Securing Joomla

Last time I blogged about penetration testing and how it can help protect your online platform. A pen test takes real effort, so everyone has to decide for themselves whether it is worth it on a smaller site. What you absolutely need to do, however, is secure your Joomla installation, which is also called hardening.

Joomla is, after WordPress, the second largest Content Management System (CMS), with about 68 million installations. That alone is reason enough to harden your Joomla installation. There are a lot of bad guys who want your website, either to deface it, to use it as a spam delivery platform, or to attack other systems through your CMS. All of this is an experience you do not need, just believe me.

Update your CMS with security patches

Keeping every piece of software current with the latest security patches is one of the main concerns of computer security, and Joomla is no exception. Visit the admin page regularly; I would suggest a weekly visit to /administrator/.

If Joomla notifies you that an update is available, install it.

If you log in at the administrator page, you will see this message on the left side:

joomla asks for update

If you click on the entry, you will get a new page with a detailed description.

joomla update process

Use a strong password

That’s nothing new, and I guess you have already heard it. You just have to do it. But what is a strong password?

  • Use passwords of at least 14 characters
  • Mix lower and upper case letters, numbers and special characters
  • Use a password that can’t be found in *any* dictionary
  • Don’t recycle passwords: use a different password for every login in every application or system
  • If you can’t remember them all, use KeePassX as a password manager

Take regular backups

If something goes wrong, your backup is your insurance. Take this one seriously, and test the recovery process. Believe me, this is done in minutes: you just have to start the process and can have a cup of coffee while it runs. Take a backup after every major change.

Keep several versions of your backups, you never know. The last version may contain a bug or may already have been hacked. This is just several megabytes of data, so really nothing to worry about.

Protect your administrative page

Usually bots (hacked computers combined into a network, a botnet) try to brute-force Joomla logins. The attacking computers can change their IP address after 3 login attempts, so blocking attempts by IP address is of no use. There is a way to protect your admin page with an extra layer of security: Apache’s .htaccess mechanism. Just google for htaccess and you will find a lot of very useful information on it.
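As an added example (not from the original post), this is the kind of .htaccess that puts an HTTP Basic authentication layer in front of the Joomla admin page, so a bot has to get past the web server before it can even see the Joomla login form. It assumes Apache 2.4 with mod_auth_basic and mod_authn_file enabled, AllowOverride AuthConfig allowed for the directory, and a password file path of your own choosing; the path below is a placeholder.

```apache
# Place this file as .htaccess inside the Joomla /administrator/ directory.
# Assumes Apache 2.4 (Require syntax), mod_auth_basic and mod_authn_file.

AuthType Basic
AuthName "Joomla administration"

# Keep the password file OUTSIDE the web root so it can never be served.
# Placeholder path: adjust to your own host.
AuthUserFile /home/example/private/.htpasswd

# Only users listed in the password file may reach anything under /administrator/.
Require valid-user

# Create the password file once (bcrypt hashes, -c creates the file):
#   htpasswd -B -c /home/example/private/.htpasswd yourusername
# Add further users without -c so the existing file is not overwritten.
```

Use a password here that differs from your Joomla password, so that a leak of one does not open the other.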

Delete extensions not needed

Unneeded extensions lying around may be a gateway for attackers. Install only those you need. If you are testing new extensions, don’t forget to delete them when you no longer use them.

Test your Joomla installation for security

There is a scanner to test your Joomla installation for security: joomscan. But be aware: if the scanner says everything is fine, it could still be that you are not really safe, because it checks only the known vulnerabilities stored in the vendor’s database. If something new comes up, or if there is a misconfiguration in the hosting server, this will not be covered. Nevertheless, it is a valuable tool to find out whether your installation contains any howlers.

In the next blog I will show how to use joomscan.

There is a lot of good material on the Joomla site concerning security. Just take a look at it.