Top things to do to secure your Joomla website
Updated: 3/2/2011 (you can now download and view this as a checklist document for your reference and guidance)
Here’s my list of the top things to do to make sure that your not leaving security vulnerabilities in your Joomla website and that it runs smoothly each and every day…
- FIRSTLY MAKE SURE YOU ARE RUNNING THE LATEST RELEASED VERSION OF JOOMLA. Login to your Joomla site and look at the version number. If you are not running the latest version, download it and update your site straight away! At the time of writing this (Feb 2011) there are two major versions of Joomla. 1.6 is the latest brand new release and version 1.5.xx. If your site is using a 1.5.xx version make sure you upgrade to the latest version in that range e.g. 1.5.xx to 1.5.xx – do not jump to version 1.6 without a lot of testing and looking at the implications of doing so!
- If your database tables in MQSQL for Joomla have ‘jos_’ as the prefix, read this first tip:
Download EasySQL (http://extensions.joomla.org/extensions/hosting-a-servers/database-management/2867) and rename the database prefix of our databases within MySQL from the jos_ prefix (if everyone wants more feedback on how to do this leave me a comment and I’ll create a blog entry :) )
- Create a spreadsheet grid showing all your Joomla websites against modules / version installed in each site with dates and links to latest versions (this should be reviewed and signed off every month)
- Delete the Administrator account and create an account within each site with Super Administrator rights – use a different user account for each site in case one site gets hacked. Create the Super Administrator account before you logout (having deleted the original Administrator account) – for obvious reasons – you don’t want to lock yourself out!
- Verify that your DATABASE password is not the same as your ADMINISTRATOR password. The database password is the password you chose when you first installed Joomla and went through the wizard to install the MYSQL database. It’s important that the Joomla Administrator password is not the same. Use an FTP client to login to your website, navigate to your ROOT directory on your site, and view the CONFIGURATION.PHP file. Look for the line that says “var $password = ‘. Check this password is NOT the same as the password you have just used to login as administrator. If it is the same CHANGE YOUR ADMINISTRATOR PASSWORD NOW!You can also check your “var $dbprefix = ” line is NOT SET TO ‘jos_’ (see my first tip here about renaming this prefix with the EASYSQL product.
- Change the default editor to NONE and manually add the Tiny Editor to all those named users you want to use the full editor. This way the default users will not be able to use the full editor.
- Enable SEF from the control panel. This will create nice URL’s that are search engine friendly AND it will stop hackers from searching GOOGLE for index.php?com_<modulename> and getting a list of all websites that use a certain module that has a security issue. After you switch on the SEF under the control panel, make sure you check the links on your site and they are now using proper SEO friendly links rather than then older links.
- Disable ALL Non used Joomla core modules/components and extensions in each site that are not being used
- Uninstall all 3rd party modules that are not being used on each site
- Use an exploit and vulnerability site like inj3ct0r (http://inj3ct0r.com) to check to see if there have been any security issues with all your third party modules. Go to that website and type in the name of the component to see if there are any issues. Then check the version number returned and that your site is above that version. Also check with the third party component site to check if there are updates that fix the reported issues.
- Make sure that the admin database MySQL account password is not the same as the Joomla site login
- Use Akeeba Backup (http://www.akeebabackup.com/software/akeeba-backup.html) in order to completely automate the backup and download of all Joomla websites on a daily basis. Keep a monthly backup that stays static and is not overwritten.
- Download the full web logs monthly from each Joomla site and use the weblog expert software (http://www.weblogexpert.com/lite.htm) and review the reports for potential attacks and phishing attempts.
- Install free web monitoring software to alert non availability for each Joomla website and ensure the alerts are SMS’d to make them immediate.
- Subscribe to the Joomla Security forum (http://feeds.joomla.org/JoomlaSecurityNews) on joomla.org to receive regular updates of critical level fixes and updates.
- Check the version of PHP your site is currently running. You need to have version 5.x installed. Login to your site and select HELP -> SYSTEM INFO. Look for PHP Version.. it should say something like 5.2.xx. If you are still using PHP version 4.x on your site you need to upgrade the PHP for your site. This can usually be done via CPANEL or by contacting your ISP via their support system.
- Make sure that each sites configuration.php is set to READ ONLY once we have it set
- Ensure that the Joomla installation folder is deleted for each site
- Make sure that every third party modules and components have the correct php coding structure at the top of the file:// no direct access
defined(‘_JEXEC’) or die(‘Restricted access’);
This will check and use the built in Joomla security which is the official method for security with Joomla websites. To do this you will have to login to your site using an FTP client and look at each third party component.
- Make sure the .htaccess file in the root of each site is set correctly – this means renaming ‘htaccess.txt’ to ‘.htaccess’ on Apache servers and uncommenting code within the file that stops XML access issues. Please note that .htaccess is usually marked as a hidden file, so you may need to set an option in your FTP to view hidden files on your site.You should also add ‘IndexIgnore *‘ (without the speechmarks and capitalised as this) to the bottom of the .htaccess file.
- Put the following into each sites php.ini to stop SQL Injections:
allow_url_fopen = OFF disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
- Finally make sure you delete all accounts that are not required, and you regularly review all users allowed into the system for security permissions.
All the above information has been gleaned from various videos and websites and considered ESSENTIAL within the Joomla community as the MINIMUM required to keep Joomla websites protected.