Securing your Joomla Installation

So you’ve gone and developed your website, installed and configured extensions, entered content and built up a membership. You have a wealth of time invested in this project.

One day you visit the website and and notice the dreaded “This site contains malware do you want to proceed” notice in your browser or even worse you’re website has been compromised, used to attack other machines and nobody is any the wiser. You and your readership are now at risk and there is very little that you can do to be sure the website is clean unless you rebuild it – that’s right, it is almost impossible to clean a hacked website up and be sure that it is indeed clean.

With the advent of more advanced attacks and with packages readily available to “script-kiddies” the global information superhighway is not the safest of places for an unsecured website. Luckily there are steps you can take to protect your website. I’ve listed some that I carry out on most of my sites below:

• Rename your admin user – do this in the administrator
• Use a proper password with lowercase, uppercase and digits
• Use a SEF urls extension (like joomsef, sh404, etc) – no need to advertise to everyone that you are using joomla
• Optional: Install Akeeba Admin Tools and use the htaccess builder to protect against common exploits
• Make sure you’re folder structure is protected from public access, i.e. no 777 folders or 666 files!!!!!!
• Make proper use of the permissions, i.e. only give people as much access as they require
• Keep your scripts updated
• Remove any compromised scripts – regularly check the inj3ctor database here http://www.1337day.com and the Joomla Vulnerable Extensions list here http://docs.joomla.org/Vulnerable_Extensions_List
• Make sure register_globals is OFF
• Install jsecure or some other tool to protect your admin
• Uninstall any extensions that you aren’t using
• Disable any plugins that you don’t want to uninstall but aren’t using
• Maintain regular backups (e.g. using Akeeba Backup)
• Always protect publicly facing forms from injection attempts and please install a captcha for them
• Regularly check your logs!!!
• NB: Keep your local machine protected with a firewall and antivirus. Never let browsers remember your password to your email, ftp or websites and don’t store passwords in your ftp client

If you are lucky enough to be on a dedicated server there are many more things you can do to improve security (disabling ftp, using suhosin, denyhosts, monitors, etc, etc.). This goes beyond the scope of what I am trying to do here but I will write a post on how to do this in the System Administration section of this website when time permits.