Joomla CMS, despite its several security features, can be easily hacked. Most of the time, hackers are more likely to exploit a misconfiguration than a bug present in the code. Hence, a careful application of Joomla security measures can prevent most attacks. These Joomla security tips are easy to apply and go a long way in protecting your site.
Follow these Joomla security tips to make sure your installation is secure:
Almost daily, a CVE (Common Vulnerability and Exposure) is dropped that can be exploited if not updated/patched.
Always be prompt with security patches and updates.
To update your Joomla Installation, follow the following steps:
Login into Joomla Dashboard as administrator and got to Components
Then go to Components->Joomla!updates.
Check for the latest updates for your Joomla installation and install the update. For this, go to Extensions->Manage->Update.
Sometimes the new updates may break some features in your Joomla Installation or its extensions. To avoid such a situation, backup your Joomla site before you push an update.
For this purpose, you can use an extension called Akeeba CMS Update. It can backup and update your Joomla installation.
Follow these steps to set up the extension.
1. Download the Extension from the provided link
2. Login into Admin Panel and then Extensions -> Manage->Install.
3. Upload the extension and then install it.
4. Once you have installed it, go to Components-> Akeeba Backup. From the drop-down menu, select the option you want to proceed with.
5. Click on backup to create a backup for the current installation and Follow the wizard.
The Akeeba extension will create backups for your site. A functional backup can quickly restore your site in case of a hack or a backup gone astray.
Files and folder permissions are the most important configuration on your Joomla installation. Wrong file & folder configurations pose a huge security risk. In typical Joomla installations, file permissions are listed in the form of numbers (just like in Linux filesystem). You should be able to understand them to configure them.
Here are some common Joomla files permissions:
0755: only the owner of the file can read write execute to it, rest can only read and execute.
0644: The owner can read and write to them; the rest can only read them.
0444: Nobody can write to it, all can read them.
Never set file permissions to 0777 as it gives all access (read, write, and execute) to all users and can be exploited by the attackers. Secure file permission on your site improves your Joomla security like no other.
The internet can be a very hostile place. Various botnets and hackers are trying to access your site every second. To protect your website, it is important to deploy a Web Application Firewall to monitor and protect your Joomla website in real-time.
A firewall scans all the incoming network traffic coming to your site. It also blocks attacks like brute force, SQL injections, XSS, spam, CSRF, etc. One recommended Joomla Security extension is Astra Joomla Security Suite.
Besides monitoring and blocking attacks, you can also use this extension to scan your site for malware. With this, you also get a pack of other security features such as login protection, one-click malware removal, IP & IP range blocking/whitelisting, Country blocking/whitelisting, ready-made GDPR compliance bar and more.
To use this extension, sign up from here. Next, install the Astra extension on your Joomla site after following a couple of simple steps, and you have a guard set up on your website.
The Joomla CMS is primarily written in the PHP language. PHP, if not configured properly, shows bugs that can be exploited. Thus configuring the PHP setup is an essential step towards enhancing the Joomla Security. To do so, edit your php.ini file with the following changes.
PHP version info can be used to find relevant bugs to that version by the attacker, hence make sure it is hidden.
expose_php = 0
Allow access only to those directories that are needed by the user. Deny access to everything else, including the sensitive ones.
open_basedir = "/var/www/yoursite.com/tmp/"
Note: You must allow access to those directories that PHP needs access too. Else, it may hinder the workings of your website.
Errors that reveal more than the required information are also a threat. Customize those errors so that no crucial information is given away.
display_errors = 0
In most cases, the remote code execution is caused by misconfigurations in the installation rather than bugs in the codebase. Thus properly handling the events that may cause them on your site is essential.
If your site doesn't use functions that result in executing code on the server, it’s recommended to disable them in the config file in order to stop potential RCE (Remote Code Execution) on the site.
disable_functions = exec,passthru,shell_exec,system, proc_open,proc_close,proc_terminate,popen,curl_exec,curl_multi_exec, show_source,posix_kill,posix_getpwuid,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,posix_setuid,posix_uname,php_uname,syslog
While at it, it is recommended to disable the following too, to stop LFI/RFI.
allow_url_fopen = 0
allow_url_include = 0
You should always follow the principle of least privilege while assigning permissions and roles to members on your site.
Assign a minimal set of privileges to a user to perform an action.
Allow privileges only for that exact action to be performed.
The following guidelines are recommended to improve the Joomla security.
Assign the lowest permission to the new user roles.
Revoke privileged permission when not required by the role.
Remove roles that are not being used.
Ensure that the default role is with the lowest permissions.
A correctly configured htaccess file can improve the security of your website by a huge margin. Most third-party vendors will configure your htaccess file when hardening your Joomla security.
Joomla ships with a pre-configured htaccess file named htaccess.txt. To use it, rename the file to .htaccess and place it in your site's root directory.
Using Captcha on login forms is an effective way to protect your site's login form from attacks like brute force, bot spam, etc. Recaptcha is a Captcha implementation by google and can be easily deployed on your Joomla installation(v2.5 and above). Follow the Official Joomla guide to install it
Thus, with these simple steps, you can protect your Joomla site from attackers. These simple Joomla security tweaks can improve your site's security significantly. Joomla Site offers a variety of Joomla security tips to improve your Joomla security.