Joomla Security Tips
From Lunarpages Web Hosting Wiki
Joomla is a very powerful and popular script, and like any script there are things you can do to make it more secure.
- Create a brand new super administrator with a strong password. Log out, log back in with the new account, open the User Manager, demote the default “admin” user to Manager level (Joomla will not let you delete a super administrator directly), apply the change, and then delete the “admin” user. Attackers know the default username and its user ID, so removing that account takes away the obvious target for brute-force password guessing.
- See the Joomla Security Checklist from the Joomla project for its recommended hardening steps. Some of its suggestions, such as using Subversion for rollbacks or editing the server-wide php.ini, are not possible on a shared server, but we do support custom .htaccess and php.ini files, so you can still control many settings for your own account.
- See Securing Your Joomla Website and follow the recommendations.
- If there is no .htaccess file in your Joomla folder, rename the htaccess.txt file that ships with the Joomla installation package to .htaccess. This file provides SEF (search engine friendly) URL rewriting and contains rules that block a number of common attack patterns. If you already have a .htaccess file, merge the contents of htaccess.txt into it.
- Block direct access to every file except index.php and index2.php by adding the following to .htaccess. The patterns are anchored and the dot is escaped so that only those two file names match (the unanchored pattern "index.php" would also match names such as myindex.php or index_php):
  deny from all
  <FilesMatch "^index\.php$">
      allow from all
  </FilesMatch>
  <FilesMatch "^index2\.php$">
      allow from all
  </FilesMatch>
  On Apache 2.4 the equivalent directives are "Require all denied" and "Require all granted".
- This rule also blocks direct requests for template stylesheets, scripts and images, and for any component or module files that are fetched directly rather than through index.php. If part of the website disappears, check which files it needs and allow them with another FilesMatch block in the same way. Extensions that are loaded through index.php keep working.
- register_globals: current Joomla versions do not need it, so disable it. It is off by default on our servers, but if you enabled it earlier, set it back to Off in your php.ini (see http://wiki.lunarpages.com/Create_php.ini). The line is “register_globals = Off”.
- Password protect the administrator directory using Password Protect Directories in cPanel or LPCP. The Joomla login form you normally see when browsing to the admin area gives only minimal protection; HTTP authentication on the folder blocks direct access to it, and to its login form, before Joomla is even invoked.
- Change the default database table prefix jos_. Automated SQL injection scripts usually assume the default prefix, so a different prefix makes them fail; it does not fix an injection flaw itself, so keep your extensions updated as well. You can set the prefix when installing Joomla manually. If Joomla is already installed, or you used Fantastico or Softaculous to install it, the DB Set Table Prefix extension can change it for you. To change it manually:
  - Back up your database.
  - Log in to the Joomla Administrator area.
  - Open Global Configuration and find the Database settings.
  - Change the database prefix (for example rthf_) and press Save. Joomla now expects tables with the new prefix, so the site will show database errors until the final import below has completed.
  - Open phpMyAdmin and select your database.
  - Go to Export, leave the defaults and press Go. This may take some time on a large database, so be patient.
  - When it finishes, select all of the exported SQL and copy it into Notepad (or any other text editor).
  - In phpMyAdmin, select all tables and drop them.
  - In the editor, do a search and replace (Ctrl+H). Search for `jos_ (including the opening backtick, so that only table names change and not article text that happens to contain jos_) and replace it with `rthf_ (your new prefix). Press "Replace all".
  - Select everything in the editor and copy it. In phpMyAdmin go to the SQL tab, paste the queries and press Go.
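The same prefix change done from a shell, as an added example that is not from the Lunarpages wiki or the Joomla project: it dumps the database with mysqldump, rewrites only backtick-quoted identifiers that start with the old prefix (so article text containing "jos_" is left alone), checks that none remain, appends DROP statements for the old tables, and feeds the result back to mysql. The prefixes, the database name and user, and the miniature dump are constructed for illustration; it assumes a Unix shell with the mysqldump and mysql clients, which shared hosting accounts without shell access may not offer.

```shell
#!/bin/sh
# Added example (not from the Lunarpages wiki or the Joomla project): change the
# Joomla table prefix from a shell instead of hand-editing the export in Notepad.
# Only backtick-quoted identifiers such as `jos_users` are rewritten, so article
# text that happens to contain "jos_" is left untouched. Prefixes are assumed to
# consist of letters, digits and underscores (no regex metacharacters).
set -eu

OLD_PREFIX="${OLD_PREFIX:-jos_}"
NEW_PREFIX="${NEW_PREFIX:-rthf_}"

# Rewrite `<old>name` to `<new>name` everywhere on stdin.
rename_prefix() {
  sed "s/\`${OLD_PREFIX}/\`${NEW_PREFIX}/g"
}

# Emit one DROP statement per old-prefix table found in a mysqldump on stdin.
old_table_drops() {
  sed -n "s/^CREATE TABLE \(\`${OLD_PREFIX}[^\`]*\`\).*/DROP TABLE IF EXISTS \1;/p"
}

# Succeeds only if no backtick-quoted identifier with the old prefix remains on stdin.
verify_rewrite() {
  ! grep -q "\`${OLD_PREFIX}"
}

# Full procedure against a live database (needs mysqldump/mysql; each prompts for
# the password). Not run here: the demonstration below uses a constructed dump.
#   migrate_prefix DBNAME DBUSER
migrate_prefix() {
  db="$1"; user="$2"
  old_dump="$db.$OLD_PREFIX.sql"; new_dump="$db.$NEW_PREFIX.sql"
  mysqldump -u "$user" -p --add-drop-table "$db" > "$old_dump"   # keep as backup
  rename_prefix   < "$old_dump"  > "$new_dump"   # create/populate new-prefix tables
  verify_rewrite  < "$new_dump"                  # abort if any old identifier is left
  old_table_drops < "$old_dump" >> "$new_dump"   # then remove the old tables
  mysql -u "$user" -p "$db" < "$new_dump"
}

# Constructed miniature of a phpMyAdmin/mysqldump export (not a real site dump).
SAMPLE_DUMP='DROP TABLE IF EXISTS `jos_users`;
CREATE TABLE `jos_users` (
  `id` int(11) NOT NULL auto_increment,
  PRIMARY KEY  (`id`)
);
INSERT INTO `jos_users` VALUES (62,"Administrator","admin");
CREATE TABLE `jos_content` (
  `introtext` mediumtext NOT NULL
);
INSERT INTO `jos_content` VALUES ("Rename the jos_ prefix before an attacker guesses it");'

# Demonstration on the constructed dump: rewritten SQL followed by the DROP statements.
rewritten="$(printf '%s\n' "$SAMPLE_DUMP" | rename_prefix)"
printf '%s\n' "$rewritten" | verify_rewrite
printf '%s\n' "$rewritten"
printf '%s\n' "$SAMPLE_DUMP" | old_table_drops
```

The DROP statements are appended after the rewritten CREATE and INSERT statements so that the new tables exist before the old ones are removed; if the import fails part way, the original dump file is still the backup. Remember that the prefix in Global Configuration (configuration.php) must match the new table names, exactly as in the manual steps above.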
- Install the jSecure Authentication plugin.
- Install the Joomla Tools Suite.
- Don't install modules, components or templates you won't use regularly, and don't leave unused ones installed: uninstall them and delete their files entirely. Unused extensions stay reachable by attackers and are easy to forget when patching.
- Keep Joomla and all components, modules and templates upgraded to the latest versions at all times. Back up before making any changes.
- Back up your files and databases regularly and download the backups to your own computer for safekeeping; customers are responsible for their own backups. Since databases change far more often than files, back up the database more often than the files, for example from phpMyAdmin. If you need help restoring from your backups, please email firstname.lastname@example.org . To automate the backup tasks, see this Lunarforums post.
Our last bit of advice is to follow the advice in our other security articles.