Secure Joomla Against Hackers

Joomla is an open-source, content management system. Still confused? That's okay, this is a question many clients ask us as we talk about Joomla a lot. Much like Wordpress or Drupal, Joomla is actually a software program that uses a database to store and manage content so that content can be fed up dynamically. It is an international software project developed and supported by thousands of people around the world.

Since I've been building websites for over 15 years, I feel qualified to say that Joomla is one of the easiest, most robust ways to create an awesome website. Joomla is a fairly easy way for non-programmers to build a website.

Still not sure what Joomla is? Read our lens Designing a Website With Joomla for a detailed explanation of what Joomla is and how it works.

The following steps are ways to help prevent hackers from getting into your Joomla website. They are not foolproof, so it is very important to continuously monitor your site and to do regular maintenance to prevent a hack attack.

1. Create a backup plan for the site.
If you do nothing else, at least do this. You never expect to be attacked, but when you have a backup of your Joomla websites, you can relaunch within an hour. Check if to see if your host has daily or weekly backups. Even if they do, it is best to take your own backup as insurance to safeguard the site. You can do this manually by copying your files and export a copy of the MySQL database. It is easier to use third party backup extension such as Akeeba Backup. Read this Akeeba Backup tutorial to find out how.

2. Update your version of Joomla.
Subscribe to updates of Joomla security by e-mail or RSS. Update your website whenever a new version comes out. An update will be a minute if you use Joomla Update Manager component.

3. Use a reputable hosting company
Many hosting companies that knows how to optimize for Joomla hosting. Many hosting companies say they know how, but do your research before you sign up. Read Joomla Hosting reviews or ask on the Joomla support forum. We have found the following Joomla web hosting companies to have the most reliable hosting solutions for Joomla:

Company Name

Joomla Support

Cpanel

Auto backups

Monthly Cost

Hostgator

yes

yes

weekly

$4.95-$99.95

Interactive Online

yes

yes

weekly

$5.95-$12.95

Rochen

yes

yes

2x daily

$8.95-$69.95

SEE OUR COMPLETE LIST FURTHER DOWN THIS LENSE!

4. Review the list of vulnerable extensions before installing Joomla extensions.
The extensions are built by third-party developers and are not always 100% secure. It is wise to consult this list before installing a Joomla extension, and go every time you update your extensions. You can subscribe to the list of Joomla vulnerable extensions RSS feed to receive announcements when the extensions are vulnerable. When updating your version of Joomla, recheck this list to see if any of the extensions you use have been marked as vulnerable.

5. Review the Joomla-created Joomla security checklist.
This checklist has been provided as a simple way to control your Joomla installation and server settings. It will help you evaluate where you might be security holes.

6. Remove the username admin that comes with the original installation.
Hackers know the name, this admin user, and of course the default username (admin), which is created when you install Joomla. If you leave it there, it gives them a means of accessing a piece of the puzzle without any effort. Create a super admin user with a different user name.

7. Install JSecure - a plugin to hide the Administrator login page.
This simple plugin allows you to create a custom URL for your admin login page, which makes it difficult for a hacker to connect to the admin panel.

8. Remove the FTP functionality in Global Configuration.
If an attacker gains access to your Joomla admin and FTP is enabled, it gives free access to your server.

9. Change your password regularly.
Change your Joomla passwords and cPanel and FTP passwords at least once a month. This is particularly important if you connect from different computers that other people have access to. When you create a password, do not use the names of your child or pet. Make it encrypted and difficult to understand. Use a random password generator to create cryptic passwords. Combine uppercase and lowercase letters, numbers and symbols if you are generating your own password.

10. Disable or uninstall the extensions that are not being used.
The basic Joomla installation comes with several components, modules and plugins. If any are not in use, turn them off. To do this go to the Joomla Extension Manager > Install / Uninstall tab and scroll to the appropriate extension using the blue tabs at the top. If you have chosen to install a third party Joomla extension that you are no longer using, uninstall it.

11. Do not run your site in Legacy Mode.
If you have a part that requires legacy mode, spend time to find and install a component that is Joomla 1.5 native. Legacy mode does not allow you to utilize some of the extensions that will keep your site secure.

12. Consider installing commercial security extensions.
The following extensions are a good investment because they offer a long list of features that keep your Joomla site secure:
RS firewall
JomDefender**
Mighty Defender

**Through August 15, 2011 you can get 25% off JomDefender. Use promocode: hotdeals11 when you check out.

13. Report hacking attempts on your hosting company.
They need to know that someone is hacking the server. Only then can they provide support and solutions to secure the server for everybody.

14. Install SEF (Search Engine Friendly) component.
Without SEF URLs, hackers can seek specific URLs in your Joomla site which can give them clues for hacking. Install SEF, Joomla URL rewrite search engine friendly keywords, so hackers can not find the URL they are looking for. This is also good for SEO efforts.

15. Change the table prefix in your mySQL database.
This is for advanced users, so for starters, you better find a developer to help with this. The default Joomla table prefix is "jos_ so" hackers will expect that. Changing the prefix avoids a hack known as a SQL injection (where they inject something in your database tables).

