How to secure an outdated version of Joomla
It may be surprising to you to learn that more than 90 percent of the Joomla websites running on the web are outdated.. One report has it that more than a half of the top sites running on Joomla are still using Joomla! 1.5 versions. That could be attributable to the challenge on updating to a major version release, like moving from Joomla 1.5 to version 2..5 or 3.5. But running on old versions of Joomla carries security risks and should be avoided, we must strictly advice. In this post, we offer some tips that can help improve the security of your Joomla website that still run old Joomla! versions for some reasons.
What Should You Do First?
Many of the sites we have found to be running on old Joomla versions and using Joomla 1.5, 2.5 or earlier viersions of 3.5 series do not only run on that old version but are not updated to the latest minor version. For eample, you will find that most of the sites running on Joomla 1.5 do not even run the latest minor version of 1.5.26 . The sites are still running 1.5.12 or even 1.5.3. If you are among them, you should immediately update your site.
Joomla.org has closed access to 1.5.x downloads, so for those who have not yet decided to migrate to 2.5.x or 3.x, that can be a major problem.
If you are still using an old version of Joomla, then perhaps your site is already under vulnerable to attacks. You can use this free site check tool from Sucuri to check your site for known malware..
One of the serious security holes, which was closed since Joomla 1.6 and higher - default database prefix (jos_). Thus, the attacker always knows how tables are called in your database. In addition if one of the components installed on your site has a flaw that allows an SQL injection you will be hacked. To prevent this, change the jos_ prefix to any other. Do not forget to make changes in configuration.php file after you changed the prefix too.
After you have made changes to the configuration.php, it is not superfluous to impose restrictions on access to the file. This can be done setting putting permissions to 444.
Another security lack of Joomla 1.5 version is impossibility to change default super admin username and id. Therefore, you have to do it manually. Create another super admin (be sure to set username that is not so simple to guess – administrator, root, etc. are bad examples; password should be strong too – we recommend to use password generator to create a strong password. Login with your new super admin and block/delete super admin with ‘admin’ username.
Another step that should be done to protect the access to the admin panel of Joomla! is change the path to the panel, or block access using .htaccess file. A positive side effect here is that an attacker will not find out which CMS you have on your site, as admin panel did not respond from its usual place.
Another flag, which can help hackers identify what Joomla version is used on your site is meta tag "generator". If an attacker can determine CMS installed on your site and its version, it is not a hard task to find a ready-made exploit, simply by asking Google. For security reasons do not promote that your website is built on Joomla! and its version.
On previous steps we have mentioned the use of .htaccess file. This file is part of the standard package of Joomla! All you have to do is to rename htaccess.txt to .htaccess. But please note you should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache http server. Any directive that you can include in a .htaccess file is better set in a Directory block, as it will have the same effect with better performance.
Joomla! community has produced advanced master .htaccess file that can help prevent unauthorized activity on your site. However, be sure that you know what you do as some extensions that use non-standard entry points can stop working. Make sure you have read documentation carefully.
When you restore hacked site, you will often see that malware scripts have been hidden among long list of files, expecting that it is harder to find them. These are called backdoors. Therefore, it is a must that you track useless files on your server and delete them. It is also true for Joomla! extensions that you do not use anymore. If you do not update your extensions periodically, there is high chance that hackers will use security flaws that has become publically known and fixed in the latest versions.
Follow Best Practices
Many Joomla! developers and administrators are not aware that Joomla! has its own constantly updated Security Checklist. There you will find the most relevant information from community regarding development, testing and administration of Joomla! site. And this site for sure should be placed in your bookmarks.
If your site have been hacked or defaced, the first thing you should do is to check action list. And after that try to get things fixed. If you haveissues, tr to contact your web hosting firm for help. If you are a client of Todhost, use our client area support portal.
However, all of the mentioned steps are only temporary measures, by which you will get some extra time in battle with hackers. Get ready to migrate your site to the latest Joomla! version as a best security measure.
Please, do not underestimate the importance of the above security steps. We already had to deal with several severe hacker attacks due to failing to follow some of those tips.
Best Practices for Joomla Security
Even if you run the latest version of Joomla, there is still need to follow some best practices to add extra security to your Joomla website. Now here are some of the tips you should kkeep in mind and implement on your website to stay secure.
