Tips For Maintaining A Secure Joomla Website

Joomla is a popular Content Management System (CMS) used by thousands of people world-wide, and is the second most popular CMS used on our hosting platform.

Here, we provide some hints and tips to help keep your Joomla website safe and secure.

Always use the latest version

Older versions of Joomla contain security holes and bugs, and are only supported by the Joomla community for a certain length of time. Once their support has ended, these bugs are no longer fixed, and your site becomes vulnerable if you haven’t kept up-to-date with updates and patching.

By installing the latest version of Joomla, and keeping it patched and up-to-date, you minimise the risks of your website being compromised.

The latest available version can always be downloaded from http://www.joomla.org/download.html

Choosing your login/username

Since version 2.5, Joomla no longer uses the easily-guessed default username “admin”, and lets you choose your own username for administering your Joomla site.

Choosing a username other than “admin” helps prevent brute-force attacks, where someone repeatedly tries to log in to your website with the username of admin, changing the password each attempt.

Change the database prefix

When you’re installing Joomla, you should change the table prefix for the database Joomla uses from the default value.

Doing so will help prevent any potential hackers from trying to access tables in the database.

Password protect your administrative area

A major failing in Joomla is that you can’t rename the “administrator” folder. It has to be called that, because there are 3rd party plugins and themes that rely on it existing to work correctly.

So, because anyone trying to break into your site knows they can always go to /administrator, we need to have some additional protection. We can do this using a htaccess file.

Find the path for your administrator folder

Create a file called path.php with the following code in it:

<?php echo "The path is " . getcwd(); ?>

and upload it to your administrator folder.

Visit the file in your web browser at http://[your Joomla website address]/administrator/path.php and copy or make a note of the path.

Create a username and password for accessing this folder when it’s protected

Go to http://aspirine.org/htpasswd_en.html and fill in the form with the username and password you want to use to protect the administrator folder. Use the crypt() method when using the form on this site so the correct format is created.

In the Source box, enter your desired username and password on one line (eg: freddblogs mypassword), then click on the Generate htpasswd button. Copy or make a note of the text in the htpasswd file box.

Create your password protection files

Create 2 new files in a text editor, like Notepad (Windows) or Text Wrangler (Mac), called htaccess.txt and htpasswd.txt.

In htaccess.txt, add the following lines:

<Files ~ "^\.ht">
    order allow,deny
    deny from all
</Files>
AuthUserFile {the path that you copied down from path.php}/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require valid-user

In htpasswd.txt, add the following lines:

{the text you copied from the htpasswd box in the previous step}

Upload htaccess.txt and htpasswd.txt to your Joomla administrator folder, and rename them to .htaccess and .htpasswd.

Test the password-protection works

Visit the admin section of your Joomla website in your web browser. A box should pop up on screen asking you for a username and password.

Type in the ones you used and you should then be able to see the Joomla admin section, where you will need to log in using your normal Joomla username and password.
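As an added example (not code from the original guide), a small Python helper that renders the administrator .htaccess above from the path reported by path.php, checks that a pasted .htpasswd line is well formed and which hash scheme it uses, and writes both files with owner/group-only modes. The function names and the two sample entries are my own constructions; the hash-format patterns follow what Apache's mod_authn_file accepts.

```python
import os
import re
from pathlib import Path

# Hash formats Apache's mod_authn_file accepts, keyed by the shape of the hash field.
# The 13-character crypt() form is what the page's web form produces; it truncates
# passwords at 8 characters, which is why it is rated weak here.
HASH_SCHEMES = (
    (re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), "bcrypt", "strong"),
    (re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "apr1", "acceptable"),
    (re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "sha1", "weak: unsalted"),
    (re.compile(r"^[./A-Za-z0-9]{13}$"), "crypt", "weak: 8-char truncation"),
)

def classify_htpasswd_line(line):
    """Parse one 'username:hash' line; return (user, scheme, rating) or raise."""
    user, sep, digest = line.strip().partition(":")
    if not sep or not user or not digest or " " in user:
        raise ValueError("expected 'username:hash' on one line")
    for pattern, scheme, rating in HASH_SCHEMES:
        if pattern.match(digest):
            return user, scheme, rating
    raise ValueError("unrecognised hash; did you paste the plain-text password?")

def build_admin_htaccess(admin_path):
    """Render the administrator/.htaccess from the guide with the path filled in."""
    if not os.path.isabs(admin_path):
        raise ValueError("AuthUserFile needs the absolute path shown by path.php")
    return (
        '<Files ~ "^\\.ht">\n    Order allow,deny\n    Deny from all\n</Files>\n'
        f"AuthUserFile {admin_path}/.htpasswd\nAuthGroupFile /dev/null\n"
        "AuthName EnterPassword\nAuthType Basic\nRequire valid-user\n"
    )

def write_protection_files(admin_dir, htpasswd_line):
    """Write both files (mode 0640) into admin_dir and return a list of warnings."""
    user, scheme, rating = classify_htpasswd_line(htpasswd_line)  # refuse malformed input
    admin_dir = Path(admin_dir).resolve()
    (admin_dir / ".htaccess").write_text(build_admin_htaccess(str(admin_dir)))
    (admin_dir / ".htpasswd").write_text(htpasswd_line.strip() + "\n")
    for name in (".htaccess", ".htpasswd"):
        os.chmod(admin_dir / name, 0o640)
    warnings = [f"{user}: {scheme} hash is {rating}"] if rating.startswith("weak") else []
    if (admin_dir / "path.php").exists():  # the helper script discloses the server path
        warnings.append("path.php still present: delete it once you have the path")
    return warnings

# Constructed sample entries (not real credentials) for a quick self-check.
SAMPLE_CRYPT = "fredbloggs:abJnggxhB/yWI"
SAMPLE_BCRYPT = "fredbloggs:$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"
```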

Protect Your Site With Some Basic htaccess Rules

Joomla displays your site using the files index.php and index2.php. It normally doesn’t need to access any other file on your site.

A basic htaccess file to enforce this is:

<Files *.php>
    order deny,allow
    deny from all
</Files>
<Files ~ "^index(2)?\.php$">
    allow from all
</Files>

Additionally, you can stop the following files from being accessed in a web browser. You wouldn’t normally have files with these extensions accessible.

<FilesMatch "\.(htaccess|htpasswd|ini|phps|log|sh|conf)$">
    Order allow,deny
    Deny from all
</FilesMatch>

File And Folder Permissions

Never, under any circumstances, set a file’s or folder’s permissions to 0777. If a plugin, module or theme needs this, then you shouldn’t use it.

There is absolutely no reason ever for a file or folder to need these permissions, and they are inherently insecure.

Because your PHP scripts run as your group ID, and not as a separate process, they only need user and group permissions, and never need world/other access.

The correct permissions to use on our hosting platform are:

folders         : 0771
PHP files       : 0660
Perl files      : 0755
config files    : 0440
all other files : 0664

We strongly recommend that you do not change these.

In addition, our new Apache will refuse to serve files and folders set to 0777. This is a security rule and will not be changed.
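As an added example, not part of the original guide: a Python audit that walks a Joomla tree, compares each entry’s mode against the table above and lists the offenders, with world-writable (0777-style) entries first, since those are what the Apache rule above refuses to serve. The demo tree it builds is constructed; treating configuration.php as the config file and .pl as the Perl extension is my assumption.

```python
import os
import stat
import tempfile
from pathlib import Path

# Modes from the hosting guide's table, in octal.
EXPECTED = {"folder": 0o771, "php": 0o660, "perl": 0o755, "config": 0o440, "other": 0o664}

def category(path):
    """Map a path to a row of the guide's table (configuration.php is the config file)."""
    if path.is_dir():
        return "folder"
    if path.name == "configuration.php":
        return "config"
    if path.suffix == ".php":
        return "php"
    if path.suffix == ".pl":
        return "perl"
    return "other"

def audit(root):
    """Return (relative path, actual, expected, world_writable) for every entry whose
    mode differs from the table, world-writable entries first."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath, name)
            if p.is_symlink():
                continue                      # judge the link target on its own
            mode = stat.S_IMODE(p.lstat().st_mode)
            want = EXPECTED[category(p)]
            if mode != want:
                findings.append((p.relative_to(root).as_posix(), oct(mode), oct(want),
                                 bool(mode & stat.S_IWOTH)))
    findings.sort(key=lambda f: not f[3])
    return findings

def demo():
    """Build a constructed mini site tree with deliberate mistakes and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        for rel, mode in (("images", 0o777), ("components", 0o771)):
            (site / rel).mkdir()
            os.chmod(site / rel, mode)        # explicit chmod: mkdir(mode) obeys umask
        for rel, mode in (("index.php", 0o660), ("configuration.php", 0o777),
                          ("components/test.php", 0o644), ("logo.png", 0o664)):
            (site / rel).write_text("")
            os.chmod(site / rel, mode)
        return audit(site)
```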

Housekeeping

There are a few general tips that all website users should follow, not just Joomla users:

  • Remove all design templates, themes, modules, and plugins not needed by your site. This removes the risk of code not being updated because it’s no longer active on your site.
  • Clean up after installs. The installation process will require you to delete the installation directory and all its contents. Do this; do not simply rename it. If you upload files to your site as compressed archives (xxxx.zip for example), don’t forget to remove the compressed file. Check your Joomla /temp, /tmp and /cache directories, as temporary files may remain there after an installation.
  • Do not leave any unneeded files (compressed or otherwise) on a public server. Each unused (and perhaps long forgotten) file is a potential security hole.
  • Keep your website up-to-date. Make sure your website is fully patched and up-to-date by using the available tools in the admin panel.

Add The Joomla! Security Announcements Feed

Joomla provide a security announcements feed, detailing the latest vulnerabilities and patches. This is your number one source of security information for your Joomla website, and should be used.

  • Login to your Joomla! Administration panel
  • From the menu, select Extensions -> Module Manager
  • From within the Module Manager, select Administrator
  • From the Icon Menu (top right), select New
  • From the choices available, select Feeds Display
  • At the Feed Module configuration page, enter the appropriate details (Title (eg: Security Announcements) and Feed as a minimum)
  • Enter http://feeds.joomla.org/JoomlaSecurityNews in the Feed URL
  • Select cpanel as the position
  • Optional: select Apply from the Icon Menu (top right) and place the feed in the order where you want to see it in the Admin Control Panel
  • Select Save from the Icon Menu (top right)
  • Go back to your Admin Site main page (Site -> Control Panel) and you should see your newly built Security Feed.

Choosing modules, plugins and themes

There are many resources for additional components for Joomla. You should consider only using those that have some form of support on the official Joomla forums.

These additional points should also be addressed:

  • When was the last version released? If it has been over a year, consider the project abandoned and find something else. Do not install old components.
  • What kind of release is it? (Stable, Release Candidate (RC), Beta, Alpha) For production sites you should be sticking to Stable releases as much as possible. If you cannot wait until a Stable release has been made available, Release Candidates are the only other option you should consider. We would not suggest anyone install any Beta or Alpha extensions on a production site. These labels mean they still have bugs, they have not been tested enough, and could have any number of inconvenient bugs or security issues that have not been fixed or, worse, not yet found.
  • Is there a support community for this extension? This is very important for usability and security awareness. If there is a support community for an extension there is a better chance of security issues being known and dealt with. A support community means that people would like to continue using the extension and that they care about it. This furthers the chance that security issues will be found, disclosed, and dealt with promptly.
  • Is the extension generally bug free? While it is almost impossible for an extension to be completely bug free, the smaller the number of bugs, the better. If there are bugs in the software it means there are mistakes in the software. The more mistakes, the higher the risk of usability issues and security issues. Security issues are often a result of not one bug, but several bugs or bad practices.
