Recommended Security Checks For Your Joomla Website
Website security is important but it is far more important to learn how to prevent attacks than understanding how to fix them. Joomla is a very popular content management system widely used by over 200million websites around the world as at September 2020 and accounts for about 5.7 percent of CMS marlet share accourding to W3Techs. It is also the second most installed script, after WordPress, on the Todhost web hosting platform.
Joomla! has definitely established itself as one of the most popular content management systems (CMS) in the world, powering almost 3% of the web and exceeding 100 million downloads as at September 2020 and an estimated 300+ websites are created with Joomla everyday. The popularity of Joomla increases the chances that during your day, you will most likely browse at least one website built with Joomla!. Many businesses rely on Joomla! for their web presence, but often business owners are not so knowledgeable about what they need to do to ensure that their website is secured from external exploitation and running with the latest security patches. One fundamental thing to do to keep your Joomla site safe is to use the latest and updated version of the website.
Today, we will show you some of the quick checks and fixes that will keep your Joomla website running safe on the web.
1. Change the default admin username
By default, Joomla admin username is "admin" and the admin url is yourdomain/administrator. It is important to change these two parameters to forestall primary attacks on your Joomla website. Advanced attackers would still have a way of detecting your administrator login url but this is a strongly recommended measure towards securing your website.
If someone is trying to compromise your website and they know that an account exists with the user ID of #62 or #42 which has full access to your site, this is the first thing they will attempt with any vulnerabilities - to gain access to that account so that they can log into your site with administrator privileges (and effectively do whatever they want, including defacing your site or installing malicious code).
1.1 How to deal with default administrator accounts
The best thing to do is to disable this account, and use a separate account to do your administrator tasks.
The basic rule of thumb is to have the absolute minimum number of administrator accounts that you require, and ensure they have strong passwords. If you create an administrator account for somebody to work on a part of your site, remember to disable it afterwards.
Think of the administrator account as the keys to your house which you would most definitely not want to be in the wrong hands!
If you can browse to www.mysite.com/administrator so can anybody who knows (or suspects) that your website is using Joomla! - it’s one less barrier in the way of them being able to compromise your website.
1.2 How do I hide my administrators portal?
There are several ways in which you can hide this part of your website, the most popular being to use a ‘secret word’ which must be appended to the URL in order to access the administrators login screen. An example would be www.mysite.com/administrator/?mysecretword. This way, if the user doesn’t have the secret word, they can’t even get to the login page for your administrator portal.
Admin Tools has this facility built in, or you can use any number of other extensions which provide this facility in the Joomla! Extensions Directory.
2. Keep Your Joomla Installation Updated.
This is as important as maintaining your web hosting account. If you have un-updated plugins, components, modules and other extensions, then you are surely at risk of an exploitation. Your web host will possibly suspend or place some restrictions on your account if it ceates issues for other users and these issues will likely arise from poor maintenance. Keep your installation clean and safe by updating the extensions.
2.1 How do I update?
Updating your site need not be a cause for concern, however it is important to back up your site first before you start. You can either download the patch files manually from the Joomla! website and upload these to your site using FTP, or you can use Admin Tools to update with a single click!
3. Be Mindful of Extensions you Install
Please take note that not all extensions are safe for install. We have come accross lots of Joomla extensions with issues ranging from compatibility with design frameworks to issues with Joomla versions. Some extensions and poorly developed and create issues which sometimes can breakdown your Joomla installation. You will need to verify the integrity of every plugin, module, component and any extension you wish to use before you go head wth installation. A good way to do this is to probe user experiences. Avoid extensions that you are required to write a favourable review before you can install them.
Many site compromises are due to vulnerable extensions rather than Joomla! itself - and in almost all cases the site owner has not applied patched provided by the extension developers. If a vulnerable extension is identified and reported, it is tested by security experts and added to the Vulnerable Extensions List with details of the type of vulnerability and versions affected, alongside updates from the developers of the extension. Those displayed in red have not yet been resolved.
3.1 How do I update Joomla! extensions?
Updating extensions should be a case of simply installing the new version - in Joomla! 2.5.x and later you can automatically update extensions (if the extensions support it) via the update facility.
The best way to find out about new extension updates is to sign up for the developer's mailing lists - most developers will send out an email whenever a new version is available.
4. Follow Strong Password Rules
A strong password should have at least 1 special character (|#*\), at least 1 numerical character(1256778), combine lower and upper caes characters(SDecHYnniO) and be at least 12 digits. We recommend you use the cPanel password generator and safe a copy somewhere. Nevertheless, if you forget your password, you can always rest it. Better to change and rest often than be vulnerable. These combination will help protect you from brute force attacks. You will need to keep this rule as a password attack could be very devastating.
5. Disable Error Reporting in Global Configuration.
For Joomla 3.x this is found under Global Configuration > Server > Error Reporting. Just set it to "none" This will ensure that errors do not display on your Joomla frontend.
