Joomla is fast becoming one of the most popular content management systems (CMS) with millions of Joomla websites on the web and more getting built every day. Due to this reason, Joomla developers are unable to provide support for very single website on this platform every day. But the increase in popular of Joomla also means that more hackers are now using the site.
In this post we are going to show you through a thorough 9-point security check list you must make to secure your Joomla site from hackers. If you are familiar with WordPress, then you will no doubt notice a number of similarities in the security points between these two popular content management systems.
As promised, here is the check list:
1. Choose a good hosting service:
Good hosting is vital for Joomla security. While shared hosting may be okay, your website will be left vulnerable when other websites hosted on the same server get attacked. There are many small Joomla hosting companies offering a variety of hosting plans for Joomla website owners. Alternatively, you should go for servers specifically set up to host Joomla websites
but with only a few sites hosted on each server.2. Update Joomla to the latest version:
If your website is running Joomla 1.5 or 1.0, then you must update it to Joomla 2.5 or 3.0. These two versions offer a host of security improvements in the application’s core elements. However, you must be cautious when doing this; ensure that you back up Joomla before going ahead with your upgrade. The Joomla tutorial offers detailed instructions on how you can do this.
3. Perform regular database and full site backups:
This is one of the most important tips. Make regular backups of your website and store your backups in a secure location. Doing this will ensure that even if your websites gets compromised, it will be up and running within no time. But without recent backups, you will probably lose everything.
4. Rename/delete the default Joomla admin ID number:
By default, all Joomla installations come with an admin user ID. When targeting your site, this would be the first thing potential hackers will look for. You can however, use Akeeba Admin Tools to change the ID number of the websites super admin. In most Joomla versions, the ID number is set to the same “62” by default. To enhance your site’s security, you will have to create a new unique user with admin privileges before deleting the default user. Anyone trying to hack the site will now have to crack both your password and user name.
5. Only install secure extensions and manage them carefully:
Joomla extensions made by third parties are extremely popular. They can be very handy when it comes to performing or automating certain tasks on the site. However, they also provide hackers with an easy way to breach your site. So ensure that you really need the expanded capabilities the extensions claims to offer, check the publishers and ensure that you update each extension regularly.
Here is what you must do:
* Run code review before using any extension
* Update extensions and patch them whenever necessary
* Check the Joomla vulnerable extensions list an check if any of the 3rd party extensions you installed appear on this list.
6. Remove name and version number of extensions:
Most known vulnerabilities only target or affect specific releases of specific extensions. For this reason, it is advisable to remove information about the name and version number of all your installed extensions. Doing his may help thwart many attacks before they even happen.
7. Change your admin folder:
Doing this will also change your admin URL which makes it much harder for potential hackers to access this data. The easiest way of doing this is to rename your htacess file .htaccess, an actions that basically create a cookie that will only allow you to access the website. In case the cookies are deleted, an error 404 message will be displayed, which is the same message a potential hacker will get when trying to access your site from a different remote location.
8. Avoid using the jos_prefix for your Joomla databases:
This is because; this is Joomla’s default option so every hacker trying to access your site will assume that this prefix is still in use on your website. When installing Joomla manually, you will be presented with an option to change this prefix to once that strikes your fancy.
9. Turn off Register_globals:
This comes turned on by default. But you must beware that turning it off may disable PHP scripts or affect other plugins and extensions you may be using on the site. To make it, simply go to your domain name’s root directory and edit the php.ini file.