Joomla Security FAQ
- Why do people hack websites?
- To infect the computers of your site's visitors with malware, which in turn helps them to create botnets (armies of infected computers) that are used for attacks on yet more systems, sending spam, and "key-logging" to harvest credit card or banking details.
- If your site handles online payments then this presents an even greater incentive for hackers, even if you use 3rd party payment processors (e.g. a hacker might send your visitors to a fake PayPal site instead of the real one).
- Adding spamlinks (links to nefarious sites to help those sites to rank better on Google) is another common motivation.
- How likely is it that someone will try to hack my site?
Almost inevitable. A scan of the logs of most websites will reveal regular attempts to scan for vulnerabilities. Such attacks aren't targeted, but result from widespread automated trawling by "bots" that look for sites with vulnerabilities (like outdated software) and then automatically hack them. Low-level scans for common vulnerabilities (e.g. unpatched software) and brute force attacks happen quite frequently, while more sophisticated attacks happen rarely on some sites and more often on others. A site running any popular software that is out of date (unpatched) should expect to get hacked sooner or later.
- How do I know if my site's been hacked?
Some indications are broken pages, source code visible on the page, or odd links to other sites that you didn't put there. Your antivirus software might also give you a warning that the site is infected, but often it won't be obvious at all without inspecting the source code, and even then it is sometimes well hidden. Hacks therefore often go unnoticed until automated backups are overwritten with hacked versions, hence the need to keep an offline history of archived backups.
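As an added example (not part of the FAQ), the following POSIX shell script turns the "scan the logs" suggestion above into a repeatable check. It reads an Apache-style combined access log, such as the raw access log a cPanel host exposes, and lists client addresses that show the two patterns the bots and brute force attempts described above leave behind: repeated POSTs to the administrator login, and many 404 responses from probing for files that are not there. The log format, the threshold of 10 hits and the sample log entries (which use RFC 5737 documentation addresses) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the FAQ: flag client addresses in an Apache/cPanel
# access log that look like the automated scanning and brute-force traffic the
# FAQ describes. Assumes the common "combined" log format, where field 1 is the
# client address, fields 6 and 7 the method and path, and field 9 the status.

# Print one line per suspicious client: repeated POSTs to the Joomla admin login
# (password guessing) or many 404s (probing for files that are not there).
# Usage: flag_suspicious_clients /path/to/access_log [threshold]
flag_suspicious_clients() {
    log="$1"
    limit="${2:-10}"   # assumption: 10 hits in one log is worth a look
    awk -v limit="$limit" '
        $6 == "\"POST" && $7 ~ /^\/administrator\/index\.php/ { login[$1]++ }
        $9 == "404"                                           { notfound[$1]++ }
        END {
            for (ip in login)
                if (login[ip] >= limit) printf "LOGIN-BRUTEFORCE %s %d\n", ip, login[ip]
            for (ip in notfound)
                if (notfound[ip] >= limit) printf "PROBE-404 %s %d\n", ip, notfound[ip]
        }' "$log"
}

# Build a constructed log for a dry run: one address hammering the admin login,
# one probing for files that do not exist, one ordinary visitor (RFC 5737
# documentation addresses, not real clients). Prints the temp file's path.
make_sample_log() {
    f=$(mktemp)
    ts='[10/Oct/2023:13:55:36 +0000]'
    i=0
    while [ $i -lt 12 ]; do
        echo "203.0.113.5 - - $ts \"POST /administrator/index.php HTTP/1.1\" 303 0 \"-\" \"Mozilla/5.0\"" >> "$f"
        i=$((i + 1))
    done
    i=0
    while [ $i -lt 15 ]; do
        echo "198.51.100.7 - - $ts \"GET /probe$i/ HTTP/1.1\" 404 196 \"-\" \"Mozilla/5.0\"" >> "$f"
        i=$((i + 1))
    done
    echo "192.0.2.10 - - $ts \"GET /index.php HTTP/1.1\" 200 8421 \"-\" \"Mozilla/5.0\"" >> "$f"
    echo "192.0.2.10 - - $ts \"POST /administrator/index.php HTTP/1.1\" 303 0 \"-\" \"Mozilla/5.0\"" >> "$f"
    echo "$f"
}

# When run with a log path as the first argument, report on that log.
if [ $# -gt 0 ]; then
    flag_suspicious_clients "$1" "${2:-10}"
fi
```

On the constructed log this reports 203.0.113.5 for the login hammering and 198.51.100.7 for the 404 probing, and stays silent about the ordinary visitor. A single legitimate admin login is one POST, so the threshold separates a person who mistyped a password from a bot; what value suits a site depends on how many administrators it has and how often the log is rotated.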
- Can't I just rely on having a good backup regimen, and then restore from backup if I get hacked? This used to be a viable option that many people relied on (with the logic that it's cheaper), but not any more, as the scale of hacking has been escalating dramatically in recent years. Critically, never rely solely on hosting company backups. Most only keep backups for 7 days (we keep a 30 day history for sites we host), and if a hack goes unnoticed for longer than this, then such backups will be infected and useless unless you've got a reliable history of offline backups yourself. Whilst it's still essential to keep a good history of offline backups, it shouldn't be used as a first line of defence or response to the current risks of hacking, and no host will take responsibility for the security of your site, nor guarantee that their systems are capable of preventing all hacking attempts.
- How can I make my site 100% secure? It's simply not possible. If the US Department of Defense, Sony, Microsoft, and Google can't keep their systems secure with an army of full time security staff, then no one can. Just like home security, website security is a balancing act between cost, risk, resources, and practical convenience.
- If I can't make my site 100% secure, how can I make it more secure? In order of benefit/cost below:
- Set up Joomla as securely as practicable in the first place:
- Choose a Joomla-compatible host, ideally with Apache and cPanel, and use appropriate file permissions (644 for files, 755 for directories).
- Don't store FTP passwords in Global Configuration (if you follow the bullet point above you shouldn't need to).
- Don't use the default jos_ as the database prefix (most SQL injection attacks will assume this).
- Ensure configuration.php has secure permissions or move it outside of the public folder
- Enable the Joomla version of .htaccess whether you are using SEF URLs or not.
- Lock the /administrator/ folder in cPanel >> Security >> Web Protect (not possible if using VirtueMart with PayPal IPN or some other extensions). Most site owners prefer this not to be set because the extra login step causes confusion for them, but if you can put up with an extra login step then it is highly recommended.
- Don't install every extension or template under the sun. If you're not using something, uninstall it.
- Never use the default "admin" as your username (all brute force attacks start with this username)
- Delete the installation folder after installation (don't just rename it)
- Keep the /tmp/ folder clean e.g. tidy up after extension installations
- Never use weak passwords, especially for your email, since your email password is the master key for all your other passwords (by using lost password recovery links).
- Avoid dictionary words, or words that appear on your site or relate to information that someone could find out about you (automated bots can try thousands of combinations of dictionary words, proper nouns and numbers very quickly, so it's not just a matter of picking a dictionary word or name that you think no one will guess). Also avoid sequential keys on the keyboard like QWERTY or anything else that might feature prominently in "top 1000 passwords" type lists.
- Use a combination of upper-case and lower-case letters, numbers and symbols.
- Use acronyms for unique phrases that you've made up. E.g. "MSirQS!" could be short for "My Site is really Quite Secure!"
- Keep a reliable history of offline backups.
- Subscribe to get alerts of Joomla security announcements and patch whenever needed. http://feeds.joomla.org/JoomlaSecurityNews
- Monitor the Joomla vulnerable extensions list and apply 3rd party extension security updates as needed.
- Use a Joomla security suite such as RSFirewall (about $65 AUD/year) or Admin Tools Pro by Akeeba, and turn on the "ActiveScanner" feature that logs, reports or blocks most common attacks.
- Use a 3rd party malware scanning service such as Sucuri.net that will regularly scan your site for signs of malware and alert you if malware is detected.
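As an added example (not code from the FAQ or from the Joomla project), the POSIX shell script below checks an existing Joomla document root against the set-up checklist earlier in this list: 644/755 file and directory modes, configuration.php permissions and the default jos_ prefix, a leftover (or merely renamed) installation folder, htaccess.txt not yet enabled as .htaccess, and clutter in tmp/. It reports and changes nothing. The expected layout under the web root is the standard Joomla tree and is an assumption about the site being audited; the script also builds a constructed, deliberately misconfigured sample tree so it can be tried without a real site.

```shell
#!/bin/sh
# Added example, not from the FAQ or from Joomla: a read-only audit of a Joomla
# document root against the FAQ's set-up checklist. Prints one FINDING line per
# problem and changes nothing. Assumes the standard Joomla layout under the web
# root (configuration.php, htaccess.txt, installation/, tmp/).
# Usage: audit_joomla /home/user/public_html

# Count lines on stdin, trimmed so the result is safe inside [ ] tests.
count_lines() { wc -l | tr -d ' '; }

audit_joomla() {
    root="$1"
    if [ ! -d "$root" ]; then echo "FINDING: $root is not a directory"; return 0; fi

    # Files should be 644 and directories 755 (the modes the FAQ recommends).
    n=$(find "$root" -type f ! -perm 644 | count_lines)
    if [ "$n" -gt 0 ]; then echo "FINDING: $n file(s) are not mode 644"; fi
    n=$(find "$root" -type d ! -perm 755 | count_lines)
    if [ "$n" -gt 0 ]; then echo "FINDING: $n directory(ies) are not mode 755"; fi

    # configuration.php: must exist, must not be group/world-writable, and must
    # not keep the default jos_ table prefix.
    cfg="$root/configuration.php"
    if [ ! -f "$cfg" ]; then
        echo "FINDING: configuration.php not found under $root (moved outside the web root, or missing?)"
    else
        if [ -n "$(find "$cfg" \( -perm -020 -o -perm -002 \))" ]; then
            echo "FINDING: configuration.php is group- or world-writable"
        fi
        if grep -q "dbprefix.*'jos_'" "$cfg"; then
            echo "FINDING: database prefix is still the default jos_"
        fi
    fi

    # The installation folder must be deleted, not merely renamed.
    for d in "$root"/installation*; do
        if [ -d "$d" ]; then echo "FINDING: installer directory still present: $d"; fi
    done

    # Joomla ships its rules as htaccess.txt; they only take effect as .htaccess.
    if [ -f "$root/htaccess.txt" ] && [ ! -f "$root/.htaccess" ]; then
        echo "FINDING: htaccess.txt has not been enabled as .htaccess"
    fi

    # tmp/ should hold nothing but Joomla's placeholder index.html.
    n=$(find "$root/tmp" -mindepth 1 ! -name index.html 2>/dev/null | count_lines)
    if [ "$n" -gt 0 ]; then echo "FINDING: $n leftover item(s) in tmp/"; fi
    return 0
}

# Build a constructed, deliberately misconfigured tree for a dry run; prints its path.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/administrator" "$site/cache" "$site/installation" "$site/tmp" "$site/media"
    printf '%s\n' '<?php' 'class JConfig {' "    public \$dbprefix = 'jos_';" '}' > "$site/configuration.php"
    : > "$site/htaccess.txt"
    : > "$site/tmp/index.html"
    : > "$site/tmp/leftover.zip"        # a forgotten extension package
    : > "$site/media/upload.txt"
    chmod -R u=rwX,go=rX "$site"        # baseline: 644 files, 755 directories
    chmod 777 "$site/cache"             # one over-permissive directory
    chmod 666 "$site/media/upload.txt"  # one over-permissive file
    echo "$site"
}

# When run with a path as the first argument, audit that document root.
if [ $# -gt 0 ]; then
    audit_joomla "$1"
fi
```

Against the constructed tree the audit reports six findings; once the modes are corrected, the installer and the leftover package removed, htaccess.txt copied to .htaccess and the prefix changed, it reports none. On a live site, run it as the account that owns the files, and treat a "not found" for configuration.php as something to confirm rather than a fault: moving the file outside the web root is one of the options the checklist gives.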
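As a second added example (again not code from the FAQ), the POSIX shell function below applies the password advice in this list to a candidate password: it rejects entries from a common-password list, keyboard runs such as QWERTY, words that appear on the site, and passwords missing any of the four character classes. The minimum length of 10, the tiny stand-in for a "top 1000 passwords" list and the site words are assumptions made for the demonstration; a real check would use a full list and the words that actually appear on the site.

```shell
#!/bin/sh
# Added example, not from the FAQ: a checker that applies the FAQ's password
# advice to a candidate. MIN_LENGTH, the common-password stand-in and SITE_WORDS
# are assumptions made here for the demonstration.
MIN_LENGTH=10
COMMON_PASSWORDS="password 123456 letmein welcome iloveyou admin123"
KEYBOARD_RUNS="qwerty asdf zxcv 12345 09876"
SITE_WORDS="joomla acme widgets"

# Prints one line per rule the password breaks; prints nothing if it passes.
# Usage: check_password 'candidate'
check_password() {
    pw="$1"
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')

    if [ "${#pw}" -lt "$MIN_LENGTH" ]; then
        echo "too short: fewer than $MIN_LENGTH characters"
    fi
    # Exact matches against the (constructed) top-passwords list.
    for w in $COMMON_PASSWORDS; do
        if [ "$lower" = "$w" ]; then echo "appears in the common-password list"; fi
    done
    # Sequential keys such as QWERTY anywhere in the password.
    for run in $KEYBOARD_RUNS; do
        case "$lower" in *"$run"*) echo "contains the keyboard sequence '$run'" ;; esac
    done
    # Words that appear on the site itself, which a bot would try first.
    for w in $SITE_WORDS; do
        case "$lower" in *"$w"*) echo "contains a word from the site: '$w'" ;; esac
    done
    # Mixed character classes: upper case, lower case, digits and symbols.
    printf '%s' "$pw" | grep -q '[A-Z]' || echo "no upper-case letter"
    printf '%s' "$pw" | grep -q '[a-z]' || echo "no lower-case letter"
    printf '%s' "$pw" | grep -q '[0-9]' || echo "no digit"
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' || echo "no symbol"
    return 0
}

# Number of rules broken, which is what a registration form would branch on.
password_problems() {
    check_password "$1" | grep -c . || true
}
```

A password built the way the FAQ suggests, an acronym of a made-up phrase padded to the assumed length with a digit and a symbol, passes every rule; "qwerty123" breaks four of them (length, keyboard run, no upper-case letter, no symbol), and a password containing the site's own name fails on the site-word rule even when every other rule is met.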