Joomla Security Tutorial
How to improve the security of your Joomla site
In this tutorial we'll make some suggestions on how to make your Joomla site more secure.
Admin name and password
Change the administrator name from the default admin to something more complex and difficult to guess. You can change the administrator name from your site's backend (admin panel). After you log in either click on the button Edit Profile on your backend's control panel/home page or go to the Site menu in the upper left corner and select Edit Profile. Then in your profile (Super User) delete the default admin name in the Login Name field, type your new name and save the changes:
From there you can also change your password and email address. For your password it's advisable to use a random string of lower and upper case letters, combined with numbers and symbols (e.g. U4w&0c#f7N). You can also change your admin name and password directly from the database used by your Joomla installation. It's useful in case you forget your username or password, or you have some other problems with your site. To learn how to do it, visit the article on changing the Joomla admin name and password through phpMyAdmin.
Something also very important is to make regular backups of your Joomla files and of the database used by your Joomla installation. In case something happens to your site, you'll be able to restore it using the most recent undamaged backup. You can backup the files on your account by downloading them on your local computer using an FTP client (or through SSH).
You can back up the database through phpMyAdmin. To access phpMyAdmin, log in to the Pixie control panel, go to the Databases section, there's a link phpMyAdmin on the right side. Inside phpMyAdmin click on the name of your Joomla database in the left frame. This will display the database tables in the right frame. Mark the checkboxes in front of the tables, then from the With selected drop-down menu at the bottom of the page select Export to download the SQL dump file on your local computer.
When there's a new stable version update don't wait too long to update your Joomla. Among other things, new versions include useful security improvements. If you have installed any extensions, check occasionally whether there are new stable updates for them.
When it comes to extensions, there are also some other things worth mentioning, besides updating them. Vulnerable third party extensions are one of the ways your site might get hacked. So don't hurry to install any extensions. There is a list with identified vulnerable extensions on Joomla's official site.
There are some things that might be useful to check before you install an extension. Make sure the extension has a stable version and also check whether it's still supported, meaning that it's still updated regularly. If, for example, the last version was released half a year, a year ago, it's better not to install the particular extension. You can search for another one that performs the same function.
It's also useful to check the comments of other users for the particular extension to see whether they are satisfied and whether there are too many bugs reported. If there is an extension on your site that you don't use any more or it's not supported, it's better to remove/uninstall it. Don't just unpublish it but rather remove it completely from your site (you can also use the backend's installer to uninstall extensions). Some extensions might also have tables in the database; you can remove them too.
Check the Joomla files on your account for world-writable permissions (777). By default, your files (e.g. php files) should have permissions of 644 and the directories of 755. HostKnox clients can check file and folder permissions from the Pixie control panel. It has a special feature that will do this automatically for you. After you log in to the control panel go to the Files section, on the right side there's a link Fix incorrect permissions. When you click on it all the files and directories inside public_html will be scanned. If there are 777 permissions, they'll be changed automatically, removing the world-writable bit.
Block Access to the Administrator Directory
Another thing you can do is to block the access of all IP addresses, except yours, to the administrator directory of your site. This can be done by creating an .htaccess file in the directory you wish to protect and then adding a rule inside the file. The administrator directory holds the files needed for the functioning of your site's backend (admin panel) and so it's good to add additional protection to it.
The administrator directory is in the root Joomla directory on your hosting account. Let's say you have installed Joomla in a folder called joomla on your account, then the path to the administrator folder would be public_html/joomla/administrator.
To protect the administrator folder using this method you have to create an .htaccess file inside the folder. You can do this from the Files section of the Pixie control panel. Just open the administrator folder, click on Create File on the right side of the screen and name it .htaccess (don't forget the dot). You can also create the file on your local computer with a text editor (e.g. Notepad), put the necessary rules in it and upload it with an FTP client (e.g. FileZilla) or with the control panel. Inside the .htaccess file put the following rule:
Order Deny,Allow Deny from all Allow from 126.96.36.199
Change the example IP with your own IP address. You can check to see what your IP is from the login page of the Pixie control panel or from sites such as whatismyip.org. If you want to give privileges to other people to access the backend of your site just add their IP addresses to the allow directive. There should be a single space between the IP addresses. For example:
Order Deny,Allow Deny from all Allow from 188.8.131.52 184.108.40.206
Block Access to PHP Files
Using an .htaccess file you can also block the access to all your Joomla .php files, except for index.php and index2.php. Your site will function with the .php files blocked, you only need to give access to the index.php files. By blocking the access to the rest of the .php files you add an extra level of security. This is especially important for files such as configuration.php which holds sensitive information. To block the access to all the Joomla .php files, you'll need an .htaccess file in the root Joomla directory.
Every Joomla installation package comes with a file htaccess.txt in the root directory. So, if you have installed Joomla in a folder called joomla on your hosting account the path to htaccess.txt would be public_html/joomla/htaccess.txt. What you need to do is to rename htaccess.txt to .htaccess (don't forget the dot).
If you are a HostKnox client, you can rename files from the Files section of the Pixie control panel, just mark the file by clicking next to its name and then click on the Rename link on the right side of the screen. After you rename it click on the file's name to open it and make the changes.
Alternatively, if you prefer it you can download the file to your local computer with an FTP client. Then open it with a text editor (e.g. Notepad) and save it as .htaccess. You can either make the necessary changes in the .htaccess file with the text editor or you can directly upload it back and then make the changes inside the file through the Files section of the Pixie control panel. You need to put the following rules inside the .htaccess file in order to block the access to the .php files:
<Files *.php> order deny,allow deny from all </Files> <Files ~ "(^index.php|^index2.php)$"> allow from all </Files>
The default .htaccess file already has some rules in it; you can put the above rules at the end of the file, for example.
Disable Dangerous PHP Functions
By adding some rules to the php.ini file dangerous PHP functions that you don't need for your site can be disabled. HostKnox servers are configured to work with one global php.ini file per account. This means that for your account there's one global php.ini file that affects all the PHP settings on your account. At this point customers don't have access to the php.ini file, so if you want to use this security measure inform us by sending a ticket to the support team. We'll make the necessary changes for you.
When you install Joomla or any other web-based application it's better to install each application in a separate database with a different user and password. It's possible to install more than one Content Management System (e.g. Joomla, WordPress, Magento, etc.) in a single database but if something goes wrong with the particular database all the applications that keep their data in it might be damaged. So, it's advisable to keep each on a separate database.
If you have more than one application in a single database it's possible to move the tables for the Joomla application to a new database. Through phpMyAdmin you can export the tables for the particular application from the old database and then import them to the new one. Then, however, you'll also have to change the database settings in the configuration.php file.
Another important thing when it comes to databases is the database table prefix. Older Joomla versions (1.5, 1.6) have the default prefix jos_. This means that by default each Joomla installation is installed in the database with the prefix jos_. This makes it easier for people who want to hack your site because they don't have to try and guess the table prefix, if you installed Joomla with the default one.
The prefix can be changed during the installation process. With newer Joomla versions (1.7), however, this is not a problem any more and you don't need to change the prefix during the installation because for each installation Joomla uses a different random string of letters and numbers for the database table prefix. Of course, if you wish you can change the prefix to whatever you want.