Our article, 10 reasons why your Joomla website got hacked, was well received by our readers (clients and visitors alike). In this post, we want to list the top 10 security tips to protect your Joomla website.
- Always keep your Joomla website up-to-date with the latest version of Joomla: Every Joomla update addresses security issues that are known to the Joomla community at the time of the update, this means that if you don’t update your Joomla website immediately, then the potential that your website will be hacked will increase. If you leave your website without updates for a long time, then it will be almost a certainty that your website will be hacked.
-
Hide your Joomla version: Telling the world about your Joomla version in your HTML code is like inviting malicious attacks to your own doorstep. It’s like saying, “Hey, I have Joomla version 1.5 – that is known for the following vulnerabilities (add list of vulnerabilities here) – would you like to attack me?” If you want to check that you are exposing your Joomla version to the world, then just go to your website using Firefox, right click on the page, and then click on “View Page Source”. If you see something like the following line:
<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management” />
then you are exposing your Joomla version. Check this post on how to hide your Joomla version.
-
Only install reliable and community-trusted extensions: Joomla has many extensions. For every feature that you can think of there is already an extensions that is written and ready to be installed. But that convenience comes at an expense. What if a new extension that you install is not secure? Because if it is, then it will compromise the security of your whole website, not just the feature(s) pertaining to that extension. So, what to do in this case? Well, before installing any extension, you need to make sure that the extension is trusted, here’s how:
- Check how many people downloaded/reviewed the extension. If the number is small, then avoid the extension altogether.
- Check the reviews by the people who have installed the extension. Are there reviews complaining about security issues with this particular extension? If you even find one such review, then avoid the extension altogether.
- If you insist on using an extension that is not used by many people, then hire a Joomla consulting company to audit the extension.
-
Keep your Joomla extensions up-to-date: You cannot just forget about an extension once you have it installed. You need to make sure that you always have the latest version of the extension and you need to update to the latest version whenever there’s a new one (for the same reasons you update your Joomla core to the new version of Joomla).
-
Install security extensions: There are many extensions that will make your website secure (but may compromise the speed of your website and/or may limit your website’s functionality, so choose wisely). Go ahead and do your research, and install one that is highly recommended by the Joomla community.
-
Don’t use the default table alias: Everyone who knows a thing or two about Joomla development knows that, by default, the table alias in Joomla is jos_. You should change this alias to a different one (a random 3 or 4 letter word that you can come up with). Note that some of the security extensions on the market do this for you.
-
Change the default permissions on your Joomla .php files: Don’t leave the permissions on your Joomla .php files set to 666 (the default). Change them to 444, which means you are giving just read access to everyone (and not read and write).
-
Change your passwords regularly: It is very important to change the following passwords regulary:
- The password of the “admin” user.
- The FTP password
- The MySQL password
- The hosting password (e.g. the cPanel password)
Changing your password regularly is a very healthy practice for your website’s security.
-
Do not allow users to upload scripts to your website: While Joomla, by default, totally forbids user upload of scripts to your website, you might be tempted at one point to allow (for one reason or the other) some of your users to upload inline scripts or executable script files to your website. No matter what the rewards are, avoid this completely. If you think it’s necessary for your website to have a feature to allow people to upload scripts, then ask some Joomla security experts to secure that feature.
-
Run a vulnerability scan: You should regularly run a vulnerability scan on your website. There are many website security scanners out there (just make sure you choose one that is tested and is known to provide reliable results). For our clients, we use Acunetix (read this post we have written a while ago about Acunetix and Joomla).
A couple of other tips, for advanced users:
- Read your web logs: Web logs are there for a reason. Check to see if there are some weird requests by the same IP constantly. If you see an offending IP, then block it (read how to block an IP address on your Joomla website).
-
Check your hosting environment: Check that your hosting provider is using the latest version of Apache, MySql, PHP, phpMyAdmin, and cPanel. Inform your hosting provider immediately if you see one of them that is not fully up-to-date.
If you need any assistance implementing the above, then, as usual, we are ready to help. We have secured many websites (we will be later introducing a monitoring package that will include the monitoring of the website’s security) and we are sure that you can secure yours. Just contact us and see how we can help you!
[…] In our next post, we will discuss what to do when you know that your website is hacked (the first thing to do if you can’t fix it yourself is to contact us – we will help you and we are available 24/7/365). Meanwhile, if your website is OK, then check these security tips for your Joomla website. […]
[…] your website: Follow these security tips to protect your Joomla website, so that the unfortunate event that happened will not reoccur […]
[…] need to make sure that your website is always clean and safe for your visitors. You can check these Joomla security tips if you want to find out more on how you can protect your […]
[…] have discussed before 10 security tips for your Joomla website. We will re-discuss them concisely (and a bit differently) in this […]
[…] The table prefix: Also known as database/table alias, the table prefix defines what prefix should be appended to your Joomla tables in the database. The table prefix is defaulted to jos_, that’s why in the Joomla database, you have tables such as jos_categories instead of just categories. The table prefix is defined by the $table_prefix variable. The table prefix is useful in case you have multiple websites powered by the same database (and you don’t need to have conflicts between the tables). It is also very useful for security (it will be hard to guess your table name if you change the table prefix. (see 10 Security Tips for Your Joomla Website. […]
[…] your Joomla website by injecting malicious SQL into your code. We also suggest that you read these security tips to enhance the security of your Joomla […]
[…] PHP DSO module is much faster and you won’t have any security issues with it if you follow our security tips for your Joomla […]
[…] it by following the above guide (and then enhance your website’s security by following our Joomla security tips. If you can’t, then fear not, only you need to do is to contact us and we’ll fix it for […]
[…] Website getting hacked on a regular basis: If your website gets hacked the first time and then you fix it, then Google will definitively forgive you. If it gets hacked the second time, then it may forgive you. Now if your website gets hacked regularly, then Google will think (and rightly so) that you are not serious about your website and will penalize it. Always keep your Joomla website up-to-date, and make sure you are following these security tips. […]