Securing A Joomla Website - Part 1
I believe that the Joomla core framework is quite secure, right out of the box.
Regretfully, the Joomla framework sometimes gets a bad reputation for security, not because the core framework is specifically insecure but because a ton of factors external to the Joomla framework make Joomla driven websites insecure.
If there is a weak spot in the security of any aspect of a Joomla website, the site can be compromised, hacked into or hijacked.
Most people just turn a blind eye when hearing the words "Joomla" and "security" spoken in the same sentence. Believe me, you don't have to!
Securing your Joomla driven site is rather easy, if you know what, where, and how the Joomla website must be hardened.
This Hub is in no way an in-depth tome of Joomla security, but I'm hoping it will provide enough information for you to:
- Handle the changes you need to do to harden your Joomla website on your own
- Communicate with anyone with greater technical skills than yours to harden your Joomla website for you
IMHO, the two biggest sources of Joomla website insecurity issues are:
- Using a Joomla website hosting environment that is a wee bit lax in its security
- Using Joomla extensions that have been flagged as having security vulnerabilities (But you don't know about this)
I really cannot go into details about what you should do to create a really secure Web server environment for your Joomla website, so I'll simply take the easy way out and use a webhost that is reputed to have all the necessary security measures in place for Joomla sites.
Rochen is the most secure webhost for Joomla that I’m aware of currently. Hostgator and Bluehost are also good.
Google for these names and take a look sometime. Choosing a good webhost for Joomla will go a long, long way in making your Joomla website more secure than others.
To address the second major source of Joomla security issues (using extensions with security vulnerabilities), follow these guidelines:
- Make sure that any extensions you’re using on your site are updated to the latest version.
- Check this list of extensions for any that you’re using and see if there are known vulnerabilities: http://docs.joomla.org/Vulnerable_Extensions_List - I'm sure you will be glad you did.
- You can also check this site for listings of Joomla extensions that have vulnerabilities: http://www.milw0rm.com/webapps.php
- If you want to check further, Google the name of your extension plus the word vulnerabilities in the Google search box
Additionally, there are rogue extensions available for free download and use. These extensions are actually developed for the explicit purpose of infecting a Joomla website, under the guise of doing something useful there. A really good idea is to scan the downloaded zip file of the Joomla extension / plugin / module with the antivirus on your local computer. If there is a PHP trojan sitting quietly in the extension, your antivirus should be able to identify it.
I use Avast, the free version for personal computers and I've been saved on multiple occasions by doing this simple exercise. Till today, I've not got a single 'False Positive' identification.
If you understand PHP code, then you can always open the file identified by your antivirus in Notepad or some other plain-text editor and read its content carefully, if you suspect a false positive identification.
Please do this only if you are really sure of what you are doing. IMHO, if an extension is flagged as a Trojan, delete it immediately; there will be other clean ones with the same functionality available somewhere.
Uninstall unused extensions on your website
Remember there are definitely times when uninstalling Joomla extensions using Joomla Admin - Extensions > Install/Uninstall does not completely remove all of the associated directories and files for a given extension.
Hence, after your uninstall process, never forget to look through all the extension directories on your Web server using your FTP program. Make absolutely sure that any directories or files associated with the uninstalled extensions are totally and completely deleted. Do this manually via FTP if necessary.
Extensions are often the cause of a Joomla site getting hacked, which means that the Joomla core is not really at fault. It's the extension with a security hole in it that allowed the site to be hacked, for example through an XSS or SQL injection attack, both common exploits used by hackers.
If you want to be sure of your website's security, make sure to check your extensions!
Keep Joomla up-to-date
Keep Joomla up-to-date, particularly when a security release has just come out.
Make sure to read the release notes about what has changed in the new version of Joomla, and then clone your site. Test the upgrade patch on your cloned site (which means that you must test everything on your site) and when you’re sure the upgrade patch is working well, apply it to your live site. Do this on a local computer before making it live on the Internet.
Backup your site daily
Don’t rely on the automated backups of your webhost only. Having those available to you is a great thing, but you shouldn’t rely on those webhost backups alone.
Use your cPanel to backup your site daily. Ensure that the backup files are placed in a folder outside public_html, the root directory of your website. Ensure that you download these backup files daily to your local computer. Immediately delete the backup file from its directory after you've downloaded it. Do not leave your Joomla backup file on the Web server, irrespective of where it's located.
Use cPanel / PHPMyAdmin and export the content of the Joomla database to your local computer.
The combination of your cPanel backup and cPanel/PHPMyAdmin export is really the complete Backup of your Joomla website.
Do not use the default jos_ prefix for your database table names
Many attacks on Joomla sites depend on your database tables starting with “jos_”. Hackers typically try to get access to the jos_users table so they can get your username and password to login to the admin side of your site.
If you simply change the database prefix for your site to something else, like “mig_”, you would be protected from the kind of security exploit that relies on the default database prefix of “jos_”.
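The prefix change above has two halves: every table has to be renamed, and configuration.php has to point at the new prefix. This added script (not from the article) generates the RENAME TABLE statement from a list of table names, such as the output of `mysql -N -e "SHOW TABLES LIKE 'jos\_%'" yourdb`, and rewrites the `var $dbprefix` line that Joomla 1.5 keeps in configuration.php. The table list, the `mig_` prefix and the file path are assumptions.

```shell
#!/bin/sh
# Added example, not the article's or Joomla's own code.
# Step 1: build one atomic RENAME TABLE statement for every table that
# starts with the old prefix. Table names arrive on stdin, one per line;
# names with a different prefix (e.g. another application's tables) are skipped.
gen_rename_sql() {   # $1 = old prefix (jos_), $2 = new prefix (e.g. mig_)
  awk -v old="$1" -v new="$2" '
    index($0, old) == 1 {
      t = substr($0, length(old) + 1)            # table name without prefix
      pairs = pairs (pairs ? ", " : "") "`" old t "` TO `" new t "`"
    }
    END { if (pairs) print "RENAME TABLE " pairs ";" }'
}

# Step 2: point configuration.php at the new prefix. Joomla 1.5 stores it as
#   var $dbprefix = 'jos_';
# A temp file plus mv is used instead of sed -i so this works with any sed.
set_db_prefix() {    # $1 = path to configuration.php, $2 = new prefix
  sed "s/^\([[:space:]]*var [$]dbprefix = '\)[^']*\(';\)/\1$2\2/" "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# Read the prefix back, so the change can be verified before the site goes live.
get_db_prefix() {    # $1 = path to configuration.php
  sed -n "s/^[[:space:]]*var [$]dbprefix = '\([^']*\)';.*/\1/p" "$1"
}

# Typical run (assumed paths and database name):
#   mysql -N -e "SHOW TABLES LIKE 'jos\_%'" yourdb | gen_rename_sql jos_ mig_ \
#     | mysql yourdb
#   set_db_prefix /home/you/public_html/configuration.php mig_
```

Run the generated SQL against a clone or a fresh backup first; a prefix mismatch between the tables and configuration.php takes the whole site down.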
Change the default super admin name from “admin” to something else
When you install Joomla 1.5, the default super administrator username is “admin.” If you don’t change this, you’ll give hackers 50% of what they need to login to the administration side of your site.
To do this, when you first Login as Admin, immediately create another user with a completely different name. Assign this new user super administration rights to your Joomla website. Then immediately log out as Admin. Login as the new user that you just created. Delete the user Admin. You're done.
Use a really strong password for your Joomla Admin login
Make sure you use strong passwords for the users logging in to the Admin side of your Joomla website.
A password like “password,” or even “pa$$w0rd” is not that strong. Avoid using any words that are in the dictionary. Make sure to mix lower and uppercase letters with numbers and symbols. The greater the number of characters in this password (i.e 12 - 14 ) the better. Here's an example: QM6xb%z?8b6j
Lastly, for additional security, change your strong password every month.
Use Eyesite to keep track of changes made to code on your Joomla site
If your site gets hacked, there will be changes made to the code of your site: new files might be added to your server, or some files may be deleted. There is a handy extension called Eyesite. Install Eyesite in your Joomla framework, and if/when any of these things happen, you'll get a notification via email.
Joomla Files and Folder permissions
Using cPanel > File Manager or your FTP client, change the permissions of all Joomla folders to 755 and all files to 644, no matter what.
index.html in all Joomla folders
Ensure that there is a blank (empty) index.html within each folder of your Joomla website.
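The two rules above (755 on folders, 644 on files, an empty index.html in every folder) are easy to apply in bulk over SSH and, more importantly, easy to audit afterwards. This added script (not from the article) does both; the site root is assumed to be the directory holding index.php. It deliberately skips the site root when creating index.html, because Joomla's front page is index.php and, depending on the server's DirectoryIndex order, a blank index.html in the root could be served instead of it.

```shell
#!/bin/sh
# Added example, not the article's or Joomla's own code.
# fix_permissions: every directory 755, every regular file 644, no exceptions.
fix_permissions() {  # $1 = site root
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# add_index_html: create an empty index.html in each subdirectory that lacks one.
# The site root itself is skipped (see the note above the block).
add_index_html() {   # $1 = site root
  find "$1" -type d ! -path "$1" -exec sh -c '
    for d; do [ -e "$d/index.html" ] || : > "$d/index.html"; done' sh {} +
}

# harden_tree: index.html files first, then permissions, so the new files
# also end up as 644 regardless of the umask.
harden_tree() {      # $1 = site root
  add_index_html "$1"
  fix_permissions "$1"
}

# audit_tree: print every offender, one per line, and nothing when the tree is
# clean. Run this after hardening, and again after every extension install,
# since installers often leave 777 directories and missing index.html behind.
audit_tree() {       # $1 = site root
  {
    find "$1" -type d ! -perm 755 -exec printf 'dir-perm  %s\n' {} +
    find "$1" -type f ! -perm 644 -exec printf 'file-perm %s\n' {} +
    find "$1" -type d ! -path "$1" -exec sh -c '
      for d; do [ -e "$d/index.html" ] || printf "no-index  %s\n" "$d"; done' sh {} +
  } | sort
}

# Typical run (assumed path):
#   harden_tree /home/you/public_html && audit_tree /home/you/public_html
```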
Take your Joomla site completely off line during maintenance
Do not use a simple index.html file with a ‘Site under Maintenance’ image. Everyone on the planet knows that if you type in the site URL/index.php the site will come up even if this is not what you want at that time.
You must go to Site > Global Configuration
Then, under the Site Settings heading, set the Site Offline radio button to Yes to take your Joomla site completely offline.
This ensures that no one can use the site URL/index.php to access your Joomla website.
To deliver a customized ‘Site Under Maintenance’ page to any visitor, edit the following file: /templates/system/offline.php
Place whatever content you want displayed to a site visitor within the file offline.php when the site is being kept offline for maintenance.
Preventing User registrations from a specific domain
When anyone registers with your Joomla website, it may be a good idea to copy and paste their Login Email ID into Google, Yahoo and Bing (all three). If any of these search engines return a Forum Spam page simply delete this user.
NOTE: Most registration Email IDs being flagged as forum spammers by the search engines on our website seemed to end with .ru. If this happens, you can block all registrations with this domain extension.
Go to > Extensions > Plugin Manager – (Then filter all the plugins for SYSTEM plugins only)
Double click on the Register Validator plugin link displayed
For Use Internal Block list, select the Yes radio button.
Add the Block list URL – In this case *.ru