15 Best Practices for Joomla Website Security
Many organizations are under the impression that implementing all the latest innovations on their Joomla site makes it resilient to any kind of cyber attack. But the question is: are the measures good enough? Is modern technology implementation enough to protect the privacy and confidentiality of data? Unfortunately, the answer is no!
And the recent attack on the Federal Depository Library Program’s (FDLP) website is proof. Despite being built on Joomla and despite having all security measures in place, the US Government Publishing Office site was hacked – which proves that when it comes to Joomla security, there is still a vast scope for improvement.
Below, we have detailed some 15 tips to keep your Joomla site secure
1. Follow basic security practices.
Use robust login credentials with uncommon passwords to make it difficult for hackers to gain access to your Joomla site. If possible, incorporate two-factor or multi-factor authentication to improve security posture further.
Here is a guide to password protection.
Adopt Long Passphrases
For years, businesses and individuals have adopted the practice of combining numbers and symbols to create stronger passwords. However, it didn’t take long for cyber criminals to catch on to the practice of substituting some letters in the word with certain numbers or symbols, like ‘e’ with ‘3’ and ‘s’ with ‘$’. There are many automated tools out there that will easily crack simple substitutions like that.
To mix things up even more than substituting special characters, the US National Institute of Standards and Technology (NIST) recommends creating long passphrases that are easy to remember but difficult to crack. According to Special Publication 800-63 Digital Identity Guidelines, a best practice is to create passwords of up to 64 characters including spaces. The popular web comic XKCD compared the strength of a complex password—”Tr0ub4dor&3”—and a long passphrase—“correct horse battery staple”. They found that it took only 3 days to guess the password created in with special character substitutions, while the passphrase would take 550 years to crack.
Avoid Periodic Changes
A popular password security practice over the years has been to force users to change passwords periodically. However, more recent guidance from NIST advises not to use a mandatory policy of password changes. One reason is that users tend to transform their old passwords or just repeat ones they had used before. You can implement policies to prevent password re-use, but users will still find creative ways around it. The other consequence of frequent password changes is that users are more likely to write the passwords down to keep track of them. While they comply with company policy, their passwords are still easy to guess or crack. Thus, a best practice from NIST is to ask employees for password change only in case of potential threat or compromise.
Create Password Blacklist
Hackers usually start their attacks with attempts to guess a password by using a database of the most popular passwords, dictionary words, or passwords that have already been cracked. NIST encourages enterprises to also arm themselves with these sources of common passwords in order to create their own blacklist. Comparing new passwords to this list, enterprises can prevent the usage of weak passwords by employees. Moreover, it is quite effective to add a limit on the number of failed login attempts in order to detect and reject brute force or dictionary attacks.
Implement Two-Factor Authentication
Two-factor authentication has already become a de facto standard for managing access to corporate servers. In addition to traditional credentials like username and password, users have to confirm their identity with one-time code sent to their mobile device or using a personalized USB token. The idea is that with two-factor (or multi-factor if you want to add additional factors) authentication, guessing or cracking the password alone is not enough for an attacker to gain access. This type of authentication is effective for enhancing identity validation when employees try to access critical endpoints, sensitive data, or confirm transactions and other critical actions. For these purposes, you can use user monitoring solutions like Ekran System with in-built two-factor authentication options. Such solutions will also keep you updated about user’s activity on your business network.
Add Advanced Authentication Methods
While passwords are still widely used for authorization, there is an increasing tendency to shift to non-password based, advanced methods. Instead of passwords, users can be authenticated through the use of biometric verification—like logging in to an iPhone using a thumb print with Touch ID or authenticating on a Windows 10 PC just by looking at it with Windows Hello facial recognition. This method allows the system to identify employees by recognizing their faces, fingerprints, voices, irises, or heartbeats. Moreover, there are also behavioral biometrics that create a unique profile of each user by analyzing their interactions with the system (typically used applications, unique keystroke and mouse dynamics).
