40 security tips to protect your Joomla site
In our previous articles, we discussed how to tell and confirm if your site has been hacked and how to clean your website. This article describes the actions you must take to secure a hacked or newly installed Joomla! Site.
Rule of thumb
In general have these guidelines in mind:
- Make it difficult for the attacker to hack your site
- If hacked, downscale the scope of affection, act fast
- Review frequently, do not let site unattended
- Avoid common user names for privileged user accounts
- Use strong passwords
- Change passwords frequently
- Disable user registration if not needed
- Inspect users list
- Give users the minimum privileges they need
- Create a second account for your non-administrative everyday tasks
- Delete unauthorized accounts
- Use captcha for registration process and comments
- Disable comments if not needed
- Secure admin area with .htaccess
- Use proper folder/file permissions
- Always log out
- Evaluate extensions – Avoid outdated
- Turn on Search Engine Friendly URLs
- Keep the session length low
- Disable embedded Joomla FTP
- Do not store FTP password
- Ensure debug mode is disabled
- Disable error reporting
- Choose a quality hosting provider
- Use difficult table prefix and database name
- Do not install another Joomla site in a subfolder
- Do not use the same MySQL user for more than one database
- Green Installation checklist
- Remove installation folder
- Do not leave Akeeba kickstart in the root folder
- Check regularly Sucuri Site Check
- Use security and management tools
- Use a secure operating system on your personal computer
- Use an updated and trustworthy antivirus
- Always backup files and database
- Keep history of backups
- Test backups
- Visit your site regularly
- Update Joomla to latest version -keep up to date
- Update extensions
- Use stage environment
Avoid common user names for privileged user accounts
Do not use common user names such as admin, administrator etc for the superuser or other privileged accounts. They can easily be guessed and therefore compromised.
Use strong passwords
- Create passwords of more than 8 letters combining upper/lower case, numbers and symbols using complex combinations. Avoid using words you can find in dictionaries. Hacking algorithms are very intelligent today to guess and compromise passwords
- Use a pattern to memorize your passwords and not have to write them down.
- Avoid storing passwords to browsers or at least secure them with browser’s built-in master password or other tools
- Use unique passwords for each account. Avoid using the same password for many accounts.
Change passwords frequently
Change your passwords frequently. It’s a good habit that lasts a few seconds. Don’t wait until you get hacked.
Disable user registration if not needed
If you don’t run a registration user site, there is no need to allow users to register. Disable New User Registration functionality:
Users > Manage and on the top right-hand corner select
allow user registration to
Inspect users list
Inspect regularly your users’ list for unauthorized user accounts. If you haven’t disabled Joomla’s default registration functionality and left the site unattended, you will end up with a batch of registered users and some of them will have uploaded malicious content.
Give users the minimum privileges they need
- Give your users the minimum privileges they need to accomplish their tasks, not more. There is no need e.g. to give author permissions to registered users whose task is simply access to restricted content.
- The above applies If you run extensions such as K2, that allow you to set user access rights to specific content e.g. categories. Limit the access of your users to the content they actually need to view or edit, nothing more.
- Be very careful especially with administrator and superuser privileges. Give privileges to persons you trust and they know how to keep safe their account. Disable the accounts if they are not used
Create a second account for your non-administrative everyday tasks
There is no need to log in to your site as a superuser if your daily tasks can be done with a less privileged account e.g just posting articles. Instead, create for yourself another account restricted to the privileges you need. If this account gets compromised, the loss is significantly less than having your superuser account compromised.
Delete unauthorized accounts
Delete all user accounts that have been created without knowledge/permission. Unauthorized/potentially fake or malicious accounts are created if you forget disabling registration or allowing registrations without captcha confirmation, so your site is exposed to bots.
Use captcha for registration process and comments
Captcha confirmation is a security technique used to confirm that action taken in a site, e.g. article comment, course enrollment, site registration etc, has been requested by a real person (human) and not by bots (automated scripts) used to find security holes and take advantage of them.
Disable comments if not needed
If you run extensions such as K2 or others which allow visitors to add comments, disable the comments functionality unless you actually needed. Alternatively, secure comments with the captcha option (see the previous paragraph).
Secure admin area with .htaccess
Adding .htaccess file to prevent unauthorized access to administrator folder benefits double: You are protected from brute force attacks (attempts to find out your password) and reduce server load because the attack has been pushed back at a very early stage and server resources usage has been kept to a minimum.
You can create manually the .htaccess file or use third-party extensions e.g. Akeeba Admin Tools.
Hands up: Do not try to add .htaccess file unless you have FTP access to webserver! If your web server is not configured properly (and probably is not) you will lock yourself outside of your site.
Quick tip: One possible reason for locking yourself out is that error redirection pages on webserver have not been configured. Login to web server control panel and set up these pages, then apply .htaccess policy.
Use proper folder/file permissions
Recommended default permissions for Unix/Linux based servers are:
- 755 for directories
- 644 for files
These settings determine who has read, write and execute rights on your folder/files on the webserver. You can apply the default permissions very easily using Akeeba Admin Tools or manually using your control panel file manager or an ftp client such as Filezilla.
Don’t use extensions that require 777 permissions!
Always log out
Always use the logout link to close your session, especially when you use a public client or network (actually you should avoid connecting to your back end using public pc/networks; usernames and passwords can be hacked). If you just close the browser window, there is no guarantee that your session has been closed. It depends on the browser’s configuration. Consider logout.
Evaluate extensions – Avoid outdated
Joomla and other cms – WordPress, Drupal, can extend their functionality by extensions. You can browse extensions at JED (Joomla Extension Directory) where you can find valuable information for them.
