NoNumber!


Security: some tips to secure your Joomla! site

Tuesday, 03 August 2010 10:21

(Dutch version)

Security is important. But like the locks on your house, everything you do will not make it 100% secure.

However, every lock or 'bump' that makes it harder for a cracker to hack your site is one extra step in preventing havoc.

The amount of time and money you want to invest in protecting your site is ultimately up to you. But it should be somewhat in relation to the value of the site itself.

Here are some relatively simple tips on making your Joomla! site more secure...

  • Get yourself a decent host
    Your host is a very important part of the overall security of your site. The way your host sets up the server and the software running on it (Apache, PHP, admin panel, etc.) is critical.
    Unfortunately a lot of hosts (especially the cheaper ones) don’t invest much time and knowledge in keeping things up-to-date and secure. So do some research into which hosts do offer you this.
  • Watch yourself
    Even more important in security is the person reading this: you. If you lock the door, don’t leave the key under the door mat. Don’t tell people what password you use. And don’t use the same password for everything. Don’t write your passwords down on (digital) pieces of paper that can come into the wrong hands.
  • Watch others
    If you need people to have access to your site for whatever reason, don’t give them your admin account details. Just make a (temporary) new account for them which you can remove after they are done. Don’t give them more access than they really need.
  • Make backups
    This isn’t really to increase security, but is important for if something does happen. If someone does hack into your site, you will need a way to get it back up and running. A good host will make automated backups of your database and files for you. But keep backups on your own computer too.

Now some more technical tips:

  • Change the database prefix
    By default Joomla! will create the database tables with the prefix ‘jos_’. Many URL-based attack attempts assume that the tables use the ‘jos_’ prefix.
    You can choose to change this prefix during installation. With ‘can’ I mean: You HAVE TO change this.
    Changing the prefix after installation takes some more work. See here for more on this subject:
    http://magazine.joomla.org/topics/item/108-the-prefix-has-nothing-to-do-with-telephony
  • Change the Super Admin
    By default the first user will be the Super Administrator and has user id 62. Make sure user 62 is not a Super Admin.
    You can change this number via the database, but that needs changes in multiple tables.
    An easier option is to create a new user and make it a Super Admin. Then downgrade the first user (62) to a registered user.
    Also, change the login name. Don’t use ‘admin’ for your Super Admin account.
  • Remove redundant files from your site
    There are some files in your root that are dangerous to leave there. If you get hacked then often these files are changed without you noticing.
    So remove all uppercase files in the root. The only files you really need are: index.php, index2.php, configuration.php, robots.txt and the .htaccess file.
    Also remove the templates you do not use. So remove these folders in the templates folder: beez, ja_purity and rhuk_milkyway.
  • Use the .htaccess file
    The .htaccess file has some rewrite rules to prevent common security problems regarding URL hacking attempts. Also uncomment the ‘Deny access to extension xml files’ part to enable it.
  • Stay up-to-date
    Although it is common sense to keep your site up-to-date, a lot of sites are not running the latest releases.
    So make sure you are running the latest version of Joomla!
    But also check regularly if your extensions are up-to-date.
  • Be cautious with extensions
    There are thousands of Joomla! extensions out there. And these are made by all sorts of people with varying levels of expertise. Extensions are and will stay a weak link in your security chain. Unless you are a top-notch programmer and read through all the code, you cannot be sure it is truly safe to use an extension.
    Look around a bit before installing an extension. Search through forums or Google to see if there are any known security issues with the extension.
    But also don’t install extensions you don’t need. And uninstall any you are not using anymore.
    Once installed, as mentioned above, make sure you are using the latest release.
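For the ‘Change the database prefix’ tip above, here is an added example (my own helper script, not code from the post or from Joomla!) that generates the RENAME TABLE statements for an existing database and rewrites the prefix line in configuration.php. It assumes the Joomla! 1.5 layout where configuration.php holds `var $dbprefix = 'jos_';`; the table list and the new prefix `x7q_` are constructed sample values.

```python
import re

# Constructed sample of what `SHOW TABLES` returns on a small Joomla! 1.5 database
# that also holds a table from another application (phpbb_users).
SAMPLE_TABLES = [
    "jos_users", "jos_content", "jos_session", "jos_components",
    "jos_core_acl_aro", "phpbb_users",
]

# Constructed sample of the relevant part of a Joomla! 1.5 configuration.php
# (assumed shape: `var $dbprefix = 'jos_';` inside class JConfig).
SAMPLE_CONFIG = "<?php\nclass JConfig {\n\tvar $dbprefix = 'jos_';\n\tvar $db = 'joomla';\n}\n"

# A short lowercase word ending in '_' keeps the new names valid MySQL identifiers.
PREFIX_RE = re.compile(r"^[a-z][a-z0-9]{1,7}_$")


def check_prefix(prefix):
    """Reject the default prefix and anything that is not a usable identifier prefix."""
    if prefix == "jos_":
        raise ValueError("jos_ is the default prefix; choose another one")
    if not PREFIX_RE.match(prefix):
        raise ValueError("prefix must be 2-8 lowercase letters/digits followed by '_'")
    return prefix


def rename_statements(tables, new, old="jos_"):
    """One RENAME TABLE statement per table carrying the old prefix.

    Refuses to continue if a table with the new name already exists, so a
    half-finished earlier attempt is not silently overwritten.
    """
    check_prefix(new)
    existing = set(tables)
    stmts = []
    for table in tables:
        if not table.startswith(old):
            continue  # tables of other applications in the same database are left alone
        target = new + table[len(old):]
        if target in existing:
            raise RuntimeError(f"{target} already exists; resolve that before renaming")
        stmts.append(f"RENAME TABLE `{table}` TO `{target}`;")
    return stmts


def update_config(config_text, new):
    """Rewrite the $dbprefix line of configuration.php. Returns (new_text, changed)."""
    check_prefix(new)
    pattern = re.compile(r"(var\s+\$dbprefix\s*=\s*')[^']*(';)")
    new_text, count = pattern.subn(lambda m: m.group(1) + new + m.group(2), config_text)
    return new_text, count == 1


if __name__ == "__main__":
    for stmt in rename_statements(SAMPLE_TABLES, "x7q_"):
        print(stmt)
    print(update_config(SAMPLE_CONFIG, "x7q_")[0])
```

Take a backup first, run the generated statements while the site is offline, then write the updated configuration.php. Some extensions store table names inside their own rows, so grep a dump of the renamed database for the old prefix before you call it done.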
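For the ‘Change the Super Admin’ tip, an added example (mine, not the post's) that audits the rows of the users table before and after you downgrade user 62. It assumes the Joomla! 1.5 schema, where the group is stored in `jos_users.gid` and 25 means Super Administrator and 18 Registered; the sample rows are constructed. The one check the post does not spell out is the lock-out guard: only downgrade user 62 once another unblocked Super Administrator exists.

```python
# Joomla! 1.5 keeps the user's group in jos_users.gid; 25 is Super Administrator
# and 18 is Registered (assumed from a stock 1.5 install; verify in jos_core_acl_aro_groups).
SUPER_ADMIN_GID = 25
REGISTERED_GID = 18
FIRST_USER_ID = 62
GUESSABLE_LOGINS = {"admin", "administrator", "root"}

# Run this against your own database (swap in your table prefix) to get the rows audited below.
AUDIT_QUERY = (
    "SELECT id, username, gid, usertype, block FROM jos_users "
    f"WHERE id = {FIRST_USER_ID} OR gid = {SUPER_ADMIN_GID};"
)

# Constructed sample rows, shaped like the query result on a fresh site after
# a second Super Administrator has been created but user 62 is still untouched.
SAMPLE_ROWS = [
    {"id": 62, "username": "admin", "gid": 25, "usertype": "Super Administrator", "block": 0},
    {"id": 63, "username": "site_ops", "gid": 25, "usertype": "Super Administrator", "block": 0},
]


def active_super_admins(rows):
    """Unblocked accounts in the Super Administrator group."""
    return [r for r in rows if r["gid"] == SUPER_ADMIN_GID and r["block"] == 0]


def safe_to_downgrade_first_user(rows):
    """True only if another working Super Administrator exists, so you cannot lock yourself out."""
    return any(r["id"] != FIRST_USER_ID for r in active_super_admins(rows))


def audit_super_admins(rows):
    """Findings the post warns about: user 62 still Super Admin, guessable login names."""
    findings = []
    for r in rows:
        if r["id"] == FIRST_USER_ID and r["gid"] == SUPER_ADMIN_GID:
            findings.append("user id 62 is still a Super Administrator")
    for r in active_super_admins(rows):
        if r["username"].lower() in GUESSABLE_LOGINS:
            findings.append(f"Super Administrator {r['id']} uses the login name '{r['username']}'")
    if not active_super_admins(rows):
        findings.append("no unblocked Super Administrator found")
    return findings


if __name__ == "__main__":
    print(AUDIT_QUERY)
    for finding in audit_super_admins(SAMPLE_ROWS):
        print("-", finding)
    print("safe to downgrade user 62:", safe_to_downgrade_first_user(SAMPLE_ROWS))
```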
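The ‘Remove redundant files’ and ‘Use the .htaccess file’ tips both come down to checking the site root, so here is one added audit script (my own, not from the post or Joomla!) that covers both: it lists root files outside the post's keep list, stock template folders that are not the active template, and whether the ‘Deny access to extension xml files’ block is still commented out, and it can uncomment that block. The .htaccess fragment is constructed and modelled on the shape of Joomla! 1.5's htaccess.txt (assumed; check the exact lines in your copy). The script only reports; deleting is left to you.

```python
import os
import re
import tempfile

# Files the post says a Joomla! 1.5 site root really needs; everything else is a candidate for removal.
KEEP_FILES = {"index.php", "index2.php", "configuration.php", "robots.txt", ".htaccess"}
# Stock template folders the post says to remove when they are not the one in use.
STOCK_TEMPLATES = {"beez", "ja_purity", "rhuk_milkyway"}

# Constructed .htaccess fragment, modelled on the commented-out "Deny access to
# extension xml files" section of Joomla! 1.5's htaccess.txt (assumed shape).
SAMPLE_HTACCESS = """\
RewriteEngine On
## Deny access to extension xml files (uncomment out to activate)
#<Files ~ "\\.xml$">
#Order allow,deny
#Deny from all
#Satisfy all
#</Files>
## End of deny access to extension xml files
"""

FILES_OPEN = '<Files ~ "\\.xml$">'


def xml_deny_enabled(htaccess_text):
    """True when the <Files> block for .xml files is present and not commented out."""
    return any(line.strip() == FILES_OPEN for line in htaccess_text.splitlines())


def enable_xml_deny(htaccess_text):
    """Strip the single leading '#' from each line of the .xml <Files> block. Returns (text, changed)."""
    out, inside, changed = [], False, False
    for line in htaccess_text.splitlines():
        bare = line.lstrip("#").strip()
        if bare == FILES_OPEN:
            inside = True
        # '##' lines are real comments (the section banners); only one-'#' lines are disabled directives.
        if inside and line.startswith("#") and not line.startswith("##"):
            line = line[1:]
            changed = True
        if inside and bare == "</Files>":
            inside = False
        out.append(line)
    return "\n".join(out) + "\n", changed


def audit_root(root, active_template):
    """Report removable files, unused stock templates and the .htaccess state under a site root."""
    findings = {"remove_files": [], "remove_templates": [], "htaccess": []}
    for name in sorted(os.listdir(root)):
        if os.path.isfile(os.path.join(root, name)) and name not in KEEP_FILES:
            findings["remove_files"].append(name)
    tpl_dir = os.path.join(root, "templates")
    if os.path.isdir(tpl_dir):
        for name in sorted(os.listdir(tpl_dir)):
            if name in STOCK_TEMPLATES and name != active_template:
                findings["remove_templates"].append(name)
    ht = os.path.join(root, ".htaccess")
    if not os.path.isfile(ht):
        findings["htaccess"].append("no .htaccess in the root")
    else:
        with open(ht) as fh:
            if not xml_deny_enabled(fh.read()):
                findings["htaccess"].append("'Deny access to extension xml files' block is still commented out")
    return findings


def make_sample_site():
    """Constructed Joomla! 1.5-like root in a temp dir, so the audit can be tried offline."""
    root = tempfile.mkdtemp(prefix="joomla_audit_")
    for name in ("index.php", "index2.php", "configuration.php", "robots.txt",
                 "CHANGELOG.php", "INSTALL.php", "LICENSE.php", "htaccess.txt"):
        open(os.path.join(root, name), "w").close()
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write(SAMPLE_HTACCESS)
    for tpl in ("beez", "ja_purity", "rhuk_milkyway", "mysite"):
        os.makedirs(os.path.join(root, "templates", tpl))
    return root


if __name__ == "__main__":
    site = make_sample_site()
    print(audit_root(site, active_template="mysite"))
    print(enable_xml_deny(SAMPLE_HTACCESS)[0])
```

Run `audit_root` against your real document root with the name of the template you actually use. Joomla! ships the rules as htaccess.txt; the rewrite rules only take effect once that file is renamed to .htaccess on an Apache host with mod_rewrite, which is why the audit treats a missing .htaccess as a finding.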
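For the ‘Stay up-to-date’ and ‘Be cautious with extensions’ tips, an added example (my own script, not from the post) that builds an inventory of the installed core version and every extension with a manifest, and compares it against a list of latest versions you keep from the vendors' release pages. It assumes the Joomla! 1.5 manifest root element `<install>` (also accepting the later `<extension>`) and the `$RELEASE` / `$DEV_LEVEL` variables in libraries/joomla/version.php; the extension names, versions and the temp-dir site are constructed samples.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample manifests in the Joomla! 1.5 shape (root element <install>).
# Extension names and versions are made up for the example.
SAMPLE_MANIFESTS = {
    "administrator/components/com_example/example.xml":
        '<install type="component" version="1.5.0"><name>Example</name><version>1.2.0</version></install>',
    "modules/mod_fancy/mod_fancy.xml":
        '<install type="module" version="1.5.0"><name>Fancy Module</name><version>0.9</version></install>',
    "plugins/system/cache/cache.xml":
        '<install type="plugin" group="system" version="1.5.0"><name>System - Cache</name><version>1.5.0</version></install>',
}
# Assumed shape of libraries/joomla/version.php in Joomla! 1.5 (only the two lines we read).
SAMPLE_VERSION_PHP = "<?php\nclass JVersion {\n\tvar $RELEASE = '1.5';\n\tvar $DEV_LEVEL = '15';\n}\n"

MANIFEST_DIRS = ("administrator/components", "components", "modules", "administrator/modules", "plugins")


def core_version(root):
    """Joomla! core version as 'RELEASE.DEV_LEVEL', or None if the file does not match."""
    with open(os.path.join(root, "libraries", "joomla", "version.php")) as fh:
        text = fh.read()
    rel = re.search(r"\$RELEASE\s*=\s*'([^']+)'", text)
    lvl = re.search(r"\$DEV_LEVEL\s*=\s*'([^']+)'", text)
    return f"{rel.group(1)}.{lvl.group(1)}" if rel and lvl else None


def parse_manifest(path):
    """Return name/version/type from an extension manifest, or None for other XML files."""
    try:
        el = ET.parse(path).getroot()
    except ET.ParseError:
        return None
    if el.tag not in ("install", "extension"):
        return None
    return {"type": el.get("type"), "group": el.get("group"), "name": el.findtext("name"),
            "version": el.findtext("version"), "manifest": path}


def inventory(root):
    """Every extension manifest found under the usual Joomla! extension directories."""
    found = []
    for sub in MANIFEST_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for f in files:
                if f.endswith(".xml"):
                    m = parse_manifest(os.path.join(dirpath, f))
                    if m:
                        found.append(m)
    return sorted(found, key=lambda m: (m["type"] or "", m["name"] or ""))


def version_key(v):
    """Compare '1.2.10' style strings numerically rather than as text."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v or "0"))


def outdated(found, latest):
    """Names of installed extensions older than the version in `latest` (name -> version you maintain)."""
    return [m["name"] for m in found
            if m["name"] in latest and version_key(m["version"]) < version_key(latest[m["name"]])]


def make_sample_root():
    """Constructed site tree in a temp dir holding the sample manifests and version.php."""
    root = tempfile.mkdtemp(prefix="joomla_inv_")
    for rel, xml in SAMPLE_MANIFESTS.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path))
        with open(path, "w") as fh:
            fh.write(xml)
    os.makedirs(os.path.join(root, "libraries", "joomla"))
    with open(os.path.join(root, "libraries", "joomla", "version.php"), "w") as fh:
        fh.write(SAMPLE_VERSION_PHP)
    return root


if __name__ == "__main__":
    site = make_sample_root()
    print("core:", core_version(site))
    for m in inventory(site):
        print(m["type"], m["name"], m["version"])
    print("outdated:", outdated(inventory(site), {"Example": "1.2.1", "Fancy Module": "0.9"}))
```

The inventory is also the list to work through when uninstalling what you no longer need: anything on it that you cannot name a reason for is a candidate for removal, and anything on it that vendors no longer maintain will never get a fix.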

These are just some of many tips you can apply. But I think this is a good starting point.

