Making Your Joomla! 3 Website More Secure

How safe is your Joomla website? You’ll probably answer this question with “pretty safe, I guess”. Even though the ‘pretty safe’ part is actually quite good, it’s the ‘I guess’ part where this ebook can help you. In fact, if you’re not aware of the best practices discussed below, your website probably won’t be as safe as you think it is.

Why it’s important to keep your Joomla! website secure

Joomla is used by millions of websites worldwide. Actually this is both a good thing and a bad thing at the same time. On one hand the high usage numbers are a strong signal that Joomla! is very likely a safe tool (if it weren’t, many Joomla! websites would get hacked and ever fewer people would start using it). On the other hand, these high usage numbers make it a juicy target for hackers. If they find and exploit a bug in the code, they can hack thousands of websites at the same time.

Making and Keeping your Joomla! website secure

The process of making and keeping your Joomla website secure is a combination of several factors. For example, there is the application of general security best practices, the usage of a proper web server, and the tweaking of several Joomla specific options and variables. In this ebook you’ll learn how to use most of these factors in order to improve the security of your Joomla website. For your convenience, the ebook has been split into two parts: ‘Making a Joomla! website secure’ and ‘Keeping a Joomla! website secure’.


Making a Joomla! website secure

Server and Hosting

The company at which your website will be hosted is one of the most important factors in the process of making sure you’ll have a secure Joomla website. Do note that this doesn’t just mean that their servers are properly set up, but for example also includes fast and knowledgeable customer support.

Cheap or good?

When selecting the company to host your website at, keep in mind that there is not necessarily a direct connection between price and quality. For example I know of a Dutch hosting company that charges about $40 per month for some of the worst hosting and customer support I’ve ever had the ‘pleasure’ to deal with. On the other hand there are hosting companies that are charging less than $5 per month while at the same time offering top quality servers and customer support.

Software versions

The first thing you should verify before signing up with a hosting company is whether or not their servers are capable of (properly) handling Joomla websites. At the time of writing, your web server is preferably running PHP 5.3.1+, MySQL 5.1+, and a recent version of Apache, Nginx or IIS.

PHP settings

Another important thing to keep in mind is that several PHP settings can greatly influence how well your Joomla website will run and how secure it will be. Variables to keep in mind:

- register_globals: This feature has been deprecated as of PHP 5.3.0 and removed as of PHP 5.4.0. With this setting enabled you could use variables from (for example) HTML forms or URL parameters interchangeably with your internal PHP variables.
- allow_url_fopen: This option enables the URL-aware fopen wrappers that allow URL objects to be accessed like files. Default wrappers are provided for access to remote files using the ftp or http protocol; some extensions like zlib may register additional wrappers.
- magic_quotes_gpc: This feature has been deprecated as of PHP 5.3.0 and removed as of PHP 5.4.0. Magic Quotes is a process that automagically escapes incoming data to the PHP script. It’s preferred to code with magic quotes off and to instead escape the data at runtime, as needed.
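To check these three directives on a host you do not control, you can read the php.ini you are given instead of guessing. The following script is an added example, not part of the ebook: `ini_get` extracts the effective value of a directive from an ini-style file (comments, section headers and quoted values handled), and `php_ini_audit` reports the three settings discussed above and returns the number of risky ones. The sample php.ini at the bottom is constructed for the demonstration and does not describe any real server.

```shell
#!/bin/sh
# Added example: audit a php.ini-style file for register_globals,
# magic_quotes_gpc and allow_url_fopen. Not part of the ebook.

# Print the effective (last) value of directive $2 in ini file $1, lower-cased.
# Prints nothing when the directive is not set.
ini_get() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }                 # comment line
        /^[ \t]*\[/   { next }                 # [Section] header
        {
            line = $0
            sub(/[;#].*$/, "", line)           # strip trailing comment
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)               # unquote "Off" -> Off
            if (k == key) val = tolower(v)     # last occurrence wins, as in PHP
        }
        END { if (val != "") print val }' "$1"
}

# PHP treats 1/On/Yes/True as enabled; anything else (including unset) as off.
ini_is_on() {
    case "$1" in
        1|on|yes|true) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per directive and return the number of risky settings.
php_ini_audit() {
    file="$1"; findings=0
    for key in register_globals magic_quotes_gpc allow_url_fopen; do
        val=$(ini_get "$file" "$key")
        if ini_is_on "$val"; then
            case "$key" in
                register_globals)
                    echo "RISK: register_globals=On (request input overwrites PHP variables; removed in PHP 5.4)" ;;
                magic_quotes_gpc)
                    echo "RISK: magic_quotes_gpc=On (escape data at runtime instead; removed in PHP 5.4)" ;;
                allow_url_fopen)
                    echo "WARN: allow_url_fopen=On (fopen/include can reach remote URLs; keep on only if an extension needs it)" ;;
            esac
            findings=$((findings + 1))
        else
            echo "ok:   $key=${val:-<unset>}"
        fi
    done
    return "$findings"
}

# Constructed sample php.ini (assumption: not taken from any real host).
sample_ini=$(mktemp)
cat > "$sample_ini" <<'EOF'
[PHP]
; legacy settings still found on old shared hosts
register_globals = On
magic_quotes_gpc = "Off"   ; quoted value with a trailing comment
allow_url_fopen = 1
EOF
if php_ini_audit "$sample_ini"; then echo "findings: 0"; else echo "findings: $?"; fi
rm -f "$sample_ini"
```

On a shared host, point the script at the php.ini shown by `phpinfo()` (the “Loaded Configuration File” line); if you cannot edit that file, the same keys can usually be overridden in a per-directory php.ini or `.user.ini`, depending on how the host runs PHP.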

File Permissions

Incorrectly set file permissions are one of the most common problems with Joomla websites. Problems range from the inability to upload extensions to having gaping security holes in your website. Possessing some knowledge about what file (and directory) permissions are and what they do can help you to fix these problems or even prevent them from occurring in the first place.

Chmod and suPHP

What Chmod effectively does is regulate which groups of users are allowed to Read, Write and Execute a file, or the files in a given directory. Providing a detailed description of how the different levels of permissions work is outside the scope of this article and can be found in the Wikipedia listing about Chmod. What’s most important to know about Chmod is that you want to make sure every user has the least amount of access required for their duties. Therefore, the perfect permissions are 0644 for files and 0755 for directories. If you’re on a shared host, these values can unfortunately cause your Joomla website to stop working. How can you fix this? The short answer is to ask your web host to enable ‘suPHP’ for your domain. When the website is served through suPHP, the user permissions will automatically be set correctly, therefore allowing you to use the aforementioned values of Chmod for your files and directories. More information about file permissions and Joomla can be found in the excellent article 777: The number of the beast by Joomla security expert Nicholas Dionysopoulos. If you’re curious about whether Joomla currently is or isn’t able to write to certain directories, check out ‘Administrator > System > System Information > Directory Permissions’. Each of these items should show up as ‘Writable’.
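Applying and verifying the 0644/0755 rule across a whole site is easier with `find` than by hand. The script below is an added example, not the ebook’s own code: `perm_count_wrong` counts files that are not 0644 and directories that are not 0755, `perm_list_world_writable` lists the entries that matter most on a shared host, and `perm_fix` applies the recommended modes. It assumes the site runs under suPHP (or another setup where PHP runs as the file owner), exactly the case the text describes; the throw-away directory tree at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit and normalise permissions under a Joomla document root.
# Assumption: PHP runs as the file owner (suPHP), so 0644/0755 does not break uploads.

# Number of files not 0644 plus directories not 0755 below $1.
perm_count_wrong() {
    f=$(find "$1" -type f ! -perm 644 | wc -l | tr -d ' ')
    d=$(find "$1" -type d ! -perm 755 | wc -l | tr -d ' ')
    echo $((f + d))
}

# World-writable files and directories: any other account on the server could
# drop or alter content here.
perm_list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002
}

# Apply the recommended modes (directories first so traversal keeps working).
perm_fix() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Demonstration on a constructed tree (assumption: not a real site).
demo=$(mktemp -d)
mkdir -p "$demo/images/stories" "$demo/tmp"
touch "$demo/index.php" "$demo/configuration.php" "$demo/images/stories/a.jpg"
chmod 755 "$demo" "$demo/images" "$demo/images/stories"
chmod 644 "$demo/index.php"
chmod 777 "$demo/tmp" "$demo/images/stories/a.jpg"   # the classic "777 to make it work" mistake
chmod 600 "$demo/configuration.php"                  # too tight for a suPHP setup
echo "before: $(perm_count_wrong "$demo") wrong entries; world-writable:"
perm_list_world_writable "$demo"
perm_fix "$demo"
echo "after:  $(perm_count_wrong "$demo") wrong entries"
rm -rf "$demo"
```

Run `perm_count_wrong` first and read the list before running `perm_fix` on a live site: a host that does not use suPHP may genuinely need group-writable `tmp`, `cache` and `logs` directories, and the System Information page mentioned above will tell you afterwards whether Joomla can still write where it needs to.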

Database

Virtually all the critical information about your Joomla website is saved in your database. It therefore makes a lot of sense to secure your database as well as you possibly can. Special attention should be paid to the following factors.

Database user

Make sure the database user that is linked to your Joomla installation only has access to that particular database. All too often people are using a database user that has access to the full set of databases that are managed via a tool such as phpMyAdmin. This means that if the credentials for one database user are discovered, the hacker immediately has access to all those databases. Having a unique database user per database prevents this from happening.

phpMyAdmin

Preventing access to your web based database management tool (such as phpMyAdmin) is a critical factor in keeping your database secure. Firstly you might try some ‘security through obscurity’ by placing the tool in a folder that isn’t named ‘phpmyadmin’. After all, this will be the first folder hackers will check when they want to gain access to your database. Secondly you should consider having an IP-whitelist for the folder in which phpMyAdmin is placed. Every IP trying to gain access to your folder is then screened against a (manually managed) list of known IP addresses for your organization. If for whatever reason such a whitelist isn’t an available solution for your website, you might want to look at protecting your phpMyAdmin folder using .htpasswd and .htaccess files.
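The whitelist and the password protection can be written into one .htaccess for the renamed phpMyAdmin folder. The script below is an added example, not the ebook’s own code or phpMyAdmin’s: `write_pma_htaccess` generates the file for Apache 2.4 (assumption: the `Require` syntax of mod_authz_core, and `AllowOverride` permitting AuthConfig and Limit in that directory). In `any` mode a whitelisted address gets in without a password and everyone else is asked for one; in `all` mode both the address and the password are required. The IP ranges and paths used in the demonstration are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate an .htaccess that restricts a phpMyAdmin directory.
# Assumption: Apache 2.4; the .htpasswd file lives outside the document root.

# $1 = "any" (IP whitelist OR password) or "all" (IP whitelist AND password)
# $2 = directory that holds phpMyAdmin
# $3 = absolute path of the .htpasswd file
# $4.. = whitelisted IPs or CIDR ranges
write_pma_htaccess() {
    mode="$1"; dir="$2"; passwd="$3"; shift 3
    case "$mode" in
        any) container="RequireAny" ;;
        all) container="RequireAll" ;;
        *) echo "mode must be 'any' or 'all'" >&2; return 2 ;;
    esac
    {
        echo "# generated: database administration is not for the public"
        echo "AuthType Basic"
        echo "AuthName \"Database administration\""
        echo "AuthUserFile \"$passwd\""
        echo "<$container>"
        if [ "$mode" = "all" ]; then
            # AND: the client must come from a listed address AND log in.
            echo "    <RequireAny>"
            for ip in "$@"; do echo "        Require ip $ip"; done
            echo "    </RequireAny>"
        else
            # OR: a listed address is enough; anyone else needs the password.
            for ip in "$@"; do echo "    Require ip $ip"; done
        fi
        echo "    Require valid-user"
        echo "</$container>"
    } > "$dir/.htaccess"
}

# Count the whitelisted addresses in a generated file (sanity check).
count_ip_rules() {
    grep -c 'Require ip ' "$1"
}

# Demonstration with constructed values (203.0.113.0/24 is a documentation range).
demo=$(mktemp -d)
write_pma_htaccess all "$demo" /home/example/private/.htpasswd 203.0.113.0/24 198.51.100.7
cat "$demo/.htaccess"
echo "whitelisted ranges: $(count_ip_rules "$demo/.htaccess")"
rm -rf "$demo"
```

Create the password file with `htpasswd -c /home/example/private/.htpasswd admin` (from Apache’s utilities; the path is a placeholder) and keep it outside the web root so the hashes themselves cannot be downloaded. On Apache 2.2 the same effect needs the older `Order Deny,Allow`, `Deny from all`, `Allow from …` and `Satisfy Any` directives instead of `Require`.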

.htaccess

Setting it up

A freshly downloaded package of Joomla comes equipped with a file named htaccess.txt. By renaming this file to .htaccess you can increase the security of your website significantly and as a bonus you can use neatly rewritten URLs as well! Renaming should be done by opening the file with a text editor and using ‘Save as’ to rename it to .htaccess. Do take note that this is a special file and is also specific to Apache servers, therefore users of Nginx or IIS won’t be able to take advantage of the benefits that using this file offers.

Blocking attacks

By enabling the .htaccess file you’ll automatically filter out various malicious ways to access your website. The code tries to block the most common types of exploit ‘attempts’ against Joomla. For example, it blocks any request trying to base64_encode data within the URL, any request that includes a <script> tag in the URL and any request trying to set a PHP GLOBALS variable via the URL.
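To see what those rules actually reject, it helps to run them over your own access log. The script below is an added example, not the ebook’s code and not Joomla’s htaccess.txt itself: `qs_blocked` re-implements the three checks described above as grep patterns (my approximation of the RewriteCond rules, an assumption rather than a copy of the file), and `scan_log` applies them to combined-format log lines and reports which requests the .htaccess would have answered with a 403. The log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: emulate the three query-string filters from Joomla's .htaccess
# and run them over sample access-log lines. Patterns are approximations.

# Return 0 (blocked) when query string $1 trips one of the rules, 1 otherwise.
qs_blocked() {
    qs="$1"
    # rule 1: a base64_encode(...) call inside the query string
    printf '%s' "$qs" | grep -Eq 'base64_encode[^(]*\([^)]*\)' && return 0
    # rule 2: a <script ...> tag, raw or URL-encoded (< is %3C, > is %3E)
    printf '%s' "$qs" | grep -Eiq '(<|%3C)([^s]*s)+cript.*(>|%3E)' && return 0
    # rule 3: an attempt to set GLOBALS or _REQUEST through the URL
    printf '%s' "$qs" | grep -Eq '(GLOBALS|_REQUEST)(=|\[|%[0-9A-Z]{0,2})' && return 0
    return 1
}

# Read combined-format log lines on stdin, print a verdict per request and
# return the number of requests the rules would block.
scan_log() {
    blocked=0
    while IFS= read -r line; do
        uri=$(printf '%s\n' "$line" | awk '{print $7}')   # "GET /path?query HTTP/1.1" -> /path?query
        case "$uri" in
            *\?*) qs="${uri#*\?}" ;;
            *)    qs="" ;;
        esac
        if qs_blocked "$qs"; then
            echo "BLOCK 403  $uri"
            blocked=$((blocked + 1))
        else
            echo "pass       $uri"
        fi
    done
    return "$blocked"
}

# Constructed access-log sample (assumption: documentation IP addresses, made-up requests).
sample_log='203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5123
203.0.113.9 - - [10/Oct/2013:13:55:40 +0000] "GET /index.php?q=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 5123
203.0.113.9 - - [10/Oct/2013:13:55:41 +0000] "GET /index.php?GLOBALS[x]=1 HTTP/1.1" 200 5123
203.0.113.9 - - [10/Oct/2013:13:55:42 +0000] "GET /index.php?x=base64_encode(foo) HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2013:13:56:02 +0000] "GET /about-us HTTP/1.1" 200 2048'

if printf '%s\n' "$sample_log" | scan_log; then echo "blocked: 0"; else echo "blocked: $?"; fi
```

Because the rules only look at the query string, a request such as the first sample line passes untouched, which is why enabling the file does not break normal Joomla URLs. A run over a real log with a high number of blocked lines from one address is a cheap early signal that the site is being probed.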

Rewriting URLs

As mentioned earlier, activating .htaccess also allows you to switch on the ‘Rewrite URLs’ setting in the Global Configuration of Joomla. Doing so will actually increase the security of your website pretty significantly. Rewritten URLs no longer show most of the variables that are included in the code (www.example.org/index.php?id=123&hash=abc vs. www.example.org/123/abc). Because of this, hackers will now have to figure out these variables before they are able to manipulate them in an attempt to hack your website.

FTP Layer

To solve problems related to the aforementioned file permissions, Joomla has a feature called the FTP layer. Enabling this feature allows you to upload and install extensions on servers where you otherwise wouldn’t be able to because of incorrectly set file permissions. However, the major downside of having to use the FTP layer is that it puts your FTP details unencrypted in your configuration.php file. This poses a big security risk to your website. Now when somebody manages to gain access to your configuration.php file, not only will they have access to your Joomla installation, but also to your entire FTP account.

ACL

Not necessarily a security measure per se, but a great reducer of potential security risks for your website nonetheless. By using the ACL (Action Control List) functionality that the Joomla core offers, you can restrict what areas of the Administrator certain user levels can or can’t access. For example, you can limit access to the Extension Manager or the Global Configuration to users of the superadmin level only. No longer will Administrators of your website be able to change critical settings on the website or be able to upload any files. As long as you make sure ordinary Administrators can’t upload any files, you’ll be fairly sure they can’t create any significant security risks either.

Passwords

One of the classic security problems for any software system: weak passwords. No matter how tight the security on the software level is, if your password is still ‘password’ or the name of your spouse, you’re begging for your website to be hacked. Countless articles have been written on proper password hygiene, therefore only a short summary will be presented here. Make sure your passwords are long (12+ characters is recommended), are unique per website (use a password manager like LastPass or 1Password to prevent having to remember them all), aren’t written down on a sticky note next to your computer and don’t relate to any of your personal data (so the name of your pet, the place you grew up and your high school sweetheart’s name should all be avoided).

Error reporting

The level of error reporting defines what level of errors are handled (either written to file or displayed on the screen, controlled by the PHP variable display_errors) by the server. When developing your website, you want as many errors reported and displayed on the screen as possible. Once your website has gone live, you still want as many errors to be reported, but instead of displaying them on the screen, you want them to be written to file. After all, if you display errors on the screen, you might give away information that can be used by a hacker to gain (more) access to your system.

Setting the level of error reporting

You can set the level of error reporting either via the php.ini file (which is often not available if you are using a shared server), via the .htaccess file or via the Global Configuration of your Joomla Administrator.
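For the .htaccess route, the following script is an added example, not the ebook’s own code: `htaccess_php_setting` reads the last value given for a php_flag or php_value directive, `errlog_audit` flags a file that still shows errors to visitors or does not log them, and `errlog_production_block` prints the directives to append once the site is live. It assumes PHP runs as an Apache module (mod_php); under suPHP, CGI or FPM these directives are ignored by Apache and the same keys belong in a php.ini instead. The development-time .htaccess and the log path are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit and fix PHP error-reporting directives in an .htaccess.
# Assumption: mod_php, so php_flag/php_value are honoured by Apache.

# Last value of php_flag/php_value directive $2 in file $1, lower-cased; nothing if unset.
htaccess_php_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) ~ /^php_(flag|value)$/ && $2 == key { val = tolower($3) }
        END { if (val != "") print val }' "$1"
}

# Print one line per check and return the number of problems found.
errlog_audit() {
    problems=0
    disp=$(htaccess_php_setting "$1" display_errors)
    logf=$(htaccess_php_setting "$1" log_errors)
    case "$disp" in
        on|1|true|yes)
            echo "PROBLEM: display_errors is On - messages, paths and queries are shown to visitors"
            problems=$((problems + 1)) ;;
        off|0|false|no)
            echo "ok: display_errors is Off" ;;
        *)
            echo "note: display_errors not set here - the php.ini default applies" ;;
    esac
    case "$logf" in
        on|1|true|yes)
            echo "ok: log_errors is On" ;;
        *)
            echo "PROBLEM: log_errors is not On - errors are lost instead of written to file"
            problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Print the block to append once the site is live. $1 = log file path; keep it
# outside the document root so the log itself cannot be downloaded.
errlog_production_block() {
    cat <<EOF
# --- production error handling: report everything, show nothing ---
php_value error_reporting -1
php_flag display_errors Off
php_flag log_errors On
php_value error_log "$1"
EOF
}

# Demonstration with a constructed development-time .htaccess (assumption).
demo=$(mktemp)
cat > "$demo" <<'EOF'
php_flag display_errors On
php_value error_reporting -1
EOF
echo "== before going live"
errlog_audit "$demo" || true
errlog_production_block /home/example/private/php_errors.log >> "$demo"
echo "== after appending the production block"
errlog_audit "$demo" && echo "clean"
rm -f "$demo"
```

Because a later directive overrides an earlier one within the same .htaccess, appending the production block is enough; the audit reads the last occurrence for the same reason. The Global Configuration setting in the Joomla Administrator sits on top of this, so set it to the same production behaviour rather than relying on one layer alone.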