Joomla security is important as attacks increase following an increase in Joomla popularity As of September 16th, 2019, Joomla powers 2.8% of all websites online. Among open-source CMS platforms, it maintains a 4.9% market share.
While that number may sound small, that’s still a lot of sites. It’s important to realize that attackers will not discriminate when it comes to a website’s size or the CMS they’re using. Malicious users are prone to launch large-scale attempts in order to exploit a vulnerability.
Joomla Security Checklist
So here are 12 best practices to improve Joomla! security:
1 – Update your Joomla Core & Extensions
A tale as old as the internet: update everything! Using outdated software significantly exposes a website to risk. It not always easy to upgrade to the latest version of Joomla, but it’s a risk you need to be aware of, first and foremost.
In most releases, Joomla fixes some security issues. If you don’t upgrade your website, you’re likely keeping a vulnerability around to be exploited by bad actors.
Here is some guidance on where to find out which Joomla version your site is running:
Core: Login to Dashboard > System > System Information
Extensions: Login to Dashboard > Extensions > Manage > Manage
Joomla can notify when a vulnerability is discovered in the core file system or within an extension.
2 – Use It or Lose It (Extensions/Templates)
Joomla is an open source technology, meaning the code is public and anyone can contribute. Many of the extensions or templates are produced in the same way. This leads to some unfortunate issues. Not every extension is built with the same attention to security.
New features and better tools are always fun to work with. However, installing an extension can introduce threats in your website environment. Make sure the extensions you’re using are trustworthy and recently updated. You want to know the developer is actively maintaining the extension.
Similarly, keep checking for updates to ensure you have the latest version on your Joomla website.
If you stop using an extension or template, remove it. It doesn’t make sense to keep a plugin that may have a vulnerability and cause damage your website. Less code = less potential problems.
If you cannot keep your Joomla installation updated for any reason, use a website firewall to virtually patch vulnerabilities and shield the website from exploits.
3 – Hide the Joomla Admin Panel
The Joomla administrator URL should be changed to prevent attackers from getting in. By default, Joomla users log in to:
Attackers can gain unauthorized access by launching brute force attacks against the /administrator URL. These attacks can guess thousands of passwords in minutes.
There are free Joomla security extensions such as AdminExile that you can use to append the default administrator URL with a unique string for strengthening.
Caution: We recommend testing in a development environment, as renaming the administrator URL can break some functionality in some sites if not implemented correctly.
4 – Use Strong Access
We encourage users to keep all access points secured and change default settings.
In the same way that an attacker would presume to try the “administrator” URL, they’ll likely test a common brute force tactic: Use of admin as the username
The best practice is to change the default username from admin to something unique. This can be accomplished from the User Manager area within Joomla.
You should also use strong passwords. Password managers are excellent tools to maintain and generate long, complex password combinations. Just remember not to use the same password multiple times. Unique, long, and complex is key!
5 – Enable Multi-Factor Authentication
Multi-factor authentication is an extra layer of security beyond your password. To log in to accounts, this feature requires something extra to verify the user identity – usually a 6-digit code sent to an email, text, or time-based authentication app.
2FA (two factor authentication) is the most common multi-factor authentication method and Joomla supports the use of Google Authenticator just for this purpose.
To take advantage of the 2FA feature, you’ll need to use Joomla 3.2.0 or higher.
Here’s how you enable 2FA in Joomla:
- Login to your Administrator Panel
- Go to Components, then Post-Installation Messages
- Click on Enable two-factor authentication.
- You will be taken to your user profile page
- Install a Google Authenticator client for your device
- Scan the QR Code with your phone via Google Authenticator
- Go back to Activate Two-Factor Authenticator field and enter the six digit code seen on your phone.
- Click on Save & Close.
If you no longer have the Post-Installation Messages, you can navigate directly to your user profile page then to the Two-factor Authentication tab to continue the process.
If the Two-Factor Authentication tab doesn’t display, it’s possible that the associated plugin hasn’t been enabled. Go to the Plugin Manager and find the two-factor plugin for Google Authenticator. Enable it, then return to your user profile page and try again
6 – Practice the Principle of Least Privilege
Remember that Joomla offers three distinct permissions groups:
- Have the least access to the back end of Joomla.Managers can create and edit categories and articles.
