Joomla is the most popular CMS software which is free to get and fully customizable. You can easily create a professional and full functinoal website using this platform. However, because of its powerful and complex structure, it's a big challenge to set perfect security protection. In order to minimize the chance to get hacked, we collected the following 8 tips to secure your joomla site. Please follow instructions and configure your website.
Keep core/extensions up to date
The basic but most important requirement for all website softwares. Every new release contains lots of bug fix from previous edition. So make sure to check regularly on your site and keep updated with most reliable release. How to upgrade joomla to new version? Just login to joomla administrator panel and new version notification will be shown under "quick links". Click "Update now" to proceed the upgrade.
To update extensions, just navigate to extension manager then click "update" link on left panel. It will show up all available extensions. Select all then click "update" button on left top to complete the update process.
Back up often
Backup is always your most reliable source in case something goes wrong. Joomla backup includes both website files and mysql database. For joomla files, just refer to hosting control panel file manager and zip your joomla website directory then download to local computer. As about mysql database, you need refer to phpmyadmin -> select your joomla database -> select all tables -> Click "export" to save the sql file on local computer.
Now you have successfully generated a full backup of your joomla site.
Set strong login credentials
Strong login id/password is always suggested. Not just about password, we can also edit its default user name "admin". To complete this, login to joomla admin panel then refer to user manager. Click the edit link and provide a new user name/password you prefered. This greatly reduces the chance to be hacked.
For further protection, we can also set password protection to "administrator" folder in control panel so users need to authenticate before get the login form. For some crucial sites, website admin even set IP restriction so just people from the specific IPs can access to it. It can be done by uploading a .htaccess to administrator folder and put following to this file:
Deny from ALL
Allow from 10.2.2.2
Just replace the 10.2.2.2 to the exact IP address you allow to access.
Set proper file permissions
Proper file permission will stop lots of potential hacking. Many people give 777 during setup and forget to change it back. It's a big security issue that we should avoid. From joomla official recommendation, following file permissions are suggested
- Joomla folders permission set to 755
- Joomla files permission set to 644
- configuration.php file permission set to 666
Joomla security extensions
There're lots of official and third party extensions to tight joomla security. Following names are highly suggested
- SH404SEF: Re-write urls to friendly ones and prevent url exploits by hacker.
- Akeeba Admin Tools: Automate the process of joomla update, maintain and optimization.
- jomDefender: Joomla security guard with lots of configurable parameters.
- jSecure: Similiar to above with whitelist/blacklist IP feature.
Lots of people today use control panel auto installer for joomla installation because it's simple and quick. However we highly recommend the manual option. Not just because the learning process but also about security. During installation we have lots of parameters to configure, especially the default database table prefix "jos_". It's used by every joomla installation by default. It's absolutely not good for secure site. Instead, we can change it easily during manual installation. By changing that, we can prevent most sql injection attempts.
Hide version details
It's good tactic to hide your website version so hackers can not determine the proper hacking attempts. We can now easily turn on/off the version details from joomla global configuration.
Log into Joomla administrator dashboard -> click Global Configuration -> click Site -> Click Yes / No beside "Show Joomla! Version" at the bottom -> click Save to reflect your changes
Use a secure hosting server
The most important part. Hosting server decides your joomla site security directly no matter how you configured from client end. Web server software, PHP variables and mysql servers etc are all critical to joomla security. A secure joomla hosting server must be setup to meet up with the script extreme requirements. Server hardwares/network must be powered from certified data center space. Based joomla expert experience and official recommendation, inmotion hosting is on top of the best joomla hosting provider list. Not just because their secure and blading fast server, their people are actually joomla enthusiasts that apear in various joomla events.