Joomla! for Web Developers: How to Secure Your Joomla! Installation
WEBINAR: On-demand webcast
How to Boost Database Development Productivity on Linux, Docker, and Kubernetes with Microsoft SQL Server 2017 REGISTER >
Security is one of the most important issues facing both web users and web developers. It becomes even more important when you're using a CMS such as Joomala!. Whether you realize it or not, a hacker attack can cause major damage to your Joomla! CMS. I had firsthand experience of this a few years ago with another open souce CMS, Wordpress. A colleague informed me that one of my sites had been hacked (I had four at the time). Essentially, a hacker had inserted some malicious code on my sites.
I was unable to deal with the problems so I had to hire a technician to fix it. I was able to save one site. The others were so badly damaged that I had to shut them down. You don't want this to happen to you.
In this article you'll find out how to secure your Joomla! websites. Be aware that these solutions aren't perfect, but doing something is better than doing nothing at all.
One of the first things to do is to make sure you don't type your passwords manually. If you have a keylogger infection on your computer, that information will be revealed to a hacker. It's better to have a master list of passwords that you copy and paste when you need them and to encrypt the drive that uses that master list. [Editor's note: taking care of security on your local computer should be your first concern; anti-spyware and anti-virus software can virtually eliminate the risk of such infections.]
Another option is to use Roboform to store your passwords. If you use multiple computers, consider getting Roboformtogo, which you can load on a USB stick.
Next, it's a good idea to have your site hosted with a company that offers security. Here's a list of providers from the Joomla.org site.
If you're using shared hosting, here are some steps you can take:
First, make sure you have Secure FTP (SFTP) for logging into your site(s). The reason for using SFTP is that it uses SSH for file transfer and it also encrypts commands and data. You can only use SFTP with a server that supports it. One good SFTP program you can use is WinSCP. It's is a free program which you can download. Even with this service it's a good idea to change your passwords every 1-2 weeks and to use a strong password, as well.
Next, on the Joomla! website, have a look at Security Checklist 2 - Hosting and Server Setup.
Of the many options here, I'll cover some of the settings you should use if you're on shared hosting.
Joomla comes with an htaccess.txt file, but it needs to be renamed to .htaccess in order to use it. This is done on your local computer, or on the server side once you have moved it over. Also, there is a fair bit of iformation within this file to help protect your site. You can upload the htacccess file as it is,
or you can use the Suggested Master htaccess file settings. Before you use these, make a backup of your original htaccess file in case anything goes wrong. If you get 500 page errors, that may be the result of that additional code. In my case, I encountered a server error. Once I removed the code and reloaded the original .htaccess file that shipped with Joomla!, that fixed the problem.
Secure Your Database
The MySQL database can be vulnerable and needs to be secured. This is done with the php.ini file. This will only work for sites where you can administer your own servers. This doesn't applied to shared hosting. In this case you're dependent on the provider to set the security.
As a case in point, you'll want the register_globals setting to be OFF, as it is in this snapshot of the php.ini on my host.
Use PHP 5
When you install Joomla!, make sure you use PHP 5. Note that all current versions of Joomla! are PHP 5 compatible.
These can have vulnerabilities. It's wise to not use too many of these with your installation and if you do, make sure they come from trusted sites.
Back Up Your Databases Regularly
If you're on GoDaddy, this is the document you'll need to access.
If you use a different host, but you do use cPanel, backing up the database is a cinch. Once you've logged in, go to the Files section and click on the Backup Wizard icon.
Choose the MySQL databases.
Choose the database(s) that you wish to back up and download them.
The reasons for backing up your site are many, such as recovering from a hacking attack, crashed servers, migrating to a new server, errors during an upgrade, etc. A good practice is to run a backup every 1-2 weeks.
You now have some practical knowledge to secure your Joomla! site. If you have any questions about what's written here, leave a comment below or on the WebDeveloper.com forums.