Simple Security Guide, Part 1
One of the most depressing things in the internet world is when you discover your website has been hacked. The uncertainty and mistrust can terrify administrators and worse - your customers. For that purpose we created this guide. It aims to provide simple rules for protecting your Joomla! websites.
This guide is the first of a series of security guides, and it’s written with blood, sweat and tears. The series is translated from Hebrew to help advanced users and especially beginners in the Joomla! world protect their websites from the greatest web fear - your site being hacked. This series was created after analyzing hacked websites in Israel, and how the hackers did it.
The series starts with the easy steps and goes on to the hard rules in the next installments. The hard rules are sometimes difficult to implement, but they are worth the payoff (and pain).
Tip: Before deploying a website, it is recommended to go over these security guidelines to avoid releasing an unsecured website.
The base assumption is that every website can be hacked. Therefore, the most important thing is to take care to back up frequently. I recommend the backup extension Akeeba Backup, which backs up your website with one click. You must back up your website as often as your content is updated. This means if you add content on a daily basis you need to back up daily!
Latest version of Joomla
It doesn't matter if you’re an experienced website builder, or if you build Joomla websites as a hobby, the first thing you should do is take care to update Joomla to the latest version. Since version 1.6 there is an icon in the admin control panel that notifies you when a new release is available. Most of the releases are security releases and it’s critical to update ASAP. Since 1.6 the update and upgrade can be done with one click. So don’t hesitate to do that.
Joomla back-end panel
The admin user
One of the most obvious things for a hacker to try is to get into the admin panel of Joomla. Therefore, you should prevent this by following a few simple rules. First, don’t use the default super admin user name (admin, administrator or root). Choose another name!
Don’t use the default admin user
The default admin user is well known and has a default id (42 for 1.6+ and 62 for 1.5). Hackers usually try to hack the default user of Joomla. When you install Joomla, just create a new user, make it admin (with another name), and delete the old user.
Update & Disclaimer: since 2.5.5 the first user id randomizes on installation, so if you are using a fresh installation you should not need to bother with this issue. (BTW this feature was contributed by the author :)).
Block the admin panel
Every Joomla user knows how to reach the back-end easily. Hackers know this also, by surfing to yoursite.com/administrator. To keep unwanted users away from your back-end login page, there is an extension that prevents this access.
Disclaimer: The author of this article created a GPL non-commercial extension that does this trick - JLSecure My Site.
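Whether or not you hide the back-end, it is worth knowing who is knocking on /administrator. The following is an added example, not code from the article or from JLSecure My Site: it parses a few constructed Apache "combined" log lines (the addresses are documentation ranges, not real traffic) and flags source IPs that either are not on an allow-list you maintain or have sent repeated login POSTs to the back-end. The allow-list and the threshold of three POSTs are assumptions you would tune for your own site.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2012:13:55:36 +0000] "GET /administrator/ HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2012:13:55:40 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2012:13:56:01 +0000] "POST /administrator/index.php HTTP/1.1" 200 2400 "-" "python-requests/2.0"
198.51.100.7 - - [10/Oct/2012:13:56:02 +0000] "POST /administrator/index.php HTTP/1.1" 200 2400 "-" "python-requests/2.0"
198.51.100.7 - - [10/Oct/2012:13:56:03 +0000] "POST /administrator/index.php HTTP/1.1" 200 2400 "-" "python-requests/2.0"
192.0.2.44 - - [10/Oct/2012:13:57:15 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# One regex for the combined format: ip, timestamp, method, path, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def admin_login_activity(log_text, allowed_ips=(), post_threshold=3):
    """Count GET/POST requests to /administrator per source IP and flag suspicious ones.

    allowed_ips: addresses that are expected to use the back-end (assumed, site-specific).
    post_threshold: number of login POSTs from one IP that deserves a look (assumed).
    """
    gets, posts = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/administrator"):
            continue  # front-end traffic or an unparseable line: not our concern here
        (posts if rec["method"] == "POST" else gets)[rec["ip"]] += 1

    flagged = {}
    for ip in set(gets) | set(posts):
        reasons = []
        if allowed_ips and ip not in allowed_ips:
            reasons.append("not in allow-list")
        if posts[ip] >= post_threshold:
            reasons.append(f"{posts[ip]} login POSTs")
        if reasons:
            flagged[ip] = reasons
    return {"gets": dict(gets), "posts": dict(posts), "flagged": flagged}


if __name__ == "__main__":
    report = admin_login_activity(SAMPLE_LOG, allowed_ips=("203.0.113.10",))
    for ip, reasons in report["flagged"].items():
        print(f"{ip}: {', '.join(reasons)}")
```

Run it against your real access log by replacing SAMPLE_LOG with the file contents; the counts are per source IP, so a single address producing many POSTs to the login form stands out even when every request returns 200.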
Joomla extensions are its added value, and the greatest advantage of Joomla over any other CMS. The range of extensions is wide (more than 9000) and for any purpose there are at least 3 solutions.
But, and here comes a big but, you should watch your step. Some extensions are vulnerable. There is an organized list of vulnerable extensions, their exploits, and whether fixes exist for them. It’s recommended to check the list before installing an unfamiliar extension.
Joomla is a very advanced content management system. On a default installation, it comes with a lot of extensions. Some of them are useful (like content & users), but others are not used on most websites. For example, components like banners, contacts, newsfeeds, etc, are not a must for many websites. Even if there are no links in your site to those components, they are still reachable through the component's base link; for example, try this one: index.php?option=com_search.
You can disable unnecessary extensions that your site isn’t using. You can do it from the admin panel->extensions menu->manage extensions->manage. Just disable the components by toggling the Enable icon. It is recommended not to remove extensions, in case you might want to use them in the future (unless you need to free up space in your hosting).
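The two checks above (no default super-user name or id; no enabled core components you do not use) can be run as a query against the site's database instead of clicking through the admin panel. The following is an added example, not code from the article: it builds a constructed, in-memory stand-in for the Joomla tables involved and runs both audits over it. The schema is modelled on the 1.6+ tables #__users, #__user_usergroup_map (group 8 being Super Users) and #__extensions with only the audited columns kept, the table prefix jos_ and the sample rows are assumptions, and a real 1.6+ site uses a random prefix.

```python
import re
import sqlite3

# Defaults named in the article.
DEFAULT_ADMIN_NAMES = {"admin", "administrator", "root"}
DEFAULT_ADMIN_IDS = {42, 62}  # 1.6+ and 1.5 default super-user ids
# Core components the article lists as "not a must for many websites".
OPTIONAL_CORE_COMPONENTS = {"com_banners", "com_contact", "com_newsfeeds", "com_search"}
SUPER_USERS_GROUP = 8  # Joomla 1.6+ default group id for Super Users (assumption for other versions)


def build_sample_db():
    """Constructed stand-in for a Joomla database (assumption): only audited columns."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT, block INTEGER);
        CREATE TABLE jos_user_usergroup_map (user_id INTEGER, group_id INTEGER);
        CREATE TABLE jos_extensions (extension_id INTEGER PRIMARY KEY, type TEXT,
                                     element TEXT, enabled INTEGER);
        -- user 42 'admin' is the situation the article warns about
        INSERT INTO jos_users VALUES (42, 'admin', 0), (517, 'webmaster_dana', 0);
        INSERT INTO jos_user_usergroup_map VALUES (42, 8), (517, 8);
        INSERT INTO jos_extensions VALUES
            (1, 'component', 'com_content', 1),
            (2, 'component', 'com_banners', 1),
            (3, 'component', 'com_newsfeeds', 0),
            (4, 'component', 'com_search', 1),
            (5, 'plugin', 'search', 1);
    """)
    return conn


def _check_prefix(prefix):
    # The prefix is interpolated into SQL, so only allow a plain identifier.
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError(f"unsafe table prefix: {prefix!r}")
    return prefix


def audit_super_users(conn, prefix="jos_"):
    """Return (id, username, reason) for super users with a default name or id."""
    prefix = _check_prefix(prefix)
    rows = conn.execute(f"""
        SELECT u.id, u.username FROM {prefix}users u
        JOIN {prefix}user_usergroup_map m ON m.user_id = u.id
        WHERE m.group_id = ?""", (SUPER_USERS_GROUP,)).fetchall()
    findings = []
    for uid, name in rows:
        if name.lower() in DEFAULT_ADMIN_NAMES:
            findings.append((uid, name, "default super-user name"))
        if uid in DEFAULT_ADMIN_IDS:
            findings.append((uid, name, "default super-user id"))
    return findings


def audit_components(conn, prefix="jos_"):
    """Return the optional core components that are still enabled, sorted by name."""
    prefix = _check_prefix(prefix)
    rows = conn.execute(f"""
        SELECT element FROM {prefix}extensions
        WHERE type = 'component' AND enabled = 1""").fetchall()
    return sorted(element for (element,) in rows if element in OPTIONAL_CORE_COMPONENTS)


if __name__ == "__main__":
    db = build_sample_db()
    for uid, name, reason in audit_super_users(db):
        print(f"user {uid} ({name}): {reason}")
    for component in audit_components(db):
        print(f"{component} is enabled but may be unused; consider disabling it")
```

Against a real site you would open the actual database instead of the constructed one and pass the site's own table prefix; the audit functions only read, so they are safe to run on a live installation.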
That's all for the first part, which is targeted for beginners. The next part will be for medium-advanced users.
Hope to see you soon in the next magazine issue release!