Joomla! is one of the most popular Content Management Systems (CMS) used to build websites, together with other CMS such as WordPress, Drupal and Magento. This popularity also makes life easier for attackers looking to compromise websites: they can simply concentrate on exploiting vulnerabilities in the CMS itself, or in one of its popular plugins and extensions.
Based on the reports by Sucuri’s Incident Response Team and Malware Research Team, Joomla! sites are usually hacked for SEO spam, drive-by-download infections, exploit or DDoS tools and phishing. In over two-thirds of cases, the cleaning team found backdoors in the websites – the attackers want to make sure that they will be able to get back in if web administrators attempt to clean up the site.
There is much controversy about the security of Joomla!. On the one hand, some people argue that, because Joomla! is a free CMS and relies on third-party extensions, it is inherently vulnerable; on the other hand, a large part of the Joomla! community regards it as one of the most secure CMS because its security team continuously reviews the problems reported by the Joomla! community itself.
In this article, some tips are given to improve the security of a website built with Joomla!.
Keep the server updated
The server where Joomla! is installed must run the latest stable versions of PHP and MySQL, keeping in mind the technical requirements that Joomla! publishes for the CMS version which is installed… and that version should be the latest!
Configure PHP properly
It is highly recommended to configure some PHP directives properly. They are the following:
Don’t give clues about the database
Everybody knows the table names of a Joomla! database and their structure. What nobody should know is the prefix of “your” tables. Don’t use as prefix anything that identifies your website. It is better to use a prefix of 3 random characters, starting with a letter.
Avoid using typical usernames and passwords
Avoid usernames and passwords such as admin, joomla, etc. Protect the Superadmin user with a password (at least 6 characters long) that combines letters and numbers in a non-obvious way.
Install only what is in JED
JED stands for Joomla! Extensions Directory, and it is the official directory for Joomla! components, modules and plugins. The components available in JED are tested by the security staff. Install only these components. You will feel good… and so will your website!
I’m not Joomla!
Many bots and other automated tools scan the Internet looking for websites built with Joomla! in order to attack them. Try to remove from the source code any reference to Joomla! to reduce the number of attacks.
You are not useful. Go away!
Delete from the server everything that you don’t need: third-party extensions or languages that are not going to be used, stray files, etc. It is a very common practice to install components during development that are never used in production. So, go away!
“Configuration.php” in the VIP Lounge
Move the “configuration.php” file outside the public part of the server, so that it is not accessible via URL. This is the most sensitive file of Joomla!, as it contains critical information about the database, the FTP account, the file structure…
Permissions 755 for folders and 644 for files
Once the website is properly configured and stable, you must set the permissions for folders and files, protecting them against writing. The best choice, whenever possible, is to set 755 for folders and 644 for files.
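As an added example that is not part of the original article, this POSIX shell snippet audits a Joomla! tree against the 755/644 recommendation above (listing every folder that is not 755 and every file that is not 644) and applies the recommended permissions. The install path is a placeholder you pass as an argument.

```sh
#!/bin/sh
# Added example, not from the original article: audit and fix the
# "755 for folders, 644 for files" recommendation under a Joomla! install.
# The install path is a placeholder; pass your real path as the argument.

# List every directory that is not exactly 755 and every regular file
# that is not exactly 644, one "DIR  <path>" / "FILE <path>" per line.
audit_perms() {
  root="$1"
  find "$root" -type d ! -perm 755 -print | sed 's/^/DIR  /'
  find "$root" -type f ! -perm 644 -print | sed 's/^/FILE /'
}

# Number of offending entries; 0 means the tree matches the recommendation.
count_bad_perms() {
  audit_perms "$1" | wc -l | tr -d ' '
}

# Apply the recommended permissions. Run this only once the site is
# configured and stable, because write access is removed from every file.
fix_perms() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
}

# Stand-alone use: audit the install given on the command line, e.g.
#   sh joomla_perms.sh /var/www/html/joomla
if [ "$#" -eq 1 ]; then
  audit_perms "$1"
fi
```

Run the audit first and review the list; re-run it after fix_perms to confirm that nothing remains writable by group or others.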
We are people, not machines
Include a CAPTCHA in all the forms of the website. This way you will avoid automated, massive attacks through these forms.
Secure, secure and secure all that you can
Add all the extra security you can in the Apache configuration (through a .htaccess file). Some examples are the following:
# Protect the .htaccess file itself
<Files .htaccess>
Deny from all
</Files>
# Protect the configuration.php file
<Files configuration.php>
Deny from all
</Files>
# Avoid the execution of scripts in the “images” folder (place this block in images/.htaccess)
<FilesMatch "\.(php|phtml|pl|py|cgi|sh)$">
Deny from all
</FilesMatch>
# Hide the folder structure (disable directory listings)
Options All -Indexes
# On Apache 2.4 use “Require all denied” instead of “Deny from all”