Joomla is one of the most popular content management systems of the world but without proper configuration it can be vulnerable to attacks. Here are some tips on how to protect your Joomla website.
Joomla is solidly positioned as one of the most popular content management systems in the world (currently second as per Wappalyzer (https://wappalyzer.com/categories/cms), BuiltWith (http://trends.builtwith.com/cms) and W3Techs (http://w3techs.com/technologies/overview/content_management/all )) only outgrown in market share by WordPress. Despite its popularity and ease of use Joomla has –as many other CMSs- some inherent security risks that can leave your website vulnerable to attacks if it is not properly configured, updated and protected. This article intends to offer tips to increase the security of Joomla based websites but should not be taken as an absolute guide on how to protect your website: there is no one right way to protect your website depending and security measures are subject to immediate obsolescence once an exploit is found.
1- A strong foundation.
I don't manage the statistics for this, but I venture to say that the majority of CMS-based websites find their home in shared web hosting servers. If this is your case, my first tip is to try and stretch your budget for a virtual private server. A VPS will offer a significant performance increase on top of many security benefits. An attack to a website hosted on a shared server will potentially put indirectly in risk all the other accounts hosted in the server. VPSs, on the other hand, run on independent virtual instances and even if one of them is compromised the other VPSs are isolated from the attack.
If you can't afford a VPS (even less a dedicated server!) then try at least to use the services of a provider that limits the amount of shared account per server and has strict security policies. Generally speaking, try to go here with the big names and remember that you also get what you paid for when it comes to web hosting. One requirement you should consider a must have is the capacity to password protect directories. More about this about this will follow.
2- Hide your credentials.
The more you information you expose about your website the easier it will be for a knowledgeable person to find vulnerabilities to exploit. Joomla inserts by default a meta tag named "generator" that identifies itself as a Joomla website and although there are many ways to find out what technology was used to create a website (such as technology lookup browser extensions) it is always a good idea to hide your information beginning from the simple steps and then moving towards the most complex solutions.
How to remove the meta tag "generator" from your Joomla website:
In your template's index.php file, add the following line of code right before ending the section:
This line of code will prevent Joomla from generating the aforementioned generator Meta tag and thus adds a bare minimum cloaking layer.
3- Administrator? I don't think so!
Another easy way to detect if a website is built in Joomla is adding /administrator to the end of the website's URL. If the administrative section of the website is exposed, it becomes both reveals that the website is Joomla based and becomes an easy target for brute force attacks, so once again, action should be taken to prevent the regular user or hacker to "see" or access your administrator folder. There are at least three easy ways to do this:
I) Install a third party extension:
There are many good free and paid extension in the Joomla Extensions Directory (JED) that will prevent unauthorized users from accessing your Administrator folder. Most of them use a key-value combination added to the website's URL to allow the user to reach the backend login screen and also provide useful tools for brute force attacks prevention and general administrative tools. There are many extensions to choose from, but I personally have obtained good results using AdminExile (Multicored is not related to nor sponsored by the developers of this extension) but feel free to shop around and take your time to read the reviews and look at the support pages of several extensions before deciding for one. Always remember to back up your site before installing new extensions!
II) If your web hosting provider uses CPanel, you can use the Password Protect Directories feature. This feature will ask for a valid username and password to the user trying to access this folder. This feature is very easy to use because it can be set up through a GUI and actually adds considerable protection to the website.
III) If your web host doesn't support CPanel or you prefer to manually edit your configurations, then you can achieve the same results of variant II) by using .htaccess to password protect directories and child files.
To use this method you will need to create two files: .htpasswd and .htaccess. The .htpasswd file will contain a list of valid users and their respective passwords and would look similar to this:
This file should be placed in a folder that is not publically accessible, for instance, it could be placed on the parent folder of the public_htm directory.
The .htaccess file has to be placed inside of the folder that you want to protect (Administrator in our case) and add the following code:
AuthName "Secured Area"
There are many cool things you can do with .htaccess beyond password protecting a folder, which also happen to go beyond the scope of this article, however, I encourage you to do a quick Google search for .htaccess password protect folder or similar terms to dig further in this subject.
4- Beware of 3rd party extensions.
One of the strongest selling points of Joomla is the JED. There is an extension for almost any task you could possibly have to tackle. Ironically, this can also be a weak point of this (and others) CMS when it comes to security. There are bad extensions and there are good extensions no matter if they're paid or free, and very often a poorly coded extension with known vulnerabilities are the entry point for an attack. The advice here is... read the reviews! Joomla's community is very vibrant and vocal, there are many extensions to choose from, so don't settle for one with low ratings or just a couple of reviews. Another indicator to look for is the last time the extension was updated. An extension last updated several months or years ago can indicate the developer is no longer supporting it and it's never good to rely on old code no one is taking the time to debug. Get to know the best developers, those who give active support and update their extensions regularly, and try to stick to their products.
5- Update and backup often. Very often.
If you are in charge of developing/managing/maintaining a Joomla website then you have to subscribe to the Joomla Security Centre mailing lists. This is the fastest way to find out of new vulnerabilities found and subsequent fixes. You should always install the system updates in a reasonable short time after they are released, allowing time enough to test the compatibility of all your extensions before upgrading. Sometimes it is wiser to disable an incompatible extension and find a suitable alternate than staying with and outdated, vulnerable system.
Extensions need to be updated too. Joomla 3.x has made updating extensions a lot easier but you can click "Purge" and "Find updates" every once in a while to make sure you get notified for any available update. Visiting the developer's web also helps to stay up to date.
At several points of this article we have advised or mentioned backups. Backups are a vital aspect of websites given that no matter how secure you think your website is, no system is invulnerable and having secure, up-to-date offline backups can greatly decrease your recovery time if your website is ever compromised. Do not rely on shared host servers backups, make the habit of backing up at least once a week or more often if your website generates a lot of content and also test the backup archives. Remember that an untested backup is not much better than no backup at all.
As previously stated, the above points should not be taken as a definite guide to securing your Joomla website, but I hope they can help you to add extra security to your website. I have purposely left out of discussion the complexity of usernames and passwords because I assume anybody trying to improve the security of his or her Joomla website has already mentally surpassed the stage of using Admin as the administrator username and uses a strong non-dictionary password. If you haven't, then you probably aren't ready to manage a website's security and should get a professional to help you!
Jokes aside, general security rules also should be taken into consideration: strong passwords, avoiding using public networks to connect and manage your website and always logging off when using shared computers are apparently small precautions that can take you a long way in securing your website.