Review extension before using it; read other users’ comments, check it’s score and especially avoid extensions that have not been updated for a long time.The last one is a sign that developer may dropped further development so security holes and bugs cannot be fixed. Third-party vulnerable extensions are a common security hole.
Hide as much information as possible from public view. Minimize the information exposed so as not to be stolen or used. Consider applying the following on your configuration file.
- Log in to backend
- Go to System -> Global Configuration
- Select appropriate tab
Turn on Search Engine Friendly URLs
Search Engine Friendly URLs (SEF) is a Joomla! build in feature used for SEO (Search Engine Optimisation), but it can enhance security as well. Urls can reveal critical information about you site structure and can be used by attackers to add malicious content, so it is better to enable SEF and hide the real links.
Read more on Joomla documents
Keep the session length low
The more time the session is open the more time-sensitive information is exposed if the cookie is stolen. The default is 15 min. Keep it as it is on live sites.
Disable embedded Joomla FTP
Ftp functionality is needed is some servers environment. Unless you need it, keep it disabled.
Do not store FTP password
In case you need FTP functionality, is a good practice not to store the password. In general, do not store passwords so as not to be stolen.
Ensure debug mode is disabled
Debug mode is used by developers or administrators to accomplish specific tasks (testing, debugging etc). If enabled, sensitive information is revealed in all front and back end pages in public view. It is not advisable to use it in a live site. If you need to enable debug, it is better to create a stage (testing) environment and enable debug mode.
Disable error reporting
There is no need to reveal in public view sensitive information.
On System -> Global Configuration, select error reporting to none.
Choose a quality hosting provider
Choose a web hosting provider that follows quality security guidelines. Price shouldn’t be your first concern but security and flexibility. Choose among providers who keep OS and software up to date, offer the option to upgrade PHP to the latest stable and secure version, offer professional support and joomla enhancement etc. Do not compromise with security. It will cost you much more later.
Use difficult table prefix and database name
Consider using a complex table prefix and database name, something difficult that can not be easily guessed by intruders.
Do not install another Joomla site in a subfolder
Avoid installing other instances of joomla in the subfolders or your root folder. If you host more than one site in your public_html folder consider using subdomains, or create same level root folders for each site and isolate them but you actually need a hosting plan that gives you such capabilities. Share hosting accounts are handy to start with but consider upgrading to plans with better security options.
Do not use the same MySQL user for more than one database
If you host multiple databases in your server, isolate them by creating different database usernames for each one of them. Do not use the same database user, otherwise if user account is compromised then attacker will have access to related databases.
Green Installation checklist
Before installation, Joomla! checks server security compatibility and suggests PHP recommended setting. Ensure all settings are enabled (green).
Remove installation folder
Never use Joomla’s installation folder, especially in a live site. You do not want others to use it!
Do not leave Akeeba kickstart in the root folder
If you have used Akeeba backup kickstart utility for any reason, remove it after the job is done. You don’t want to be used by someone else, too.
Check regularly Sucuri Site Check
Sucuri Site Check Is a free free website malware and security scanner. It checks the website for known malware, blacklisting status, website errors, and out-of-date software. Use it frequently to have a clear report about your site’s health.
Use security and management tools
Use secure operating system on your personal computer
Linux and macOS are considered (almost) virus-free. Using such OS platforms you minimize the potential to upload malware affected files to your live site.
Use updated and trustworthy antivirus
Even if you are a linux or mac user, use antivirus to scan the files before uploading to server or to download and scan your sites occasionally. Malware may be hidden in downloaded files or files copied from other computers, usb sticks, etc. There is even viruses designed to spread from your pc to your site through site text editors! Always keep up to date your virus definitions.
Backup always – both files and database
Always BACKUP UP your site
Every day, before updating, before making significant changes, after making changes. Keep copies on your server, on another server -if possible, and download and store them locally. It is handy but not safe to keep backups only on your server. They may be hacked, or even deleted by a mistake from you or your provider. If you backup manually, remember you have to back up both files and database. Actually, database holds the content data and changes more frequently than files.
Keep a history of backups
Don’t keep only last days backups. They may be hacked, malfunctioned, whatever. You should have choices to revert your site to a timestamp days before the infection took place. You could keep the last 30 daily backups or even better keep the last 7 daily backups, the last 4 weekly backups and the last 12 monthly backups. This way you can have yesterday’s and 1-year-old backups, using few files occupying minimal storage.
Do not trust the backups you have taken. Restore them on a stage environment to check their integrity. There is nothing worse than realising at the moment you need it that the backup is corrupted…
Once per month you should check your backups.
Visit your site regularly
Visit regularly your site -both front and back end. Inspect media folder for suspicious uploaded files (eg .php). Check for unauthorized users. Ensure everything works as it should
Update joomla to latest version -keep up to date
Always update Joomla! core files to latest version. Apply security updates as soon as possible. Latest security updates contain bug fixes and repair security holes. Never neglect to update because the time in between is enough for attacker to take control of your site.
Always backup before updating!
Always update extensions to the latest versions, for the reasons mentioned in the previous paragraph. Also, avoid using extensions that do not release security updates frequently – unless they are error-free coded (!), or they do not keep up with Joomla version updates.
Use stage environment
Before making any changes, use a stage (test) environment, where you should have an exact copy of your site. If changes work as expected, then apply changes to live site. Never using your live site to test extensions or make changes. The danger of breaking your site is possible.
In case you have hacked and blacklisted by google or other service, but now your site is fixed, request a review from google and the other services. It may take up to 1-2 days to get whitelisted.
Do not request for a review if you are not 100% clean. If malicious code is found again, you may have to wait 1 month for another review request.
Spread security, not malware. If you found this article useful, please share it on social media.
If you have any questions, arguments, corrections to suggest please leave your comment below.