Be proactive and protect your website from hacker intrusions
Most Joomla attacks are a result of plugin/component vulnerabilities, weak passwords, and obsolete software. Perhaps the biggest disadvantage of every open-source CMS is that anyone can download the full source code; this makes it easy for an attacker to determine that your site is running Joomla!, and often they will know the weak points of each version, sometimes even better than you do.
Let this motivate you: we see between 100 and 1,000 unauthorized login attempts every single day at the sites we host (Documentation, Magazine and the main Gavick.com). The vast majority of these are hackers using brute-force techniques to get into websites. That’s why you should be ready: take some precautions to minimize the risk of your website being broken into.
- A classic example of weak security is continuing to use the word ‘admin’ as a user name – this is the default super administrator account that’s created when you first install Joomla! – along with a password that brute-force attempts are likely to guess. So don’t wait any longer: rename the ‘admin’ account to a different name and ensure it has a strong password.
- Ensure that you have installed the latest versions of both the Joomla core itself and any third-party extensions.
- You can use the Akeeba CMS Update tool, which lets you define specific Super User accounts to be emailed when an update is available, supports automatic updates, and backs up your site automatically before updating Joomla.
- Outdated versions of a Joomla extension may contain a very serious security vulnerability that allows a hacker to upload files to a website. Exploitation of such vulnerabilities has been a common cause of compromise among hacked Joomla websites. Even if your Joomla installation doesn’t show that a new version is available, regularly check the developer’s page.
- Turn on Search Engine Friendly URLs – this will hide typical Joomla URLs.
- Disable New User Registration in User Manager – if you don’t need new users added from front-end.
- Rename htaccess.txt to .htaccess – because it includes some rewrite rules to block out some common exploits. For example, you can add this code to your .htaccess file, pasting it just after “RewriteEngine On”:
RewriteCond %{REQUEST_URI} ^/images/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/media/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/logs/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/tmp/
RewriteRule .*\.(phps?|sh|pl|cgi|py)$ - [F]
This code will block (with a 403 Forbidden response) all attempts to run scripts placed in these upload and temporary directories, outside Joomla’s control.
- Never leave permissions for a file or directory set to 777: this allows everybody to write data (including exploits) to it. A wrong CHMOD may also allow access to the hackers.
- Use ‘firewall’ extensions such as jHackGuard (www.siteground.com) or Marco’s SQL Injection – LFI protection (www.mmleoni.net), or commercial solutions such as Akeeba Admin Tools Pro (akeebabackup.com) or RSFirewall! (rsjoomla.com), to protect against the most popular hacking attacks: SQL Injections, Remote URL/File Inclusions, Remote Code Executions and XSS-based attacks!
- Install only extensions that have a good reputation; check the reviews on JED (extensions.joomla.org). Many extensions (from different sources) contain vulnerable code which, once installed, makes it easy for hackers to get in.
- Always have a backup ready to restore your Joomla! site to its most current healthy state. (Read about Joomla 3.x full backup).
- Password protecting your /administrator folder can add an extra layer of security to your server, although password protection can break any script that uses AJAX on the front end. To do this, you will need to create a .htpasswd file (htpasswd-generator); protecting this directory with it causes the browser to display a login dialog.
- If you have old templates, components or plugins that you’re not using anymore, uninstall them, especially if they haven’t been updated.
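Two of the checks above (no script files in the upload and temporary directories that the .htaccess rule refuses to serve, and no 777 / world-writable files) can be audited from the server shell. The script below is an added example, not code from the original article or from the Joomla project; it assumes the site root you pass in is the directory that holds Joomla’s images/, media/, logs/ and tmp/ folders (a hypothetical path such as /var/www/html).

```shell
#!/bin/sh
# Added example (not part of the original article): audit a Joomla site root
# for script files dropped into upload/temp directories and for world-writable
# files. SITE_ROOT is an assumed path passed as the first argument.

# List script files (the same extensions the .htaccess rule above blocks) found
# under images/, media/, logs/ and tmp/. Nothing of this kind belongs there;
# any hit is either a misplaced file or a sign the site has been tampered with.
find_scripts_in_upload_dirs() {
    site_root="$1"
    for dir in images media logs tmp; do
        [ -d "$site_root/$dir" ] || continue
        find "$site_root/$dir" -type f \
            \( -name '*.php' -o -name '*.phps' -o -name '*.sh' \
               -o -name '*.pl' -o -name '*.cgi' -o -name '*.py' \)
    done
}

# List files and directories whose "other write" bit is set (777 is the usual
# culprit, but 666 or 775-with-o+w are just as bad). Symlinks are skipped
# because their mode is meaningless.
find_world_writable() {
    site_root="$1"
    find "$site_root" ! -type l -perm -002
}

# Remediation: remove only the "other write" bit, leaving owner/group bits as
# they are (Joomla's usual recommendation is 755 for directories, 644 for files).
fix_world_writable() {
    site_root="$1"
    find "$site_root" ! -type l -perm -002 -exec chmod o-w {} +
}

# Usage: sh audit_joomla.sh /var/www/html   (path is an assumption)
if [ $# -eq 1 ]; then
    echo "== script files in upload/temp directories =="
    find_scripts_in_upload_dirs "$1"
    echo "== world-writable files and directories =="
    find_world_writable "$1"
fi
```

Run the audit read-only first and review the output before calling fix_world_writable, since a hosting setup that relies on a deliberately writable cache directory will need that directory re-enabled through group permissions rather than o+w.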
Summary
This guide may not prepare you for all contingencies, but it can help you prevent catastrophes ranging from the occasional outage of your CMS all the way through a full-blown disaster. Take action to apply these basic tips and you’ll have the essential Joomla 3.x security measures in place. No security-related component or plugin is designed to offer 100% protection of your site against every attack imaginable, and – even though they do increase the security of your site – in no case should they replace common sense and security fine-tuning customized for your site.
This article was first published