Joomla is undoubtedly one of the best and mostly used CMS available in the market. As more and more websites have started using Joomla, it is important that the site is configured properly to prevent any security compromises. Security is a growing concern with all of the hackers and script kiddies waiting to do bad things to your site. There are ways to improve the security of your blog so that it is more secure than it otherwise might be. This article discusses some measures an ordinary user can take to protect his/her Joomla website.
We have at least 4 times every week where a customer comes to us with a hacked Joomla website. Usually, the Joomla website will be either filled with hidden malicious content, is redirected to another website with malicious content, has all its data erased, or is simply does not show up.
Here are, according to our experience, there are few reasons on why your Joomla website got hacked:
Why are Websites Vulnerable to Hacking and Other Exploits
All websites on the Internet are vulnerable to hacking and other exploits. There are no exceptions. The reason is simple: unlike your own personal computer, which may only connect to the Internet sporadically (such as when you turn it on your computer to surf), websites are hosted on servers that are permanently connected to the Internet, exposed to anyone who wants to connect to it.
Sites that run blogs, content management software (CMS) software or any other type of script, have an additional area of vulnerability to contend with. The software (blog or CMS script) is actually online, along with your content. If there are any security holes in the software, they can be exploited by a person who connects to your website.
How to Improve the Security of Joomla Website :
Change your Administrator username. Do not use "Admin" or "Administrator".
By default, the administrator username in Joomla website consists is admin. Most often, people never change this default username, which makes it quite easy for hackers to gain access to your site as they already know one-half of your login details, the remaining is to obtain your password. Changing the administrator username reduces the chances of hacker guessing your login details. This is an easy, yet important tip for strengthening your Joomla security.
To create a new SuperUser Account just:
=> Log into the Administration area as the current Super User
=> Click on Users >> User Manager >> Add New User
=> Assign the new user the “Super Users” role
=> Log out of your current Super User account
=> Log in with your new Super User account
=> Locate the old Super User account and rename it.
or Follow these instructions :
Open your remote web server
=> Double click on Joomla
=> Right click the "htaccess.txt" to edit this file
Right the code in that marked area
=> Write these codes and save the file
=> Rename the "htaccess.txt" file and make it "htaccess"
=> Now your joomla PHP is secured.
Disallow User Registration
If your website isn’t a community or social network then you should disallow user registration for security reasons by doing the following steps:
- Log in to the backend
- Go to Users >> User Manager and find the Options tab at the top of the page
- Find the setting Allow User Registration
- Set Allow User Registration to No
- Click Save button on the top right
Safeguard Your Administrative Pages
You can vastly reduce the risk of security to your Joomla website by applying restrictions on the access to your admin pages. You can protect your site’s administration pages by password protecting all administrator files and folders.
After you’ve set up a password for your administrator folder, you will be directed to another login form for administrators that will require an additional password input. Again, if you’re not entirely sure how to perform this operation, you can simply follow the instructions in the many online tutorials available online.
- Always keep you Joomla upgraded to the latest version. Updating an installation of Joomla! installed with Fantastico is quick and easy. You'll simply need to login to your cPanel and locate the Fantastico icon located under the software section. Next, you'll need to locate the Joomla section under "Content Management". You'll then notice a list of all current Joomla! installations on your account, if an update is available you'll see a link entitled "Upgrade" From this point the upgrade is fully automatic.
- Once you have a stable site, you should change all file permissions to write protected using CHMOD (644 for files, 755 for directories). Any good FTP software should allow you to do this without having to use any scripts. You can also use the Global Configuration to apply the default permissions to all files and folders. Go to Site > Global Configuration > Server tab. Scroll down until you find File Creation. Click on CHMOD new files to 0644, and CHMOD new directories to 0755, and click on the Apply to existing files checkbox to run this setting on all your current files. Once this is done, make sure that the configuration.php file is still unwriteable. If it is Writeable, click on the Make Un-writeable after saving to make it not writeable.
Protecting your session cookies
When a user logs into the back end area of your website, a special session cookie is set in the browser to identify that user. That cookie is transmitted with every page load so that Joomla can determine which user is viewing the page. If the cookie was to be intercepted by a third party they would be granted the same privileges to do what any registered user or administrator user can do. That cookie then grants them the privileges to do what any registered or administrator user can do.
