Joomla Security: Top 16 Tips to help secure your Joomla Website
As with any popular web application, Joomla is subjected to all sorts of hacking attacks. This is why it’s important to take all possible measures to protect your Joomla site and improve its security. Follow the instructions in this tutorial in order to minimize the chances of your web site being compromised.
1/ Updating your software
The most important part of securing your Joomla website is to keep it updated to the latest version. In almost all version releases there are fixes for security issues.
If you are running a current version of Joomla (2.x or 3.x) then most of these updates can be applied directly to your website from within the Administration area.
If you are looking to migrate your existing installation to a newer track of Joomla (v1.x/v2.x > v3.x) then we would recommend that you refer to the following guides provided by Joomla:
Migrate Joomla 1.7 or 2.5.x to 3.x.x
Keeping your Joomla extensions up-to-date is equally important for the security of your website. There are more attacks that utilize security issues in extensions than the core Joomla files.
You can also use the Akeeba CMS Update tool to allow you to be notified when an update is available or to have updates applied automatically.
2/ Manage Your Extensions
Third party extensions are what make Joomla so popular but at the same they are a primary point in allowing an attack on your website. Every extension is another item that you have to ensure is updated or patched.
For this reason it’s important to install only those extensions that have a good reputation. You should check the reviews on JED (extensions.joomla.org) as many extensions contain vulnerable code, which when installed makes it easy for hackers to compromise your website.
3/ Remove Unused Extensions
People often test different extensions, components or modules and forget to remove them once they finish working with them. Leaving these extensions installed, even if they are disabled, can create a potential security risk so it’s advisable to remove these after any testing has been completed.
4/ Use Strong Login Details
For almost every website that you build, there will be various user accounts that you have to create and manage. For each of these you should create a secure password. Choosing a password that other people won’t guess easily is a matter of creating unlikely letter and number combinations.
A strong password:
- Is at least eight characters long
- Does not contain your user name, real name, or company name
- Does not contain a complete word
- Is different from previously used passwords
- Contains a mixture of uppercase, lowercase characters and numbers
You can use a free tool like the Norton Identity Safe Password Generator to create a complex password for your Joomla accounts.
5/ Enable the .htaccess file
Joomla has created a number of website directives that can help to protect your website against a set of common exploits.
By default the .htaccess file shipped with Joomla containing these directives is not enabled. You can locate this file in your public_html directory within the cPanel File Manager or your favourite FTP client. Make sure you rename it from .htaccess.txt to .htaccess
6/ Use Proper File Permissions & Ownership
File permissions are a method of controlling what you and other people can do with a file or folder. You will want to configure your permissions so that files and folders can only be accessed by your account, and that outside visitors can’t read important Joomla configuration files.
- All files should be set with a CHMOD value of 644
- All folders should be set with a CHMOD value of 755
- Your configuration.php file should be set with a CHMOD value of 640
7/ Change The Admin Super User
In Joomla the default user name for the Super Administrator is admin. Intruders usually rely on this during a brute force attack, but simply changing the name this will provide protection from attacks that attempt to guess the name of the Super Administrator (admin) account. There are also other attacks that may attempt to guess the default ID of the Super User account in order to gain access to the site.
To create a new Super User Account just:
- Log into the Administration area as the current Super User
- Click on Users >> User Manager >> Add New User
- Assign the new user the “Super Users” role
- Log out of your current Super User account
- Log in with your new Super User account
- Locate the old Super User account, rename it, remove its privileges and then disable it entirely.
Some people may prefer an alternative method using the Akeeba Admin Tools which allows you to do all of these tasks, and change the default ID at the same time.
8/ Disallow User Registration
If your website isn’t a community then you should disallow user registration for security reasons.
- Log in to your Joomla admin panel
- In Joomla 2.x and Joomla 3.x, go to Users >> User Manager and find the Options tab at the top of the page (In Joomla 1.5, go to Global Configuration >> System
- Find the setting Allow User Registration
- Disallow user registration by changing Allow User Registration to No
- Hit the Save button on the top right
9/ Protect Your Administrative Page
You can significantly improve the security of your Joomla website if you restrict the access to your admin area.
