In this article, Part 2 on website security, we are going to see how to protect a Joomla based site. Joomla shares a lot of common security practices with Wordpress, with few exceptions. Again, nothing will give you a 100% guarantee that your site will not get hacked, but these security practices should offer a good level of protection, making an intruder's attempts more difficult.
1. Masked Admin username
By default Joomla creates a username for administration purpose called "admin". Always change it to a "hard to guess" username. If the administrator name is not standard, it is much harder for an intruder as they must guess both the username and password, therefore dramatically reducing or preventing login attempts.
2. Use of Secret Key to Login
This concept allows administrator login through a very specific URL instead of the default. In this way, the login is protected from intruders. An extension program, like KSecure, adds a secret key which the administrator will have to enter after the regular URL in order to log in. The following is an example:
3. Joomla Backup
There is no substitute for making a regular backup when it comes to protecting digital data. If you have an up to date backup, you can always wipe and restore your hacked site. Use a reputable hosting provider who backs up your site regularly, such as Symmcom. Remember, your restored backup still contains the security vulnerabilities.
4. Update Joomla Regularly
Security vulnerabilities are continually being discovered in code and Joomla is no exception. However, they are extremely proactive to any security holes that could ruin your day, and do publish new releases on a regular basis. It is very important to be alerted when new releases are coming and actively update your Joomla site. Some hosting providers do offer free auto update as soon as new releases comes out.
5. Use Search Engine Friendly (SEF)
Besides making your site more Search Engine Friendly, SEF also offers a level of protection. SEF masks some information which would have given an intruder clues about different components or extensions used in your site. You can enable SEF using the following steps:
- Login into Joomla Control Panel.
- Goto Site > Global Configuration.
- Under tab Site, click Yes for SEF URLs.
6. Use Security Extensions / Firewall
Like Wordpress, there are many 3rd party extensions for security of Firewall options available for Joomla. This breed of firewall is also known as Web Application Firewall (WAF). The WAFs provides multi layer protection with just a few clicks of your mouse. The following are few protections these WAFs offers out of the box:
- Protection against SQL Injection
- Login Protection
- Joomla Specific Vulnerabilities
- Backdoor Protection
- Bot Protection
7. File / Folder Permissions
Always check files and folders to ensure they do not have incorrect permissions that would allow a hacker to upload malicious code files. All folders within your site must have proper CHMOD configured properly. Here are some good rule of thumb settings for checking permissions:
- Configuration files = 644
- PHP files = 644
- All other folders = 755
8. Use Reputable Joomla Extensions
Always pay extra attention which extensions you are using in your site. Guard against always going for the free ones. Although some free Joomla extensions are really good, most are not coded properly and contain a lot of security vulnerabilities. You may have protected your Joomla core quite well, but one insecure extension can ruin it all and cause havoc. If your site is mission critical, try to find extensions from well known developers that have support available.
Following these practices, your Joomla site will be better protected and you will be able to sleep well.