Joomla

The purpose of this tutorial is to show you how to secure your Joomla website. There are several steps you can take to protect your Joomla application. Joomla's security can be improved significantly by following these simple steps.

• Change the administrative username of your Joomla
• Change the default table prefix of your Joomla database
• Password protect your Joomla administrative area
• Keep your Joomla up-to-date
• Use the .htaccess file to additionally secure Joomla

How to change the administrative username of your Joomla website

By default your administrative username is admin. The majority of the attackers would expect the username to be admin. Changing it will protect you against many attacks.

To do this, you should:

Alternatively, you can do this by modifying the database of your Joomla website:

Step 1. Open the phpMyAdmin tool in your cPanel and load your Joomla database.

Step 2. Select the jos_users table from the left column and click on the Browse button to edit the rows in it.

 

Step 3. Locate the line for the "admin" username and click on the pen icon next to it to edit it.

 

Step 4. Change the value of the "username" field to something different than "admin". Using lower and upper case characters as well as numbers is highly recommended.

Step 5. Once you change your administrative username, press the Go button at the bottom right part of the page.

 

Now you can login to the administrative area of your Joomla application with the new username.

How to change the default table prefix of your Joomla database

Changing the default table prefix will stop the majority of attacks against your database. You can use the DB Admin component in order to do this. Although it is originally designed for Joomla 1.0.x, it works on Joomla 1.5 too.

Step 1. Install the component and go to Components > DB Admin.

Step 2. Using the intuitive interface, change the default "jos_" prefix of your Joomla 1.5 tables to a different value.

Step 3. Modify the configuration.php file in your main Joomla folder. In it locate the following line:

var $dbprefix = 'jos_';

You will have to edit it to correspond to the new table prefix you have set. For example, if you have changed the table prefix to "smth_" the line in the configuration.php file should look like this:

var $dbprefix = 'smth_';

The default table prefix of your Joomla database is now changed. This should block the majority of attacks against your database.

Password protect your administrative area

Password protecting the "administrator" folder will add an additional layer of protection to your Joomla website. For more information on how to do that you should refer to our tutorial on How to password protect directories. You should set username and password for your website different from the ones for your Joomla application.

Once you do this, you will have to login twice. First to access the login page of Joomla and then to login in the application itself.

That would make guessing your passwords a very difficult task for any attacker. In addition, even if there is a security breach within the Joomla script itself, a potential attacker won't be able to gain access to your administrative end even if s/he knows your login details.

Keep your website up-to-date

You should always keep your Joomla application up-to-date. We recommend you to subscribe to the Joomla newsletter in order to receive news about new versions. You can do this at Joomla's official download page.

Once you receive a notification that a new version of Joomla is released, you should upgrade your website immediately. For detailed information on how to upgrade your site, you can refer to our Joomla upgrade tutorials:

• How to upgrade Joomla 1.0.x
• How to upgrade Joomla 1.5.x

If your website is running Joomla 1.0.x it is recommended to migrate it to Joomla 1.5.x. In Joomla 1.5 there are many security improvements in the core elements of the application. The migration, however, should be performed with caution. You should always backup your Joomla before proceeding with the upgrade. For more information you can check our tutorial on How to upgrade from Joomla 1.0.x to Joomla 1.5.

Use the .htaccess file to additionally secure your Joomla

You should make the following changes to the .htaccess file in the Joomla directory:

• First, If you don't have a .htaccess file in your Joomla folder, you should rename the htaccess.txt file that comes with your Joomla installation package to .htaccess. To do this, you can use the File Manager tool in your cPanel. In addition, doing this will allow you to enable the SEF functionality of your Joomla application. The rules in it will block the majority of well-known attacks against your website.
• Make sure you are running your website on PHP 5.2 or newer. All SiteGround customers have their accounts running PHP 5.2 by default.
• Block the access to all files except index.php and index2.php. Note, however, that you may have to allow the access to some additional files if your extensions require them. If certain parts of your website do not appear, you can check the files that they rely on. Then, you can add them to the access rules. Generally, if you add the following lines to your .htaccess file, everything should work just fine:
  

  deny from all
  <FilesMatch "index.php">
  allow from all
  </FilesMatch>
  <FilesMatch "index2.php">
  allow from all
  </FilesMatch>

Obviously, your primary focus should be keeping your passwords secure and making sure you are using credible components and updating them whenever a security release comes out. There is a second step you can take which will be a good addition to your site's security: add a second level password to the administrator area.

Adding a pop-up password with .htaccess

Think of this as "belts and suspenders." By adding a password requirement at the file system level, no one can even access the administrative back end without knowing this first password. (Note that if they have somehow obtained an admin password they can still do some damage from the front end). Functionally it means your administrators will have to enter one more username and password, but it's worth the extra effort. You should be sure to use a different username and password than you are using for your Joomla! login credentials.

