1. Keep your Joomla site up-to-date
You should always keep your Joomla site up-to-date with the latest version of Joomla. The latest version is Joomla 3.3.6 with tons of new features added and security improment. Every new Joomla release may solve some security issues that are informed to the Joomla community at the time of the update. Therefore if you don't update your joomla for so long, the chance of being hacked will increase accordingly.
For Joomla 2.5.x, you should know this "As of 1 October 2014 the only version of Joomla 2.5.x believed to be secure is J2.5.27"
2. Keep your Joomla extension up-to-day
Beside updating main Joomla core. You need to make sure that you always have the latest version of the extension and you need to update to the latest version whenever there’s a new one.Updating Joomla and its extentions is the most important part of securing your Joomla website. Keeping your Joomla extension update not only helps improving security but may make your joomla faster as well
3. Remove Unused Extensions
People often test different extensions, components or modules and forget to remove them once they finish working with them. Leaving these extensions installed, even if they are disabled, can create a potential security risk. These can lead to unseen vulnerabilities down the road. Therefore it’s advisable to remove these after any testing has been completed. Removing them can help to speed up your joomla too.
4. Use Strong Login Details
It is important to have a strong password for your website. Many attackers try to guess yours by using list of commonly used passwords. For almost every website that you build, there will be various user accounts that you have to create and manage. For each of these you should create a secure password. Choosing a password that other people won’t guess easily is a matter of creating unlikely letter and number combinations.
A strong password should:
- Not use common words for passwords like love, god, pass, admin, admin123, etc.
- Avoid personal information in passwords like your personal or family name.
- Have at least eight characters long.
- Not contain your user name, real name, or company name.
- Not contain a complete word.
- Avoid password generators. Password generators use algorithms to generate the passwords which can be compromised by an attacker.
- Use as many special characters ( *!@#)$ ), numbers and capital letters in your password as possible.
- be different from previously used passwords.
- Contain a mixture of uppercase, lowercase characters and numbers.
5. Disallow User Registration
If your website isn’t a community or social network then you should disallow user registration for security reasons by doing following steps:
- Log in to backend
- Go to Users >> User Manager and find the Options tab at the top of the page
- Find the setting Allow User Registration
- Set Allow User Registration to No
- Click Save button on the top right
6. Hide your Joomla and Extension version
The main reason why we should hide our Joomla and its extensions versions is because there are malicious scripts on the Internet, their target is to find which type of CMS is your site powerd. So showing up your Joomla version in your HTML code is not a good idea. Similar an invitation for hacker attact. For example, if an attacker finds out that a certain website is running Joomla version 1.7, he will be able to search and know what are the vulnerabilities of this Joomla version (they are listed by the Joomla community), and then start performing his attacks accordingly.
If you want to check that you are exposing your Joomla version to the world, then just go to your website using Firefox, right click on the page, and then click on “View Page Source”. View this file /templates/system/css/system.css , you may file these line for its Joomla version accordingly
Joomla 1.6: * @version $Id: system.css 20196 2011-01-09 02:40:25Z ian $
Joomla 1.7: * @version $Id: system.css 21322 2011-05-11 01:10:29Z dextercowley $
Joomla 2.5: * @copyright Copyright (C) 2005 – 2012 Open Source Matters
7. Change your administrator username
By default, the administrator username in Joomla website consists is admin. Most often, people never change this default username, which makes it quite easy for hackers to gainaccess to your site as they already know one half of your login details, the remaining is to obtain your password. Changing the administrator username reduces the chances of hacker guessing your login details. This is an easy, yet important tip for streghthen your Joomla security.
To create a new Super User Account just:
- Log into the Administration area as the current Super User
- Click on Users >> User Manager >> Add New User
- Assign the new user the “Super Users” role
- Log out of your current Super User account
- Log in with your new Super User account
- Locate the old Super User account, and raname it.
8. Use SSL on your site and force Joomla into SSL mode for all logins
Using SSL, you can enable a few features already built-in to Joomla! and protect from some easy exploits that may be taken against your site and users users. Note that you must have a properly configured SSL certificate for your site’s domain, or you will not be able to enable this feature.
When you have an SSL certificate on your website, this setting will have the user’s browser encrypt their user name and password before it’s sent over the internet to your server.
To enable the SSL Login feature in Joomla 3:
- Go to Extensions >> Module Manager
- Filter Login Module
- Locate and open up the Logins module
- Select YES the option “Encrypt Login Form
- Click "Save"
9. Protecting your session cookies
When a user logs into the back end area of your website, a special session cookie is set in the browser to identify that user. That cookie is transmitted with every page load so that Joomla can determine which user is viewing the page. If the cookie was to be intercepted by a third party they would be granted the same privileges to do what any registered user or administrator user can do.That cookie then grants them the priveleges to do what any registered or administrator user can do.
