How to make a Joomla website more secure

Posted: Sun Nov 25, 2012 12:29 pm
by N4ndee
Unfortunately, I have discovered, that the official Hungarian Joomla website has been hacked (http://www.joomla.org.hu/). It had been offline for a few weeks, a message said that they were updating the site, and yesterday, I saw that it had been hacked. Since then, I'm a bit worried about my Joomla site's security too (using the latest version, 3.0.2).
So I have searched around, read the security checklist, and all related docs. I have also installed the Admin Tools free component. With this component I have set a password to protect "administrator" (well, you can also do that in cPanel), and set up a unique super admin id. What other steps should I take (or components should I install) to make sure my site can't be easily hacked?
Also, I see that if you try to access http://www.joomla.org/administrator, it redirects you to the main page. How is that possible? Is it a safer method, than protecting it with a password?

Re: How to make a Joomla website more secure

Posted: Tue Nov 27, 2012 11:45 am
by mfauzirizal82
N4ndee wrote: Unfortunately, I have discovered, that the official Hungarian Joomla website has been hacked (http://www.joomla.org.hu/). It had been offline for a few weeks, a message said that they were updating the site, and yesterday, I saw that it had been hacked. Since then, I'm a bit worried about my Joomla site's security too (using the latest version, 3.0.2).
So I have searched around, read the security checklist, and all related docs. I have also installed the Admin Tools free component. With this component I have set a password to protect "administrator" (well, you can also do that in cPanel), and set up a unique super admin id. What other steps should I take (or components should I install) to make sure my site can't be easily hacked?
Also, I see that if you try to access http://www.joomla.org/administrator, it redirects you to the main page. How is that possible? Is it a safer method, than protecting it with a password?
Have you tried Jsecure? If you're broke, you can still use Admin Exile.

Oh, BTW, it's impossible to make our site 100% hack free. So, just take it easy and have a good preparation. :pop

Re: How to make a Joomla website more secure

Posted: Tue Nov 27, 2012 3:40 pm
by N4ndee
Thank you for your reply. I know it's impossible, I'm just trying to make my site a bit harder to hack. I'm going to check them out.

Re: How to make a Joomla website more secure

Posted: Thu Nov 29, 2012 10:03 am
by hostking
Also ensure you are with a Web Host that can offer secure hosting. Symlinking, weak FTP passwords on any account on some servers can compromise a whole server.

Re: How to make a Joomla website more secure

Posted: Tue Dec 04, 2012 2:17 pm
by darb
Also put in a secure htaccess master file like this one from Nicholas https://akeeba.assembla.com/code/master ... access.txt

If you get that to work after some tweaking, it's more secure.

Re: How to make a Joomla website more secure

Posted: Tue Dec 04, 2012 5:07 pm
by PhilD
Warning
The use of custom htaccess files such as the one in the Joomla documentation site:
http://docs.joomla.org/Htaccess_examples_%28security%29

and the one here
https://akeeba.assembla.com/code/master ... access.txt

is at a user's own risk. These htaccess files are NOT plug and play and will cause your site to cease working until properly configured. The files also contain code that may be enabled by default that is not relevant for every site and will cause issues. If a site already contains an htaccess file, then replacing that file with a 'master' file may cause the site to stop working or stop working properly. Examples would be an existing htaccess that includes code to enable PHP 5.3, which Joomla 3.0.xx requires, or a site with a permanent redirect in the htaccess file.

For most websites and purposes, the default included Joomla htaccess file is more than sufficient. The Joomla htaccess file is not enabled by default as some sites already have a default htaccess file with specific commands set by their host or by the site developer. To enable the Joomla htaccess file, rename the file htaccess.txt to .htaccess. The file generally does not require any configuration. If there is an existing .htaccess file, then add the Joomla code to the existing file or, if unsure, ask us to help.

Re: How to make a Joomla website more secure

Posted: Sun Dec 23, 2012 1:07 pm
by shirke
I highly recommend the Incapsula plugin for both security issues, as it provides you really good protection from hacking and also makes the site fast. I use it for my clients and it works like a charm.
Free download from JED. Good luck.

http://extensions.joomla.org/extensions ... tion/22609

Re: How to make a Joomla website more secure

Posted: Mon Mar 04, 2013 1:18 pm
by leolam
N4ndee wrote: Also, I see that if you try to access http://www.joomla.org/administrator, it redirects you to the main page. How is that possible?
Done with a directive in htaccess-file

Leo 8)

Re: How to make a Joomla website more secure

Posted: Fri Apr 19, 2013 5:20 am
by johnclr
Step 1. Install the component and go to Components > DB Admin.

Step 2. Using the intuitive interface, change the default "jos_" prefix of your Joomla 1.5 tables to a different value.

Step 3. Modify the configuration.php file in your main Joomla folder. In it locate the following line:

var $dbprefix = 'jos_';

You will have to edit it to correspond to the new table prefix you have set. For example, if you have changed the table prefix to "smth_" the line in the configuration.php file should look like this:

var $dbprefix = 'smth_';

The default table prefix of your Joomla database is now changed. This should block the majority of attacks against your database.

Re: How to make a Joomla website more secure

Posted: Sat Apr 20, 2013 8:46 pm
by PhilD
Joomla 3.0+ randomizes the database prefix automatically upon site creation and no longer uses a default jos_ prefix. It is no longer necessary to manually change the prefix.

As Leo said, it is easy by using a directive in the site htaccess file to redirect all but specific IP addresses to the home page when access to the admin URL is attempted.
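
The redirect described in the last post, as an added example that is not part of the thread and not taken from Joomla's own htaccess file. It assumes Apache with mod_rewrite, a site installed at the web root, and placeholder (documentation-range) addresses that must be replaced with your own:

```apache
# Added example. Place these lines in the site root .htaccess, above Joomla's
# own SEF rewrite section, so they are evaluated first.
#
# No <IfModule mod_rewrite.c> wrapper on purpose: if mod_rewrite is missing,
# Apache reports an error instead of silently leaving /administrator open.
RewriteEngine On

# Only act on requests for the Joomla back end (assumes the site is at the
# web root; adjust the path if Joomla lives in a subdirectory).
RewriteCond %{REQUEST_URI} ^/administrator(/|$) [NC]

# Allow list: each line exempts one client address or prefix.
# 203.0.113.10 and 198.51.100.x are placeholders, not real admin addresses.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.

# Everyone else is sent to the home page with a temporary redirect.
RewriteRule ^ / [R=302,L]
```

If the site sits behind a reverse proxy or CDN, `REMOTE_ADDR` is the proxy's address rather than the visitor's, so the allow list will not match real clients unless the server restores the client address (for example with mod_remoteip). The redirect hides the login page from other addresses but does not replace the password protection on the "administrator" directory discussed earlier in the thread.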