10 Tips to secure your Joomla Site
Joomla is undoubtedly one of the best CMS available in the market. As more and more websites have started using Joomla, its important that the site is configured properly to prevent any security compromises. We have compiled 10 security tips to secure your joomla website.1. Change the Default Database Prefix (jos_)
While installation, change the default database prefix to something random. This will prevent most of the SQL injection attacks as hackers try to retrive superadmin details from jos_users table.2. Disable FTP Layer
While installation, dont enable the FTP layer as it opens up a potential security hole since your FTP details are stored in plain text under a Joomla! configuration file. FTP layer is not required if your hosting is secured and configured properly for Joomla.3. Change superadministrator username and Password
After installation, change the username for the super-administrator. By default, its admin. So change it something like ravi.chamria so that the username/password combination becomes difficult to guess or crack.
Always use strong password for the administrator accounts. An example of strong password is E@^M!$<9@k. You can use sites like www.strongpasswordgenerator.com to generate a strong password.
A good addition is to password protect the administrator folder. In apache web server, you can do this htaccess file or in cpanel, you can use Password Protected Directory option to setup a password. This will add another layer of username/password before someone reaches your Joomla admin details. Needless to say, have this password different from Joomla admin password.4. Restrict Administrator Area
You can restrict administartor area (http://domain.com/administartor/
)access using .htaccess. Always better to give access only to trusted IPs.5. Enable SEF URLs
Most hackers use the Google inurl: command to search for a vulnerable exploit. So enable SEF urls from site configuration if you are using Joomla 1.5. You can also use extensions like SH404SEF for both Joomla 1.0 and Joomla 1.5. This will prevent hackers from finding the exploits as well as benefit you in SEO perspective.6. Upgrade to latest release of Joomla
Always upgrade to the latest release of Joomla as soon as possible. The current release is 1.5.26. You can subscribe to http://www.joomla.org/announcements/
Always download Joomla! from official sites, such as the Joomla! Forge, and check the MD5 hash7. Third party extensions
There are more than 4000 extensions available for Joomla many of which are non-commercial. But dont take this as an opportunity to install unnecessary extensions on your website. Remember that most hacking attempts occur due to vulnerability in these extensions. So, always use extensions which are popular, has strong community backing and development process. You can see the list of vulnerable extesions at: http://docs.joomla.org/Vulnerable_Extensions_List8. Proper file/folder permissions
The proper file/folder permissions for your joomla website is:
* PHP files: 644
* Config files: 666
* Other folders: 755
You can change permission of the files and folders using your FTP client or Web Admin Control Panel.9. Setup a backup and recovery process
Always rely on a strong backup and recovery protocol for your live website. Its not just hacking that may compromise your website but other factors like a faulty upgrade or extension install, hardware failure, hosting provider issues. You can use JoomlaPack, a non-commercial component native for both Joomla 1.0 and 1.5 for backup.10. Update Joomla regulary
When ever Joomla releases patches and updates, apply immediately. Also follow the security guidelines published by Joomla.