How many times have I seen this online: "Help, my site has been hacked!" Or someone asking the question: is Joomla secure? Sadly, the truth of the matter is that security is mostly up to you. This tutorial will guide you in making choices that will keep your site more secure.
Myth buster: is Joomla secure? Joomla is very secure. In fact, it's probably one of the most secure platforms you could design your site with.
There are, however, some extra precautions you may want to take. Here are 8 tips to better Joomla security (in no particular order) ...
1. Change the default database prefix (jos_)
Most SQL injections written to hack a Joomla website try to retrieve data from the jos_users table. This is how hackers retrieve the username and password of the website's super administrator. Changing the default prefix to something random will prevent (most / all) SQL injections. You can set the database prefix when installing Joomla!
2. Use a SEF component
Most hackers use the Google inurl: command to search for sites with a known exploitable vulnerability. Use Artio, SH404SEF or another SEF component to rewrite your URLs and prevent hackers from finding the exploits. Additionally, you'll get a higher rank in Google when using search engine friendly URLs.
3. Use the correct CHMOD for each folder and file.
Setting files or folders to a CHMOD of 777 or 707 is only necessary when a script needs to write to that file or directory. All other files and folders should have the following permissions:
PHP files: 644
Config files: 666
Other folders: 755
If you're not sure how to fix these permissions you can search for a component called Admin Tools. This component has an option to repair file permissions. It will take care of it for you.
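The permission values above can be checked and applied from a shell as well. The script below is an added example, not part of the original tutorial or of Admin Tools: audit_joomla_perms reports PHP files that are not 644, directories that are not 755, and anything world-writable (777, 707, 666 and so on), and fix_joomla_perms applies the 644/755 baseline. The site path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit and fix Joomla file
# permissions against the values the tutorial lists (PHP files 644, folders 755)
# and list everything world-writable (777, 707, 666 ...) so each such entry can
# be confirmed as one that a script genuinely needs to write to.

# audit_joomla_perms ROOT
# Prints one line per finding; prints nothing when the tree matches the policy.
audit_joomla_perms() {
    root=$1
    # Anything world-writable: directories (777/707) and files (666) alike
    find "$root" -perm -002 | sed 's/^/WORLD-WRITABLE: /'
    # PHP files whose mode is not exactly 644
    find "$root" -type f -name '*.php' ! -perm 644 | sed 's/^/PHP-NOT-644: /'
    # Directories whose mode is not exactly 755
    find "$root" -type d ! -perm 755 | sed 's/^/DIR-NOT-755: /'
}

# fix_joomla_perms ROOT
# Applies the tutorial's baseline: 755 on every directory, 644 on every PHP file.
# A file that a script must write to (the tutorial's 777/707 case, or a config
# file you want Joomla to be able to rewrite) has to be opened up again
# afterwards, deliberately and one entry at a time.
fix_joomla_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -name '*.php' -exec chmod 644 {} +
}

# Usage (path is an assumption): audit first, then fix if the report is not
# what you expect, then audit again to confirm.
#   audit_joomla_perms /home/user/public_html
#   fix_joomla_perms   /home/user/public_html
```

Run the audit before the fix: every WORLD-WRITABLE line should be an entry you can name the writing script for; anything else is a candidate for tightening.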
4. Password protect your administrative area.
Password protecting the "administrator" folder will add an additional layer of protection to your Joomla website. For more information on how to do that, refer to our tutorial on How to password protect directories. You should set a username and password for this protection that are different from the ones for your Joomla application.
Once you do this, you will have to log in twice: first to reach the Joomla login page, then to log in to the application itself.
That makes guessing your passwords a very difficult task for any attacker. In addition, even if there is a security breach in the Joomla script itself, a potential attacker won't be able to reach your administrative back-end, even if s/he knows your Joomla login details.
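On an Apache host, "password protecting the administrator folder" means placing HTTP Basic authentication in front of it. The function below is an added example, not part of the original tutorial: it writes a credential file outside the web root and a .htaccess inside administrator/ that requires that login. It assumes Apache honours .htaccess for the site and that openssl is installed (used to produce the same apr1 hash format that the htpasswd tool writes); the paths and the user name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): put HTTP Basic authentication
# in front of Joomla's administrator/ folder. Assumptions: Apache honours
# .htaccess for the site, and openssl is available to hash the password.
#
# protect_admin_dir SITE_ROOT HTPASSWD_FILE USER PASSWORD
#   SITE_ROOT      Joomla installation directory (contains administrator/)
#   HTPASSWD_FILE  absolute path for the credential file; keep it OUTSIDE the
#                  web root so it is never served
#   USER/PASSWORD  the extra login, deliberately different from the Joomla one
protect_admin_dir() {
    site_root=$1
    htpasswd_file=$2
    user=$3
    password=$4

    command -v openssl >/dev/null 2>&1 || {
        echo "openssl is required to hash the password" >&2
        return 1
    }
    [ -d "$site_root/administrator" ] || {
        echo "no administrator/ directory under $site_root" >&2
        return 1
    }

    # Hash via stdin so the password never appears in the process list.
    hash=$(printf '%s\n' "$password" | openssl passwd -apr1 -stdin)

    # Credential file: one "user:hash" line. 644 matches the tutorial's file
    # baseline; the file holds only a hash and lives outside the web root.
    printf '%s:%s\n' "$user" "$hash" > "$htpasswd_file"
    chmod 644 "$htpasswd_file"

    # Apache rules for the administrator folder: anyone requesting
    # /administrator/ now has to pass Basic auth before Joomla's own login.
    cat > "$site_root/administrator/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted Area"
AuthUserFile $htpasswd_file
Require valid-user
EOF
}

# Usage (paths and user are assumptions):
#   protect_admin_dir /home/user/public_html /home/user/.htpasswd admin 'a-different-strong-password'
```

After running it, request /administrator/ in a browser: the browser's own login prompt should appear before the Joomla login form. If the prompt never appears, .htaccess overrides are disabled for that directory and the rules need to go into the server configuration instead.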
5. Keep your website up-to-date.
You should always keep your Joomla application up-to-date. We recommend that you download and use the Admin Tools component mentioned in point 3 in order to receive alerts about new versions. You can get it from Joomla's official extensions download page.
Once you receive a notification that a new version of Joomla has been released, you should upgrade your website immediately. The Admin Tools component also takes care of this. Some cPanel accounts also have an option to upgrade to the latest version using Fantastico. Be warned, though, that upgrading may alter your meta keywords configuration.
6. Use a .htaccess file to secure your Joomla.
You should make the following changes to the .htaccess file in the Joomla directory:
First, if you don't have a .htaccess file in your Joomla folder, rename the htaccess.txt file that comes with your Joomla installation package to .htaccess. To do this, you can use the File Manager tool in your cPanel. In addition, doing this will allow you to enable the SEF functionality of your Joomla application. The rules in it will block the majority of well-known attacks against your website.
Make sure you are running your website on PHP 5.2 or newer. All SiteGround customers have their accounts running PHP 5.2 by default.
Block access to all files except index.php and index2.php. Note, however, that you may have to allow access to some additional files if your extensions require them. If certain parts of your website do not appear, check which files they rely on and add them to the access rules. Generally, if you add the following lines to your .htaccess file, everything should work just fine:
# Deny direct requests to every PHP file ...
<Files *.php>
deny from all
</Files>
# ... then re-allow the two Joomla entry points (later <Files> sections override earlier ones)
<Files index.php>
allow from all
</Files>
<Files index2.php>
allow from all
</Files>
7. Passwords - Use a unique and strong password.
P@ssw0rd does not make a good password. Neither do any of the words on defaultpassword.com's list. The bad guys have terrific tools, called brute force tools and password crackers. They contain dictionaries of common passwords, combinations and so forth. Using your dog's, child's or wife's name is not acceptable. FAIL.
Create a unique password from a combination of upper- and lowercase letters, numbers and symbols. For instance: WsHc3_#7
Use an online password generator to make the process easier, like: http://www.techzoom.net/tools/password-generator.en
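A password can also be checked and generated locally, so a future password never has to be pasted into a website. The script below is an added example, not from the original tutorial: check_password applies the rules stated above (length, a mix of character classes, no common word or name, with the usual @/0/3/1 substitutions undone so that P@ssw0rd is caught as "password"), and gen_password draws from /dev/urandom until a candidate passes that check. The word list is a small constructed stand-in for the dictionaries that cracking tools carry.

```shell
#!/bin/sh
# Added example (not from the original tutorial): a local password policy check
# and generator. COMMON_WORDS is a tiny constructed list; a real check would use
# a much larger dictionary.

COMMON_WORDS="password admin letmein qwerty welcome joomla 123456 fluffy"

# check_password PASSWORD
# Exit 0 when the password passes, 1 (with a reason on stdout) when it does not.
check_password() {
    pw=$1
    if [ "${#pw}" -lt 8 ]; then
        echo "too short (minimum 8 characters)"; return 1
    fi
    # Count character classes present: upper, lower, digit, symbol.
    classes=0
    case $pw in *[[:upper:]]*) classes=$((classes + 1));; esac
    case $pw in *[[:lower:]]*) classes=$((classes + 1));; esac
    case $pw in *[[:digit:]]*) classes=$((classes + 1));; esac
    case $pw in *[![:alnum:]]*) classes=$((classes + 1));; esac
    if [ "$classes" -lt 3 ]; then
        echo "needs at least three of: upper, lower, digit, symbol"; return 1
    fi
    # Lowercase and undo the usual substitutions (@->a, 0->o, 3->e, 1->i, 4->a,
    # $->s, !->i, 5->s) so that P@ssw0rd is seen as "password" by the word check.
    normalized=$(printf '%s' "$pw" | LC_ALL=C tr 'A-Z@0314$!5' 'a-zaoeiasis')
    for word in $COMMON_WORDS; do
        case $normalized in *"$word"*)
            echo "contains the common word '$word'"; return 1;;
        esac
    done
    return 0
}

# gen_password [LENGTH]   (default 12)
# Draws random characters from /dev/urandom and retries until the candidate
# satisfies check_password, so the output always meets the policy above.
gen_password() {
    len=${1:-12}
    tries=0
    while [ "$tries" -lt 50 ]; do
        candidate=$(LC_ALL=C tr -dc 'A-Za-z0-9_#@%+=' </dev/urandom | head -c "$len")
        if check_password "$candidate" >/dev/null; then
            printf '%s\n' "$candidate"
            return 0
        fi
        tries=$((tries + 1))
    done
    echo "could not generate an acceptable password in 50 tries" >&2
    return 1
}

# Usage:
#   check_password 'P@ssw0rd'   # rejected: normalises to "password"
#   check_password 'WsHc3_#7'   # accepted
#   gen_password 16             # prints a fresh 16-character password
```

The substring match against the word list is deliberately strict: a name or dictionary word with digits bolted on (Fluffy2011!) is still rejected, which is exactly the combination the cracking dictionaries mentioned above are built to cover.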
8. Install the jSecure Authentication plugin.
Every Joomla back-end has the same URL. If you install a security plugin, you can add a suffix to your back-end URL to make it look like this: http://www.yoursite.com/administrator?helloworld
If the URL is not entered with a correct suffix, the site will redirect to a 404 (not found) page. Change the suffix regularly.