Article Audience: Webmasters
Although by default the Joomla! core development team take great measures to ensure that there are few or no vulnerabilities in the code, there are a number settings which if not given due attention may leave your website vulnerable to attacks.
This article will give a list of measures to take to ensure a more secure Joomla! installation.
These are all tips which we use on our own web design blog, CollectiveRay, so we know that these work nicely!
CORE SECURITY SETTINGS
- Rename the Joomla! admin account - This simple step hardens your website significantly. again if you are paranoid, you should use random characters both for the username and the password for the admin
- Make sure you configuration.php file is not writeable! This step is critical, and a world-writeable configuration.php file is an invitation for hacking. You can make this non-writable from within Joomla. Go to Site > Global Configuration, Click on the Make Non-Writable after saving checkbox and Save. Any changes after this would require you to click the Overwrite write protection while saving check box.
- Always try to keep your Joomla installation upgraded to the latest version. Each upgrade adds security by closing any security holes and exploits.
- If your host allows it, switch to the more secure PHP7
- Once you have a stable site, you should change all file permissions to write protected using CHMOD (644 for files, 755 for directories). Any good FTP software should allow you to do this without having to use any scripts. You can also use the Global Configuration to apply the default permissions to all files and folders. Go to Site > Global Configuration > Server tab. Scroll down until you find File Creation. Click on CHMOD new files to 0644, and CHMOD new directories to 0755, and click on the Apply to existing files checkbox to run this setting on all your current files. Once this is done, make sure that the configuration.php file is still unwriteable. If it is Writeable, click on the Make Unwriteable after saving to make it not writeable
- JoomlaXplorer is also an easy way to edit permissions. It allows you to do this recursively, thus avoiding having to go through each and every directory.
Check your site for vulnerabilities
There are a number of tools which test your Joomla for corrupt files, and vulnerable files. Amongst these, the following tool is invaluable. Using Joomla Diagnostics you can easily scan for files that didn't transfer completely during the upload of Joomla. It will also tell you which files are missing that should be there. Also, it advises you of any security issues which you have in your site. You simply need to upload the two files in the package to your server, access the page http://www.yourdomain.com/diagnostics.php and you will get a list of warnings and security issues you have with your site. Please remember to delete this file after you have used it! Otherwise, you will be advising your issues to hackers!
Other Core Security
Never leave extra files running around
Ensure that there are no unnecessary files on your web server. Delete any files left over from the installation. Delete your installation folder and any compressed files which you might have uploaded to your web server to install the Joomla! core. Remove any components / modules / templates that you are not using.
Protect your configuration files and sensitive directories
- All configuration files should not be put in the public HTML directory. Some web hosts (e.g. GoDaddy) might not allow you to do this, so the next best thing is to create a password protected directory by using an .htaccess file. If you're not sure about the function of the htaccess file, its a good idea to read about it before you continue. Create a directory, it's a good idea to name it something random e.g. ehxum3jq rather than config in your Joomla! directory.
- Create an .htaccess file to protect the directory. Use an .htaccess generator to help you generate the file. Based on the example above you should have an .htaccess file similar to this. Remember that the directory you want to protect is the home directory (if you are not sure you can find it in the Absolute Path of your original configuration.php file) and appending the directory name you will be putting your protected files in e.g. /home/content/a/b/c/abccompany/html/ehxum3jq/
- N.B.: This only gives Basic Authentication which does not offer rigorous security. In the words from Apache.org:
Basic authentication should not be considered secure for any particularly rigorous definition of secure.
Although the password is stored on the server in encrypted format, it is passed from the client to the server in plain text across the network. Anyone listening with any variety of packet sniffer will be able to read the username and password in the clear as it goes across.
To really offer security, you need to send the password through SSL (where it would be encrypted along the way).
- Use strong passwords or pass phrases or random characters for the .htpasswd file which should be something like this. You can protect your directory even further by using IPs in the .htaccess file as stated in this FAQ
- Test to ensure that the directory is protected. Put a file in it and try to access e.g. http://www.yourcompany.com/ehxum3jq/myfile.txt. You should be prompted for a password. Supplying the username and password specified during generation should grant you access to the file, otherwise, you should get a 401 error (Access Denied).
- Use the following Joomla Forum FAQ to help you move config files from the public HTML to the password protected directory you have created. Be extra careful though when you update the Global Configuration file, because this will overwrite the file that you have created. Write-protect the configuration.php file, and any changes you require do them manually using an FTP client. And add the following line so that anyone who tries to access the php file gets a "Restricted access" error. As a general rule, all PHP files on your website should contain this line. Any PHP file which does not contain this line is a security risk.
defined( '_VALID_MOS' ) or die( 'Restricted access' );
3rd Party extensions
3rd Party Extensions are one of the best things about Joomla! There is such a wide variety of extensions, that you can probably find something already written for you. However, 3d party extensions come in all shapes and sizes and are not monitored by the core team. This means that vulnerability exists which can compromise your installation. You need to be extremely careful about installing any extensions. Monitor the List of Vulnerable 3rd Party / Non-Joomla Extensions. If you install extensions make sure you monitor their releases and ensure that you follow their security recommendations.
Backup! Backup! Backup!
Even if you have taken ALL steps to ensure that your website is 100% secure, vulnerabilities might still lurk, waiting to be found and exploited. If your site does get hacked, you MUST ensure that it comes back online as soon as possible with as little loss of content as possible. For this, you must ensure that you have good working (daily or more frequently as the need arises) backups. There are various solutions which we can recommend:
- XCloner complete backup solution. This solution allows you to backup and restore your site in minutes. It also has the added benefit of helping you move from host to host if the need arises.
- JomBackup plugin. This takes a MySql dump and emails it to you daily. Only backs up the database, other content NOT backed up.
- AkeebaBackup component. AkeebaBackup is an open-source component for the Joomla! CMS that allows for full site backups (files and database).