To add the second-level protection, you need to create two new files, a .htaccess file in the administrator directory, and a .htpasswd file (in a folder that is not web-accessible).

.htpasswd

If you have access to the command line on your server you can create the password file by using the htpasswd command. If you need a little more guidance, you can use a site such as this .htaccess generator to create the files and provide them to you. The .htpasswd file will contain a username and an encoded password and it should be placed in a directory that is outside the web root if possible. (e.g. if your web root is in /[path-to-home-directory]/public_html you could create another folder in /[path-to-home-directory]/pw to store this file). Here is what a sample .htpasswd file looks like (the username is 'editor' and the password is encoded behind it):

editor:edEbsSZTeFf6M

.htaccess

If you already have a .htaccess file in the administrator directory, make a backup before adding the following code. If you don't have one, create one using the code below.

AuthUserFile /[path-to-home-directory]/pw/.htpasswd
AuthType Basic
AuthName "[Name to show in popup window]"
<Limit GET>
require valid-user
</Limit>

Joomla! is a great CMS that is used worldwide. For this reason, hackers often try to find a way to hack a Joomla! website. Here are 7 tips to optimize your Joomla! security, preventing your Joomla! website getting hacked.

Always remember to make a regular backup of your website and database. If you still get hacked, you can always get back to an older version of your website. Make sure you find out which extension caused the vulnerability and un-install it.

Change the default database prefix (jos_)

Most SQL injections that are written to hack a Joomla! website, try to retrieve data from the jos_userstable. This way, they can retrieve the username and password from the super administrator of the website. Changing the default prefix into something random, will prevent (most / all) SQL injections.

You can set the database prefix when installing your Joomla! website. If you've already installed Joomla! and want to change your prefix, do the following:

1. Log on to your Joomla! back-end.
2. Go to your global configuration and search for the database
3. Change your database prefix (Example: fdasqw_) and press Save.
4. Go to phpMyAdmin to access your database.
5. Go to export, leave all default values and press Start. Exporting the database can take a while.
6. When done, select all code and copy it to notepad (or any other text editor)
7. In phpMyAdmin, select all tables and delete them
8. In notepad, do a Search & replace (Ctrl + H). Set the searchterm to jos_ and change it into your new prefix (Example: fdasqw_). Press "Replace all".
9. Select everything in your notepad file and copy it. In phpMyAdmin, go to SQL, paste the queries and pressStart.

Remove version number / name of extensions

Most vulnerabilities only occur in a specific release of a specific extension. Showing MyExtension version 2.14 is a really bad thing. You can modify this message to only the name of the extension by doing the following:

1. Retrieve all files of the extension from your server.
2. Open up Dreamweaver.
3. Load any file from the extension that you just downloaded to your local machine.
4. Use the Search function and set the search to Search through specified folder. Navigate to the folder where you downloaded the exploit to.
5. Set the search term to "MyExtension version 2.14" and press OK.
6. When found the correct file, remove the version number.
7. Upload the changed file to your server and check if the changes are made.

Use a SEF component

Most hackers use the Google inurl: command to search for a vulnerable exploit. Use Artio, SH404SEFor another SEF component to re-write your URL's and prevent hackers from finding the exploits.

Additionally, you'll get a higher rank in Google when using search engine friendly URL's.

Keep Joomla! and extensions up to date

This one is pretty obvious. Always check for the latest versions of Joomla! and the extensions you're using. Many vulnerabilities are resolved most of the times in later versions.

Use the correct CHMOD for each folder and file

Setting files or folders to a CHMOD of 777 or 707 is only necessary when a script needs to write to that file or directory. All other files should have the following configuration:

• PHP files: 644
• Config files: 666
• Other folders: 755

Delete leftover files

When you installed an extension that you didn't like, don't set the extension to unbublished. If you do, the vulnerable files will still be on your website. So simply use the un-install function to totally get rid of the extension.

Change your .htaccess file

Add the following lines to your .htaccess file to block out some common exploits.

 
########## Begin - Rewrite rules to block out some common exploits
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
# Block out any script that includes a < script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2}) [OR]
# Block out any script that tries to set CONFIG_EXT (com_extcal2 issue)
RewriteCond %{QUERY_STRING} CONFIG_EXT([|%20|%5B).*= [NC,OR]
# Block out any script that tries to set sbp or sb_authorname via URL (simpleboard)
RewriteCond %{QUERY_STRING} sbp(=|%20|%3D) [OR]
RewriteCond %{QUERY_STRING} sb_authorname(=|%20|%3D)
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

For more Joomla! security tips, you can read the following:

• Joomla Administrators Security Checklist
• Visit the Joomla! security forums (1.0 and 1.5)

 

Keep an eye on websites listing Joomla! vulnerabilities:

• Secunia
• FrSIRT
• Milw0rm

 

If you have more tips to enhance the security of Joomla!, I would really like to hear them.

 

source: http://www.marcofolio.net/joomla/7_tips_to_optimize_joomla_security.html