- They have access to the media manager and can upload and remove media. Managers cannot install or remove extensions.
- Have all the rights Managers have, along with a few additional permissions.
- They also have access to User Management, Menu Manager and Extension Manager. However, Administrators don’t have access to Global Configuration.
- Super Users
- Have complete access. They have all the rights of Managers and Administrators, along with access to the Global Configuration.
- Only Super Users can add, edit, and remove Super Users.
It is important that you distribute these roles carefully to your group of users. Anyone with a Super User is able to perform every action within your Joomla system.
If you delegate tasks to a team member that requires fewer permissions, grant the minimum access required.
Note: The principle of least privilege also applies to your file and directory structure. Never set a file path with CHMOD 777 permissions.
7 – Use It or Lose It: Redux (Users)
Old, unused accounts are another attack vector to be aware of.
It’s common for website to generate a growing number of Super Users & Administrators. This happens with old developers who have access to a website even after leaving the project.
You may have forgotten that you set up a temporary account so a developer could debug a problem you are having with one of their extensions.
These scenarios can lead to a hacker successfully brute forcing their way into the account to distribute malware.
So, what’s the best way to avoid this?
Go to your User Manager, and filter by administrators and super administrators.
Then delete (or modify) accounts that no longer require high-level access.
Remember: someone you once trusted with Super User access could come back with nefarious intentions.
Its extremely important that once a certain access is no longer needed, it is immediately revoked. This applies to every type of access that is granted.
8 – Monitor Your Site
Visibility is key. It’s important to install tools or procure a vendor to help you achieve visibility into your website environment. Monitoring offers an early warning system for indicators of compromise. The solution you choose should perform the following functions.
Integrity checks: File integrity monitoring tools should normally be installed on a server where they can create a baseline of your files. If a file or record is modified in any way, you’ll receive a notification of the changes.
Website auditing: Auditing tools give you visibility into user activity on the website. As the administrator of your website you should be asking questions like these:
- Who is logging in my Joomla website? Should they be logging in?
- Why are they changing that post?
- Why are they logging in when they should be sleeping?
- Who installed that plugin?
- Why are they taking that action?
We cannot stress enough the importance of logging activity. Use a tool that logs and alerts you of any actions taken on your website. This can help you identify the initial break in, even before the bad actors inject their malicious payload.
9 – Have Joomla! Backups
Maintaining website backups is one of the most important recurring tasks for a website administrator.
A good set of backups can save your website when absolutely everything else has gone wrong. If a malicious attacker decides they want to wipe all your site files or corrupts your site files with their buggy scripts, the damage can be undone simply by restoring your site from your backups.
One of the most popular backup tools for Joomla is Akeeba.
10 – Use HTTPS / SSL
With an SSL certificate, your website will use the HTTPS protocol to securely transfer information between point A (browser) and B (web server).
This is crucial when communicating sensitive information like credit card data on checkout pages and Personally Identifiable Information (PII) on login and contact forms.
In addition to security benefits, Joomla websites using SSL get better rankings on Google and improved performance through the use of HTTP/2. It’s also important to understand that SSL does nothing protect your website from being hacked. It protects data in transit, and is very important for ecommerce websites.
11 – Use a Joomla Web Application Firewall
A Joomla! Web Application Firewall (WAF) is essential for any Joomla! website to protect from DDoS attacks and the OWASP vulnerabilities.
By detecting and stopping known hacking methods and behaviors, a WAF keeps your site protected against infections in the first place. It will also quickly block against an attempt to exploit vulnerabilities in extensions and templates; even emerging exploits (called zero-days).
Most WAFs will offer caching for faster global page speed. This keeps your visitors happy and is proven to lower bounce rates while improving website engagement, conversions, and search engine rankings.
12 – Restrict Public Access
Additionally, you can also restrict access to the /administrator directory (or any other file path) to only select IP addresses. To find your IP, try What Is My IP.
If there isn’t a file named “.htaccess” in the /administrator directory, create one. Then just add the following lines at the end of the .htaccess file:
Deny from ALL. Allow from [insert whitelisted IPs here]
If you’re using a cloud-based WAF, you should also add the IPs from the firewall vendor to ensure traffic is filtered and the WAF can communicate with your server.
Stay vigilant and eep in touch with updates in Joomla. Is there any practice we missed, do let us know in the comment box.