6. Enable Captcha - ReCaptcha
To do this, you need to check two settings. Go to Global Configuration, under the site settings, enable Captcha - ReCaptcha. Then go to plugin manager and click Captcha - Recaptcha - Enter the required settings and make sure it is set to "enabled". You will need to get a site and secret key for your domain from https://www.google.com/recaptcha/intro/v3.html
7. Enable Cache on Your Website
Caching speeds up your website. We have emphasized the need for caching in several other articles in our knowledgebase. In Joomla, to enable your cache settings, go to Global configuration > System > Cache Settings and choose a preferred setting. For small and moderately sized websites, i recommend the you choose "Conservative Caching". You can choose the progressive caching for large websites.
Next, go to plugin manager and locate "System - Page Cache". Make sure it is enabled.
8. Install a HackGuard Plugin
We have found the Siteground JHackGuard to be very helpful and effective here. So, make sure you have it installed and enabled under plusin manager.
9. Maintain a Healthy Backup
Keep in mind that anything can happen and so a healthy backup would be the sure way to recover. To avoid overloading your server space, maintain not more that two recent backups. We suggest you download the backup to your local computer.
These are our recommended steps to ensure your Joomla website is safe. Let's have your comments on any additions you know could help keep Joomla safe for users.
Why Website Security So Important
We have often emphasized website security and have dwelt much on how to safeguard websites from vulnerabilities. We will again in this section provide a run down on the relevance of website security.
Website security is not necessarily the use of strong and safe passwords. It does not actually mean protecting your website username and password. There are lots of vulnerabilities that can jeopardize the security of any website. Keeping your website safe means you must block all these loopholes. Here are a couple of reason why we emphasize website security.
1. Hackers are Heartless
Website attackers are not necessarily attracted by the pecuniary benefits of gaining access to your website. They will attack you even if it is just to test their skills or test the capacity of their software. You wouldn't want to have a well designed website that has started attracting visitors and suddenly it gets defaced by an attacker. You need to take security seriously because the attackers our there are serious and heartless.
2. Websites Are Attacked From Multiple Points
An attacker does not need to get your username, password or any clue to them to be able to gain entry and cause havoc. A vulnerable plugin, module or extension is enough to cause the havoc. However, if you have built your website with plain HTML pages like Dreamweaver or Photoshop, then you will not be worrying about plugin and extension vulnerabilities.
If you have developed your website with a Content Management System(CMS) like WordPress, Joomla, Drupal or any other CMS, then you need to really worry about your website security.
Plugins Are The Biggest Risk to CMS Websites
One report by WordFence puts plugins as the biggest risk to a WordPress website. Website security experts, Sucuri, in a report on How Websites Are Hacked also noted the leading role of software vulnerabilities in putting a website at risk.
How to Avoid Plugin Vulnerabilities
According to WordFence, the following recommendation will help protect your website from plugin vulnerabilities:
Reputable plugin authors fix vulnerabilities very quickly when discovered. By keeping them up to date you insure that you benefit from fixes before attackers can exploit them. We recommend that you check for updates at least weekly. In addition we recommend that you pay attention to the alerts generated by Wordfence scans. Wordfence alerts you when your plugins need to be updated.
Don’t use abandoned plugins
You are relying on the plugin developer to insure that their code is free of vulnerabilities. If they are no longer providing updates there is a high likelihood that there are vulnerabilities that have not been fixed. We recommend avoiding plugins that have not been updated in over 6 months. For plugins you have already installed we recommend you conduct an audit at least quarterly to make sure none of your plugins have been abandoned by their authors.
Only download plugins from reputable sites
If you are going to download plugins somewhere other than the official WordPress repository, you need to make sure the website is reputable. One of the easiest ways for attackers to compromise your website is to trick you into loading malware yourself. An attacker will do this by setting up a website that looks legitimate and getting you to download a compromised or ‘nulled’ plugin.
WordFense also recommends the following tips to help determine whether a site is a reputable source or not:
Eye Test – Is the site itself professionally designed and uses clear language to describe the product? Or does it look like it was thrown together quickly by a single individual?
Company Information – Does the site belong to a company with the company name in the footer?
Contact Info – Do they provide a physical contact address on the contact page or in their terms of service?
Domain Search – Google the domain name in quotes e.g. “example.com“. Do you find any reports of malicious activity. Add the word ‘theme’ or ‘plugin’ next to the quoted domain name in your search and see what that reveals.
Name Search – Do a Google search for the name of the plugin and see if any malicious activity is reported. Add the phrase “malware” or “spyware” to the search which may reveal forums discussing a malicious version of the theme being distributed.
Vulnerability Search – Do a search for the theme or plugin name or the vendor name and include the word “vulnerability”. This will help you find out if any vulnerabilities have been reported for the product you’re interested in or for the vendor. If they have fixed the vulnerability in a timely manner, that usually indicates they are a responsible vendor who is actively maintaining their product when problems arise.