As a popular open source and CMS, Joomla is subjected to attack by hackers. There is no perfect security, but It is important to take all possible measures to protect your Joomla site and improves its security. Follow our guide on how to harden your security and prevent your site from being hacked.
1. Do not use admin as your administrator login to your Joomla account.
Be sure to change the username from phpMyAdmin in cPanel to something else and reset the password. Here is a step by step procedure to effect the username change: - Access the cPanel area - Click phpMyAdmin - Navigate and click the site default database (You can verify the site the current database from the configuration.php file) - Click the Users table (tablePrefix_Users) - Edit the administrator account and rename to something else (ensure the username is not renamed to “admin”) - Change the password and encrypt accordingly (Use md5 function). A very secured password string should be deployed. - And finally, click “go” to save the changes
2. Update your Joomla installation to the latest version: (The latest updated version of Joomla is 3.8.3) The update could be applied at the administrative end. Joomla is usually http://domainname/administrator
Here are few security Tips on Joomla Security:
- Secure Administrator login with Strong password
- Don’t leave default administrator account as “admin” and bad password; this is probably the biggest risk in Joomla. By keeping default “admin” and guessable password, you are helping Hacker in their job. Change default administrator login “admin” to something else, which is not easily guessable.
- Use the latest version of Joomla & Extensions. Most of the website owner don’t upgrade to the latest version which is a big risk. Almost every release, you will notice some security fixes so not upgrading to the latest version means keeping your website vulnerable. Review vulnerable extension list provided by Joomla and update the outdated extension. Review the change log each time Joomla release and upgrade if you see any critical fixes.
3. Use a secret key to login into Joomla Admin- Hide your administrator backend from potential hackers and allows those that have secret URL to access the administration area.
- Use login protection extension like KSecure who helps you to add a secret key. This means whenever you need to access admin login page you need to enter the secret key after administrator?. For example: example.com/administrator?testing (testing is the secret key here. If you don’t use this key, then you will be redirected to home page.)
4. Enable Search Engine Friendly (SEF)
SEF make the URLs of your Joomla website more Search Engine Friendly. And good SEF component also gives security benefit. A SEF component masks that information and makes it harder for a hacker to find eventual security vulnerabilities.
Solution: Enable Search Engine Friendly URLs into Joomla Administration area.
- Login into Joomla Administration
- Click on Site >> Global Configuration
- On-Site, tab selects “Yes” next to Search Engine Friendly URLs
5. Keep file/folder permission appropriate
All files should have good CHMOD configuration. Preferably,
- PHP files – 644
- Config Files – 644
- Other folders – 755
6. Use Web Application Firewall
Web Application Firewall (WAF) is essential for any website to protect it from top OWASP 10 most critical web application security risks, known vulnerabilities & malware. If you are hosting your Joomla website on VPS, then you may use ModSecurity which is free. However, if you are on shared hosting or don’t have time, then you may consider cloud-based web application firewall. Using WAF will help you from following.
Bot protection
Login protection
Backdoor protection
DDoS protection
SQL injection
XSS attack
Joomla specific vulnerabilities
7. Monitor your Joomla site
How do you know when your website goes down or defaced? Get notified by email, slack or SMS when your website is not reachable so you can take necessary actions immediately.
Solution: Use a free tool like StatusCake which monitors your website and notifies you when it goes down.
If you follow this guide, the chances are that your Joomla site is more secured. I hope this helps you.