When building a Joomla site, most of the focus goes to developing an intuitive UX and aesthetically-pleasing pages. While there’s nothing wrong with this, it’s also important for developers to ensure that their Joomla site is secure.
Despite the fact that the developers of Joomla take security threats seriously and cautiously deal with potential issues, the truth is that it’s impossible to be completely secure.
Hackers are everywhere and they’re always looking for ways to target weak sites, extract data, and inflict as much damage as possible.
10 Steps to Ensure Your Joomla Site is Secure
While there are hundreds of steps you can take to ensure your Joomla site is secure, many are redundant and unnecessary. Ultimately, you’ll want to focus on the following 10 tips. If you can follow these, you’ll be able to mitigate most risk and stay protected.
-
Analyze your current status.
The first place to start is with an analysis of your current security status. Are you using the latest version of Joomla? Outdated versions can leave you exposed to harmful threats. The easiest way to check on what version you’re using is to log into the administrator section of your account and search for the version number. Otherwise, you can visit the System Information page and find the details there. The latest version of Joomla is 3.3.6 and was released in October 2014. If you need to install the new version, make sure you back up your site prior to making any changes.
-
Only use approved plugins.
Because there is such a large Joomla community, there are tons of third party extensions and apps in the marketplace. While most are released with good intentions, you can never be too careful when it comes to installing an extension. If you aren’t careful, you may be giving hackers a way into your site. Use this page to check for vulnerable third party extensions.
-
Develop a secure login.
Are you one of the many site administrators that leave their default login account as “admin?” This is a big security risk and makes it easy for hackers to do their job. You can protect yourself on this front by changing your default login to something other than “admin” and generating a complex password with letters, numbers, and other characters. Avoid using your website name, personal name, or any words that are easily guessable.
-
Only use secure web hosts.
This one is a no-brainer, but can slip the mind of new or busy developers. Always use a secure web host and avoid using any host that uses “php safe_mode.” “Safe_mode” should always be off and PHP5 is better than PHP4.
-
Delete unused extensions.
It’s common for developers to try out new extensions or switch to alternatives on a semi-regular basis. While there’s nothing wrong with this, there’s no reason to keep unused extensions. These serve as nothing more than potential security threats and should be deleted. This goes for unused Joomla templates, too. There’s no use in keeping templates you don’t use and they could allow people content you didn’t intend to publish.
-
Install HTTPS.
If you don’t already have HTTPS installed and setup, now is the time to take care of that. Setting up HTTPS is easy and can be completed in just a few steps. Simply purchase a SSL certificate, install it, set your options and encryption rules, adjust the components as you see fit, and you’re good to go.
-
Change file permissions.
It’s best to change your file permissions on critical files so it’s more difficult for hackers to access, edit, and overwrite your files. Some suggestions include setting the permission of /index.php, /configuration.php, and /templates/yourtemplate/index.php to 444, as well as the folder /templates/yourtemplate/ to 555.
-
Don’t allow user registration.
If your site has no need for allowing user registration, you should disallow it altogether. This reduces another potential entry point for hackers. You can do this by logging into your administration panel and finding the setting for “Allow User Registration.”
-
Use two-factor authentication.
In addition to making your login more secure, you can also implement two-factor authentication to double-up on security. This makes it even harder for hackers to gain access to your admin account and is the safest form of protection you can have.
-
Scan your site.
Finally, after you’ve taken care of all of these potential threats and strengthened any vulnerable areas of your Joomla site, you should perform an online scan. This is an ongoing step and should be conducted on a regular basis. There are plenty of sites, such as SiteCheck, that allow you to perform a free analysis.
Protect Your Joomla Site Today
How’s your Joomla site looking? If you’ve overlooked security in the past, now is the time to proactively confront the issue. Implement these 10 steps and ensure your site is protected from dangerous hackers and harmful security threats.
