Improve security Joomla websites

  • By: Renato D.
  • Jan 23, 2013
  • 0
Share

This article will cover how to improve security on Joomla websites. Joomla has several security vulnerabilities. The measures recommended will harden your Joomla website, so that it doesn’t get hacked easily.

The first step is to identify your website has been hacked. Check below the symptoms of a hacked website. Hackers might not want you to notice it, as they are using your website to exploit other people, or spam emails across the world.

Symptoms of a hacked Joomla website:

  1. Malfunctioning: The Joomla website may be affected, and its functionality and design are not working property and normally.
  2. Unknown links: The hackers can install hidden links in a website to point to external websites. They could be using your website to re-direct customer to an external web page to exploit them (e.g: collect personal data).
  3. Unknown functionality: The hackers may inject some sort of script coding which will install a malware on your visitor’s computer.
  4. Google may remove the website from their search engine results for safety reasons. Traffic to the website will plummet.
  5. Hosting company might temporarily disconnect your emails or even suspend your website. Excessive spamming could cause the server IP to get black listed, hence marking even genuine emails as spam.
  6. Website gets unusually slow. This might be due to some unusual activity running on the background, slowing down your website.

8 Measures to improve the security on Joomla websites:

The following measures are some recommended security practices to improve security and protect your Joomla website.

If you are unsure about these steps, please speak with your web developer about it. Some of the steps listed below may disrupt your website if not done properly.

  1. Username: Change your Administrator username. Do not use “admin” or “administrator” as they are common user names. Use strong password. This website has a great free tool to generate strong passwords:  www.webdevelopmentmelbourne.org
  2. PHP Configuration: Make sure your configuration.php file is not writeable. This step is critical to improve the security of on Joomla websites. A writeable configuration.php file is an invitation to hackers. Through your FTP manager (eg.: Filezilla) or cPanel, you can select the configuration.php file and change the permission to the READ, WRITE and EXECUTE options.
  3. Upgrade Joomla: Always keep your version of Joomla upgraded to the latest version (we strongly encourage you to contact your web development firm to check if the upgrade will not disrupt existing custom functionality). Joomla 2.5 onwards has the upgrade API already built in it. Previous versions can be upgraded through the coding using FTP.
  4. We can hide the administrator page of your website, hence making it difficult for hackers to find your website administrator’s login page.
  5. Install a Joomla firewall. This is a highly recommended step to protect your website from attacks. Contact Light Media if you would like a Firewall installed and configured on your website.
  6. Change Permissions: Once you have a stable site, you should change all file permissions to write protected using CHMOD (644 for files, 755 for directories). Most FTP software should allow you to do this without having to use any scripts. Flex Web Hosting servers allow this protection (contact Flex Web to enquiry about these settings).
  7. Check with your hosting provider that the following PHP functions are disable on the server. They pose security risks: show_source, system, shell_exec, passthru, exec, popen, proc_open
  8. Avoid excessive number of plugins. Most plugins available are developed by beginners and without taking security into consideration. Plugins can open vulnerability on your website. Make sure you are using plugins/extensions from reputable sources and keeping them also updated.

If you need further assistance and advice on how to improve security on Joomla websites, you can contact Light Media.

Comments

Your email address will not be published.