13 Tips for Better Joomla CMS Security
As Joomla grows in popularity as an open source CMS more and more individuals and businesses of all sizes rely on the platform to get their products and services online. In fact, more than 2.5 percent of websites are running on a Joomla CMS -- and for good reason.
Joomla is free and there are more 8,600 extensions that allows it to do almost anything you want a CMS to do. Add to that a robust developer community and you've got a compelling product. Being so popular it's no surprise that malicious hackers continue to find new and innovative ways to gain access to your data. With that in mind, here are ways you can prevent these attacks and strengthen the walls of your CMS.
There are all kinds of hacks and attacks that the bad guys can use to infiltrate or bring down your site. These range from remote file inclusion to cross site scripting to the ever-popular SQL injection. Making your site more secure and resilient is a full-time job. For the most part a properly configured instance of Joomla on a properly configured server is about as secure as any other off-the-shelf solution. So why is it that Joomla gets the rap that it's among the most vulnerable open source CMS projects? To answer that question you need only to look in the mirror.
An infrastructure is only as secure as its weakest link and as it turns out a vast majority of security issues related to Joomla are not caused by Joomla's core code. Most security issues stem from old unpatched versions of Joomla or insecure, out-of-date and poorly written third-party extensions.
As the admin you have the daunting task of ensuring your CMS is properly patched, updated and secure. To help you achieve this goal, we've compiled this list of things you can do to improve your Joomla security.
1. Servers and Hosting
No decision is going to be more critical than hosting and servers. Many a server errors can be attributed to unpatched servers, open ports or weak shared hosting. On shared hosting your site could be set up properly and still be hacked through another site on the shared server. If your current host has problems with basic server configurations than you should most likely look for a new host. So step 1 make sure you are using a well-known secure host and that you stay current with your server patches.
Host your site on a server that runs PHP 5.2 or better in CGI mode with Su_PHP. Su_PHP is to PHP scripts what Su_Exec is to Perl files; basically it allows the execution of scripts under your specific user account as opposed to default Apache account. This allows you to more easily identify and track security breaches.
Ensure that you are using the latest Apache version and that your Apache configuration doesn't allow browsing/indexing. IT managers also need to ensure that the proper settings are in place for the .htaccess, serverconfig and php.ini files.
2. Enable and Use the htaccess File
By default the htaccess file is not in use. Make sure you rename it from .htaccess.txt to .htaccess. Then it needs to be placed in your root folder. You can also add some rewrite rules to it to prevent common exploits. You can find directions on how to edit the htaccess file here. This will add an additional layer of protection to your system.
3. User Accounts and Permissions
Joomla is good right from the start when installed on a properly configured web server. They should be set but make sure that all of your files CHMOD to 644 and your folders to 755. There are some exceptions to this rule like the configuration.php, which will CHMOD to 640. Ensure that nothing is set to 777.
The default administrative username is "admin" You should change this to something else. It will make it a little more difficult for a hacker to discover account details.
4. Backups and Incident Management
The time to consider an incident management plan is before your site is hacked not after, so take the necessary time to outline what will happen should you fall victim. As the saying goes, "Back up early and often." When this step is well-planned it takes a lot of the pressure off your shoulders should your site be hacked. Make sure back-ups are done daily to ensure you can restore your site without significant downtime or loss of data. This will allow you to focus on the real problem of how your site was penetrated.
5. Manage Your Extensions Carefully
Third party extensions are what make Joomla so wildly popular but these same extensions are what many times lead to an attack on your site. Every extension is another item that you have to ensure is updated / patched. This is the reason it's important to install only the extensions you need. You should be sure to take the following steps:
-- Do a code review on any extension you use
-- Run a test suite (there are many out there) and review your results
-- Update or patch your code as necessary
Remember, even one insecure extension can bring down your whole site.
6. Remove Extension Version Numbers
Often times, exploits are specific to a particular version of an extension. That's why it's a good idea to remove the version number from any installed extension. Removing the version number can thwart an attack before it happens.
You can edit your extensions to show only the name by using a tool like Dreamweaver. Perform a global search and replace in the respective extension folder. You can then remove any version numbers from your code.
7. Remove Unused Files
How many times have you installed an extension and then wound up not using it. You're less likely to pay attention to these because well& you're not using them. These can lead to unseen vulnerabilities down the road. Don't just unpublish these, uninstall them completely.
8. Password Protection
Brute force attacks are very common and target weak passwords. Joomla passwords out-of-the-box are MD5 encrypted + SALTED. That said, it's surprisinghow many companies both large and small don't have mandates in place regarding passwords. Craft a password that uses numbers, upper and lowercase letters, and symbols if possible and make sure to change them every 30 days.
Your database has all your important data in it. An SQL injection or any type of hack on your database can ruin your whole month. Make sure your database access is password-protected at the MySQL level. Try using tools like Nikto or NMap that scan your system for open exploits and weaknesses. This information can help tighten your database security.
Password protect your Joomla administrative area at the folder level. Password protecting this folder adds an additional layer of security. It should be a different username and password than your Joomla credentials otherwise you're wasting your time. This will cause admins to have to login twice but such is the price of security.
9. Change Default Table Prefix
Most SQL injections try to gain access to the jos_users database table. Once hackers have access to this file they have all your username and passwords, including super admin. Using a more random name can prevent a majority of database attacks.
If you are security savvy, this is something that you have already done during the Joomla installation process. If you didn't, and you are using Joomla 1.5, you can use the DB admin component to do this. If you are using Joomla 1.6 and didn't make the changes during installation, the process can still be done, but it's much more complicated. Full details can be found in the SnagJag blog entitled Change Joomla Table Prefix.
In other versions of Joomla, including Joomla 1.7, random table names are used during installation to fend off these types of attacks.
10. Use SSL Certification
Use SSL on your site and force Joomla into SSL mode for all logins. Just be aware that you must have a properly configured SSL certificate for your site's domain (shared SSL certificates will not work), or you will not be able to enable SSL in Joomla without running into additional problems.
11. Shut Down the Joomla FTP Layer
The FTP layer often has to be turned off anyway to allow some third-party extensions to work, and many servers use suEXEC instead, so it's no longer as useful as it once was. Disable the Joomla FTP Layer and ensure it has not stored your login details.
12. Turn Off Register_globals
Switch off register globals--but be aware that doing so can disable some PHP scripts from working, and may affect other programs that your site uses from working. To do this you just need to edit your site's php.ini file in the root directory for your domain.
13. Search Engine Friendly URLs
Always use search engine friendly URLs. Not only will this help your Google ranking but it will prevent hackers from finding exploits using Google search and other tools.
Keep Your Guard Up
As you can see Joomla security is not dependent on one thin. Security is a moving target that changes from day to day. There are a number of things that have to be maintained and updated on a regular basis. You can't just set it and forget it. To stay on top of it you need to know your site and stay current with patches and extensions, as well as cleaning things up from time to time. Good luck and always keep your guard up.
As always we are striving to improve, your comments and feedback help us to do that. Please contribute to the conversation.