Joomla Security Overview
In this article we are going to be discussing way to improve the security on your Joomla website. Because Joomla has had multiple versions over the past few years, we are going to be talking about the top 2 versions currently being used in production sites.
Below we will outline the basics that will cover all versions of the website.
- Passwords
- Make sure you use strong, hard to crack/guess passwords on all of your sites. You should avoid using words as passwords and it should be a mixed set of characters with no less than 10 characters in length. It is also HIGHLY recommended that you do not use the same password for different aspects of your site. For example, do not use the same password for your administrator login as your MySQL password. Try to use different passwords whenever possible! This will help isolate breaches (if they happen) to just one or two services rather than your entire site/hosting account.
- For more information about secure passwords, please see our dedicated article on the topic here.
- Updates
- If Joomla is still releasing updates for your version, please install them! Most updates include security patches that fix vulnerabilities in the code. If you run an unpatched version of the site, you risk the chances of someone using a known security hole to compromise your website.
- For information on how to update your Joomla site, please see below.
- Plugins/Extensions
- If you use plugins for Joomla, make sure you keep your plugins up to date. Like Joomla itself, plugins could have vulnerabilities that could open security holes in your website. If an update becomes available, we recommend that you install it.
- Be aware that not all plugins are alike. Because plugins can be developed by anyone, the security and coding practices may not be the best. Because of this, we recommend that you only use plugins that have good reviews and no negative comments regarding security. You could also hire someone with experience to review the code for the plugin to help spot any security holes before you install it on your production site.
- Backup!
- Make sure you have an active backup plan. If for some reason your site were to be breached, it is possible that your data could be lost. You can prevent this by backing up your site often and storing it off site, either in your home, or at an online backup provider.
- Community
- Joomla has a very active community that can be helpful in times of need. Use their community site to search any problems you may be having with a plugin or a Joomla feature. Also keep an eye out for community members posting security issues for the version of Joomla you are using.
- Secondary Password
- Some hosts (including us) allow you to use server based authentication to help reduce the possibility of breaching your password through cracking. This works by having 2 login prompts. One login uses htaccess, while the other is the standard Joomla administrator login. You must enter your htaccess credentials before you even see the Joomla login form. For information on how to password protect your administrator directory, please see the following two links.
- SiteAdmin: /control/siteadmin/siteadmin-how-to-password-protect-directories/
- cPanel: /control/cpanel/cpanel-password-protect-a-directory/
- Directory Index
- A good way we can help protect our files is to disable directory indexing. This makes it so that when people try to access just a folder they do not see the files inside of the folder. However, please keep in mind that they can still access them if they know what the full file path is. For information on how to disable indexing, please see one of the following two links.
- SiteAdmin: /control/siteadmin/siteadmin-index-manager/
- cPanel: /control/cpanel/cpanel-default-index-page/
- htaccess
- htaccess files are very powerful It allows you to use fancy URLs; but in addition, the default Joomla htaccess file also helps prevent attacks on your site. Please click here for more information on how to enable the default htaccess file.
- FTP Settings
- In Joomla, you have the option to store FTP details for your server so that it can upload files. Unless you are specifically using an extension or setup that needs this functionality, we highly recommend that you do not enable this function. If your site were to be breached, the details for your FTP account would be exposed. If you do need this function, it is recommended that you create a new FTP account in SiteAdmin or cPanel that is limited to just the Joomla directory, or even better, just the folder you need to upload files too. For information on how to create FTP accounts, please see the following two links.
- SiteAdmin: /control/siteadmin/siteadmin-how-to-create-an-ftp-account/
- cPanel: /ftp/cpanel-additional-ftp-accounts/
Joomla 1.5
In this section, we will link to specific topics reverent to Joomla version 1.5.
Joomla 2.5
In this section, we will link to specific topics reverent to Joomla version 2.5.