How to make a Joomla website more secure

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, PhilD, General Support Moderators

N4ndee
Joomla! Apprentice
Posts: 49
Joined: Sun Nov 04, 2012 3:21 pm

How to make a Joomla website more secure

Postby N4ndee » Sun Nov 25, 2012 12:29 pm

Unfortunately, I have discovered that the official Hungarian Joomla website has been hacked ( http://www.joomla . org.hu/). It had been offline for a few weeks, a message said that they were updating the site, and yesterday I saw that it had been hacked. Since then, I'm a bit worried about my Joomla site's security too (using the latest version, 3.0.2).
So I have searched around, read the security checklist, and all related docs. I have also installed the Admin Tools free component. With this component I have set a password to protect "administrator" (well, you can also do that in cPanel), and set up a unique super admin id. What other steps should I take (or components should I install) to make sure my site can't be easily hacked?
Also, I see that if you try to access http://www.joomla.org/administrator , it redirects you to the main page. How is that possible? Is it a safer method than protecting it with a password?
Last edited by mandville on Sun Nov 25, 2012 4:52 pm, edited 1 time in total.
Reason: broke link

mfauzirizal82
Joomla! Enthusiast
Posts: 187
Joined: Mon Jan 11, 2010 9:23 am
Location: Cibeureum Cibatok 2 Cibungbulang

Re: How to make a Joomla website more secure

Postby mfauzirizal82 » Tue Nov 27, 2012 11:45 am

N4ndee wrote: Unfortunately, I have discovered that the official Hungarian Joomla website has been hacked ( http://www.joomla . org.hu/). It had been offline for a few weeks, a message said that they were updating the site, and yesterday I saw that it had been hacked. Since then, I'm a bit worried about my Joomla site's security too (using the latest version, 3.0.2).
So I have searched around, read the security checklist, and all related docs. I have also installed the Admin Tools free component. With this component I have set a password to protect "administrator" (well, you can also do that in cPanel), and set up a unique super admin id. What other steps should I take (or components should I install) to make sure my site can't be easily hacked?
Also, I see that if you try to access http://www.joomla.org/administrator , it redirects you to the main page. How is that possible? Is it a safer method than protecting it with a password?


Have you tried jSecure? If you are broke, you can still use AdminExile.

Oh, BTW, it's impossible to make our site 100% hack-free. So just take it easy and be well prepared. :pop
Hopefully this is useful
http://enigmawebinc.com >> Jasa Web Joomla Profesional

N4ndee
Joomla! Apprentice
Posts: 49
Joined: Sun Nov 04, 2012 3:21 pm

Re: How to make a Joomla website more secure

Postby N4ndee » Tue Nov 27, 2012 3:40 pm

Thank you for your reply. I know it's impossible, I'm just trying to make my site a bit harder to hack. I'm going to check them out.

hostking
Joomla! Apprentice
Posts: 28
Joined: Sat Sep 01, 2012 7:02 pm

Re: How to make a Joomla website more secure

Postby hostking » Thu Nov 29, 2012 10:03 am

Also ensure you are with a web host that can offer secure hosting. Symlinking and weak FTP passwords on any account on some servers can compromise a whole server.
Top Joomla and CMS Hosting And Domains Provider In South Africa
https://www.hostking.co.za/web-hosting

darb
Joomla! Guru
Posts: 993
Joined: Thu Jul 06, 2006 12:57 pm
Location: Stockholm Sweden

Re: How to make a Joomla website more secure

Postby darb » Tue Dec 04, 2012 2:17 pm

Also put in a secure htaccess master file like this one from Nicholas https://akeeba.assembla.com/code/master ... access.txt

If you get that to work after some tweaking, it's more secure.
Success in the long run: it's not about the code, it's about the people and community that make it!
It's not what you say, it's what you do that matters!

Darb - aka ssnobben

PhilD
Joomla! Hero
Posts: 2727
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: How to make a Joomla website more secure

Postby PhilD » Tue Dec 04, 2012 5:07 pm

Warning
The use of custom htaccess files such as the one in the Joomla documentation site:
http://docs.joomla.org/Htaccess_examples_%28security%29

and the one here
https://akeeba.assembla.com/code/master ... access.txt

is at the user's own risk. These htaccess files are NOT plug and play and will cause your site to cease working until properly configured. The files also contain code that may be enabled by default that is not relevant for every site and will cause issues. If a site already contains an htaccess file, then replacing that file with a 'master' file may cause the site to stop working or stop working properly. Examples would be an existing htaccess that includes code to enable PHP 5.3, which Joomla 3.0.xx requires, or a site with a permanent redirect in the htaccess file.

For most websites and purposes, the default included Joomla htaccess file is more than sufficient. The Joomla htaccess file is not enabled by default, as some sites already have a default htaccess file with specific commands set by their host or by the site developer. To enable the Joomla htaccess file, rename the file htaccess.txt to .htaccess. The file generally does not require any configuration. If there is an existing .htaccess file, then add the Joomla code to the existing file or, if unsure, ask us to help.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

shirke
Joomla! Fledgling
Posts: 1
Joined: Sun Dec 23, 2012 12:53 pm

Re: How to make a Joomla website more secure

Postby shirke » Sun Dec 23, 2012 1:07 pm

I highly recommend the Incapsula plugin for security issues, as it provides you really good protection from hacking and also makes the site fast. I use it for my clients and it works like a charm.
Free download from JED. Good luck.

http://extensions.joomla.org/extensions ... tion/22609

leolam
Joomla! Master
Posts: 16246
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: How to make a Joomla website more secure

Postby leolam » Mon Mar 04, 2013 1:18 pm

N4ndee wrote: Also, I see that if you try to access http://www.joomla.org/administrator , it redirects you to the main page. How is that possible?
Done with a directive in the htaccess file.

Leo 8)
-- Joomla Professional Support Services : https://gws-desk.com --
-- Joomla Specialized Hosting Solutions: https://gws-host.com --
-- Joomla Professional Web Development & Design: www.gws-studio.com
-- Member Joomla Bug Squad --

johnclr
I've been banned!
Posts: 12
Joined: Thu Feb 21, 2013 6:37 am
Location: USA

Re: How to make a Joomla website more secure

Postby johnclr » Fri Apr 19, 2013 5:20 am

Step 1. Install the component and go to Components > DB Admin.

Step 2. Using the intuitive interface, change the default "jos_" prefix of your Joomla 1.5 tables to a different value.

Step 3. Modify the configuration.php file in your main Joomla folder. In it locate the following line:

var $dbprefix = 'jos_';

You will have to edit it to correspond to the new table prefix you have set. For example, if you have changed the table prefix to "smth_" the line in the configuration.php file should look like this:

var $dbprefix = 'smth_';

The default table prefix of your Joomla database is now changed. This should block the majority of attacks against your database.

PhilD
Joomla! Hero
Posts: 2727
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: How to make a Joomla website more secure

Postby PhilD » Sat Apr 20, 2013 8:46 pm

Joomla 3.0+ randomizes the database prefix automatically upon site creation and no longer uses a default jos_ prefix. It is no longer necessary to manually change the prefix.

As Leo said, it is easy, by using a directive in the site htaccess file, to redirect all but specific IP addresses to the home page when access to the admin URL is attempted.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
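
The kind of htaccess directive Leo and PhilD describe could look like the following. This is an added example, not taken from the thread or from joomla.org's own configuration; it assumes mod_rewrite is available and the site sits at the web root, and the IP addresses are documentation-range placeholders.

```apache
# Added example: goes in the site-root .htaccess, above Joomla's own
# rewrite rules so it is evaluated first.
# 203.0.113.10 and 198.51.100.x are placeholder addresses (assumptions);
# replace them with the addresses your administrators connect from.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Only act on requests for the administrator directory or anything under it.
    RewriteCond %{REQUEST_URI} ^/administrator(/|$) [NC]

    # Conditions are ANDed: the client must match none of the allowed addresses.
    RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
    RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.

    # Everyone else is sent to the home page. 302 keeps browsers from caching
    # the redirect while the allow-list is still being tuned; L stops processing.
    RewriteRule ^ / [R=302,L]
</IfModule>
```

Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so the allow-list has to be matched against the client address the proxy passes on. The redirect only hides the login page from other addresses, so it works alongside the directory password N4ndee already set rather than replacing it.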

