The Joomla! Community Magazine™

10 Minutes to Protect Against Disaster

Written by | Wednesday, 02 March 2016 21:00 | Published in 2016 March
February 9th was Safer Internet Day. Google offered Gmail users an extra 2 GB of space to perform a quick security audit on their account. The tasks were easy: a quick review of the account recovery information and the connected applications. Even though it took only a few minutes and many will never realize it, the audit will have a big impact for thousands of users who dodged a bullet with their name on it.  Small things can make a big difference. It's the magic of preventative care.
Rows of keys on a wall. Rows of keys on a wall. Photo by Kris Krüg. Original at http://is.gd/PsuUXj. Distributed under Creative Commons 2.0 https://creativecommons.org/licenses/by-sa/2.0/

A Quick List to Increase Your Joomla Site's Resilience

Though Safer Internet Day may have passed, I propose that you make a similar small investment in time to do the same security audit for your Joomla site. Below I've lined out 5 tasks that will take less than 10 minutes to complete, but that dramatically strengthen your defenses against the disaster of being hacked.

#1 Check for Updates

In particular, you'll want to check your Joomla core. If it is less than 3.4.6 for the Joomla 3 series, then you are in danger. In the fall of 2015, there were several serious vulnerabilities discovered in the core that were fixed with the last "high" level of severity being patched December 21 with 3.4.6 (thanks Joomla Security Strike Team!) The current version at the time of this writing is 3.4.8. If you're reading this at a later date, you'll want to check the Joomla Security Center to make sure that your core version is safe.

#2 Sign Up for Security Alerts

If you weren't aware of the security vulnerabilities discovered last fall, it's probably because you're not signed up to the Joomla security alert email list. You can sign up here and will be alerted when major security issues arise that affect the application.

Joomla Core Security Notifications

#3 Check Your Administrator Password Strength

Brute forcing and guessing administrator passwords is a common attack by hackers. An essential defense is a tough to crack password. Here is an online tool that will give you a good idea of how tough your password is:

How Secure is My Password

I would aim to have your password be in the years to guess range.

#4 Check Your Administrators

While you're logged in, check your administrators to make sure that only the people who have an ongoing need to access the site as an administrator or super administrator are enabled. If someone is not actively contributing to your site as an administrator they should be disabled or removed.

If you have multiple administrators, shoot them an email asking them to check their password strength for your site and let you know how long it would take to crack it.

#5 Schedule Maintenance

There are two tasks that you should be doing on a regular basis:

  1. Updating your site core and extensions.
  2. Checking your backups. Backups that are not inspected to ensure that you can recover them are not backups.

The best way to make sure that these get done is to pay someone else to do it. The next best way to make sure these get done is to schedule them into your calendar.

If you're going to do it yourself, you want to check for updates at least once a month and recover a backup to make sure that it works every quarter. I recommend that you schedule these tasks on a recurring basis to occur on a Monday morning or a Friday afternoon. These are the time periods where most people have "lulls" in the demands on their time. Everyone is just getting into work and thinking about the coming week or checked out and thinking about the weekend. In either case, there are a few hours where you will likely not be distracted.

Either task should take you around half an hour or less, are easy to fit within these windows, and critical for protecting against disaster.

Future You and Past You

I have a running joke with our team at Blue Bridge about my decisions. It's about "Future John" and "Past John." Typically, it comes up when I've made a mistake or delayed something until it becomes urgent. The joke is that "Past John" screwed over "Future John." We'll be discussing a problem and I'll groan and say something like, "Past John was an idiot." Occasionally though, I'll anticipate trouble and plan around it. When I realize that this has occurred, I smile and say, "Past John threw Future John a bone."

I know it's weird to joke about yourself in the temporal 3rd person, but it helps me to remember that sometimes we make decisions like we won't have to live with them later on. We hope instead of plan for success.  Plan for success. Throw future you a bone by taking a few minutes to prevent big problems down the road. Future you will thank you.

Read 2699 times
Tagged under Administrators, English
John Hooley

John Hooley

I'm the author of the popular online guides:

  • How to Fix a Hacked Joomla Website (http://www.bluebridgedev.com/joomla-hacked)
  • Speed Up Joomla (http://www.bluebridgedev.com/speed-up-joomla)
  • Joomla Best Practices Checklist (http://www.bluebridgedev.com/joomla-checklist)

I also write on business for the freelance web developer on my blog at Knight Errant (knighterrant.co)

I've contributed to the Joomla project as a bug squasher, JUG leader, JCM author, and extension developer.