Joomla has been downloaded over 95 million times. That makes it the second most used CMS for websites. There are several actions you can and should take to avoid being hacked. To keep your Joomla website secure from hackers you need to take the following steps.
Use only secure third party extensions and keep them updated
Most times when people say their Joomla website has been hacked, the security problem has nothing to do with Joomla itself. In most of the cases, the hacker came in through an unsecure third party extension that the site owner installed. Check this list for vulnerable 3rd party/non Joomla! extensions.
Use secure username and password for Joomla administrators
Don’t use the default admin username. Change it to something safe and choose a safe password. A safe password contains at least eight characters and includes both letters, numbers and special characters. Here is a great Secure Password Generator »
Use a SEF component that makes your Joomla more secure
A SEF component is used to make the url's of your Joomla website more Search Engine Friendly(SEO). But a good SEF component also gives security benefits. A default Joomla url tells the viewer a lot about the page visited; that it is a Joomla page and what components are used to produce that page. A SEF component masks that information and makes it harder for a hacker to find eventual security vulnerabilities.
The SEF component sh404SEF also includes a security component that stops various attacks on your website and sends you a warning whenever your site has been exposed to an attack.
Use a secure web host / secure server configuration for Joomla
Avoid any web host that uses php safe_mode, i.e. safe_mode should be OFF.
If you use Joomla 1.0.x, make sure to Joomla's Register Globals Emulation OFF. You find the setting in the Joomla Global Configuration.
Use PHP5 rather than PHP4.
Don’t tell everyone about your configurations
Make sure that no outsider can view php information (server configuration) by phpinfo.
Hide the generator tag that shows that you use Joomla CMS. Note that we are not suggesting that Joomla would be insecure. This suggestion is just to make it harder for Joomla-specialized hackers to recognize that your website is Joomla-powered.
Use an SEF component that masks what components are used on your website.
Write-protect your Joomla configuration file (make unwriteable)
You should definitely write-protect your Joomla configuration file. The file is called "configuration.php" and is located in the root folder of your domain. Joomla 1.5 write protects the configuration.php by default, but in Joomla 1.0 you must actively choose to write protect the file. You do that by checking the option "Make unwriteable after saving" in the Joomla Global Configuration. You can also manually CMOD the file to 444.
Delete the Joomla templates that you do not use
It is important to delete Joomla templates that you do not use for your website. If you keep the default Joomla templates, someone could for example link to your site with the url /index.php?jos_change_template=rhuk_solarflare_ii and show your website with the default template. Besides that your website may look terrible for anyone clicking that link, it may also show content that you never intended to publish on the web, for example through module positions that does not exist in your chosen template.
Change file permissions to restrict editing or overwriting
You can restrict file permissions on some critical files to make it harder for a hacker to edit or overwrite your files.
Disallow User Registration
If your website isn't a community or otherwise needs to allow user registration, you should disallow user registration for security reasons.
Popular Posts Hits
How to secure Joomla based websites
Joomla has been downloaded over 95 million times. That makes it the second most used CMS for websites. There are several actions you can and should take to avoid being hacked. To keep your Joomla website secure from hackers you need to take the following steps.
Use the latest Joomla security update
First of all, use the latest version of Joomla. How to upgrade Joomla to the newest version.
Use only secure third party extensions and keep them updated
Most times when people say their Joomla website has been hacked, the security problem has nothing to do with Joomla itself. In most of the cases, the hacker came in through an unsecure third party extension that the site owner installed. Check this list for vulnerable 3rd party/non Joomla! extensions.
Use secure username and password for Joomla administrators
Don’t use the default admin username. Change it to something safe and choose a safe password. A safe password contains at least eight characters and includes both letters, numbers and special characters. Here is a great Secure Password Generator »
Use a SEF component that makes your Joomla more secure
A SEF component is used to make the url's of your Joomla website more Search Engine Friendly(SEO). But a good SEF component also gives security benefits. A default Joomla url tells the viewer a lot about the page visited; that it is a Joomla page and what components are used to produce that page. A SEF component masks that information and makes it harder for a hacker to find eventual security vulnerabilities.
The SEF component sh404SEF also includes a security component that stops various attacks on your website and sends you a warning whenever your site has been exposed to an attack.
Use a secure web host / secure server configuration for Joomla
Don’t tell everyone about your configurations
Write-protect your Joomla configuration file (make unwriteable)
You should definitely write-protect your Joomla configuration file. The file is called "configuration.php" and is located in the root folder of your domain. Joomla 1.5 write protects the configuration.php by default, but in Joomla 1.0 you must actively choose to write protect the file. You do that by checking the option "Make unwriteable after saving" in the Joomla Global Configuration. You can also manually CMOD the file to 444.
Delete the Joomla templates that you do not use
It is important to delete Joomla templates that you do not use for your website. If you keep the default Joomla templates, someone could for example link to your site with the url /index.php?jos_change_template=rhuk_solarflare_ii and show your website with the default template. Besides that your website may look terrible for anyone clicking that link, it may also show content that you never intended to publish on the web, for example through module positions that does not exist in your chosen template.
Change file permissions to restrict editing or overwriting
You can restrict file permissions on some critical files to make it harder for a hacker to edit or overwrite your files.
Disallow User Registration
If your website isn't a community or otherwise needs to allow user registration, you should disallow user registration for security reasons.
Already have an account? Login into comment