Viktor Vogel took part this week in Joomla DE Hangout #5 – Security (German only). Afterwards we spoke briefly about how Viktor secures his Joomla! websites. This resulted in a list of recommendations and a tiny bit of Viktor Vogel self-promotion. If you approach Joomla! security differently, we would love to hear your thoughts in the comments.
Most important: updates & backups!
Apply all updates promptly and back up your data regularly. These are two fundamental points that each CMS user has to follow!
You can create backups directly in Joomla! using Akeeba Backup or EJB (Easy Joomla! Backup, developed by Viktor Vogel). EJB offers a cronjob plugin and a CLI script, which make it very easy to create automated backups through cronjobs.
Easy Joomla! Backup features:
- Create backups quickly and easily in Joomla!
- Creates backups of all files and the database
- 3 different backup types: Full, Database and File Backup
- All files and a database dump are packed into one ZIP archive
- Extended ACL settings: Configure, Access Administration Interface, Delete, Download, Full Backup, Database Backup, File Backup, Discover
- Easy recovery – files via FTP, database dump via a database tool, e.g. phpMyAdmin
- Exclude files from the backup archive
- Exclude folders from the backup archive
- Add a ‘DROP TABLE’ statement to the dump file
- Add additional tables from the database
- System Plugin: EJB Cronjob
Akeeba Backup features:
- It configures itself for optimal operation with your site. Just click on Configuration Wizard.
- AJAX powered backup (site and database, database only, files only or incremental files only backup)
- The fastest native PHP backup engine.
- Choose between standard ZIP or highly efficient JPA archive format
- Able to exclude specific files and folders
- Able to exclude specific database tables or their contents
- Unattended backup mode (CRON job scheduling), fully compatible with Webcron.org
- AJAX powered site restoration
- “Kickstart” restore: restore without unpacking backup
- Move your site between hosts without downloading/uploading anything (using the DirectFTP backup engine)
Choose secure, long passwords. General recommendations:
- Use each password for one installation only
- Use a password manager (e.g. Keepass)
- Change your password regularly
User name and password complexity
Do not use default names such as admin or test. Adjust the password requirements in the Joomla! user settings to make sure that all users use complex passwords.
Joomla! User Manager: Password Settings
Disable user registration
Disable registration on the Joomla! frontend if it is not needed.
Activate and adjust .htaccess
The .htaccess file contains basic security rules for the Apache web server. To activate this basic protection, rename the supplied htaccess.txt to .htaccess. Also activate directory protection for the admin directory of your Joomla! website. Many providers offer a suitable option in their customer area:
Set up a protected directory in the 1&1 Control Panel (1&1 Help Center)
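If your host offers no such option, the same directory protection can be set up by hand. As an added example (not from the post), a minimal administrator/.htaccess that protects the Joomla! admin directory with HTTP Basic authentication on Apache 2.4; the password-file path is a placeholder, and the vhost must permit it with AllowOverride AuthConfig:

```apache
# Added example, not part of the original post: administrator/.htaccess
# Assumptions: the password file lives OUTSIDE the web root at the placeholder
# path /home/example/.htpasswd, created with
#   htpasswd -c /home/example/.htpasswd backendadmin
# and the vhost for this site contains "AllowOverride AuthConfig".
AuthType Basic
AuthName "Joomla! administrator"
AuthUserFile /home/example/.htpasswd
Require valid-user
```

Keeping the .htpasswd file outside the document root means a misconfiguration of the web server cannot serve the password hashes.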
Access your web server via encrypted connections
- Use an encrypted connection via SFTP
- Use SSH with key pairs and disable the password login
- If you can configure your server freely, block ports that are no longer needed. This includes the FTP port.
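Disabling password login is only effective if the directive that sshd actually applies says so: sshd uses the first occurrence of a keyword, so a "PasswordAuthentication no" appended below an earlier "yes" changes nothing, and keyboard-interactive logins can still prompt for a password through PAM. The following check, an added example that is not part of the original post, mirrors that first-match rule on two constructed configs; it assumes the plain "Keyword value" form and no Match blocks.

```shell
#!/bin/sh
# Added example, not from the original post: verify that an sshd_config really
# disables password logins. sshd applies the FIRST occurrence of a directive,
# so this check reads only the first active line. Assumptions: "Keyword value"
# syntax (no "Keyword=value"), and no Match blocks.

# first_directive NAME < sshd_config: print the value of the first active NAME line.
first_directive() {
    awk -v name="$1" 'tolower($1) == tolower(name) { print tolower($2); exit }'
}

# sshd_password_login_disabled < sshd_config: return 0 only if password login
# AND keyboard-interactive login (the PAM password prompt) are both off.
# sshd defaults: PasswordAuthentication yes, KbdInteractiveAuthentication yes,
# so a missing directive counts as "still enabled".
sshd_password_login_disabled() {
    cfg=$(cat)
    pw=$(printf '%s\n' "$cfg" | first_directive PasswordAuthentication)
    kbd=$(printf '%s\n' "$cfg" | first_directive KbdInteractiveAuthentication)
    # ChallengeResponseAuthentication is the older name for the same setting.
    [ -z "$kbd" ] && kbd=$(printf '%s\n' "$cfg" | first_directive ChallengeResponseAuthentication)
    [ "$pw" = "no" ] && [ "$kbd" = "no" ]
}

# Constructed sample: the hardened line was appended after an earlier "yes",
# so sshd keeps accepting passwords.
SSHD_CONFIG_WEAK='PubkeyAuthentication yes
PasswordAuthentication yes
# added later, ignored by sshd because the directive above wins:
PasswordAuthentication no
KbdInteractiveAuthentication no'

# Constructed sample: key-only login.
SSHD_CONFIG_HARDENED='PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password'

printf '%s\n' "$SSHD_CONFIG_WEAK" | sshd_password_login_disabled || echo "weak: passwords still accepted"
printf '%s\n' "$SSHD_CONFIG_HARDENED" | sshd_password_login_disabled && echo "hardened: key-only login"
```

On a real server run `sshd_password_login_disabled < /etc/ssh/sshd_config` and keep a second session open while testing, so a typo cannot lock you out.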
Avoid 3rd party extensions as much as possible
In the past, almost all major hacks have come through extensions. Keep your installation lean and use only the extensions you really need. Uninstall extensions that are no longer needed.
Activate HTTPS / SSL encryption
Switch your website to HTTPS with an SSL certificate. This increases security because all transmitted data is encrypted. A nice side effect: HTTPS has a positive effect on your Google ranking.
Secure forms with CAPTCHAs
- Secure your forms with CAPTCHAs. reCAPTCHA is part of the Joomla! standard installation and is fully sufficient for this purpose.
- Disable forms that are no longer needed
- Offer uploads only where necessary and set customized access rights for them.
- If you are looking for comprehensive, flexible protection for Joomla! core forms and extensions, ECC+ – EasyCalcCheck Plus is a good alternative. However, it is not recommended for users with a math handicap 😉
Adjust writing permissions
Set the correct permissions for files and directories:
- Directories: 755
- Files: 644
- Some files only need to be readable, e.g. index.php, configuration.php, .htaccess etc. -> read-only: 444
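The scheme above is easy to apply once and just as easy to lose again after an FTP upload or an extension install, so it is worth having both an apply step and an audit. The script below is an added example, not from the original post; it assumes a POSIX shell with find and chmod, that the three read-only files sit directly in the site root, and that the web server user does not own the files (an owner can always chmod them back).

```shell
#!/bin/sh
# Added example, not part of the original post: enforce and audit the
# permission scheme from the list above (directories 755, files 644, the
# named core files 444) on a Joomla! root. Assumes POSIX sh, find and chmod.

# Files the post names as read-only; assumed to sit directly in ROOT.
JOOMLA_READONLY_FILES="index.php configuration.php .htaccess"

# harden_joomla_perms ROOT: apply the scheme to everything below ROOT.
harden_joomla_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for f in $JOOMLA_READONLY_FILES; do
        if [ -f "$root/$f" ]; then chmod 444 "$root/$f"; fi
    done
}

# audit_joomla_perms ROOT: list every deviation on stderr, return 1 if any.
# A 444 file anywhere is accepted, since it is stricter than 644.
audit_joomla_perms() {
    root="$1"
    deviations=$(
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -perm 644 ! -perm 444
        for f in $JOOMLA_READONLY_FILES; do
            if [ -f "$root/$f" ]; then find "$root/$f" ! -perm 444; fi
        done
    )
    if [ -z "$deviations" ]; then return 0; fi
    printf 'permission deviations in %s:\n%s\n' "$root" "$deviations" >&2
    return 1
}

# Usage, run as the file owner (placeholder path):
#   harden_joomla_perms /var/www/example-site && audit_joomla_perms /var/www/example-site
```

Running only the audit from a cronjob turns the list into a cheap change detector: a file that suddenly became world-writable shows up before it is exploited.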
Do not rely (solely) on security extensions
Security extensions such as Admin Tools provide reliable features and solid protection.
Admin Tools Dashboard
However, since these extensions run at the same level as the system they are meant to protect, they can never provide the same protection as a system operating at a higher abstraction level, for example the server's firewall or the mod_security module in Apache.
Choose a reliable host
Choose a host that offers server-side filtering of malicious requests (mod_security rules), responds rapidly to zero-day vulnerabilities and runs an optimized, up-to-date software platform.