There is no telling the damage done when a site is hacked, you might have heard or witnessed seemingly absurd things on a hack site such as a site turned upside down, site turned into a porn site and even theft of valuable data. The hacking sector is part and parcel of the entire web application industry which includes various type of applications such as websites, CMS, ecommerce frameworks etc. The reality is that hackers are here to stay and boy don’t they love popular applications such as Joomla!? There are myriad of activities you can perform on your Joomla site to ensure that it is secured from hacking attempts. This article will look into some of the activities you need to perform to strengthen the security for your site.
There are vital suggestions that any Joomla site user need to put emphasis on when making the desired security changes such as updating your Joomla version alongside the extensions. As a matter of fact this will be the first point of discussion.
Table of Contents
Regularly updating Joomla and its extensions
Since Joomla is open source software there is always the feeling of inadequacy as far as updates are concerned. However, the developers and custodian of the CMS work round the clock to ensure that newer and more secure versions are released. In each latest version the developers try to correct any security issue that was experienced in the earlier version. The updates do not only stop with the Joomla CMS, they also extend to the extensions used on the CMS to make them perform better.
In most cases hackers exploit the loopholes in the extensions since they are aware most Joomla users will strengthen the CMS security. You will find a list of some of the vulnerable extensions on the Joomla site plus the proper method of upgrading the site.
In order to upgrade your Joomla version you need to access the administrative panel at by following this link:
www.yourdomain.com/adminstrator
If you are using Joomla 3.x (the latest version of Joomla) then it will automatically check for newer version in the repository. You will see “upgrade now” prompt if your version is outdated. As they create newer versions support is halted for the older versions. Note: you should make a backup of your site before you update it. The upgrade now link will direct you to the install now and upgrade now (hit the button). In a few moments, your site will be upgraded.
Upgrading an extension is also a straightforward move you just hit the extension button which then leads to the extension manager. Next, you hit the update button on the left column; Joomla will show you all the extensions with latest version. You can now update the extension you would like to.
Use strong logins credentials
The first step in putting up strong logins credentials is to do away with default words such as “administrator or” or “admin”. These default usernames are the first thing a hacker thinks of when they want to infiltrate a site. After you have made a combination of letters, characters and letters into a strong username you need to also create similarly strong password for your site. Many a hackers will try to use brute force to acquire your login credentials. It’s easier for them to follow a pattern which is usually utilized by most people. Therefore, you have to create a password that does not follow these patterns.
The following are some tips that you should follow while creating strong (preferable long and complex password).
- Lose all the common words in your password such as admin, wind, fire, etc
- This goes to even your family names. For instance, you should not use your daughter or wife’s name in Joomla site admin panel.
- If you had thought of password generators then you should also avoid them since they are created using algorithms which can be easily exploited for their vulnerabilities too.
- Make use of the CAPS LOCK, characters, letters, numbers in a neat combination that is so long and complex that it will even take you some time to master.
Use proper permissions and ownership
File permissions should also be considered in securing your Joomla site. You have to set the proper files permissions and folders for your Joomla site. Through the administrator panel you can use the following suggestions for setting the permissions
- Folders permission should be set to 755
- Files permission to 644
- Set the permission for your configuration.php file to 444
- Avoid using 777(which represents full permission) to avoid creating security exploits for hackers
Use recommended Joomla security extensions
The good thing about open source software such as Joomla or WordPress is the fact that developers are always willing and ready to create extensions for practically any need including for security purposes. There are a number of Joomla security extensions you can install on your site to protect it against brute force attacks and other security vulnerabilities. This trusted security extensions include: Akeeba admin tools, jomdefender, jhackguard and Jsecure.
Some hosting companies offer third party security applications for Joomla users or you can simply sign up to a site monitoring service such as Sucuri. Click here for more information on sucuri.net.
Regularly back up your Joomla site
It’s critical to store a backup of your Joomla site in a safe storage or even in your local computer (although here lie a risk in case your computer is hacked or stolen). You can as well hire cloud based storage services to store your data. There are a number of options available for creating Joomla backups either through use of Joomla extensions or through hosting company backups package.
How to back up a Joomla site
Using FTP client you can always transfer your Joomla files to your local hard drive. However, it gets tricky when you have to transfer 3000 + core files contained in Joomla and also your very own site’s data. The process will be slower since they are many small files instead of one big file. But through the admin panel you can actually compress these files into one ZIP file.
