Joomla Security: Best practices to secure your Joomla! website
Joomla! is a popular Content Management System (CMS) having the second largest user base in the earth and the Internet is a really big, big, big thing. As good things coming in this area, bad things also surfaces. One of the worst thing among them is the security flaws that make websites vulnerable to exploit.
Security is a huge matter. It is not possible to make the security 100% flawless by following any standards. Because, security hole can surface not only in software, but also in hardware-level. However, the hope is that security experts have asked to follow some steps regarding stepping up securities.
The Joomla! Team is very serious about security. Whenever any security vulnerability is found, they fix it and release a fix immediately. On their official websites and in many seminars, they have provided many guidelines using various means to ensure the security of the websites.
There is NO perfect Security Measures, but, all we can do is to do our best to secure our Joomla! powered websites. In this blog post, I have compiled these security measures to help you raise the security level and safeguard your website.
Security Measures From Within Joomla! CMS
Use a strong password for Super Admin
In most of the cases, users keep the default "admin" username and password during installation and forget to change it to something rock-solid later. This is a seriously a bad practice.
Do not use common, guessable words for passwords, like, love, god, pass, admin, admin123, etc.
Protect your Administrator page URL
The URL to access Joomla! Administrator page is known to all, www.example.com/administrator. Wrap up this URL in a camouflage to protect it from everyone! Use a free Joomla! plugin, AdminExile by Richeyweb.com. Using AdminExile, administrator URL will take the form something like,
Reading its document, will give you detailed information.
Use Two-Factor Authentication
Enable Two-Factor Authentication on your Joomla! site. It will provide an extra level of security beside conventional login system. If anyone get a hold on to your credential, they still need a code that is generated on every 30 seconds and the owner of the website has the app that generates the code. There is a detailed discussion on Two-Factory Authentication on Joomla!'s website.
Use the latest Joomla! version
Whenever Joomla! released a new version, whether a major, minor or security fix release, you will receive notification from your website about the new release. In almost every new release, there are scores of bug fixed and few security fixes. It's most important to update your Joomla! website as soon as possible.
Failing to update in time, you keep your website open to known security vulnerability.
Use the latest version of extensions you use
All major Joomla! extension providers use extension update server as per Joomla! standard. Whenever any extension provider publishes new release of any extension, as a users of that extension, an owner of a Joomla! website receives notification when he/she logs in in administrator area. Keep your extensions up-to-date when you see such update notice.
Do not use illegal "Nulled" copy of paid Joomla! extensions
Use extensions from trusted providers. Many users tend to get Joomla! extensions from various websites run by unscrupulous people. These extensions are stuffed with evil code punched into the extensions to get compromise host server and get away with valuable information like credit card info, users info, product info, etc.
If you run e-commerce business, blog than run Google Adsense, do not even think of using nulled or illegal copy of paid Joomla! extensions. Using such extensions will leave your website to various exploits and poses serious security holes.
Get rid of unused users
Disable, block or even delete all the user accounts which are not used any more.
Many times, super user accounts are created for website developers. When the development work is done, these types of accounts will create a security threat for your site. Therefore, it is desirable to delete these types of user accounts as soon as possible.
Disable Error Reporting from Global Configuration on Production Website
Error Reporting is enabled on the default Joomla installation. However, after migrating to the production server, this setting has to be disabled. Because, if there is a script error in the production level, it shows some information about that script with some detailed information on the script, which helps hackers to penetrate the security of the site.
In Global Configuration of Joomla!, click on Server tab and you can turn off error reporting in just one click.
In order to improve the security of the website, the developers' routine work list must contain a line to stop this error reporting option.
Security Measures outside Joomla!
Host on a reputable hosting providers
Most of the cheap hosting companies sell re-seller hosting through year-end offers and sell them into small packages. Most of them have no experience in hosting business. They just manage the hosting business solely from a commercial perspective. So, take advantage of the hosting service from a good hosting company, without being deceived in the flashy AD.
Rochen, Siteground, InMotion are good hosting service provider to name a few who are specialized in hosting setup favorable for Joomla! websites. Furthermore, you could get a good Virtual Private Server (VPS) if you are confident to set up one. Digital Ocean and RamNode are two good VPS provider.
Set proper file/folder permission
Due to the fact that most web servers are in Linux, there must be sufficient knowledge on how to set permissions on files and folders in this operating system. Otherwise, setting a permissions incorrectly means that the security of your Joomla! site is blown like a cotton in the air. Generally, the permissions of files, folders, and particularly, configuration.php must be set as follows:
- Set the permissions for your Joomla folders to 755
- Set the permissions for your Joomla files to 644
- Set the permissions for your configuration.php file to 444
- Never use 777 (full access) permissions!
From System Information menu item in Joomla!, your Joomla! website will provide many important information. By clicking on the Folder Permissions tab, it is easy to see and know whether Joomla! File and folder permissions are set correctly on the production server!
After the Joomla!-powered website is deployed, this checkup must be kept in the developer's security routine checkup.
Backup your Joomla Site often
If something goes very, very wrong with your website, like, defaced by hackers, delete important files, server crash, the last backup files of your Joomla! website is your only life-line to save your million-dollar business. It is the quickest and best mean to bring your website back online again from the last backup you had taken.
The website and database can be backed up from the Linux hosting server's cPanel. However, with popular extension on Joomla! to backup website and database is Akeeba Backup. The backup system can be automated in Akeeba Backup. Even backup files can be stored in Dropbox and made automated after a certain time interval.
Akeeba has written detailed information on this backup system in their official documentation.
Use Content Delivery Network (CDN)
Content Delivery Network (CDN) is used for better User Experience, reduce server load, reduce latency, and saves your server from traffic surges or spikes. Cloudflare is one of the CDN that you can use freely, beside its commercial packages for more advanced users. One of the benefit of Cloudflare CDN is that it saves your website from a level of DDOS attack, unethical attemp to comprise your website, serves the content of your website when your server is down, and many more.
So, it is a good idea to configure your system to get benefit of using a CDN service.
Security Measures for Joomla!
Check your Joomla! extensions for known vulnerabilities.
Joomla! maintains a list actively where third-party extensions which are found vulnerable are listed. If you use third-party extensions on your Joomla! website, make a list of it. Then match this list one by one in this list. If you have an extension used from this list, and decide to continue to using them, it means that you have meet a hacker and given your valuable information about your business to them.
Is it OK to do it?
You can find the list of "Joomla! Vulnerable Extensions List" and see if any of your extension matches.
Get connected to Joomla!'s social media channel and feeds
Prior to the launch of social media, newsletter service and RSS feeds were the usual method of getting updated blog information. However, after the launch of social media such as Facebook, Twitter, we can learn their updated information by "Like" or "Follow" their related social pages of any organization. Joomla! announces all their seminars, Joomla Day, boot camps, any updates, security announcements on Facebook, Twitter and other media regularly. Therefore, updates to security related information are easily accessible by connecting to these social media.
Sign up for Joomla security notifications.
"Joomla Security News" has a Subscription List Service, Serious Joomlars should subscribe to this list. If Joomla! finds a security hole in Joomla! or in any of its extension, then all those who are on this list will be able to know about this security issue announcement.
1. Joomla! Security - https://docs.joomla.org/Security
2. Top 10 Stupidest Administrator Tricks - https://docs.joomla.org/Top_10_Stupidest_Administrator_Tricks
- Category: Security