New exploits and vulnerabilities are constantly being discovered and used against unsuspecting website owners. It's critical to take measures to protect your site’s security and to proactively prevent your website being exploited.
A bulk of Joomla attacks stem from the result of weak passwords, components/plugin vulnerabilities, and outdated software. On any given day, roughly 200-1,000 unauthorized logins are attempted every day for a given host. The majority of the hackers use brute-force techniques in order to illegally gain access to websites.
Below are a list of simple steps that you can take to secure your Joomla website.
Keep Joomla + Extensions Updated
One of the most important things to do is keep your Joomla website and extensions updated; new version releases include bug and security patches.
When you log into your Joomla Administration area, you'll be notified if there are any updates available and can update with a simple click of a button.
Setting Appropriate Login Details
For the login details, avoid using the default names such as administrator or admin. Those login details are generally the first places that an attacker looks to exploit.
A strong password is very important for your website since many attackers try to elicit your login details. They may use a list of commonly used login details to guess yours. Here are several tips in solidifying your login details:
- Avoid simple but overused phrases such as admin123, admin, pass, god, love, hate, etc.
- Refrain from using any personal details from your name or family.
- Special characters greatly decrease the chances of being hacked.
Setting the Appropriate File Permissions and Ownership
Setting the right permissions for access to your folders and files is one part of having a secured Joomla site. Here are some suggestions for setting permissions and access:
- Joomla folders should be set to 755
- Joomla files should be set to 644
- Permissions for your configuration.php files should be site to 444
- Never use 777
Extensions for Joomla Security
You can improve your Joomla website security if you use security extensions. The a few popular Joomla extensions are:
- Securitycheck Pro
- Akeeba Admin Tools
Only Download Extensions from Trusted Sources
When you’re looking for new extensions, you should always make sure to download from a trusted source.
Unlike many other CMS Plugin / Extension libraries, Joomla! Extensions Directory will remove any extensions that have been found to contain vulneribilities.
Although your webhost will most likely keep a backup copy of your website, its important you also keep a backup your Joomla site (or any website) at least twice per month.
For for additional safety, make sure to keep at least five months of backups stored on your computer incase your backup included an infected site.
Strengthen the Security of Your Administrative Page
If you restrict permissions and access to your Joomla admin area, you can greatly improve its security.
The /administrator folder of your Joomla website can be password protected. Once your password has been set, you have to set an additional password so that you can see the standard administrator login form. You can bottleneck access to you /administrator directory by localizing it to your IP address.
If you do not have a file named .htaccess in the /administrator directory, you can create a new one and upload it through FTP (File Transfer Protocol). Otherwise, you can add the following lines:
- Deny from ALL
- Allow from (Your IP Address)
If you have a dynamic IP from your internet provider, the restriction option may not be ideal. You would have to edit the .htaccess every time your internet provider assigns your PC a new IP.
Contact us if you need help with securing your Joomla site.
Other Ways to Increase Joomla Security
- If you enable the Search Engine Friendly URLs, it will hide the Joomla URLs.
- If you do not need any new users from the front-end of your Joomla site, disable the New User Registration in the User Manager.
- Avoid extensions that do not have enough reviews to justify its use.
- If you are not using any plugins, old templates, or components, you should uninstall them if they have not been updated.
You should monitor your website to ensure that your site is up and running for your customers. Site availability is critical to the success and security of your website. If available, enable notifications from your service provider whenever your site is experiencing any issues.
When Hacked or Defaced
If you are ever hacked, you should take your website offline and delete all files before restoring your backup and database.
This article is not an all-encompassing contingency plan for hacks and the catastrophe’s they yield. From a small outage or downtime of your CMS to a full blown hack, this will help you set some of the standards that prevent brute-force hacking. Not all plugins/components are designed to offer 100% protection from attacks, but a lot of them offer standard security and fine-tuning of your site. Internet security is a dynamic field and challenge, and there is no one-size shoe fits-all solution to protect your site from every hack possible.