
Websites are hacked for a variety of reasons, and for many website owners the thought of it happening to them is quite daunting. But with these basic preventative measures, some of the risk can be minimised.

Here at WebSolutionZ we specialise in the Joomla Content Management System (CMS), so we've prepared this Joomla Security Top 10 Tips to help you get started. You don’t need to be a security professional to make your website safer!

1. Server

If you do everything else right but the website hosting is sub-standard, your site is still likely to be compromised. So the first and most important thing to do is:

  • Choose a good, reputable web host!
    • In Australia - Whirlpool has a long-running review thread covering Australian web hosting providers
    • Research well, and don't automatically go with the cheapest hosting you can find. In the world of web hosting, you quite often get exactly what you pay for.
  • If self-hosting, ensure all web software is up to date. This includes PHP, MySQL, Apache, phpMyAdmin, SSH server, etc.
  • Ensure the website is running the latest PHP version (currently PHP7.x). PHP7 is more secure than previous PHP versions, and has the added bonus of being faster too.


2. Joomla Core

We can't stress this enough - keep your site updated! Joomla is really good at providing security patches in a timely manner but they're not much good if they aren't applied. According to the latest Hacked Website Report from Sucuri, 69.8% of Joomla websites are out of date. That's a lot! (Although apparently this figure includes websites which actively hide things like version number, so it's likely lower than this. But still!)

  • Disable unused core extensions and templates
  • Joomla! Core security fixes are released regularly. There are a variety of ways to be notified when this occurs:


3. Joomla Extensions

As well as keeping the Joomla core updated, it's also important to manage 3rd party extensions properly.

  • Remove unused extensions and templates. There's no point having them installed if they're not used - all it means is you have more stuff to keep updated.
  • Avoid extensions from unknown developers.
  • Only ever download extensions/updates from the developer. It's not worth using a "free" version of a commercial extension because it is almost 100% certain to be modified before it gets to you. There's a saying - "Download something for free, get something else for free".


4. File & Directory Permissions

All files and directories should have the correct CHMOD/security permissions.

  • This can often be done via a hosting account's File Manager, or by FTP (depending on the host configuration)
  • On Apache servers, Joomla's preferred permissions are:
    • Folders 755
    • Files 644
    • configuration.php 444
    • NOTHING EVER 777
  • For IIS, check out JDocs
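As an added example (not part of the original post), the following POSIX shell script audits a Joomla web root against the Apache permissions listed above (folders 755, files 644, configuration.php 444, nothing world-writable) and can reset them. The web-root path is an assumption; run it as the user who owns the files, and confirm with your host that PHP writes as that same user before applying the fix, otherwise 644/755 can stop Joomla writing to its own folders.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a Joomla web root
# against the post's recommended permissions and optionally resets them.
# The web-root path passed as the first argument is an assumption.

count_matches() {   # helper: number of paths a find command prints
    "$@" | wc -l | tr -d ' '
}

audit_joomla_perms() {
    root="$1"
    # Anything world-writable is the "NOTHING EVER 777" case the post warns about.
    ww=$(count_matches find "$root" -perm -o+w)
    dirs=$(count_matches find "$root" -type d ! -perm 755)
    files=$(count_matches find "$root" -type f ! -name configuration.php ! -perm 644)
    cfg=$(count_matches find "$root" -maxdepth 1 -type f -name configuration.php ! -perm 444)
    echo "world-writable=$ww dirs_not_755=$dirs files_not_644=$files config_not_444=$cfg"
    # List world-writable paths so they can be reviewed before anything is changed.
    find "$root" -perm -o+w | sed 's/^/  world-writable: /'
    # Exit status 0 only when nothing deviates from the recommended layout.
    [ "$((ww + dirs + files + cfg))" -eq 0 ]
}

fix_joomla_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # configuration.php is read on every request but should not be writable by
    # the web user; relax it temporarily when saving Global Configuration.
    if [ -f "$root/configuration.php" ]; then
        chmod 444 "$root/configuration.php"
    fi
    return 0
}

# Usage: sh joomla-perms.sh /path/to/joomla   (audit only; call fix_joomla_perms yourself)
if [ -n "${1:-}" ]; then
    audit_joomla_perms "$1"
fi
```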


5. Account Permissions

Joomla has core Access Control List (ACL) functionality which is very powerful.

  • Ensure all user accounts only have access to what they need.
    • J!Docs has a good Tutorial
    • If you need to set up complex ACL, you may like to consider purchasing ACL Manager, which uses core tables but presents the permissions in a single screen format.
  • Remove any old, unused or temporary accounts


6. Admin User & Password

Secure passwords are really important, especially on a website super-user account. Refer to our previous blog post for more information.


7. Protect the Admin URL

Many automated hacking scripts target the Joomla default administrator URL, so protecting this can help avoid some problems.

  • Hide the backend /administrator URL with a secret key
  • Visitors to the backend who do not know the secret key are automatically redirected to the frontend
  • There are a number of ways to achieve this:
    • Configure a redirect in the site's .htaccess file
    • AdminExile is a free plugin which allows you to secure the /administrator area
    • This functionality is also available as part of Akeeba's AdminTools


8. Enable HTTPS

There are a number of good reasons to add HTTPS to your site, including:

The quickest way to add HTTPS to your site is to install an SSL certificate. Since 2016 LetsEncrypt have been providing free SSL certificates for any website user. Many decent hosting providers offer quick installation of a LetsEncrypt certificate from within the hosting control panel.

  • Once a certificate is installed in the hosting account, it is fairly simple to enable in the Joomla Global Configuration (Server / Force HTTPS - Entire Site)
  • You should also enable SSL redirection, so anybody coming to http: will be automatically redirected to https:. Some options to do this include:


9. Web Application Firewall (WAF)

A WAF monitors and blocks HTTP traffic to and from a web application. WebSolutionZ run a WAF on every managed website, and the number of notifications we receive on a daily basis is astounding! We definitely recommend this.

Some options:


10. Backup Backup Backup!

Regular backups should be an essential part of your disaster recovery planning.

  • Ensure backups are regularly tested – an untested backup is a bad backup
  • Keep backup files offsite – if your site is hacked, the hackers are likely to try to target onsite backup files as well.
  • Automate as much as possible, to ensure backups are run even if you forget
  • Some options:
    • Akeeba Backup (if you only install one 3rd party extension, it should be this one!)
    • Akeeba Backup Pro – includes offsite processing
    • Hosting account backups

All WebSolutionZ managed websites are automatically backed up and stored offsite at Amazon S3, including regular testing.


Bonus Tips (because 10 is never enough)

  • Lock down .htaccess
  • Think about encryption - FTP and email are not encrypted, so sharing passwords via either method means those passwords could be intercepted
  • Enable Cloudflare or another CDN, to protect the website against DDoS attacks. Cloudflare is often included in good website hosting accounts
  • Monitor website changes:
  • Utilise CSP (Content Security Policy). We haven't tried it yet, but this new plugin by the author of AdminExile apparently handles this.


Remember!

  • Even with the best of intentions, sometimes websites will still get hacked.
  • Keep calm!
  • If you have solid, tested offsite backups, life is easier.
  • Should the worst happen, this may be useful: Unhacking Your Site
  • If you can’t do this yourself, consider engaging a professional who can look after website security for you.


Further Reading & Information

If you require assistance, please contact us. WebSolutionZ offer a fully managed website hosting and maintenance package - let us do it all for you.

About The Author
Author: Nicky Veitch
Website: www.WebSolutionZ.com.au
B.A. (Internet Communications) | Joomla! 3.x Certified Administrator