Company

Backups

$$ Back Guarantee

Monthly Cost

weekly

yes

$4.95-$99.95

weekly

yes

$5.95-$12.95

2x daily

yes

$8.95-$69.95

extra $

30 day

$7.33

every 6 hours

30 day

$7.95-$160

yes

anytime

$3.45-$6.95

nightly

45 day

$4.95-$350

some accounts

90 day

$3.99-$19.99

yes
yes

anytime

$6.95

yes

30 day

$5.95-$99.95

yes

anytime

$6.95

daily

30 day

$2.95-$64.95

extra $

no

$5.95-$89

weekly

30 day

$6.95-$8.95

We recommend changing passwords at least once a month. Once a week if you login on a public computer or a computer that is used by a lot of people. If you allow a freelance developer work on your site, you should change all passwords once the work is done.

Which passwords should I change?
You should change all the passwords for Joomla administrators, plus the cpanel and ftp passwords for your hosting account.

How do I make a strong password?
Passwords are hard to remember, so as a result people use words that are familiar and they can easily remember. That problem is that passwords that are easy to remember make it easy for people to hack in. This is particularly true if you use a password that is relevant to something in your life, like your pet's or kid's name.
How do I create a secure password?
The following guidelines should help you create a secure password:

• Do not use real words.
• Do not use names of people or pets close to you.
• Mix upper and lowercase characters.
• Throw in a number or two.
• Use symbols: ! @ # $ % ^ & * ( )
• Mix it up with all of the above
• Use a password strength checker
• Use a password generator tool

Password examples:
A strong password example: #rtg7yhwS!
A weak password example: BuddyDog

What if I forget my new password?
There is a way to go into the database to reset the administrator password. You need to access your Joomla database via phpMyAdmin to change a person's password. In phpMyAdmin, open the SQL tab (look at the top navigation bar). In the text field write the following SQL query:

UPDATE `jos_users` SET `password` = MD5( 'new_password' ) WHERE `jos_users`.`username` = "admin" ;

"new_password" - replace this with the new password you wish to use.
"admin" - replace this if your admin username is different.

Often it is really easy to tell if you site has been hacked -- it won't work. You'll either get an error message or a blank white screen. You may even be able to log into your Joomla administrator panel, and all will seem well from the backend, but the live website just won't display.

Sometimes it's not that obvious. The hackers may have inserted code that downloads a Trojan horse or virus onto people's computers (otherwise known as malware). You may not know this unless somebody tells you that their virus software gave them a warning when they visited your site.

One of the best ways to keep on top of your website is to sign up for Google Webmaster tools. Once you verify your site with them, they will monitor your website for hacking code and report any suspicious code they find. This is a great way to make sure your website is staying clear of hackers. You do need a Google account to sign up for this service.

If your website has been hacked, the first thing you should do is notify your hosting company. If you are on a shared server, your website hack makes all other sites on that server vulnerable. The hosting company can also look at log files and try to determine where the hack came from and possibly block their IP. After reporting to the hosting company, move on to restoring your website.

Do you have a backup? If yes, read this...
1. The best option to resolve a hacking attempt is to delete your website and database, then reinstall everything from your backup. Hopefully you have used Akeeba Backup which means it will take less than 20 minutes to restore your site.

2. Immediately after reinstalling (we're talking minutes here, not days), change all the passwords. Change your Joomla administrator passwords as well as cpanel passwords. Also change your database user password, and even create a new username for the database.

3. Then go through our 15 tips to secure your Joomla website and employ the tools required to keep hackers from visting again.

By restoring from a clean backup you are guaranteed to remove all hack code from all files on your site. There are 1,000s of php files in a Joomla website, so searching through each of them can be a laborious process. This is why it is so important to take regular backups of your site!

Did you forget to backup? If yes, read this...
1. Contact your hosting company and ask them if they have a backup of your site. Often hosting companies will backup servers even if they don't advertise that they do. Sometimes they will charge you to restore from this backup, but it's worth it to get your site up and running again. It is in the hosting company's best interest to get your hacked code off their servers, so most companies will be helpful in getting your site cleaned.

2. If the hosting company does not have a backup, then you will need to hunt for the hacked code and make repairs. Use the following site scanners to determine what files may contain the hacked code:

• Use Google's diagnostic tool to review your website. Type the following URL into your browser, replacing YOURDOMAIN with your own URL:
  http://www.google.com/safebrowsing/diagnostic?site=http://YOURDOMAIN
• Unmask Parasites
• Rex Swain's HTTP Viewer
• Sucuri Site Scanner
• SOS Site Scan

3. If you are unable to clean up the hacked code yourself, join the free BadwareBusters.org online forum and see if some of their members can assist you.

4. If you still aren't able to find a solution, considering hiring a freelance developer to assist you in the clean up process. Freelancer.com has a lot of reliable Joomla developers who could help you resolve your hacking issue.

5. Once you get your Joomla site cleaned, BACK UP YOUR SITE!! Akeeba backup is a simple extension that allows you to quickly backup your Joomla website.

What if you've been kicked out of Google for a hacked site?
Google does scan for hacked websites, and they will remove them from their index if hacked code is found. This is why registering for Google Webmaster tools is beneficial. They will notify you when they find hacked code on your site, and once you fix the problem you can easily resubmit your site for indexing.

If you don't have Google Webmaster tools, you can also resubmit your site for indexing AFTER all the hacked code is gone.

Do you have some interesting knowledge to share?
Did you know you could make money with Squidoo?
Create a Squidoo Lens Now! >>>

Gloriousconfusion