Note: We have not included any security extensions in the tips we listed below. As rule of thumb, anything you install in Joomla could be potentially vulnerable code, even if it’s an extension focused on security.
After installing your website, don’t keep the default admin username and password. Make sure to set up a strong password so that a hacker can’t guess his or her way in using a list of most commonly used passwords.
Joomla is such a powerful platform because it’s so easy to extend its functionality in a few clicks. But with great power, comes great responsibility! Most Joomla hacks happen because of third party extensions that fail to follow best practices.
Test new extensions in a staging or local environment first to assess their value and stability. You can test your Joomla site on your local machine using the Joomlatools Vagrant box.
Make sure to uninstall extensions that you don’t need any longer. More code in your website only increases the number of potential vulnerabilities.
Alternatively you can build your application using Joomlatools Platform. This is a modern Joomla stack with a slimmed down Joomla codebase and improved directory structure. Only public assets are exposed by the webserver while the core PHP files and extensions are moved outside of your document root.
And finally, regularly review the official Vulnerable Extensions List.
An all too common problem is incorrect file permissions. You should only grant write access to those directories and files that actually require it, such as upload and cache directories. Everything else should be locked down once your extensions and templates have been installed.
The required permission model is very different for each site and depends heavily on your setup. We usually start with these permissions and evolve it from there:
- Directories set to 0755: only the owner of the file can write to it, the rest can read and execute them.
- Files set to 0644: only the owner can write, the rest can read.
configuration.phpset to 0444: only read is allowed.
And finally, never ever use 777 permissions. It allows your files to be viewed and modified by anyone! This is especially important if you are on shared hosting. Any other user will have full access to your files.
You can require a password in the admin login area to further improve security. You can do this manually by creating a .htaccess file in the administrator directory as described in the Joomla documentation.
A web application firewall (WAF) acts as a filter and monitor for HTTP applications. You can either install one on your own server yourself, such as ModSecurity, or use a cloud-based solution. Using a web application firewall will give you the following features:
- Spambot protection
- Brute-force attack protection
- Backdoor protection
- DDoS protection
- SQL injection protection
- and more..
To protect the communication between your visitors and your website, you need to encrypt it using SSL. Even if you are not running e-commerce sites or payment gateways, running on HTTPS and having an SSL certificate adds to your site security by protecting your username and password when you or your colleagues log into your website. Otherwise these login details are sent over the internet in plain text.
How do you know your site is still up and running? You need to monitor your website continuously to make sure it has not been hacked. If a problem occurs, you will get an email or SMS.
The most important part of managing a Joomla website is applying regular updates. Most Joomla and extension releases contain security fixes, so it’s never a good idea to skip them.
Luckily, Joomla has a built-in version checker and will notify you when a core update is available. A lot of extensions now support the Joomla Update System which will also notify you of new extension releases.
Be sure to make a backup before you update!
PHP is the language Joomla is written in. To improve your Joomla security, we recommend you change the following PHP directives in your php.ini file:
expose_php = 0
Hide the PHP version to your response headers so attackers don’t know which known vulnerabilities might be hiding in your version.
open_basedir = "/var/www/yoursite.com:/tmp/"
Tell PHP to whitelist the given directories. This prevents attackers from accessing any other part of your file system. Note that you must include every directory PHP needs access too, including the temporary file upload directory and session storage location.
display_errors = 0
Errors should never be displayed to the end-user as they might give away important information about your setup to attackers.
disable_functions = exec,passthru,shell_exec,system, proc_open,proc_close,proc_terminate,popen,curl_exec,curl_multi_exec, show_source,posix_kill,posix_getpwuid,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,posix_setuid,posix_uname,php_uname,syslog
Disable dangerous PHP methods so that attackers cannot use them to compromise your system.
You might also want to consider disabling the following options:
allow_url_fopen = 0
allow_url_include = 0: Don’t allow PHP to open remote URLs because remote content cannot always be trusted.
file_uploads = 0: Disable file uploads if your website does not need them.
However, if you do need file uploads for a document manager such as DOCman or a file and media manager like FILEman, you should leave these options untouched.
Finally, the same rules apply to your PHP installation and web server as your Joomla and extensions: make sure to keep your PHP version up to date or choose a hosting company that proactively does this for you.
You can find a list of PHP versions that are out of date here: php.net/eol.php. If you are running any of the versions in this list your Joomla site is very likely at risk.