Friday, January 28, 2011

10 tips to secure your joomla site

Proper Hosting Environment
A properly configured server is highly recommended for your joomla website. Host your site on a server that runs PHP in CGI mode with su_php. This means that PHP runs under your own account user instead of the global Apache user and you don’t need to set insecure global permissions like CHMOD of 777.

a. Set register_globals OFF
b. Disable allow_url_fopen
c. Adjust the magic_quotes_gpc directive as needed for your site. The recommended setting for Joomla! 1.0.x is ON to protect against poorly-written extensions. Joomla! 1.5 ignores this setting and works fine either way.
d. Don’t use PHP safe_mode

Change the Default Database Prefix (jos_)
While installation, change the default database prefix to something random. This will prevent most of the SQL injection attacks as hackers try to retrive superadmin details from jos_users table. Disable FTP Layer
While installation, dont enable the FTP layer as it opens up a potential security hole since your FTP details are stored in plain text under a Joomla! configuration file. FTP layer is not required if your hosting is secured and configured properly for Joomla. Change superadministrator username
After installation, change the username for the super-administrator. By default, its admin. So change it something like ravi.chamria so that the username/password combination becomes difficult to guess or crack. Strong password
Always use strong password for the administrator accounts. An example of strong password is E@^M!$ <9@k. You can use sites like to generate a strong password.

A good addition is to password protect the administrator folder. In apache web server, you can do this htaccess file or in cpanel, you can use Password Protected Directory option to setup a password. This will add another layer of username/password before someone reaches your Joomla admin details. Needless to say, have this password different from Joomla admin password.

Enable SEF URLs
Most hackers use the Google inurl: command to search for a vulnerable exploit. So enable SEF urls from site configuration if you are using Joomla 1.5. You can also use extensions like SH404SEF for both Joomla 1.0 and Joomla 1.5. This will prevent hackers from finding the exploits as well as benefit you in SEO perspective. Upgrade to latest release of Joomla
Always upgrade to the latest release of Joomla as soon as possible. The current release is 1.5.11. You can subscribe to or our blog feeds to get updates about the latest security releases.

Always download Joomla! from official sites, such as the Joomla! Forge, and check the MD5 hash

Third party extensions
There are more than 4000 extensions available for Joomla many of which are non-commercial. But dont take this as an opportunity to install unnecessary extensions on your website. Remember that most hacking attempts occur due to vulnerability in these extensions. So, always use extensions which are popular, has strong community backing and development process. Proper file/folder permissions
The proper file/folder permissions for your joomla website is:
* PHP files: 644
* Config files: 666
* Other folders: 755

You can CHMOD the files and folders using your FTP client.

Setup a backup and recovery process
Always rely on a strong backup and recovery protocol for your live website. Its not just hacking that may compromise your website but other factors like a faulty upgrade or extension install, hardware failure, hosting provider issues. You can use JoomlaPack, a non-commercial component native for both Joomla 1.0 and 1.5 for backup.

View the original article here

No comments:

Post a Comment