Security Recommendations or Checklist

Discussion regarding Joomla! 3.x security issues.


zaknokimi
Joomla! Apprentice
Posts: 8
Joined: Sat Oct 31, 2015 10:37 pm

Security Recommendations or Checklist

Post by zaknokimi » Mon Sep 28, 2020 11:14 pm

Hello, I've been using Joomla for years for managing and building my organisation's website. I was just wondering if there were some points someone could mention, or a sort of tick-list, so that a Joomla website could be secure.

Server Level
  • I'm using a managed hosting setup so the server security is fine
  • Also a site scanner / malware scanner
  • Backups are scheduled every night for the server
The server is not what I'm worried about as much. It used to be self-managed, but I decided I didn't have much knowledge/experience to keep it safe.

The main concerns are with Joomla itself. Here's what I have set up already:
  • RSFirewall Plugin - blacklisted countries I know we don't need traffic from, have an additional password before the user login, critical issue email updates, and the usual default system/db checks
  • Joomla is always updated to the latest version, and running the most recent reliable PHP version.
  • Akeeba Backup is installed for remote backups of files + db to Dropbox.
  • User accounts are limited to only 2 users who manage the site, and the passwords are already very secure (20+ characters with symbols/letters/numbers etc)
  • Plugins are updated frequently, and the ones we don't need are removed.
  • No possible front-end input - even the contact form is hosted separately by a form provider, e.g. Jotform / Typeform. Much of the website is static and mostly hosts information.
  • SSL is of course set.
I was wondering if on top of this, there's anything I can do to improve security. For example, if RSFirewall isn't enough and there's perhaps a complementary plugin to improve other aspects of security? A better backup tool than Akeeba? Other tweaks to Joomla? Turning off / disabling Joomla default plugins I'll never use?

Would really appreciate thoughts, and thanks!
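Added example for this thread (not code from the Joomla project, from RSFirewall or from the poster): a small audit script for the "other tweaks to Joomla" question above. It reads the `public $name = value;` lines that Joomla 3.x writes into configuration.php and flags the settings that matter on a production site (debug and error display, site-wide HTTPS via force_ssl, the session secret), then checks two things on disk: that configuration.php is not group/world writable and that the installation/ folder is gone. The two sample configs are constructed for the illustration, and the 16-character minimum for $secret is an assumed threshold, not a Joomla rule.

```python
"""Audit a Joomla 3.x configuration.php for weak production settings.

Added example for the forum thread; not Joomla's own code. Sample configs
below are constructed; the secret-length threshold is an assumption.
"""
import os
import re
import stat
import tempfile

# One setting per line, e.g.  public $debug = '0';  or  public $force_ssl = 2;
_SETTING = re.compile(r"^\s*public\s+\$(\w+)\s*=\s*(.+?);\s*$", re.M)


def parse_config(text):
    """Map setting names to Python values: quoted strings are unquoted,
    digit strings and bare integers become int, true/false become bool."""
    settings = {}
    for name, raw in _SETTING.findall(text):
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            raw = raw[1:-1]
        if raw.lower() in ("true", "false"):
            settings[name] = raw.lower() == "true"
        elif re.fullmatch(r"-?\d+", raw):
            settings[name] = int(raw)
        else:
            settings[name] = raw
    return settings


def audit_settings(settings):
    """Return a list of findings for the parsed settings (empty = nothing found)."""
    findings = []
    if settings.get("debug") not in (None, False, 0):
        findings.append("debug: enabled, visitors get stack traces and SQL in error pages")
    if settings.get("error_reporting") != "none":
        findings.append("error_reporting: not 'none', PHP errors can reveal paths and code")
    if settings.get("force_ssl") != 2:
        findings.append("force_ssl: not 2, HTTPS is not enforced for the whole site")
    secret = settings.get("secret", "")
    if not isinstance(secret, str) or len(secret) < 16:  # assumed minimum length
        findings.append("secret: missing or short, form/session tokens are easier to forge")
    return findings


def audit_install(root):
    """Audit configuration.php under a Joomla root plus two on-disk checks."""
    path = os.path.join(root, "configuration.php")
    with open(path, encoding="utf-8") as fh:
        findings = audit_settings(parse_config(fh.read()))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("configuration.php: group/world writable, 444 is the usual advice")
    if os.path.isdir(os.path.join(root, "installation")):
        findings.append("installation/: still present, remove it once the site is installed")
    return findings


# Constructed sample: a config left close to install-time defaults.
WEAK_CONFIG = """<?php
class JConfig {
\tpublic $sitename = 'Example Org';
\tpublic $debug = '1';
\tpublic $error_reporting = 'maximum';
\tpublic $force_ssl = '0';
\tpublic $secret = 'abc123';
}
"""

# Constructed sample: the same site after hardening.
HARDENED_CONFIG = """<?php
class JConfig {
\tpublic $sitename = 'Example Org';
\tpublic $debug = '0';
\tpublic $error_reporting = 'none';
\tpublic $force_ssl = 2;
\tpublic $secret = 'v8QpLm2ZcK9rT4xWb1Nd';
}
"""


def build_site(root, config_text, mode, leftover_installer):
    """Write a throwaway Joomla-like tree (configuration.php, optional installation/)."""
    os.makedirs(root, exist_ok=True)
    path = os.path.join(root, "configuration.php")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(config_text)
    os.chmod(path, mode)
    if leftover_installer:
        os.makedirs(os.path.join(root, "installation"), exist_ok=True)
    return path


def run_demo():
    """Build both sample sites in a temp dir; return (weak findings, hardened findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        weak = os.path.join(tmp, "weak")
        build_site(weak, WEAK_CONFIG, 0o666, leftover_installer=True)
        hard = os.path.join(tmp, "hardened")
        build_site(hard, HARDENED_CONFIG, 0o444, leftover_installer=False)
        return audit_install(weak), audit_install(hard)


if __name__ == "__main__":
    weak_findings, hard_findings = run_demo()
    for line in weak_findings:
        print("WEAK     ", line)
    print("HARDENED ", hard_findings or "no findings")
```

Point `audit_install()` at a real site root to run it against your own install; it only reads configuration.php and checks for the installation/ directory, so it is safe to run on a live site. The checks are deliberately the ones a plugin like RSFirewall's system check also reports, so it doubles as a way to confirm that the plugin's "all clear" matches what is actually on disk.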

abernyte
Joomla! Virtuoso
Posts: 3903
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Security Recommendations or Checklist

Post by abernyte » Tue Sep 29, 2020 4:18 am

Ah... security. It is perhaps becoming a cliché, but it is nonetheless true that security is not a tick list but a "forma mentis".
You are already well prepared for many threats but you are thinking from inside the silo. You need to consider what type of data you hold and why it may prove a target, if indeed it does. That allows you to concentrate on how it may be best protected.
If you are just protecting from the usual background noise of bots and scanners, then you probably have it covered. There is not a better backup solution than Akeeba, but remember that your nightly backup is actually not a backup unless you have successfully restored from it.
What we obtain too cheap, we esteem too lightly…Thomas Paine

AlexVega
Joomla! Hero
Posts: 2539
Joined: Fri Aug 28, 2015 6:13 am
Location: México

Re: Security Recommendations or Checklist

Post by AlexVega » Tue Sep 29, 2020 6:34 am

Hi there!

To complement, we also have available this checklist:
https://docs.joomla.org/Security_Checklist

Per Yngve Berg
Joomla! Master
Posts: 27205
Joined: Mon Oct 27, 2008 9:27 pm
Location: Romerike, Norway

Re: Security Recommendations or Checklist

Post by Per Yngve Berg » Tue Sep 29, 2020 7:33 am

Enable 2FA to increase password security.
