Do you have a site with Joomla, and now you are wondering what steps you must take to protect your Joomla site from all the online threats?
If your answer is yes, then you have come to the right page. In this article, I am going to share the ultimate Joomla security guide with you. So you can keep your Joomla safe and away from all the threats online.
So let’s just head into the topic without wasting much of the time:
Why do you need to secure your Joomla Site?
You may think that your website is safe and away from hack attempts. However, the truth is that there are hackers who are continuously compromising Joomla websites. Most of the times the hacker does not want to steal your data or want to create any other issue to your website. In fact, they try to hack websites to use your server for a temporary time to use it as an email relay for spam or to serve files of an illegal nature.
And whenever such things happen it can affect your website. Hence, you have to think of securing your Joomla website. However, in case if you are wondering how can you do so, then you can follow this checklist:
Checklist to Secure Your Site
Keep your Joomla up to date
The first thing that you can do is make sure that you are keeping your Joomla website up to date. Hackers continuously looking for different options to get into Joomla websites and to prevent that Joomla developers are keep coming with more complicated code structure which is hard to break and by updating your Joomla website, you are simply moving to the new version of the Joomla and the hackers will need to start looking for a loophole from scratch.
Install Joomla Security Plugin
The second thing that you can do is install the Joomla security plugin. A security plugin will help you to prevent most of the security threats. Like they come with built-in malware and security scanner that helps you to identify any security risks, malicious codes, spam, virus, SQL injection, and security vulnerabilities. Even if your websites get login through a different IP address then the security plugin will let you know about it. So you can take quick actions. Even there are quite a lot of Joomla security plugins are available such as R Antispam, Centrora Security, Brute Force Stop, and so on.
Use a Reputed Hosting
The second must thing that you need to do is use a reputed hosting for so many reasons. One of the main reasons is that they often run a security check in their servers. As a result, they block most of the threats before they attack your website. Along with that, a reputed hosting helps you to get maximum performance. So you can run your website pretty smoothly. I will recommend you to use SiteGround hosting for your Joomla website.
Avoid Using Nulled Templates or Extensions
You must avoid nulled templates or extension on your Joomla website. There are quite a lot of websites available which offers paid themes and extensions free of cost. However, the drawback is that these themes and extensions are nulled or you can say hacked. This kind of files often has major loopholes, and hackers can use these loopholes to get into your website and as a result, they can harm your website, which is something you don’t want to happen with yourself. we have a detailed article about why you should avoid using nulled templates or extensions.
Use Strong Password
For your Joomla website, you must use a strong password. After installing Joomla, do not use the default login details. Instead, go ahead and change them. As the first thing that hackers try is to use the default login details. So you better change them to reduce further risks. Even for a strong password, you can use some password generate tools which will help you to create a strong password for your Joomla website.
Enable Two Factor Authentication
To tighten the security level more, you can enable two-factor authentication. Two more authentications add another layer of security. If you enable two-factor authentication on your website, then whenever you enter your password and try to login to your website. It will ask for additional confirmation. It might ask you to enter an OTP that it has sent to your phone number or email account or you have to use apps like Google Authenticator or Authy.
Uninstall Unnecessary Joomla Extensions
Do you have `a lot of extensions on your Joomla website? If yes, there is a high chance that there are quite a lot of Joomla extensions that you do not use and if that is the case, then you better uninstall them. Why?
In case any of those extensions gets compromised, then the hackers will be able to enter into your website and the consequences would not be something you would like. Hence to minimize the threat to the max you better uninstall unnecessary Joomla extensions.
Take Regular Backup
At one side, securing your website is extremely important. On the other hand, you must take regular backup of your website. So in case if any hacker ever compromises your website. You will be able to restore your website back to normal using a backup. Even if you ever mess up your website, backup helps a lot. Generally, your hosting provider takes a regular backup. But if they are not providing so, then you better take a backup by yourself only. Here we have mentioned some of the best Joomla backup extensions.
Protect your Administrative Page
To lower down the risk to the maximum level, you must protect your administrative page and how can you do so? Simply by creating a strong password and by making some changes in the .htaccess file. However, the steps are a bit complicated. But thankfully there are quite a lot of guides available online including Joomla’s official documentation. So it will not be an issue for you.
Disable FTP Layer
To be honest, FTP is a great feature to have especially when your PHP does not run under user permission and by doing so, you will be able to allow file operations without having to make all the folders and files writeable. This makes the site admin's life a lot easier and increases the security of the site.
