It is important for me my sites to be protected. My data need security and protection from malicious acts. I am sure you need the same.
This article describes several important things that will help you to make your Joomla! site more secure. I described several steps you can take even the initial installation of the system. I enumerated a few tips and tricks that will make your fortress impenetrable.
Change the default prefix of the database tables. Nobody needs to know the prefix of the tables. That will prevent your site from MySQL injections.
Аfter fresh installation
After initial installation of Joomla, you should take several steps to prevent abuse in a still unprotected site. What should you do?
Globa settings and mod_rewrite
Go to "Global configuration" and make "Site Offline" because no one should visit the site until you finish the configuration.
You should also turn on the search engine friendly functionality and rewrite URL scheme. It will block many attacks, exploits and hacks.
Do not forget to rename htaccess.txt to .htaccess. :)
Disable user registration
Some sites do not enable their users to register. If yours is similar, prohibit the registration for new users. You can do it in "Global Configuration". Go on the tab "System" where the "User settings" are placed, and set "Allow User Registration" to "No".
Change the username and user ID
You should change the ID and username of the super administrator. Every time when you install the system for the first time the ID of the administrator is 62. The username is "admin", and many people know it. To change it:
- Go to "User manager";
- Add new user;
- Set the group type for the new user as "Super Administrator";
- Delete the old user;
Set the secret token
The time has come to make administration difficult to access.
Install the extensions kSecure.
It is a Joomla! plug-in you will use it to add a token in the URL address. Your address becomes something like
That will protect your admin area from raiding because only you will know the password for access.
Access from your IP address only
Make your administration available only from your IP address. For this purpose add ".htaccess" file in the directory "/administrator". Then put those directives in the file and change "IP Address" with your one.
Now only you can enter the area of administration, and you can do it only from the computer you are currently using.
You can pick up your IP address by visiting this page.
Apache HTTP Authentication
You are able to add new authentication functionality powered by Apache web server. Put following directives in the ".htaccess" file that you created earlier.
AuthName "Forbidden access!!!"
AuthUserFile /Secure Path/.htpasswd
Now create a file where you will store usernames and passwords for access. The name of the file should be ".htpasswd". Save it in a safe place outside the public directory ( outside public_html ).
Set the right path to .htpasswd for the directive "AuthUserFile".
Record your message for the directive "AuthName", which will scare the invaders.
Move configuration file
It is the time when you should move the configuration.php. Download FTP client and connect to your host. Find a secure place for the file, outside public_html directory. It is necessary because you must protect the configuration file from public access. And it is the best way to do it.
Now put the new pathway to configuration.php in those files:
Set the new path of this constant and save the file.
define( 'JPATH_CONFIGURATION', "/New Path" );
File permissions are very important for the security of your web site. Never leave the permissions of 0777. Thus allowing anyone to read, write or erase your files and directories.
Whenever you install an extension check the permits of new files. Connect via FTP client to the hosting, where your site and check their current status.
The directory permissions must be 0755.
The file permits must be 0644.
If there is something wrong then right-click the file/folder and select "File Permissions ...". Set the right value and click "OK".
Be careful with extensions
Be careful when install new extensions. Install only recommended and tested components from many people.
Do not leave unpublished extensions. The files are still there, which makes them dangerous. Remove extensions by uninstalling if you do not want to use them anymore.
Be always informed
Use Google Alerts for immediate notification of security flaws. You can specify keywords and a period to receive an information. Google will send you a list of publications when mentioning the specified phrases.
- joomla vulnerability;
- joomla exploit;
- VirtueMart vulnerability;
- jComment exploit;
I recommend you to subscribe for oCERT newsletter. You should also subscribe for the newsletters of extensions that you have installed. Thus you'll be the first to learn about patched security holes. I will be able to react quickly and be one step ahead of raiders.
Regularly review the Joomla Security News. You can also do it from the control panel.
Regularly check for vulnerability on these sites. They have really comprehensive information and solutions for the newly exploits.
Have you ever seen this system alert?
Backup Not Found:
A)bort, R)etry, C)ry?
Be sure you have a recent backup of your site and your database. Enjoy restful sleep as you make a backup of your data every day or every week. And you will never see the above alert.
There comes a time when you running your site. I hope this article will be useful and will help you to protect your data better.
I will be glad if you share your experience with me and readers of my blog. Share your advices by leaving a comment.