Apply Password Encryption
Encryption provides additional protection for passwords even if they are stolen by cyber criminals. There is a popular tendency to use reversible encryption or apply only one-way encryption. However, these methods are ineffective—if an attacker obtains the password database they can easily crack and compromise the passwords it contains. Instead, the best practice is to consider end-to-end encryption that is non-reversible. In this way, you can protect passwords in transit over the network. Moreover, it’s dangerous to store password files in a plain text. There are many cases where hackers have compromised an enterprise’s password database and walked away with unencrypted passwords.
Protect Accounts of Privileged Users
Accounts of privileged users require additional protection as they provide access to sensitive data and other privileged actions. The best practice is to provide these users with a different login URL and allow only a single sign-on attempt. In case of a failed login attempt, you can lock out a privileged account in order to prevent unauthorized access.
Ensure Secure Connection
Nowadays, there is a wide range of devices and places that can provide access to your corporate networks. However, hackers can easily steal passwords if employees use unsecured Wi-Fi connections or devices that don’t belong to them. For securing your Wi-Fi network, you can use a Wi-Fi Protected Access (WPA) 2 that applies stronger wireless encryption methods than its predecessor.
If you have remote workers, you can consider providing a secure VPN connection. After authentication to which, users can securely connect to corporate servers, as all the traffic is protected through a VPN tunnel.
2. Customize, but don’t overdo it
It is natural for you to want to customize your Joomla site based on the needs of your business. But when extending your site, make sure to use only trusted third-party extensions that comply with standard security requirements.
3. Delete unused and unwanted extensions
Joomla makes it very easy for you to install as many modules and extensions as you want. Therefore, constantly revisiting your add-on list is important to delete unused, unwanted, and insecure add-ons and maintain the functionality of your site.
4. Have strong access control measures in place
You might want to provide seamless access to your Joomla site to all your users. Despite the temptation, build strong access control measures that only allow authorized and approved users to edit or share content.
5. Use appropriate file permissions
In addition to access control, having appropriate file permissions is a great way to restrict read, write, and execute access to Joomla files and folders.
6. Restrict access to the admin page
Another measure you can take to improve the security of your Joomla site is by restricting access to the admin page. Make sure to password-protect the admin page and allow only users from your IP address to access the admin page.
7. Implement a robust firewall
Having a robust firewall in place is a great way to constantly monitor access, ensure a basic level of cyber protection, block malware, and viruses and keep hackers out of your network.
8. Install SSL certificate
No matter what kind of Joomla website you have, installing an SSL certificate can protect your confidential data, affirm your identity, comply with the required regulations, and improve end-user trust.
9. Periodically backup data
Have a reliable disaster recovery strategy in place, so when things go wrong, you can quickly and easily restore your site – without impacting business operations or customer experience.
10. Implement powerful security extensions
There are several security extensions available in the market that can help you improve the security level of your site. Implement them on your Joomla website to fight against spam, known vulnerabilities and common brute force, SQL injections, and DDoS attacks.
11. Harden PHP
Given that Joomla is built using PHP, hardening it is a measure that is highly recommended. Hardening PHP can allow your Joomla site to operate in a safe mode, which means better management of permissions and stricter rules for editing.
12. Make your site search-engine friendly
Security is no longer just your headache; search engines, as well as customers today, demand a high level of security. Making your Joomla site search-engine friendly requires you to take certain security measures, so it becomes difficult for hackers to install malicious code, glean credit card data or pull down your site completely.
13. Ensure secure hosting
Irrespective of whether you are hosting the Joomla site on your internal data center or in a private or public cloud, make sure necessary security measures are implemented that reduce the likelihood and impact of an attack.
14. Update and patch
Since Joomla constantly works towards improving the level of in-built security, make it a habit to implement the latest updates and patches to safeguard your Joomla site from new and improved attacks.
Irrespective of the precautions you take to enable and ensure the security of your Joomla site, monitoring the site 24/7 is indispensable. Use tools for continuous monitoring, get alerts the minute an anomaly is spotted and take immediate corrective action.
Given the fantastic capabilities, Joomla is one of the most downloaded content management systems in the world. Unfortunately, it is this popularity that also makes Joomla vulnerable to attacks and breaches. Embracing best practices is the only way you can protect your Joomla site against attacks and ensure the safety and security of your business and your customers.