You can force SSL to be enabled for the entire session for either the Super User (admin) or all registered users visiting the site. This will prevent the cookie from being tampered with by a third party looking to gain access to your website. You should choose the “Administrator Only” option instead
Make sure your configuration.php is not writeable. This step is critical, and a world-writeable configuration.php file is an invitation for hacking. You can make this non-writable from within Joomla. Go to Site > Global Configuration, and click on the Make Non-Writable after saving checkbox and Save. Any changes after this would require you to click the Override Write Protection while saving check box.
When you've done that, there are several other actions you can and should take to avoid being hacked:
Implement Two-Factor Authentication
Two factor authentication is additional layer of security, which creates a temporary (time-based) password which is unique to a specific username. If you don't have access to this temporary password or secret key, you won't be able to login.
You can improve your site’s security by applying this tip. With one more layer and improve security against - Key loggers , Password cracking, Password hacking and many more security threats.
Install security extensions
Using security extensions is another easy way to improve your Joomla website security. There are many extensions that will make your website secure. Go ahead and do your research, and install one that is highly recommended by the Joomla community. Listed below are some pupolar Joomla security extensions
Using security extensions is another easy way to improve your Joomla website security. We have developed our own security extension (jHackGuard) that is free for download by anyone. Below you will find a list of the most popular Joomla security extensions:
Akeeba Admin Tools
Change the default permissions on your Joomla .php files to restrict editing or overwriting
File permissions are a method of controlling what you and other user can do with a file or folder. You can restrict file permissions on some critical files to make it harder for a hacker to edit or overwrite your files. Here are some suggestions:
- Set the permission of /index.php to 444
- Set the permission of /configuration.php to 444
- Set the permission of /templates/*yourtemplate*/index.php to 444
- Set the permission of the folder /templates/*yourtemplate*/ to 555
- Change the default database prefix
By default, old Joomla versions used to install with a database table prefix of jos_. Unfortunately, hackers know that, if you leave the default setting and hacker will adjust their attacks to that end. You should change this alias to a different one (a random 3 or 4 letter word that you can come up with). Note that some of the security extensions on JED can do this for you.
Also, you can pre-set the database prefix when installing your Joomla site. If you've already installed Joomla! and want to change your prefix, do the following:
Log in to your Joomla Admin Panel.
Go to Global Configuration and search for the database
Change your database prefix and press Save.
Go to phpMyAdmin to access your database.
Go to export, leave all default values and press Start. Exporting the database can take a while.
When done, select all code and copy it to notepad (or any other text editor)
In phpMyAdmin, select all tables and delete them
In notepad, do a Search & Replace (Ctrl + H). Set the search term to jos_ and change it into your new prefix. Press "Replace all".
Select everything in your notepad file and copy it. In phpMyAdmin, go to SQL, paste the queries and press Start
Use a SEF component
As you might already have known, a SEF component is used to make the URL:s of your Joomla website more Search Engine Friendly. But a good SEF component also gives security improvement. A default Joomla URL tells the viewer a lot about the page visited; that it is a Joomla page and what components are used to produce that page. If you do not tell the hacker that your website is powered Joomla, it will be a lot harder for him to know where to start hacking. Most hackers use the Google in url: command to search for a vulnerable exploit. Use Artio, SH404SEF or another SEF component to re-write your URL's and prevent hackers from finding the exploits.
In addition, you'll get a higher rank in Google when using search engine friendly URL's.
- Shut Down the Joomla FTP Layer
The FTP layer often has to be turned off anyway to allow some third-party extensions to work, and many servers use suEXEC instead, so it's no longer as useful as it once was. Disable the Joomla FTP Layer and ensure it has not stored your login details.
Remove version number/name of extensions
Most vulnerabilities only occur in a specific release of a specific extension. Showing MyExtension version 2.14 is a really bad thing. You can modify this message to only the name of the extension by doing the following:
=> Retrieve all files of the extension from your server.
=> Open up Dreamweaver.
=> Load any file from the extension that you just downloaded to your local machine.
=> Use the Search function and set the search to Search through a specified folder. Navigate to the folder where you downloaded the exploit to.
=> Set the search term to "MyExtension version 2.14" and press OK.
=> When found the correct file, remove the version number.
=> Upload the changed file to your server and check if the changes are made.
Routinely Update Your Extensions, keep it Up-to-Date
The most popular and surefire method of securing a Joomla website is to make sure it is updated to its most current version. In almost all version releases there are fixes for security issues. Regular updating of your extensions is also essential to have a more secure browsing experience. So, be sure to update your Joomla website and its components and plugins as often as you can.
- By default, the htaccess file is not in use.
