Websites are hacked for a variety of reasons, and for many website owners the thought of it happening to them is quite daunting. But with these basic preventative measures, some of the risk can be minimised.
Here at WebSolutionZ we specialise in the Joomla Content Management System (CMS), so we've prepared this Joomla Security Top 10 Tips to help you get started. You don’t need to be a security professional to make your website safer!
If you do everything else right but the website hosting is sub-standard, your site is still likely to be compromised. So the first and most important thing to do is:
- Choose a good, reputable web host!
- In Australia - Whirlpool has a long-running review thread covering Australian web hosting providers
- Research well, and don't automatically go with the cheapest hosting you can find. In the world of web hosting, you quite often get exactly what you pay for.
- If self-hosting, ensure all web software is up to date. This includes PHP, MySQL, Apache, phpMyAdmin, SSH server, etc.
- Ensure the website is running the latest PHP version (currently PHP7.x). PHP7 is more secure than previous PHP versions, and has the added bonus of being faster too.
We can't stress this enough - keep your site updated! Joomla is really good at providing security patches in a timely manner but they're not much good if they aren't applied. According to the latest Hacked Website Report from Sucuri, 69.8% of Joomla websites are out of date. That's a lot! (Although apparently this figure includes websites which actively hide things like version number, so it's likely lower than this. But still!)
- Disable unused core extensions and templates
- Joomla! Core security fixes are released regularly. There are a variety of ways to be notified when this occurs:
As well as keeping the Joomla core updated, it's also important to manage 3rd party extensions properly.
- Remove unused extensions and templates. There's no point having them installed if they're not used - all it means is you have more stuff to keep updated.
- Avoid extensions from unknown developers.
- Only ever download extensions/updates from the developer. It's not worth using a "free" version of a commercial extension because it is almost 100% certain to be modified before it gets to you. There's a saying - "Download something for free, get something else for free".
All files and directories should have the correct CHMOD/security permissions.
- This can often be done via a hosting account's File Manager, or by FTP (depending on the host configuration)
- On Apache servers, Joomla's preferred permissions are:
- Folders 755
- Files 644
- configuration.php 444
- NOTHING EVER 777
- For IIS, check out JDocs
Joomla has core Access Control List (ACL) functionality which is very powerful.
- Ensure all user accounts only have access to what they need.
- Remove any old, unused or temporary accounts
Secure passwords are really important, especially on a website super-user account. Refer to our previous blog post for more information.
- Change the default administrator account to something else
- Use a STRONG password
- Consider using a password manager (we've provided some suggestions)
- Consider enabling Two Factor Authentication (2FA)
Many automated hacking scripts target the Joomla default administrator URL, so protecting this can help avoid some problems.
- Hide the backend /administrator URL with a secret key
- Visitors to the backend who do not know the secret key, are automatically redirected to the frontend
- There are a number of ways to achieve this:
There are a number of good reasons to add HTTPS to your site, including:
- Protects the integrity of your website
- Protects the privacy and security of your users. Click here for more information via Google Developers
- HTTPS adds an encryption layer of TLS (Transport Layer Security) or SSL (Secure Sockets Layer) to your HTTP, making all traffic between a user and your website secure.
- It is necessary for ecommerce transactions anyway
- Google now uses HTTPS as an SEO ranking factor
- From October 2017, Google marks sites without HTTPS as “not safe” in all latest version browsers
The quickest way to add HTTPS to your site is to install an SSL certificate. Since 2016 LetsEncrypt have been providing free SSL certificates for any website user. Many decent hosting providers offer quick installation of a LetsEncrypt certificate from within the hosting control panel.
- Once a certificate is installed in the hosting account, it is fairly simple to enable in the Joomla Global Configuration (Server / Force HTTPS - Entire Site)
- You should also enable SSL redirection, so anybody coming to http: will be automatically redirected to https:. Some options to do this include:
A WAF monitors and blocks HTTP traffic to and from a web application. WebSolutionZ run a WAF on every managed website, and the number of notifications we receive on a daily basis is astounding! We definitely recommend this.
Regular backups should be an essential part of your disaster recovery planning.
- Ensure backups are regularly tested – an untested backup is a bad backup
- Keep backup files offsite – if your site is hacked, the hackers are likely to try to target onsite backup files as well.
- Automate as much as possible, to ensure backups are run even if you forget
- Some options:
- Lock down .htaccess
- Think about encryption - FTP and email are not encrypted, so sharing passwords via either method means those passwords could be intercepted
- Enable Cloudflare or another CDN, to protect the website against DDOS attacks. Cloudflare is often included in good website hosting accounts
- Monitor website changes:
- Admin Tools PHP File Change Scanner
- myJoomla.com / Watchful.li / PerfectDashboard
- Utilise CSP (Content Security Policy). We haven't tried it yet, but this new plugin by the author of AdminExile apparently handles this.
- Even with the best of intentions, sometimes websites will still get hacked.
- Keep calm!
- If you have solid, tested offsite backups, life is easier.
- Should the worst happen, this may be useful: Unhacking Your Site
- If you can’t do this yourself, consider engaging a professional who can look after website security for you.
- Nicholas Dionysopoulos Keeping your site safe at JoomlaDay UK 2016
- Viktor Vogel A Fast And Secure Joomla! website at Joomla World Conference 2017
- Dre Armeda The Gentle Art of Website Security Keynote at Joomla World Conference 2016
- Troy Hunt The 6-Step "Happy Path" to HTTPS
- Sucuri Hacked Website Report 2017
- Video of presentation to Melbourne Joomla User Group 18 April 2018
If you require assistance, please contact us. WebSolutionZ offer a fully managed website hosting and maintenance package - let us do it all for you.