Securing your Joomla Installation

Written by Tabaré Patiño

Hackers


We know how handy Joomla can be when you need to develop a website for a customer (or for your company) and you don't have much time to do it from scratch. Joomla is one of the most used CMS' (Content Managment System) in the world, however as with any other application which has the ability to add plugins/extensions, it also has its security weaknesses.


As talked about in other posts, we take security seriously at Kualo, and have implemented several systems to protect your applications from being exploited. We cannot, however, protect every piece of software that clients operate on their sites - unfortunately there is no guaranteed way to protect your websites from being exploited due to vulnerabilities that are the result of not upgrading to the latest releases, poorly coded extensions or custom code.

This tutorial aims to provide some tips and suggestions that will help you add an extra layer of security to your Joomla installations.

Important Points

  • Always keep your Joomla installation up to date, including (crucially!) any extensions that you have installed
  • Create a new admin user with a custom username, and then delete the default 'administrator' user as many attacks will target standard usernames
  • Change your admininistrator account password regularly
  • Only install extensions that are well reviewed by the Joomla community, and are actively developed
  • When installing Joomla, change the default database prefix. All default Joomla installs use the database prefix of "jos_" which makes any exploiter's job much easier. You can change this prefix to something unique during installation, and if you've already installed then the following plugin can easily help you changing your Joomla database prefix with a few clicks: http://extensions.joomla.org/extensions/hosting-a-servers/database-management/14895

Securing Joomla

Below is a list of recommended modifications or adjustments to make to your Joomla installations. Read it carefully and if you have any questions feel free to get in touch with our support team before proceeding.

1) Remove components or extensions that you don't use. If you tried an extension or a component and you found that is wasn't what you expected, don't keep it disabled. Delete it.

2) Use a SEF component. One of the most common techniques from hackers is to use Google inurl: command to search for a vulnerable exploit. We strongly recommend the use of a SEF extension to re-write your URL's and prevent the hackers from finding the exploits. This should also benefit your website rank search engines by the use of friendly URL's. Check the available SEF extensions at Joomla: http://extensions.joomla.org/index.php?option=com_mtree&task=listcats&cat_id=1803&Itemid=35

3) Add the following lines to your .htaccess file to block out some common exploits.
########## Begin - Rewrite rules to block out some common exploits
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [OR]
# Block out any script trying to base64_encode to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
# Block out any script that includes a < script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2}) [OR]
# Block out any script that tries to set CONFIG_EXT (com_extcal2 issue)
RewriteCond %{QUERY_STRING} CONFIG_EXT([|%20|%5B).*= [NC,OR]
# Block out any script that tries to set sbp or sb_authorname via URL (simpleboard)
RewriteCond %{QUERY_STRING} sbp(=|%20|%3D) [OR]
RewriteCond %{QUERY_STRING} sb_authorname(=|%20|%3D)
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

4) Protect your "tmp" folder. Add cron to delete the content of the tmp folder regulatory. Most of the recent attacks we have seen on Joomla have been done due to files previously uploaded to the tmp folder. What we recommend is to setup a cron job to delete on a daily basis the content of this folder, you can use the following command:
nice -n 15 /bin/find /home/YOUR-CONTROL-PANEL-USER/public_html/tmp/ -type f -mtime +1 -exec rm -rf {} \;

You should also disable the web access to the tmp folder by adding a .htaccess file in it containing the following line:
deny from all

5) Install a security extension. There are plenty of security extensions offered at the Joomla extensions directory. Some of them have commercial licenses, some of them are free. Review and choose the one the one with more positive rating or the one that suits you best: http://extensions.joomla.org/extensions/access-a-security/site-security/site-protection

6) We have recently seen several brute force attacks to the Joomla administrator folder. You can protect the administrator folder with an initial password prompt before the standard Joomla login page - just use the "Password Protect Directory" option in your hosting account's control panel and add that second security layer to protect yourself from this attack.

Official security documentations

We'd also recommend you reading the following articles:
We hope you enjoyed this tutorial. If you have any questions, our technical team are on hand to assist!

Don't miss out!

Get our updates on web development, online marketing, customer support and (of course) web hosting!

About Kualo: Jo

About the Author

Tabaré is a systems administrator at Kualo. He's primarily responsible for making sure that our servers purr along, and has worked tirelessly to improve automation at Kualo.