PDA

View Full Version : Enhancing Joomla Security



Max
December 28th, 2009, 01:31 PM
At Hostek.com, we maintain security on our servers at an optimal level. If you are running Joomla, there are some additional things you can do to increase the security for your individual site.

Rename the Joomla admin account
One of the simple things you can do to harden the security of your joomla website is to rename the Joomla admin account and having a strong secure password

Secure configuration.php file
Make sure you configuration.php file is not writeable! If this file is writable the attacker can potential comprise your site. You can make this non-writable from within Joomla. Go to Site > Global Configuration, Click on the Make Non-Writable after saving checkbox and Save. Any changes after this would require you to click the Overrite write protection while saving checkbox.

Additionally, save your configuration.php and other configuration files outside of public_html directory. On our Linux hosting, you can save these files in your home directory (parent directory of pubLic_html) and access the files using a php function:
require_once('../configuration.php');
However if you decide to keep your configuration files within the public html directory, create a password protected subdirectory and store them there.

Stay on top of Joomla releases
Make sure you are always running the latest version of Joomla. Each release hardens security and fixes vulnerabilities and exploits.
If there are any additional Components, modules or templates that you have installed, periodically check for any available updates.

Secure file permissions
Once you have a stable site, you should change all file permissions to write protected using CHMOD (644 for files, 755 for directories). Any good FTP software should allow you to do this without having to use any scripts. If you require scripts follow this FAQ. You can also use the Global Configuration to apply the default permissions to all files and folders. Go to Site > Global Configuration > Server tab. Scroll down until you find File Creation. Click on CHMOD new files to 0644, and CHMOD new directories to 0755, and click on the Apply to existing files checkbox to run this setting on all your current files. Once this is done, make sure that the configuration.php file is still unwriteable. If it is Writeable, click on the Make Unwriteable after saving to make it not writeable

Unnecessary Files
-Remove unnecessary files/components/modules/templates
If there are files are any files, components, templates or modules that are not being used, remove them!

Additional tools:
JDefender - http://joomlaequipment.com/content/view/2/5/

Ultimate Joomla Protection. Component that protects Joomla from Flood, PHP Injections, MySql Injections for any component.

Joomla Diagnostics - http://www.joomla-addons.org/joomla-tools/joomla-diagnostics.html

Joomla Diagnostics is a tool that allows you to scan your Joomla installation for core changes. It compares file hashes of your local Joomla installation to the default Joomla installation hashes. If these hashes are not the same, it will display a list of files that did not match.
With Joomla Diagnostics you can easily scan your Joomla install for core changes or see if your Joomla installation was uploaded successfully.

Joomla Tool Suite - http://joomlacode.org/gf/project/jts/

Security check for your Joomla site