I would like to share some tips and tricks on how to protect your Joomla site from hacker attacks and vulnerabilities. There were several security patches for our favorite content management system last month. If you did not upgrade to the latest version in time, your site could become a target for hackers, and they might take control of it.
If you follow the advice in this article, it will not happen again, and your site will be protected.
Keep your content management system and third-party extensions up to date
It is really important to upgrade your third-party extensions and the Joomla core in time. The system provides a tool that checks for updates every time you log in to the administration of your website. Please use it when the red color lights up in your browser.
However, there are extensions that do not use Joomla Update. You can find out whether an extension does from its listing on J!ED (Joomla! Extensions Directory) or from its documentation.
If you have installed such extensions on your website, I suggest you make a list of them and periodically check for new versions.
Uninstall templates and extensions that you do not use
Sometimes you install components, plugins, modules or templates just to test them. It is easy to forget about plugins and modules once you have installed them.
If you are sure you will not use them anymore, you have to uninstall them. Keep your system clear of extensions that you will not use, because their code will be part of your website. If there is a vulnerability in one of them, hackers could use it to attack your site.
Use strong credentials
Do not use common usernames like "admin" and "administrator".
Your password should be longer than 12 characters. It has to include special characters ( *!@#)$ ), numbers and capital letters.
If you would like, you can replace letters with special characters and numbers. That will help you remember your password easily.
For example: StrongPassword becomes $tr0ngP@s$w0rd.
Protect the username of the administrator account
If you post articles on your blog or you have a forum on your website, you can expose your username. The system will display the username as the author of your posts. You can do the following things to prevent that.
- Change the option that controls how the author's name is displayed. You should select the real name of the author to be shown. For example, Kunena provides an option that makes the system display real names instead of usernames.
- Create and use another account to post articles and forum topics. Do not use an account with administrator permissions for this job.
- Change the username of the administrator and its password regularly. You should do it every six months.
Back up your website often
Most hosting providers create daily backups of your websites. That is good because you will be able to restore your site if you need to.
However, some of them do not provide this feature, and you will have to create backups of your database and files regularly. You should use phpMyAdmin to export your database and File Manager to create an archive of your files.
You will find those tools on the control panel of your hosting.
Create Google alerts to receive notifications
Google Alerts is a wonderful tool that you can use to receive the latest news about vulnerabilities and security patches directly at your email address. Just create alerts for “joomla vulnerabilities” or “joomla security patch” and you will receive an email from Google once it finds an article about those topics.
Choose a proven hosting provider for your websites
The hosting provider is one of the most important parts of your website's security. If its service is built with care, you can be sure about the reliability of your system. What should the hosting service offer?
- Firewall - the servers have to be protected by a firewall, and system administrators should be available in time to configure it. If there is a potential threat that any CMS could be compromised, the system administrators should set up the firewalls to protect the websites of their users.
- Latest version of PHP - the hosting provider should be able to provide the latest versions of PHP.
- Scanning for viruses and hack alerts - there are tools that scan the files on the server and notify their owners if they are infected with viruses.
- Daily backups - it is really important to have a daily backup from where you will be able to restore your system.
- Alerts - many hosting providers send notification messages if there is a new version of the CMS that you use. That will help you upgrade your website in time.
I strongly recommend SiteGround as a hosting provider because they take the security of their services seriously. The people at SiteGround work closely with the developers of the most popular CMS systems. They are ready to react in time to protect your websites when those CMS systems have vulnerabilities.
Restrict the access to your administrator panel
There are three simple things you can do to prevent unauthorized access to your administration.
You should protect your "/administrator" folder with a password.
When you do that, the hosting provider will create a ".htaccess" file in that folder. You should edit that file and add the following directives.
Deny from ALL
Allow from x.x.x.x
You need to replace x.x.x.x with your actual IP address.
That will protect the folder by IP address, and it will only be possible to access your administration from your PC.
If you would like to access your administration from multiple IP addresses, you should repeat the directive Allow from x.x.x.x with each of the addresses.
Enable search engine friendly (SEF) features
You should go to your Global Configuration and enable the search engine friendly functionality.
After that, you have to rename htaccess.txt to .htaccess. You will find this file in the main folder of your website.
This will rewrite and mask the URLs of your website. That will prevent hackers from using exploits.
Use proper file permissions and user groups
The next important part of having a secure website is setting the right file and folder permissions. You should set folder permissions to 755, file permissions to 644 and the permissions of the configuration file (/configuration.php) to 444. You must never set permissions to 777 for any of them.
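The permission scheme above can be checked and applied from a shell on the server. This is an added example, not part of the original article; the function names are assumptions, and it needs shell access and ownership of the files.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are assumptions.
# Usage after sourcing this file: audit_joomla_perms /path/to/joomla

# Print one "ISSUE<TAB>path" line per deviation from the scheme above
# (directories 755, files 644, configuration.php 444, nothing world-writable).
audit_joomla_perms() {
    root=${1%/}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # World-writable entries (777, 666, ...) are the most urgent finding.
    find "$root" \( -type d -o -type f \) -perm -002 \
        -exec printf 'WORLD_WRITABLE\t%s\n' {} \;

    # Directories must be exactly 755.
    find "$root" -type d ! -perm 755 ! -perm -002 \
        -exec printf 'DIR_NOT_755\t%s\n' {} \;

    # Files must be exactly 644, except the root configuration.php.
    find "$root" -type f ! -path "$root/configuration.php" \
        ! -perm 644 ! -perm -002 -exec printf 'FILE_NOT_644\t%s\n' {} \;

    # configuration.php must be read-only for everyone (444).
    if [ -f "$root/configuration.php" ]; then
        find "$root/configuration.php" ! -perm 444 ! -perm -002 \
            -exec printf 'CONFIG_NOT_444\t%s\n' {} \;
    fi
    return 0
}

# Apply the recommended modes to the whole tree.
fix_joomla_perms() {
    root=${1%/}
    [ -d "$root" ] || return 2
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/configuration.php" ]; then
        chmod 444 "$root/configuration.php"
    fi
}
```

Run the audit first and review its output before applying the fix, since some hosts require different modes for their PHP handler.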
Disable user registration
If people do not need to register on your website, you should disable user registration. For example, if you use your website as a blog or corporate website where only you need to be able to create content, you do not need user registration.
Go to the options of the user manager and set "No" for the option "Allow User Registration."
Disable FTP layer
It is strongly recommended to disable the FTP functionality if you do not plan to use it.
Go to Global Configuration, tab "Server", and select "No" for the option "Enable FTP."
Use third-party extensions to make your website more secure
Many developers have published security components and plugins on the Internet and in the Joomla extensions directory. You can download and use them for free. My favorite ones are:
- kSecure - a plugin that does not allow access to the administration unless you include a secret token in the URL.
- Brute Force Stop - this is an extension that protects your website from brute force attacks.
- KeyCAPTCHA - this plugin can protect many of your extensions from robots, fake registrations, and posts and advertisements posted by bots.
- Login Notify - this plugin will send you an email when someone logs in to your website.
- Two Factor Authentication - protect the authentication process with one of the two native Joomla plugins, Google Authenticator or YubiKey. You have to install an application on your mobile phone that will generate a secret key. You have to use this key when you sign in to your website.
Use an SSL certificate
An SSL certificate is a must nowadays, and you should install one on your website, especially when your site is based on interactions with members.
If your website allows customers to register and log in, or if it is a social community, forum or online store that has to collect private data, the SSL certificate is the best way to protect the whole process of sending and receiving data between browser and server.
Furthermore, you will be able to take advantage of HTTP/2 and modern browsers. It will make data transfer between the server and your customers faster and more secure.
When you are done with the installation of the SSL certificate on your hosting, you have to go to the Global Configuration, tab "Server", and select "Entire site" for the option "Force SSL."
These were some of the techniques that I use to protect my websites. I hope they will be helpful to you. If I find other ones, I will be happy to share them with you on my blog.