How To Secure Your Joomla Website
Written by Steve Floyd, Thursday, January 14, 2010, 18:00
Joomla!, when used correctly, can actually be one of the most stable, secure CMS platforms you can use, but for the average end user it can be a long way to getting there. Beginner users find it very complicated and cumbersome to run updates at first, as they should. To understand how to truly secure Joomla! from top to bottom is to take a crash course in server security.
It is one thing to simply set up and even administrate a Joomla! site, but to truly secure your site you really have to stay on top of updates, both for your core installation and for all the other components, extensions and plugins you may be using. This should go without saying if you are using Joomla. With that said, here are a few tips and resources for anyone just getting started with Joomla! on the path to effectively securing their website:
- Perishable Press
- Permissions, Permissions, Permissions...
- PHP Anti-Hacker Component
- Protect the Admin Area!
- Server Logs
- BACKUPS!!!
Perishable Press
I couldn't say enough good things about this guy's work. His 3G Blacklist and Stupid .htaccess Tricks have probably single-handedly saved my websites. .htaccess is one of your first lines of defense to harden your website's security. You also get the benefit of spiffy, search-engine-friendly URLs like yoursite.com/about.html.
Permissions, Permissions, Permissions...
This has been said so many times in the Joomla! forum it is ridiculous, but I am going to reiterate it one more time... FILE PERMISSIONS. If you give these jokers an inch, they will take a mile. The moderators there aren't kidding when they say use Joomla! Tools Suite. It really is a simple, straightforward way to check all the file permissions and possible security holes you may have.
PHP Anti-Hacker Component
This little slice of goodness by the guys at Open Source Excellence will harden your security even more, adding 3 separate layers of firewalls for would-be script kiddies to contend with. It also makes you aware of security holes.
Protect the Admin Area!
I use JSecure as an added layer of security to access the admin area. JSecure requires registration and a $5 donation, but the ability to track and block IP addresses that try to access your admin area is well worth it. I also recommend going as far as password-protecting your admin directory, or adding Secure Sockets Layer (SSL) to the logins. In addition to JSecure, there is also the kareebu Secure Plugin, which is totally free.
Server Logs
Scumbags always leave a footprint. At least once a week I try to identify suspicious behavior in my server logs and ban any relevant IPs. Better safe than sorry! If some douchebag wants to get in, they will eventually if you don't stop them from snooping around.
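As an added example of the weekly log review described above (this is not code from the original post), the following Python script parses Apache combined-format access log lines and flags any IP that POSTs to the Joomla administrator login at least a threshold number of times within a short window, which is the pattern a password-guessing client leaves behind. The sample log lines, the threshold and the window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)')

# Constructed sample log (not from the post): a normal visitor plus one client hitting the admin login 6 times in a minute.
SAMPLE_LOG = "\n".join(
    ['203.0.113.7 - - [14/Jan/2010:18:00:01 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
     '203.0.113.7 - - [14/Jan/2010:18:03:00 -0500] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"']
    + ['198.51.100.9 - - [14/Jan/2010:18:00:%02d -0500] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "curl/7.19"' % s
       for s in range(5, 65, 10)]
)

def parse_line(line):
    """Return (ip, timestamp, method, path), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")

def max_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def suspicious_ips(log_text, threshold=5, window=timedelta(minutes=10)):
    """IPs that POST to the Joomla admin login `threshold`+ times within `window`, with the burst size."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method == "POST" and path.startswith("/administrator/index.php"):
            attempts[ip].append(ts)
    flagged = {}
    for ip, stamps in attempts.items():
        n = max_in_window(stamps, window)
        if n >= threshold:
            flagged[ip] = n  # candidate for review and an .htaccess deny rule
    return flagged
```

Run it against your real access log with `suspicious_ips(open("access.log").read())` and review each flagged address before adding it to a deny rule; a shared proxy or a forgetful colleague can trip the same threshold.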
BACKUPS!!!
One of the best ways to protect yourself from data loss is to make sure you have regular backups. Many hosting providers offer automatic weekly and daily backups. I would recommend BLUEHOST; they have a superb backup system, both weekly and monthly! You may check with your hosting company to see if they provide automatic backups. EVEN IF THEY DO, it is a good practice to have your own regular backups just in case.
Conclusion
I also advise anyone new to Joomla to read the Security Checklist VERY CAREFULLY. If your site gets hacked because you have overlooked any of these practices, you will find little sympathy from the community. The thing people need to wrap their heads around more than anything else is that security is an entire practice in itself. This is why people hire a professional: to get them past these learning curves so they can take their product to market. Sure, you can learn to do it yourself... but by the time you really do, your idea will probably be an afterthought. Until next time... stay righteous.