Security is a subject all too often addressed only after an unforeseen event; at least, that is how I came to be forced into action. It is true you can never stop 100% of attacks, but you can certainly take some simple steps to minimise the risk of your site being compromised.
One of my early sites was subject to attack. The first I knew of it was when I was unable to gain admin access: someone had changed the password and effectively locked me out. After exploring the many options to restore my admin password, I decided that even then I could not be 100% sure my core files were unaffected, so I simply rolled the site back to a known good point and made the security changes shown below. A backup regime is always good; see my blog post "Thank goodness I had a backup" at http://www.joomlaandme.co.uk/thank-goodness-i-had-a-backup/. How did this happen, and why hadn’t I taken the steps I’m about to reveal? Simply because I didn’t know what the security issues and their resolutions were in Joomla. I can’t understand what anyone gets out of causing harm to unknown people, but I do know it’s a good feeling minimising harm to others.
There are many arguments and comments on the web and in the forums about Joomla security and whether Joomla is secure. On one side, the critics say that because Joomla is open source and all of its code is freely available, it is easy for ill-intentioned people to find the security weak points and exploit them. The pro-Joomla lobby, on the other hand, says the Joomla core is secure and it is only poorly written modules and plug-ins that cause the problems.
My viewpoint is that Joomla is a fantastic free content management system, provided by a very active community, that does for free what would normally cost thousands. It is bound to have some security issues arise, but so do all the main operating systems. However, I do believe the majority of these issues can be mitigated by us, the users, in tandem with the security updates as they become available. One of the great advantages of Joomla is the variety and volume of plug-ins and modules available; as users we have to be aware of what risk each one poses and balance this against our requirements. I will cover later how you can do some checks before making a choice.
Here are three moments when you can make easy changes to improve security:
- installation steps
- updates and security patches
- module and plug-in vulnerabilities.
IMMEDIATE BASIC STEPS
- At installation you have the chance to change the prefix for your Joomla database tables, e.g. the jos_users table may become don_users or whatever prefix you choose. This makes a number of injection attacks more difficult, since they assume the default table names.
- Change the default admin username to something else, e.g. Janet.admin; again, this makes it more awkward for the hackers.
- Enable SEF (search engine friendly) URLs; this helps mask which components you are using from crawlers.
- Set up cPanel password protection on your administrator folder, so that you have a second authentication step before reaching the admin login.
- 99% of site compromises are the result of insecure scripts and/or insecure passwords, so make sure all your passwords are strong.
- NEVER set file permissions above 644 or folder permissions above 755. Configuration files (such as Joomla’s configuration.php) should have file permissions set to 640 (see the file permissions article).
- Create a .htaccess file
- Remove demo users and demo files before launching your site.
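As an added illustration (not part of the original article), here is a small shell audit that checks a Joomla web root against the permission rules in this list and flags the default jos_ table prefix; the directory tree it builds for the demo is constructed, and it assumes GNU find and paths without spaces.

```shell
#!/bin/sh
# Added example, not from the original article: audit a Joomla web root for files above
# 644, directories above 755, a configuration.php that is not 640, and the default jos_
# table prefix. Needs find(1) with -perm /MODE (GNU find); paths assumed to have no spaces.

# report LABEL LIST: print the findings in LIST and add them to FINDINGS.
report() {
  [ -n "$2" ] || return 0
  printf '%s:\n%s\n' "$1" "$2"
  FINDINGS=$((FINDINGS + $(printf '%s\n' "$2" | wc -l)))
}

# audit_joomla ROOT: print every finding; the total is left in FINDINGS.
audit_joomla() {
  root=$1; FINDINGS=0
  # A file is "above 644" if any bit outside rw-r--r-- (0133) or any special bit (7000) is set.
  report "files more permissive than 644" \
    "$(find "$root" -type f ! -name configuration.php -perm /7133)"
  # A directory is "above 755" if group/other write (0022) or a special bit is set.
  report "directories more permissive than 755" \
    "$(find "$root" -type d -perm /7022)"
  # configuration.php holds the database credentials, so it must be exactly 640.
  report "configuration.php not set to 640" \
    "$(find "$root" -maxdepth 1 -name configuration.php ! -perm 640)"
  # Automated injection attempts assume the default prefix, so flag it if it is still jos_.
  report "database prefix still the default jos_" \
    "$(grep -lF "\$dbprefix = 'jos_'" "$root/configuration.php" 2>/dev/null || true)"
}

# make_demo_root: constructed Joomla-like tree with four deliberate problems
# (world-writable directory and file, loose configuration.php, jos_ prefix).
make_demo_root() {
  d=$(mktemp -d)
  mkdir -p "$d/administrator" "$d/images"
  cat > "$d/configuration.php" <<'EOF'
<?php class JConfig { public $dbprefix = 'jos_'; }
EOF
  : > "$d/index.php"; : > "$d/images/logo.png"
  chmod 755 "$d" "$d/administrator"; chmod 644 "$d/index.php"
  chmod 777 "$d/images"             # too open
  chmod 666 "$d/images/logo.png"    # world-writable
  chmod 644 "$d/configuration.php"  # should be 640
  echo "$d"
}

# Usage: sh audit.sh /path/to/joomla ; with no argument the demo tree is audited.
demo=''; [ $# -gt 0 ] || demo=$(make_demo_root)
audit_joomla "${1:-$demo}"; [ -z "$demo" ] || rm -rf "$demo"
echo "total findings: $FINDINGS"
```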
UPDATES AND SECURITY PATCHES
The first place to go for information on Joomla security is http://developer.joomla.org/security.html. Once you have installed Joomla it is worth signing up for the Joomla Security Notifications and working through the security checklist; a good starting point is http://docs.joomla.org/Category:Security_Checklist, part of which is the Administrators’ Security Checklist at http://docs.joomla.org/Joomla!_Administrators_Security_Checklist.
Join the Joomla security news feed: http://feeds.joomla.org/JoomlaSecurityNews?format=xml
Before deciding on a plug-in or module, check the Vulnerable Extensions List at http://docs.joomla.org/Vulnerable_Extensions_List; it is updated as the developers of the add-ons fix any issue.
Use templates, modules and plug-ins from known suppliers; they too will keep you advised of security fixes and keep their products up to date.
There is one last aspect to my basic advice, and that is hosting: you need a company that backs up regularly and makes those backups available to you, that runs suPHP, and that has knowledge of Joomla. Again, there is a list available at http://resources.joomla.org/directory/support-services/hosting.html. For Joomla I myself use Rochen (http://www.rochen.com/), who provide an excellent service, just what I wanted.
One commentator on the Joomla forum said “I am always learning though, it’s impossible to know everything,” and I concur with that sentiment. The problems are always changing and you need to keep up to speed and be open to learning from others’ experiences.
If you have a site of great value then you may consider using a professional to get your site security to the highest level.
I hope the information in this article lays a foundation for you to build upon. Remember to join the forums and keep up to date.