A Quick List to Increase Your Joomla Site's Resilience
Though Safer Internet Day may have passed, I propose that you make a similar small investment in time to do the same security audit for your Joomla site. Below I've lined out 5 tasks that will take less than 10 minutes to complete, but that dramatically strengthen your defenses against the disaster of being hacked.
#1 Check for Updates
In particular, you'll want to check your Joomla core. If it is less than 3.4.6 for the Joomla 3 series, then you are in danger. In the fall of 2015, there were several serious vulnerabilities discovered in the core that were fixed with the last "high" level of severity being patched December 21 with 3.4.6 (thanks Joomla Security Strike Team!) The current version at the time of this writing is 3.4.8. If you're reading this at a later date, you'll want to check the Joomla Security Center to make sure that your core version is safe.
#2 Sign Up for Security Alerts
If you weren't aware of the security vulnerabilities discovered last fall, it's probably because you're not signed up to the Joomla security alert email list. You can sign up here and will be alerted when major security issues arise that affect the application.
#3 Check Your Administrator Password Strength
Brute forcing and guessing administrator passwords is a common attack by hackers. An essential defense is a tough to crack password. Here is an online tool that will give you a good idea of how tough your password is:
I would aim to have your password be in the years to guess range.
#4 Check Your Administrators
While you're logged in, check your administrators to make sure that only the people who have an ongoing need to access the site as an administrator or super administrator are enabled. If someone is not actively contributing to your site as an administrator they should be disabled or removed.
If you have multiple administrators, shoot them an email asking them to check their password strength for your site and let you know how long it would take to crack it.
#5 Schedule Maintenance
There are two tasks that you should be doing on a regular basis:
- Updating your site core and extensions.
- Checking your backups. Backups that are not inspected to ensure that you can recover them are not backups.
The best way to make sure that these get done is to pay someone else to do it. The next best way to make sure these get done is to schedule them into your calendar.
If you're going to do it yourself, you want to check for updates at least once a month and recover a backup to make sure that it works every quarter. I recommend that you schedule these tasks on a recurring basis to occur on a Monday morning or a Friday afternoon. These are the time periods where most people have "lulls" in the demands on their time. Everyone is just getting into work and thinking about the coming week or checked out and thinking about the weekend. In either case, there are a few hours where you will likely not be distracted.
Either task should take you around half an hour or less, are easy to fit within these windows, and critical for protecting against disaster.
Future You and Past You
I have a running joke with our team at Blue Bridge about my decisions. It's about "Future John" and "Past John." Typically, it comes up when I've made a mistake or delayed something until it becomes urgent. The joke is that "Past John" screwed over "Future John." We'll be discussing a problem and I'll groan and say something like, "Past John was an idiot." Occasionally though, I'll anticipate trouble and plan around it. When I realize that this has occurred, I smile and say, "Past John threw Future John a bone."
I know it's weird to joke about yourself in the temporal 3rd person, but it helps me to remember that sometimes we make decisions like we won't have to live with them later on. We hope instead of plan for success. Plan for success. Throw future you a bone by taking a few minutes to prevent big problems down the road. Future you will thank you.