Websites are hacked for a variety of reasons, and the thought of it happening can be quite daunting. But with these basic preventative measures, some of the risk can be minimised.

Recently we presented our Joomla Security Top 10 Tips to the Joomla Australia User Group. Most of these tips apply to WordPress as well. You don't need to be a security professional to make your website safer!

1. Server

If you do everything else right but the website hosting is sub-standard, your site is still likely to be compromised. So the first and most important thing to do is:

  • Choose a good, reputable web host!
    • In Australia - Whirlpool has a long-running review thread covering Australian web hosting providers
    • Research well, and don't automatically go with the cheapest hosting you can find. In the world of web hosting, you quite often get exactly what you pay for.
  • If self-hosting, ensure all server software is kept up to date. This includes PHP, MySQL, Apache, phpMyAdmin, the SSH server, etc.
  • Ensure the website is running a PHP version that still receives security fixes (at the time of writing, PHP 7.x). PHP 7 is more secure than earlier versions and has the added bonus of being faster too. Check which version your host runs before upgrading the CMS, since each CMS release lists the PHP versions it supports.

2. CMS Core

We can't stress this enough - keep your site updated! Joomla and WordPress are really good at providing security patches in a timely manner, but a patch is no good if it isn't applied. Most automated attacks target vulnerabilities that were fixed long before the attack.

  • Disable unused core extensions and templates
  • CMS Core security fixes are released regularly. Find the best ways to be notified when this occurs:
    • Enable notification plugins within the CMS
    • Follow the WordPress or Joomla social media accounts, or the project's security announcements

3. CMS Third Party Software

As well as keeping the Core updated, it's also important to manage the 3rd party software installed in the CMS.

  • Remove unused software. There's no point having it installed if it's un-used - all it means is you have more stuff to keep updated.
  • Avoid software from unknown developers.
  • Only download software and updates from the developer's own site or the official extension/plugin directory. It's not worth using a "free" (nulled) copy of commercial software: it is almost certain to have been modified before it gets to you, usually to add a backdoor or spam injector. There's a saying - "Download something for free, get something else for free".

4. File & Directory Permissions

All files and directories should have the correct (chmod) permissions, so that the web server can read what it needs but nothing on the server is writable by everyone.

  • This can often be done via a hosting account's File Manager, or by FTP (depending on the host configuration)
  • On Apache servers, Joomla's preferred permissions are:
    • Folders 755
    • Files 644
    • configuration.php 444 (read-only even for the owner; set it back to 644 briefly when you need to save Global Configuration, then restore 444)
    • NOTHING EVER 777 (world-writable means any process or user on the server can modify the file)
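The following script is an added example, not part of the original post, showing how to apply the permissions above from a shell on the server and then audit a web root for anything that deviates, including the 777 case. It assumes a POSIX shell with find and chmod, and that the files are already owned by the correct account (ownership is deliberately left alone). The usage line and the directory paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): apply and audit the
# permissions recommended above on a Joomla web root.

# Set 755 on directories, 644 on files and 444 on configuration.php.
apply_joomla_perms() {
    root="${1%/}"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    # Directories need the execute bit so the web server can traverse them.
    find "$root" -type d -exec chmod 755 {} +
    # Files: owner read/write, everyone else read-only.
    find "$root" -type f -exec chmod 644 {} +
    # configuration.php holds the database credentials. Read-only for the
    # owner too, so compromised PHP code cannot rewrite it (set it back to
    # 644 briefly when saving Global Configuration).
    if [ -f "$root/configuration.php" ]; then
        chmod 444 "$root/configuration.php"
    fi
}

# Print every path that breaks the rules (anything world-writable, which
# covers 777, or a mode other than the expected one) and return 1 if any
# were found, so this can run from cron or gate a deploy.
audit_joomla_perms() {
    root="${1%/}"
    cfg="$root/configuration.php"
    offenders=$(
        find "$root" -perm -002                      # world-writable
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -perm 644 ! -path "$cfg"
        find "$root" -type f -path "$cfg" ! -perm 444
    )
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" | sort -u
        return 1
    fi
    return 0
}

# Usage (placeholder path): sh joomla-perms.sh /var/www/example.com [audit]
if [ $# -ge 1 ]; then
    if [ "${2:-}" = audit ]; then
        audit_joomla_perms "$1"
    else
        apply_joomla_perms "$1" && audit_joomla_perms "$1"
    fi
fi
```

Run the audit form from cron and mail yourself the output: a file that has turned world-writable, or a configuration.php that is no longer 444, is often the first visible sign of a compromise or of a careless FTP client.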


5. Account Permissions

Joomla has core Access Control List (ACL) functionality which is very powerful; WordPress has a role system that serves the same purpose.

  • Ensure all user accounts only have access to what they need. Day-to-day content editing does not need a Super User account.
  • Remove any old, unused or temporary accounts, including accounts created for a developer or agency once the work is done.

6. Admin User & Password

Secure passwords are really important, especially on a website super-user account. Refer to our previous blog post for more information.

  • Rename the default administrator account (the "admin" username most installers create) to something less guessable, since automated attacks try that username first
  • Use a STRONG password
  • Consider using a password manager (we've provided some suggestions)
  • Enable Two Factor Authentication (2FA) or Multi Factor Authentication (MFA) on every backend account; a stolen or guessed password is then not enough on its own

7. Protect the Admin URL

Many automated hacking scripts target the default administrator URL (/administrator for Joomla, wp-login.php and wp-admin for WordPress), so protecting this can help avoid some problems. Note that this is obscurity on top of a strong password and 2FA, not a replacement for them.

  • Hide the admin URL with a secret key
  • Visitors to the backend who do not know the secret key are automatically redirected to the frontend
  • There are a number of ways to achieve this:
    • Configure a redirect in the site's .htaccess file
    • Install a plugin/extension which allows you to secure the backend admin URL

8. Enable HTTPS

There are a number of good reasons to add HTTPS to your site, including:

The quickest way to add HTTPS to your site is to install a TLS (commonly still called "SSL") certificate. Since 2016 Let's Encrypt has been providing free certificates to anyone who can prove control of their domain. Many decent hosting providers offer quick installation of a Let's Encrypt certificate from within the hosting control panel, including automatic renewal, which matters because the certificates are only valid for 90 days.

  • Once a certificate is installed in the hosting account, it is fairly simple to enable in the Joomla Global Configuration (Server / Force HTTPS - Entire Site)
  • You should also configure an HTTP to HTTPS redirect at the web server, so anybody coming to http: is automatically redirected to https:, including requests that never reach the CMS.
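As an added example (not code from the original post), here is a fragment of a Joomla site's .htaccess that implements tip 7 (a secret-key gate on /administrator) and tip 8 (redirecting everything to HTTPS). It assumes Apache 2.4 with mod_rewrite enabled and AllowOverride permitting it in the web root. The key REPLACE-WITH-LONG-RANDOM-KEY, the cookie name jadmin and the domain .example.com are placeholders to change.

```apache
# Added example (not from the original post): HTTPS redirect plus a
# secret-key gate on the Joomla backend. Place these rules before the
# front-controller rewrite that Joomla's own htaccess.txt provides.
RewriteEngine On

# --- Tip 8: force HTTPS for the whole site --------------------------------
# Apache sets HTTPS=on only when it terminates TLS itself. Behind a proxy
# or CDN that terminates TLS (Cloudflare, for example) the second condition
# checks the forwarded scheme instead; drop it if you are not proxied.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# --- Tip 7: secret-key gate on the backend --------------------------------
# Step 1: a request to /administrator/?<key> sets a cookie (60 minutes,
# Secure, HttpOnly, scoped to /administrator) and then continues normally.
RewriteCond %{QUERY_STRING} ^REPLACE-WITH-LONG-RANDOM-KEY$
RewriteRule ^administrator/?$ - [CO=jadmin:1:.example.com:60:/administrator:1:1,L]

# Step 2: any other backend request without that cookie is sent to the
# front page, which is what visitors who don't know the key will see.
RewriteCond %{REQUEST_URI} ^/administrator(/|$)
RewriteCond %{HTTP_COOKIE} !(^|;\s*)jadmin=1
RewriteRule ^ / [R=302,L]
```

To log in, visit https://www.example.com/administrator/?REPLACE-WITH-LONG-RANDOM-KEY once; the login form and every later backend request carry the cookie, and everyone else is bounced to the home page. The key appears in the server access logs as a query string, so treat it like a shared secret and rotate it when staff change. For WordPress the same pattern applies to wp-login.php and wp-admin/. None of this replaces a strong password and 2FA on the backend accounts.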


9. Web Application Firewall (WAF)

A WAF inspects HTTP traffic to and from a web application and blocks requests that match known attack patterns (SQL injection, known-vulnerable extension paths, login brute forcing and so on). WebSolutionZ run a WAF on every website, and the number of blocked requests we are notified about on a daily basis is astounding! We definitely recommend this, with the caveat that a WAF reduces noise and buys time; it does not remove the need to apply patches.

10. Backup Backup Backup!

Regular backups should be an essential part of your disaster recovery planning.

  • Ensure backups are regularly tested by actually restoring them – an untested backup is a bad backup
  • Keep backup files offsite – if your site is hacked, the attacker can delete or tamper with any backups stored alongside it, and a backup inside the web root may even be downloadable by anyone.
  • Automate as much as possible, to ensure backups are run even if you forget
  • Some options:
    • 3rd party software
    • Hosting account backups

All WebSolutionZ managed websites are automatically backed up and stored offsite at Amazon S3, including regular testing.
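The script below is an added example, not the post's or WebSolutionZ's own tooling, of the automated, tested, offsite backup this section describes. It reads the database credentials from Joomla's configuration.php, dumps the database, archives the files, checks that both archives are readable and copies them offsite. It assumes mysqldump, tar and gzip are installed and that rclone is configured with a remote called "offsite" (any scp or S3 upload would do; the remote name and the paths are placeholders).

```shell
#!/bin/sh
# Added example (not from the original post): cron-able Joomla backup with
# verification and an offsite copy.

# Read one scalar from configuration.php, e.g. `public $db = 'joomla_prod';`
# Usage: joomla_setting <path-to-configuration.php> <name>
# Caveat: a value containing an escaped quote (\') is not handled here.
joomla_setting() {
    sed -n "s/^[[:space:]]*public[[:space:]]*\\\$$2[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1"
}

# "An untested backup is a bad backup": return 0 only if the SQL dump is
# valid gzip and the tarball can be listed end to end.
verify_backup() {
    gzip -t "$1" && tar -tzf "$2" >/dev/null
}

backup_joomla() {
    site="${1%/}"; dest="${2%/}"
    cfg="$site/configuration.php"
    stamp=$(date +%Y%m%d-%H%M%S)
    sql="$dest/db-$stamp.sql"
    tarball="$dest/files-$stamp.tar.gz"

    # Put the DB credentials in a 0600 option file rather than on the
    # mysqldump command line, where any local user could read them from ps.
    cnf=$(mktemp) || return 1
    chmod 600 "$cnf"
    printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' \
        "$(joomla_setting "$cfg" host)" \
        "$(joomla_setting "$cfg" user)" \
        "$(joomla_setting "$cfg" password)" > "$cnf"
    # --single-transaction gives a consistent InnoDB snapshot without
    # locking the live site while the dump runs.
    mysqldump --defaults-extra-file="$cnf" --single-transaction \
        "$(joomla_setting "$cfg" db)" > "$sql" && gzip -f "$sql"
    status=$?
    rm -f "$cnf"
    [ "$status" -eq 0 ] || { echo "mysqldump failed" >&2; return 1; }

    tar -czf "$tarball" -C "$site" .

    verify_backup "$sql.gz" "$tarball" \
        || { echo "backup verification failed" >&2; return 1; }
    # Copy offsite so an attacker who owns the web server cannot delete it.
    # "offsite" is a placeholder rclone remote name.
    rclone copy "$dest" "offsite:backups/$(basename "$site")"
}

# Usage (placeholder paths):
#   sh joomla-backup.sh /var/www/example.com /var/backups/example.com
if [ $# -eq 2 ]; then
    backup_joomla "$1" "$2"
fi
```

Keep the local destination outside the web root, and schedule a periodic restore of the newest archive into a staging site: verify_backup only proves the files are intact, not that the site actually comes back.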


Bonus Tips (because 10 is never enough)

  • Lock down .htaccess: keep it read-only, as with configuration.php, so a compromised script cannot rewrite your redirect and protection rules
  • Think about encryption - plain FTP and email are not encrypted, so passwords shared or sent via either method could be intercepted. Use SFTP or FTPS for file transfers, and share credentials through a password manager rather than email.
  • Put the site behind Cloudflare or another CDN with DDoS protection. Cloudflare is often included in good website hosting accounts
  • Monitor website changes, so that an unexpected new or modified file is noticed quickly rather than months later
  • Utilise CSP (Content Security Policy) to limit where scripts and other resources may load from. Start in report-only mode, because CMS templates and extensions often rely on inline scripts that a strict policy will block.

Remember!

  • Even with the best of intentions, sometimes websites will still get hacked.
  • Keep calm!
  • If you have solid, tested offsite backups, life is easier.
  • Should the worst happen, this may be useful: Unhacking Your Site
  • If you can’t do this yourself, consider engaging a professional who can look after website security for you.

 

reading 150x150Further Reading & Information

If you require assistance, please contact us.