This can be achieved through the file manager tool in the Cpanel. Simply, go to the main folder of the Joomla 3 installation and select the entire barrage of files then press the “compress’ button. Once the files have been compressed you can easily download them using a FTP client or regular browser.
How to back up your database
There are two options of backing up your Joomla database via SSH console or through php MyAdmin. In both ways you need to have the login credentials for your Joomla MySQL. However, if you do not have this information you can obtain it through the configuration.PHP file in the Joomla root directory. You will find the entire information contained in the following code:
public $user = 'user_joomlat'; public $password = 'password'; public $db = 'user_joomlatut';
Before you can backup your Joomla site you need to access your account first. Next, head on to the Joomla site folder whereby you will use mysqldump command plus information obtained in the above step to create your backup database.
mysqldump -uuser_joomlat -password user_joomlatut > db-backup.sql
This is followed by last step where you head on to the yourjoomlasite.com/db-backup.sql and subsequently download the backup of your joomla backup locally.
Backup Joomla database using phpMyAdmin
Log into your account and open the phpMyAdmin tool located in the databases sections. Next up, you need to select the database that you need to backup, you can get the name from the configuration.php file. Now select your Joomla database and hit the export button,; do not change the options let them remain as default and press GO. The phpMyAdmin will create a backup of your Joomla database which can be easily download to the local host.
Protect your administrative page
Technically, the best way you can protect your administrative area is to restrict access to this area. Its starts off with the protection of your administrative folder of your site -password protect your folders. Head on to the Cpanel and highlight the password protect directories button. You will notice a collection of directories in your account. Next, choose the directory that you need to password protect followed by a username and password for the user.
Choose a name that will be visible on the login screen and then hit save to make the protection active. Once these changes are made you will be required to have an extra password so that you can see the ordinary log in form.
More protection can be realized through the .htaccess by restricting your specific IP address access to the administrative page. If you do not have a .htaccess file you will have to create one and upload it. If it is present then you need to place this code
Deny from ALL Allow from x.x.x.x
Now it’s necessary to note that you should replace the x.x.x.x with the real Ip address you wish to restrict to.
Remove unused extensions
Oftentimes, Joomla users install varying extensions and forget to remove them once they are done testing. Even though these extensions are disabled, it’s advisable to remove them since they pose a security threat to the site. In short, once you are done with test extensions you should remove them immediately to avoid forgetting about them.
Stop user registration
By default, Joomla allows user registration so you have to disallow user registration for security purposes. Head on to the Joomla admin panel click on users > users manager and click on the options tab. Next you will notice a setting allow user registration. Change the icon from Yes to No followed by the hit button on the top right.
Activate a two factor authentication
Under the two factor authentication, a user is required to insert the username and password and a number that is randomly generated as a onetime password. In such kind of two tier security method a hacker might guess your username and password but then brought to a halt once he get to the second factor authentication.
How do you enable the two factor authentication in Joomla 3.2 or higher?
First, you log in to the administrative area press components >post installations messages. Then press the enable two factor authentications. Note you need to install a Google compatible authentication client for your device.
Activate search friendly (SEF) URL support
The search friendly URLs do not only make your URLs friendlier for the search engines but also hide information that hackers can exploit to hack into your site. You achieve this through the administrative area then click on site >>global configuration, click on site again then select yes next to the Search engine friendly URLs.
Make use of SSL certification
You can use SSL and force the same for most logins. However, you need to have a rightly configured SSL for your Joomla site.s domain. The good thing about using SSL certification is that the user’s browsers first encrypt their log in credentials before they are forwarded to your server. This feature can be enabled in your Joomla site through the following procedure:
- Press extensions > module manager
- Find and open up the logins module
- Click on the “options” button and highlight the Encrypt log in form
Protect the session’s cookies
Normally, when a user gains access to the administrative panel of your Joomla site there is a unique cookie that monitors his movement to help in identification of the user once they log in again. This cookie is transmitted every time there is a page load –this allows Joomla to identify the user. The downside to this is that if hackers intercepted this cookie they will have similar control like an admin or any registered user.
As another layer of security you can enforce this command on for all users for the entire session which in turn will prevent the cookie from being intercepted by a 3rd party user interested in committing malicious damage to the site.
If this option is enabled for all visitors that mean that all the data such as images, javascripts, shared will be encrypted. Therefore, you can place this restriction to affect only the administrative area alone.
If you follow these steps, you will be able to ensure that your Joomla site is secure from brute force attacks from hackers. Of course, you can always hire the services of a security expert for a better diagnostic of your Joomla site.