Joomla! Tips for security
If you run a Joomla website, you should give some thought to its security.
Unfortunately, popular content management systems such as Joomla are regular targets for attackers. Most of them want to send spam, which harms your web server, gets your domain or IP address onto blacklists and, above all, costs you nerves. Spam is not the only motive: spreading malware, stealing passwords, redirecting visitors to profitable URLs or simply taking the website down can all be the reason for an attack.
You want none of that. We have therefore summarized a few hints and tips that you should consider when administering Joomla.
Let's start with the security of the web server. On shared web hosting or a managed server, the web host will take care of the appropriate security packages; if you run your own root server, however, a WAF (Web Application Firewall) should be installed. For Apache there is ModSecurity, for nginx NAXSI.
A WAF costs some website speed, but the security of the web server should always come first. In addition to the WAF, on a root server you are responsible for applying all security updates and administering the server yourself.
After installing Joomla, you should add an extra layer of access protection for the backend (administration interface). The .htaccess protection can be created either directly via the web host's web interface or manually via a .htaccess file.
The protection should cover the entire "/administrator" path and use credentials that differ from the Joomla administrator login.
A decent backup saves you a lot of time and nerves in the event of a hack. With some web hosts an automated backup can be set up with a few clicks, and restoring files and databases can also be done quickly via scripts.
If your host does not offer backups, you have to take care of them yourself. You can use one of the file and database backup scripts that already exist on the net, or a Joomla component with a disaster recovery function, in case the backend is no longer accessible. Akeeba offers a good solution here.
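An added example (not from the original article) of the .htaccess protection described above: it writes a Basic-auth .htaccess into Joomla's administrator directory and creates the credential store outside the web root. It assumes Apache 2.4 with `AllowOverride AuthConfig` enabled for the site and the `htpasswd` tool from apache2-utils; the paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: put HTTP Basic authentication in
# front of Joomla's /administrator directory with a separate credential store
# that lives outside the web root. Paths and user names are assumptions.
set -eu

# Write administrator/.htaccess. The password file path must be absolute and
# outside the document root so the web server can never serve it.
write_admin_htaccess() {
    joomla_root="$1"; passwd_file="$2"
    cat > "$joomla_root/administrator/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $passwd_file
Require valid-user
EOF
}

# Create or extend the password file with htpasswd (-B selects bcrypt, -c
# creates the file). The user name must differ from the Joomla administrator
# account, so that one leaked password never opens both doors.
add_admin_user() {
    passwd_file="$1"; user="$2"
    if [ -f "$passwd_file" ]; then
        htpasswd -B "$passwd_file" "$user"
    else
        htpasswd -B -c "$passwd_file" "$user"
    fi
}

# Sanity check: returns 0 if the password file is outside the web root.
passwd_file_is_outside_webroot() {
    case "$2" in
        "$1"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage (assumed paths):
#   write_admin_htaccess /var/www/joomla /etc/apache2/.htpasswd-joomla
#   add_admin_user /etc/apache2/.htpasswd-joomla backend-gate
```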
The backups should be stored in a non-public area of the server, outside the web root.
In addition to the security on the web server, you should pay attention to a few things when configuring Joomla.
You should not save FTP login data in Joomla unless it is absolutely necessary. If you need the FTP upload function, create a dedicated login for Joomla with a secure password and use it only there. That way the server's access log tells you more quickly which FTP login was used to upload which files.
The file permissions can be checked via the Joomla backend. The configuration.php in the Joomla directory, however, is better given permission 444.
Via an FTP program the file permissions can be set quite easily. You should never use permission 755 for files in a live environment; 644 or 444 is always recommended here.
Note, however, that configuration.php is no longer writable with permission 444. Configuration changes in Joomla must then be made directly in the file. Likewise, before uploading a new copy to the web server, the permissions must first be changed back to 644 so that the file can be overwritten.
This is a bit awkward, but the data in configuration.php (database and FTP login) deserves good protection.
Security updates are released for Joomla regularly, and you should install them immediately. The popularity of Joomla also attracts potential attackers, and newly discovered vulnerabilities are exploited right away.
If e-mail notification is activated in Joomla, you receive an e-mail about new updates. The check for whether the installed Joomla is current usually runs when a visitor accesses the website.
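An added example (not from the original article) that applies the permission scheme just described to a Joomla tree, reports files that deviate from it, and wraps the awkward unlock/edit/relock cycle for configuration.php in one function. The Joomla root path is passed in by the caller; it assumes the script runs as the file owner.

```shell
#!/bin/sh
# Added example, not from the original article: apply the permission scheme the
# text recommends (directories 755, files 644, configuration.php 444) to a
# Joomla tree and report anything that still deviates from it.
set -eu

# Directories need 755 so the web server can traverse them; regular files get
# 644; configuration.php is locked to 444 as the last step.
harden_joomla_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/configuration.php" ]; then
        chmod 444 "$root/configuration.php"
    fi
}

# List regular files whose mode is neither 644 nor 444 (e.g. an uploaded 755
# script). Empty output means the tree matches the recommended scheme.
find_loose_files() {
    find "$1" -type f ! -perm 644 ! -perm 444 -print
}

# Temporarily unlock configuration.php, run the edit or upload command given as
# the remaining arguments, then lock it again even if that command fails.
edit_config_locked() {
    root="$1"; shift
    cfg="$root/configuration.php"
    chmod 644 "$cfg"
    status=0
    "$@" || status=$?
    chmod 444 "$cfg"
    return "$status"
}

# Usage (assumed path):
#   harden_joomla_perms /var/www/joomla
#   find_loose_files /var/www/joomla
#   edit_config_locked /var/www/joomla cp /tmp/configuration.php /var/www/joomla/configuration.php
```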
To avoid so-called footprints, not every technically minded visitor should be able to tell immediately that the site runs on Joomla.
In addition to the .htaccess protection of the administration area, you should activate the URL rewrite option in the Joomla configuration. Joomla also names itself as the system in use in your website's source code; this can usually be disabled via the template in use or via a module from the JED (Joomla Extensions Directory).
Joomla uses the user name Admin as the standard login. Do not make it too easy for an attacker: use a different user name for the administrator. It goes without saying that the associated password should not be 1234 or Admin.
For the editor used in Joomla, you should define which user groups receive special permissions. These include, for example, the use of iframes or unfiltered HTML, which should be allowed only for administrators.
The corresponding text filters are in the Joomla global configuration, and the TinyMCE editor plugin offers further configuration options.
In addition to the previous security measures, and to prevent unwanted e-mails being sent via your system, you should deactivate (or, if necessary, uninstall) system plugins such as "recommend". The e-mail address stored in Joomla should not be used anywhere else, and instead of PHP mail you can choose an authenticated alternative such as SMTP in the Joomla configuration.
A little more security can be gained on the web hosting side: deactivate PHP mail and set a limit on outgoing e-mail. A regular look into the mail queue on the web server never hurts either.
A further area: a few hints for the safe handling of Joomla and everything that belongs to it.
Less is more! Experience has shown that this is absolutely true when installing components, modules and plugins in Joomla. The more you install, the more there is to maintain and the more complex the system becomes.
When choosing extensions, rely on sources from experienced Joomla developers.
Optionally, you can split complex projects into multiple Joomla instances. A single installation then does not become overloaded and can be maintained and analyzed more easily.
For additional security, there are two or three good Joomla firewalls in the JED that block and log various hacking attempts and also cover known vulnerabilities in extensions. Investing in such an extension is definitely recommended.
Sounds strange at first? But it is not. Many hacked sites have a file somewhere that was uploaded by the attacker, who wants to show off his skills in various forums and possibly sets a backlink to the site.
Your local system (PC, Mac, tablet ...) should also be secure. Besides adequate protection, passwords for the Joomla installation should not be stored in plain text here. Use a password manager and make sure that your software does not save any passwords.
Currently the FTP client FileZilla stores all saved connections with their passwords in clear text. There are instructions on the net for changing this, but you should be aware of it.
In general, always use secure passwords.