You can force SSL to be enabled for the entire session for either the Super User (admin) or all registered users visiting the site. This will prevent the cookie from being tampered with by a third party looking to gain access to your website.You should choose the “Administrator Only” option instead
10. Disable the FTP Layer
For the majority of Joomla installations the FTP layer is not required, so we recommend that you disable this by doing following:
- Login into the Joomla backend
- Go to System >> Global Configuration >>Server
- Under “FTP Settings” select “No” for the Enable FTP option.
- Click on the “Save & Close”.
11. Implement Two-Factor Authentication
Two factor authentication is additional layer of security, which creates a temporary (time-based) password which is unique to a specific username. If you don't have access to this temporary password or secret key, you won't be able to login.
You can improve your site’s security by applying this tip. With one more layer and improve security against - Key loggers , Password cracking, Password hacking and many more security threats.
12. Install security extensions
Using security extensions is another easy way to improve your Joomla website security. There are many extensions that will make your website secure. Go ahead and do your research, and install one that is highly recommended by the Joomla community. Listed below are some pupolar Joomla security extensions
Using security extensions is another easy way to improve your Joomla website security. We have developed our own security extension (jHackGuard) that is free for download by anyone. Below you will find a list of the most popular Joomla security extensions:
13. Change the default database prefix
By default, old Joomla versions used to install with a database table prefix of jos_ . Unfortunately, hackers know that, if you leave the default setting and hacker will adjust their attacks to that end. You should change this alias to a different one (a random 3 or 4 letter word that you can come up with). Note that some of the security extensions on JED can do this for you.
Also, you can pre-set the database prefix when installing your Joomla site. If you've already installed Joomla! and want to change your prefix, do the following:
- Log in to your Joomla Admin Panel.
- Go to Global Configuration and search for the database
- Change your database prefix and press Save.
- Go to phpMyAdmin to access your database.
- Go to export, leave all default values and press Start. Exporting the database can take a while.
- When done, select all code and copy it to notepad (or any other text editor)
- In phpMyAdmin, select all tables and delete them
- In notepad, do a Search & Replace (Ctrl + H). Set the search term to jos_ and change it into your new prefix. Press "Replace all".
- Select everything in your notepad file and copy it. In phpMyAdmin, go to SQL, paste the queries and press Start.
14. Use a SEF component
As you might already have know, a SEF component is used to make the url:s of your Joomla website more Search Engine Friendly. But a good SEF component also gives security improvement. A default Joomla url tells the viewer a lot about the page visited; that it is a Joomla page and what components are used to produce that page. If you do not tell the hacker that your website is powerd Joomla, it will be a lot harder for him to know where to start hacking. Most hackers use the Google inurl: command to search for a vulnerable exploit. Use Artio, SH404SEF or another SEF component to re-write your URL's and prevent hackers from finding the exploits.
In addition, you'll get a higher rank in Google when using search engine friendly URL's.
15. Use a secure web host / secure server configuration
Use good quality secure web hosting including an appropriate PHP file handler such as suPHP or FastCGI and security extensions such as mod_security. A good quality web host will be using a recent version of PHP. Check that your hosting provider is using the latest version of Apache, MySql, PHP, phpMyAdmin, and cPanel. Inform your hosting provider immediately if you see one of them that is not fully up-to-date.
16. Change the default permissions on your Joomla .php files to restrict editing or overwriting
File permissions are a method of controlling what you and other user can do with a file or folder. You can restrict file permissions on some critical files to make it harder for a hacker to edit or overwrite your files. Here are some suggestions:
- Set the permission of /index.php to 444
- Set the permission of /configuration.php to 444
- Set the permission of /templates/*yourtemplate*/index.php to 444
- Set the permission of the folder /templates/*yourtemplate*/ to 555
17. Change your passwords regularly
It is very important to change the following passwords regulary:
- The password of the “admin” user.
- The FTP password
- The MySQL password
- The hosting password (e.g. the cPanel password)
18. Do not allow users to upload scripts to your website
While Joomla, by default, totally forbids user upload of scripts to your website, you might be tempted at one point to allow (for one reason or the other) some of your users to upload inline scripts or executable script files to your website. Allowing users to upload files to your website can be a big website security risk, even if it’s simply to change their avatar. The risk is that any file uploaded however innocent it may look, could contain a script that when executed on your server completely opens up your website. Therefore no matter what the rewards are, avoid this completely. If you think it’s necessary for your website to have a feature to allow people to upload scripts, then ask some Joomla security experts for advice
19. Run a vulnerability scan:
You should regularly run a vulnerability scan on your website. There are many website security scanners out there (just make sure you choose one that is tested and is known to provide reliable results). For our clients, we use Acunetix (read this post we have written a while ago about Acunetix and Joomla).
20. Setup a backup and recovery process
The time to consider an incident management plan is before your site is hacked not after, so take the necessary time to outline what will happen should you fall victim. As the saying goes, "Back up early and often.". You should rely on a strong backup and recovery protocol for your live website. Its not just hacking that may compromise your website but other factors like a faulty upgrade or extension install.