Websites are hacked for a variety of reasons, and the thought of it happening can be quite daunting. But with these basic preventative measures, some of the risk can be minimised.
Recently we presented Joomla Security Top 10 Tips to the Joomla Australia User Group. Most of these tips apply to WordPress as well. You don’t need to be a security professional to make your website safer!
1. Server
If you do everything else right but the website hosting is sub-standard, your site is still likely to be compromised. So the first and most important thing to do is:
- Choose a good, reputable web host!
  - In Australia, Whirlpool has a long-running review thread covering Australian web hosting providers
- Research well, and don't automatically go with the cheapest hosting you can find. In the world of web hosting, you quite often get exactly what you pay for.
- If self-hosting, ensure all web software is up to date. This includes PHP, MySQL, Apache, phpMyAdmin, SSH server, etc.
- Ensure the website is running the latest PHP version (currently PHP7.x). PHP7 is more secure than previous PHP versions, and has the added bonus of being faster too.
2. CMS Core
We can't stress this enough - keep your site updated! Joomla and WordPress are really good at providing security patches in a timely manner, but they're not much good if they aren't applied.
- Disable unused core extensions and templates
- CMS Core security fixes are released regularly. Find the best ways to be notified when this occurs:
  - Enable notification plugins within the CMS
  - Follow WordPress or Joomla social media accounts
3. CMS Third Party Software
As well as keeping the Core updated, it's also important to manage the 3rd party software installed in the CMS.
- Remove unused software. There's no point having it installed if it's unused - all it means is you have more stuff to keep updated.
- Avoid software from unknown developers.
- Only download software/updates from the developer. It's not worth using a "free" version of commercial software because it is almost certain to be modified before it gets to you. There's a saying - "Download something for free, get something else for free".
4. File & Directory Permissions
All files and directories should have the correct CHMOD/security permissions.
- This can often be done via a hosting account's File Manager, or by FTP (depending on the host configuration)
- On Apache servers, Joomla's preferred permissions are:
  - Folders 755
  - Files 644
  - configuration.php 444
  - NOTHING EVER 777
5. Account Permissions
Joomla has core Access Control List (ACL) functionality which is very powerful.
- Ensure all user accounts only have access to what they need.
- Remove any old, unused or temporary accounts
6. Admin User & Password
Secure passwords are really important, especially on a website super-user account. Refer to our previous blog post for more information.
- Change the default administrator account to something else
- Use a STRONG password
- Consider using a password manager (we've provided some suggestions)
- Consider enabling Two Factor Authentication (2FA) or Multi Factor Authentication (MFA)
7. Protect the Admin URL
Many automated hacking scripts target the default administrator URL, so protecting this can help avoid some problems.
- Hide the admin URL with a secret key
- Visitors to the backend who do not know the secret key are automatically redirected to the frontend
- There are a number of ways to achieve this:
  - Configure a redirect in the site's .htaccess file
  - Install a plugin/extension which allows you to secure the backend admin URL
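The .htaccess approach as a worked fragment, added here for illustration; it is not from the original post or from any Joomla extension. It assumes Apache 2.4 with mod_rewrite enabled, .htaccess overrides allowed, Joomla installed in the web root, and the site already on HTTPS; CHANGE-ME-SECRET and .example.com are placeholders to replace. Place the rules before Joomla's own rewrite rules.

```apache
RewriteEngine On

# Step 1: a request for /administrator/ carrying the secret key in the query
# string (https://www.example.com/administrator/?CHANGE-ME-SECRET) receives a
# cookie and is let through to the backend. The cookie is HttpOnly and Secure;
# drop ":secure" only if the site is not yet served over HTTPS.
RewriteCond %{QUERY_STRING} ^CHANGE-ME-SECRET$
RewriteRule ^administrator/?$ - [CO=adminkey:1:.example.com:1440:/:secure:httponly,L]

# Step 2: every other request under /administrator that does not carry the
# cookie is redirected to the frontend, so the login form is never shown to
# scripts that only know the default URL.
RewriteCond %{HTTP_COOKIE} !adminkey=1
RewriteRule ^administrator(/|$) / [R=302,L]
```

The key travels in the URL, so it ends up in browser history and in the server access log; treat this as a filter against automated scanners, not as a replacement for the strong password and 2FA from tip 6.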
8. Enable HTTPS
There are a number of good reasons to add HTTPS to your site, including:
- Protects the integrity of your website
- Protects the privacy and security of your users. See Google Developers for more information
- HTTPS adds an encryption layer of TLS (Transport Layer Security) or SSL (Secure Sockets Layer) to your HTTP, encrypting all traffic between a user and your website.
- It is necessary for ecommerce transactions anyway
- Google now uses HTTPS as an SEO ranking factor
- From October 2017, Google marks sites without HTTPS as “not safe” in the latest browser versions
The quickest way to add HTTPS to your site is to install an SSL certificate. Since 2016 Let's Encrypt has been providing free SSL certificates for any website. Many decent hosting providers offer quick installation of a Let's Encrypt certificate from within the hosting control panel.
- Once a certificate is installed in the hosting account, it is fairly simple to enable in the Joomla Global Configuration (Server / Force HTTPS - Entire Site)
- You should also enable SSL redirection, so anybody coming to http:// is automatically redirected to https://.
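The redirect described above as an .htaccess fragment, added here as an illustration and not taken from the post. It assumes Apache 2.4 with mod_rewrite and mod_headers enabled, TLS terminated by mod_ssl on this host, and that www.example.com (a placeholder) is the canonical hostname.

```apache
RewriteEngine On

# Send every plain-HTTP request to the same path over HTTPS. The second
# condition covers a CDN or proxy (Cloudflare, for example) that terminates
# TLS and talks to the origin over HTTP: HTTPS is "off" at the origin, but
# X-Forwarded-Proto tells us the visitor arrived over HTTPS.
# A fixed hostname is used rather than %{HTTP_HOST}, so an arbitrary Host
# header is never reflected into the redirect.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L,NE]

# Once every page works over HTTPS, tell browsers to skip http:// entirely
# for the next 30 days (HSTS). Sent only on HTTPS responses; raise max-age
# once you are confident nothing is still served over plain HTTP.
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=2592000" env=HTTPS
</IfModule>
```

The 301 alone still leaves the visitor's first request unprotected; the HSTS header is what closes that gap on later visits, which is why the two belong together.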
9. Web Application Firewall (WAF)
A WAF monitors and blocks HTTP traffic to and from a web application. WebSolutionZ run a WAF on every website, and the number of notifications we receive on a daily basis is astounding! We definitely recommend this.
10. Backup Backup Backup!
Regular backups should be an essential part of your disaster recovery planning.
- Ensure backups are regularly tested – an untested backup is a bad backup
- Keep backup files offsite – if your site is hacked, the hackers are likely to try to target onsite backup files as well.
- Automate as much as possible, to ensure backups are run even if you forget
- Some options:
  - 3rd party software
  - Hosting account backups
All WebSolutionZ managed websites are automatically backed up and stored offsite at Amazon S3, including regular testing.
Bonus Tips (because 10 is never enough)
- Lock down .htaccess
- Think about encryption - FTP and email are not encrypted, so sharing passwords via either method means those passwords could be intercepted
- Enable Cloudflare or another CDN, to protect the website against DDoS attacks. Cloudflare is often included in good website hosting accounts
- Monitor website changes:
  - Admin Tools PHP File Change Scanner
  - myJoomla.com / Watchful.net
- Utilise CSP (Content Security Policy).
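The two .htaccess-related bonus tips (locking down .htaccess and adding a CSP) as one fragment, added here for illustration; it is not from the post or from Joomla's own htaccess.txt. It assumes Apache 2.4 (Require syntax) with mod_headers enabled, and /csp-report is a placeholder for whatever endpoint you collect reports at.

```apache
# Lock down sensitive files: nothing in the web root that starts with ".ht"
# (the .htaccess itself, .htpasswd) or the Joomla configuration file should
# ever be served to a browser. Most Apache builds already deny ".ht*"
# globally; repeating it here costs nothing on a shared host.
<FilesMatch "^(\.ht.*|configuration\.php)$">
  Require all denied
</FilesMatch>

# Content Security Policy. Start in Report-Only mode: the browser reports what
# the policy would have blocked without breaking the site, which matters
# because CMS templates and backends rely heavily on inline scripts and
# styles. Rename the header to Content-Security-Policy once the reports are
# clean, then work on removing 'unsafe-inline' from script-src (that is
# where most of the XSS protection comes from).
<IfModule mod_headers.c>
  Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; form-action 'self'; report-uri /csp-report"
</IfModule>
```

Enforce the policy only after a few days of clean reports from both the frontend and the administrator backend, since the backend loads scripts the public pages never do.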
Remember!
- Even with the best of intentions, sometimes websites will still get hacked.
- Keep calm!
- If you have solid, tested offsite backups, life is easier.
- Should the worst happen, this may be useful: Unhacking Your Site
- If you can’t do this yourself, consider engaging a professional who can look after website security for you.
Further Reading & Information
- Nicholas Dionysopoulos, Keeping your site safe, JoomlaDay UK 2016
- Viktor Vogel, A Fast And Secure Joomla! website, Joomla World Conference 2017
- Dre Armeda, The Gentle Art of Website Security (keynote), Joomla World Conference 2016
- Troy Hunt, The 6-Step "Happy Path" to HTTPS
- Sucuri, Hacked Website Report 2017
- Video of the presentation to the Melbourne Joomla User Group, 18 April 2018
If you require assistance, please contact us.