Internet service provider is giving you a dynamic IP address, the IP restriction option might not be suitable for you because you'll have to edit the .htaccess file each time your IP changes.
6. Restrict PHP script execution in folders
Joomla uses only two PHP files to execute in order to work properly. There are: index.php files in Joomla’s root directory and administrator directory. The rest of the PHP files are part of Joomla framework and are executed from inside the framework and are not called directly.
Sometimes hackers manage to upload some PHP files to your Joomla’s directories and then execute them directly from the browser and get access to your configuration file and execute scripts to hack your site.
In order to prevent direct execution of PHP files you are advised to put .htaccess files inside: cache, images, includes, language, libraries, media, modules and plugins directories as far as these are most commonly attacked folders.
Inside the .htaccess file you should code that prevents execution of all PHP files inside the directory where you place your .htaccess file:
deny from all
7. Check your extensions
I’m not a big fan of third party extensions, but there are times when you really need to install them. Before you install any particular extension, read comments on Joomla’s extensions website, check developers page and see if they release updates or patches to their extensions. Well, take your time and do some research!
Through the time some Joomla extensions can become vulnerable, so in order to keep things up to date and learn which of your extensions have become vulnerable visit Joomla vulnerable extensions list website and National Vulnerability Database.
8. Do Backups!
The most important thing to do is Do Backups of your website. Do it at least on monthly basis. It depends so often you update your content; what changes are you making to your website. I personally recommend that you do updates on weekly basis. Some hosting providers do regular backups too.
This is almost everything that you can do to secure your Joomla installation. But this doesn’t guarantee that your website is safe for 100%. Keep in mind that your security highly depends on your hosting provider too. Which version of PHP are they using? What rules have they applied to take care of security. It’s also recommended to avoid shared hosting as far as if the server isn’t properly set up your site might get affected if someone else’s website has been hacked.
One of the best optimized hosting providers is SiteGround and they really do a great job for security.
So do read and research a lot, keep an eye on updates and never stop enhancing your website’s security.