Even if you think your site has nothing worth stealing, there are certainly tens of attempts against it every day that you are not even aware of. A lot of so-called "script kiddies" run automated intrusion attempts against lists of sites, lists that may include your website. Securing your Joomla website is a blend of careful planning, making sure you run the latest software versions, and always keeping up with the latest community announcements. The tips below help you secure your website and give you better protection against attackers.

The '90s supposedly made the world a better place for all of us. Most of us who are now in our late 20s and early 30s witnessed the dawn of the Internet, mobile phones and MC Hammer.
In 1995, two iconic movies were released, giving the modern outlaw a new shape and purpose. 'The Net' and 'Hackers' perfectly depicted the conflict between new technology and new risks. Apart from the fact that we all remember the sexy, short-haired version of Angelina Jolie and the young, fresh Sandra Bullock, these two blockbusters introduced the world to a new type of villain: the hacker.

So, what is a hacker? A super nerdy kid who has constantly suffered from being bullied, finding peace and comfort in RPGs, 4chan boards and hentai? Or an intelligent young man, underpaid, unappreciated, possibly still single? The truth is somewhere in between; hackers come in all shapes, sizes and backgrounds. They can be the quiet dude in Chemistry class who is a real riot on IT forums, or the chubby part-timer at Starbucks, intentionally misspelling your name on the cup because he got bored. They can even be the 30-year-old virgin, still living with his parents after dropping out of high school. These are merely a few of the stereotypes Hollywood uses to portray hackers, but the truth is that anybody with an Internet connection and basic to medium IT&C knowledge can find the back door to your website. You don't have to be a genius to learn a few things about how they work, especially since websites are getting easier and easier to build and manage.

Browsing the web, you will notice that people categorise hackers according to their skill level or their benevolent or malevolent intentions (for more information, see these descriptions: http://www.secpoint.com/types-of-hacker.html).
After looking at the above categories, a question arises: can we always tell the difference between white hats and black hats? For example, if someone shows up on your virtual doorstep and tells you they have just breached the security of your website, should you really alert the authorities, or invite them in, offer them a cup of tea and start talking about how you could improve your site's vulnerable parts? Admittedly, many hackers out there don't just test security levels for fun; their main focus is how many accounts they can render penniless. Theft is theft and should be punished accordingly; however, the modern interpretation of the Robin Hood concept seems to fall into a rather grey area. This is true mostly because the victims of hacker attacks or cyberterrorism are people or organizations that do not have a clean agenda.

If you are the administrator of a Joomla! website, your security concerns can largely be addressed by following a few basic principles:
  1. When looking for components, free or paid, make sure you use a trustworthy source, such as well-established software developers. Downloading random kits from dodgy or warez-type sites is risky and in most cases results in trojan infections or code alterations that turn your site into an easy target.
  2. Pay extra attention to whom you assign the task of site development. If you run a small online business and cannot afford to pay someone on a regular basis to be your web developer, carefully study the options on freelancer sites. Some people may not finish the task, others may modify the original code so much that you end up spending more resources fixing the resulting issues, or you will not be able to update you Even though dedicated professionals may ask for more significant compensation, making your website bloom should remain your top priority!
  3. Before setting up your live website, always test your extensions on a separate server, ruling out potential bugs and time-consuming complications on the live server. Ideally, this step should be completed by an experienced developer; however, if you have the required knowledge, you can do it yourself and save time and money.
  4. Properly configure your database and file permissions - 755 is the magic number. For a more technically accurate to-do list, see the official Joomla! security documentation: http://docs.joomla.org/Security_Checklist/Hosting_and_Server_Setup
  5. Always schedule regular backups! Some hosting providers offer backup services as a bonus with your monthly subscription, and you can customize the interval between two backups. Choosing your hosting provider wisely is perhaps one of the most important aspects of security.
  6. Blacklist the IPs that are hammering your website and making your site's traffic heavy and sluggish.
  7. If you host your site on a VPS, consider using an intrusion detection system like OSSEC.
  8. Stay in touch with the community - check joomla.org and vel.joomla.org regularly for any updates on the CMS or reported vulnerable extensions. Just yesterday we found a security hole in two popular OpenCart extensions and reported it to the VEL.
  9. Password-protect your administrator folder. On most installations this is no problem, since most extensions don't access backend URLs from the frontend. This measure alone will reject more than 70% of scripted attacks.
  10. Always, and I mean ALWAYS, keep your website updated, from the CMS version to components, templates and so on. Older versions rarely have their support period extended, which makes them obsolete. For the process to run smoothly, any modifications performed on the live site need to be clean and simple, using separate scripts and files for components and Joomla! updates.
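Tips 4, 6 and 9 map directly onto host configuration, so here they are as an added example in POSIX shell; this is not code from the article. It assumes a Linux host running Apache 2.4 with AllowOverride enabled for the site, an .htpasswd file kept outside the web root, and the IP addresses shown are constructed placeholders. One caveat on tip 4: in the Joomla checklist the article links, 755 is the mode for directories while regular files get 644, so the script applies both and then counts anything still writable by "other", which is the condition that turns a writable upload or cache directory into a foothold.

```shell
#!/bin/sh
# Added example, not code from the article: tips 4, 6 and 9 as shell
# functions for a Linux/Apache host. Assumptions not stated in the article:
# Apache 2.4 with AllowOverride enabled, .htpasswd stored outside the web
# root, and placeholder IP addresses.

# Tip 4: 755 for directories, 644 for files (the Joomla checklist values).
# A 755 or 777 file is a finding, not a goal.
fix_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Audit helper: count entries still writable by "other" (mode bit 002).
# Prints 0 on a correctly permissioned tree.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Tip 9: HTTP Basic auth in front of administrator/. Scripted login
# attempts are rejected by Apache before they reach Joomla's login form.
write_admin_htaccess() {
    site_root="$1"
    htpasswd_file="$2"
    cat > "$site_root/administrator/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted administration area"
AuthUserFile $htpasswd_file
Require valid-user
EOF
}

# Creates the credential file with a bcrypt hash (-B). htpasswd(1) ships
# with Apache's utilities (package apache2-utils on Debian/Ubuntu).
create_htpasswd() {
    htpasswd -cbB "$1" "$2" "$3"
}

# Tip 6: deny listed client IPs in the site's root .htaccess. The block is
# appended between markers so Joomla's own rewrite rules are kept; running
# it again replaces the previous block instead of duplicating it.
append_ip_denylist() {
    site_root="$1"; shift
    htaccess="$site_root/.htaccess"
    [ -f "$htaccess" ] || : > "$htaccess"
    # drop an earlier marker block, if any (temp file keeps sed portable)
    sed '/^# BEGIN ip-denylist/,/^# END ip-denylist/d' "$htaccess" > "$htaccess.tmp" \
        && mv "$htaccess.tmp" "$htaccess"
    {
        echo "# BEGIN ip-denylist"
        echo "<RequireAll>"
        echo "    Require all granted"
        for ip in "$@"; do
            echo "    Require not ip $ip"
        done
        echo "</RequireAll>"
        echo "# END ip-denylist"
    } >> "$htaccess"
}

# Stand-alone use (nothing runs unless JOOMLA_ROOT is set):
#   JOOMLA_ROOT=/var/www/site HTPASSWD_FILE=/etc/apache2/.htpasswd sh harden.sh
if [ -n "${JOOMLA_ROOT:-}" ]; then
    fix_permissions "$JOOMLA_ROOT"
    echo "world-writable entries left: $(count_world_writable "$JOOMLA_ROOT")"
    write_admin_htaccess "$JOOMLA_ROOT" "${HTPASSWD_FILE:-/etc/apache2/.htpasswd}"
fi
```

Run count_world_writable before and after fix_permissions to see what the change actually touched; a non-zero count after the fix means something outside the tree (a symlink target, a mount) still needs attention. As the article notes for tip 9, the Basic auth prompt only breaks extensions that call administrator URLs from the frontend, so test those after enabling it; and the deny block belongs at the end of the root .htaccess precisely so that Joomla's rewrite rules above it are left untouched.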