Make sure you rename it from .htaccess.txt to .htaccess. Then it needs to be placed in your root folder. You can also add some rewrite rules to it to prevent common exploits. You can find directions on how to edit the htaccess file here. This will add an additional layer of protection to your system.
- Check your site for vulnerabilities :
There are a number of tools which test your Joomla for corrupt files, and vulnerable files. Amongst these, Joomla Diagnostics ( http://www.joomla-addons.org/joomla-diagnostics.html ) is invaluable. Using Joomla Diagnostics you can easily scan for files that didn't transfer completely during the upload of Joomla. It will also tell you which files are missing that should be there. Also, it advises you of any security issues which you have in your site. You simply need to upload the two files in the package to your server, access the diagnostics page, and you will get a list of warnings and security issues you have with your site. Please remember to delete this file after you have used it! Otherwise, you will be advising your issues to hackers!
Another great tool for checking your site is the Joomla Tools Suite. This is another tool which (amongst other uses) allows you to perform a Health, Installation and Security Audit of your site. This will enable you to identify and remove any issues with your website. For more information on the usage of this great tool visit the following link on the Joomla Forum: http://forum.joomla.org/index.php/topic,136328.0.html
- Never leave extra files running around
Ensure that there are no unnecessary files on your web server. Delete any files left over from the installation. Delete your installation folder and any compressed files which you might have uploaded to your web server to install the Joomla! core. Remove any components/modules/templates that you are not using.
- Protect your configuration files and sensitive directories :
All configuration files should not be put in the public html directory. Some webhosts (e.g. GoDaddy) might not allow you to do this, so the next best thing is to create a password protected directory by using an .htaccess file. If you're not sure about the function of the htaccess file, its a good idea to read about it before you continue. Create a directory, it is a good idea to name it something random e.g. ehxum3jq rather than config in your Joomla! directory.
Create an .htaccess file to protect the directory. Use the .htaccess generator to help you generate the file. Based on the example above you should have an .htaccess file similar to this. Remember that the directory you want to protect is the home directory (if you are not sure you can find it in the Absolute Path of your original configuration.php file) and appending the directory name you will be putting your protected files in e.g. /home/content/a/b/c/abccompany/html/ehxum3jq/
N.B.: This only gives Basic Authentication which does not offer rigorous secure. In the words from Apache.org:
Basic authentication should not be considered secure for any particularly rigorous definition of secure.
To really offer security, you need to send the password through SSL (where it would be encrypted along the way).
Use strong passwords or passphrases or random characters for the .htpasswd file which should be something like this. You can protect your directory even further by using IPs in the .htaccess file as stated in this FAQ
Test to ensure that the directory is protected. Put a file in it and try to access e.g.http://www.yourcompany.com/ehxum3jq/myfile.txt. You should be prompted for a password. Supplying the username and password specified during generation should grant you access to the file, otherwise, you should get a 401 error (Access Denied).
- 3rd Party extensions
3rd Party Extensions are one of the best things about Joomla! There is such a wide variety of extensions, that you can probably find something already written for you. However, 3d party extensions come in all shapes and sizes and are not monitored by the core team. This means that vulnerability exists which can compromise your installation. You need to be extremely careful about installing any extensions. Monitor the List of Vulnerable 3rd Party / Non-Joomla Extensions.http://forum.joomla.org/index.php/board,346.0.html. If you install extensions to make sure you monitor their releases and ensure that you follow their security recommendations.
For more information go to the Joomla! Security FAQhttp://forum.joomla.org/index.php/topic,102558.0.html and Joomla! Administrator's Checklisthttp://help.joomla.org/component/option,com_easyfaq/task,view/id,167/Itemid,268/and the 10 stupidest Joomla! Security tricks.http://forum.joomla.org/index.php/topic,130926.0.html
- Run a vulnerability scan:
You should regularly run a vulnerability scan on your website. There are many website security scanners out there (just make sure you choose one that is tested and is known to provide reliable results). For our clients, we use Acunetix (read this post we have written a while ago about Acunetix and Joomla).
BACKUP! BACKUP! BACKUP!
Even if you have taken ALL the steps to ensure that your website is 100% secure, vulnerabilities might still lurk, waiting to be found and exploited. If your site does get hacked Frown, you MUST ensure that it comes back online as soon as possible with as little loss of content as possible. For this, you must ensure that you have good working (daily or more frequently as the need arises) backups. There is a popular free Joomla extension that we recommend. AkebaBackup is an open-source component for the Joomla! CMS that allows for full site backups (files and database).