Install SSL Certificate
SSL is also one of the important things that you must install on your website. SSL helps in establishing a secure connection between your website and the users. Even if you consider SEO factors, then SSL is extremely important. Without SSL, you will find a hard time getting your website ranked in Google. Even, Chrome and some other browsers block those sites which are not using SSL certificates. So if you are not using an SSL certificate for your website, you must do it now. If you dont know how to install a free SSL certificate on your Joomla site, consider reading this article.
Disable File Editing Permissions
You should also disable file editing permissions. One of the most common problems is incorrect file permissions. In fact, you should only grant write access permission to those directories that require file editing option. Such as upload and cache directories. Apart from that, you need to disable file editing permission.
To make you understand in a better way, here is how the ideal Joomla setup should look like:
- Directories set to 0755: only the owner of the file can write to it, the rest can read and execute them.
- Files set to 0644: only the owner can write, the rest can read.
- PHP set to 0444: nobody can write to the file.
Also, you must never use 777 permissions. As it allows your files to be viewed and modified by anyone. Even this is the most important thing you must keep in your mind if you are using shared hosting to host your website.
Use the secret key to login into Joomla Admin
Whenever you want to make any changes in the Joomla database or want to disable any settings or enable it, you will require a secret key. Although, you can disable this option on your Joomla website. But I would recommend not to. As it adds an additional layer to the overall security of your Joomla website.
Keep an Eye on your Joomla Site
You need to keep an eye on your Joomla site from time to time. You never know when your website is going down unless you are keeping an eye on your Joomla website. You need to check your Joomla site from time to time and make sure that everything is working fine.
But, this can be quite frustrating to check the website again and again. However, this is where the StatusCake comes into play. The tool will let you know whenever your website is going down by sending you an SMS or email.
Enable SEF URL
You must enable the SEF URL. SEF URL helps in masking URLs of your Joomla website more search friendly. Even a good SEF component also offers your website additional tough of security to your website. It helps in making the information and makes it harder for the hacker to find eventual security vulnerabilities.
To enable the option, you have to follow these steps:
- First of all, login to your Joomla Administration.
- Then click on site>>global configuration.
- After that, click on site and select Yes next to the Search Engine Friendly URLs option.
Consider reading this detailed article about making your URL more seo & user-friendly.
Use Appropriate File/Folder Permissions
You also need to make sure that you are using appropriate file and folder permissions and proper chmod configuration. However, in case if you are not sure what the perfect combination should be, then you can follow these details:
PHP files – 644
Config Files – 644
Other folders – 755
17. Use Web Application Firewall
Furthermore, you must use a Web Application Firewall application for your website. As they are one of the essential tools that you must have on your website. As Web Application Firewall helps you to protect your website from top OWASP 10 security, known vulnerabilities, and malware.
Even in case if you are using Joomla website on VPSS, then you can try out the ModSecurity. The tool is free to use and works like a charm. Moreover, if you are using shared hosting for your Joomla website, then you can check out the cloud-based web application firewall.
Also, to help you understand in a better way, here are the things that the Web Application Firewall will protect you from:
- Login protection
- DDoS protection
- XSS attack
- Bot protection
- SQL injection
- Brute force attack
- Backdoor protection
Harden Your PHP Configuration
Joomla is written on PHP. However, in order to increase Joomla’s security you must change the following PHP directives in your php.ini file:
expose_php = 0: hide the PHP version to your response headers so attackers don’t know which known vulnerabilities might be hiding in your version.
open_basedir = “/var/www/yoursite.com:/tmp/” : Tell PHP to whitelist the given directories. This prevents attackers from accessing any other part of your file system. Note that you must include every directory PHP needs access too, including the temporary file upload directory and session storage location.
display_errors = 0: Errors should never be displayed to the end-user as they might give away important information about your setup to attackers.
disable_functions = exec,passthru,shell_exec,system,
proc_open,proc_close,proc_terminate,popen,curl_exec,curl_multi_exec,
show_source,posix_kill,posix_getpwuid,posix_mkfifo,posix_setpgid,
posix_setsid,posix_setuid,posix_setuid,posix_uname,php_uname,syslog
Disables dangerous PHP methods so that attackers cannot use them to compromise your system.
You might also want to consider disabling the following options:
- allow_url_fopen = 0
- allow_url_include = 0
- file_uploads = 0 Disable file uploads if your website does not need them.
Change Joomla Database Prefix
In the end, you must focus on changing Joomla database prefix. It is one of the essential steps that you must take and change your database prefix into something else. Otherwise, hackers can target this for malicious purposes. However, changing the Joomla database prefix is not as complicated as it seems. Even there is quite a lot of guide are available online. Check out the detailed Joomla tutorial about changing the Joomla Database Prefix.
So these are the few tricks you can try to make your Joomla site secure. Let me know if you have any suggestions to make this article more useful to Joomla users.