First, you can password protect the /administrator folder of your site. To do this, follow the instructions in our tutorial on How to Password Protect a directory using cPanel. Once you protect your /administrator folder an additional password will be required in order to see the standard administrator login form.
Next, you can restrict the access to the /administrator directory only to your IP address.
- Create a file called “.htaccess” in your /administrator directory
- Open the file and add the following lines
Deny from ALL Allow from x.x.x.x
Note that you need to replace x.x.x.x with your actual public IP address. To find out your address, you can use the What Is My IP website. To add multiple IPs, simply replicate the Allow from x.x.x.x command to a new line and change the address.
If your Internet service provider provides you with a dynamic IP address, the IP restriction option might not be suitable for you because you’ll have to edit the .htaccess file each time your IP changes.
10/ Implement Two-Factor Authentication
Two-Factor Authentication is a login method whereby a person has to provide his/her user name, password and a random generated OTP (One Time Password).
OTP is six numeric digit code, generated by cryptographic functions in a short interval. Even if a hacker was to guess your Joomla Administrator username and password correctly, they would still require the OTP to login.
To enabled Two-Factor Authentication requires Joomla 3.2.0 or higher.
- Login into the Administration area.
- Click on Components >> Post-installation Messages.
- Click on Enable two-factor authentication.
- Install a Google Authenticator compatible client for your device.
11/ Enable Search Engine Friendly (SEF) URL support
SEF makes the URL’s of your Joomla website more search engine friendly whilst also providing an important security benefit. The SEF component masks important information contained in your web site URL’s therefore making it harder for a hacker to find eventual security vulnerabilities.
- Login into the Administration area
- Click on Site >> Global Configuration
- Click on the “Site” tab
- Select “Yes” next to Search Engine Friendly URLs
12/ Use SSL Certification
Use SSL on your site and force Joomla into SSL mode for all logins. Just be aware that you must have a properly configured SSL certificate for your site’s domain, or you will not be able to enable this feature.
When you have an SSL certificate on your website, this setting will have the user’s browser encrypt their user name and password before it’s sent over the internet to your server.
To enable the SSL Login feature in Joomla:
- Go to Extensions –> Module Manager
- Locate and open up the Logins module
- Go to “Basic Options” and select the option “Encrypt Login Form”
13/ Protecting your session cookies
When a user logs into the back end area of your website, a special session cookie is set in the browser to identify that user. That cookie is transmitted with every page load so that Joomla can determine which user is viewing the page. If the cookie was to be intercepted by a third party they would be granted the same privileges to do what any registered user or administrator user can do.
For additional protection you can force SSL to be enabled for the entire session for either the Super User (admin) or all registered users visiting the site. This will prevent the cookie from being tampered with by a third party looking to gain access to your website.
Enabling this option for all visitors does create a slight performance hit as all the associated images, html pages, scripts and CSS files would be encrypted preventing the visitors browser from being able to cache these assets. We recommend that you choose the “Administrator Only” option instead.
To learn more about how to purchase an SSL certificate click the following link – 256-Bit SSL Certificate Geotrust from AUSWEB
14/ Disable the FTP Layer
For the majority of Joomla installations the FTP layer is not required, so we recommend that you disable this.
- Login into the Joomla administration area
- Go to Site –> Global Configuration –> Server
- Under “FTP Settings” select “No” for the Enable FTP option.
- Click on the “Save & Close” button in the upper right hand corner to save these settings.
16/ Use Joomla Security Extensions
Security extensions provide a way to monitor, review and secure important files and components for your Joomla installation.
One of the most popular is the free Admin Tools from Akeeba which will detect and notify you of new Joomla releases as they are made available, fix your file and directory permissions, protect your administrator directory, change your database prefix, set a secure Super Administrator ID and perform database maintenance.
You can learn more about Admin Tools by visiting – https://www.akeebabackup.com/products/admin-tools.html
16/ Setup a backup and recovery process
Always rely on a strong backup and recovery protocol for your live website. Its not just hacking that may compromise your website but other factors like a faulty upgrade or extension install.