Menu
Because there will always be risk, Joomla security remains a continuous process, requiring frequent assessment of possible attack vectors. This guide is intended to educate Joomla website owners and administrators on basic security techniques and actionable steps that will help to improve your security posture and reduce the risk of a compromise.
Contents
The Joomla security team is doing a great job encouraging users to keep their sites up to date, but due to the variety and complexity of modern web servers, security issues can’t be resolved with simple, one-size-fits-all solutions.
By regularly installing the latest versions of Joomla, you can ensure that your website stands a better chance of resisting potential bad actor attacks.
Extensions and templates can become deprecated, obsolete, or include bugs that pose serious security risks to your website.
To protect your Joomla installation, we recommend that you audit your extensions, components and templates on a regular basis. The Joomla dashboard offers update notifications when admins log in. These include outdated Joomla core version, PHP version, or extensions. Update notifications show up whether there are security issues or not, so make sure you always keep everything up to date.
All known vulnerable extensions are listed in the Vulnerable Extensions List (VEL) section. No patch is available for extensions in this section and you are recommended to uninstall the extension from your site. The Resolved VEL section lists extensions for which a patch is available. You are recommended to update if your site uses any of these extensions.
You can assess the security of Joomla components, extensions, and templates by reviewing important indicators:
Just as with any other CMS, when it comes to unused components, less is always more. Storing unused components in your Joomla installation will only increases the chance of a compromise, even if they are disabled and inactive.
We highly recommend removing unused extensions, components, or themes to lessen potential security flaws.
Gone are the days of manually checking the version of your Joomla core or other official components and extensions.
Joomla now offers automatic updates for your installation. When you log into the dashboard (which defaults at yourdomain.com/administrator/) you will be presented with a notification of any updates available to your software version or Joomla core itself.
If there is no need for an update to be applied to your Joomla installation, the dashboard indicates that. Under the “Maintenance” item of the Control Panel menu: “Joomla is up to date” and “All extensions are up to date”.
You should always apply updates as soon as possible. Logging into your site on a frequent basis will ensure that you’re aware of newly released updates. Click Check For Updates to verify directly with Joomla repository of any new updates.
Joomla will notify you on your Administrator home page (control panel) when an update is available. It will not automatically update for you. It is the responsibility of the administrator to start the update and verify successful completion.
If you cannot update your site for any reason, consider using a website firewall to virtually patch the problem and minimize the risk.
Before you update Joomla, we recommend taking the following precautionary steps:
In order to see if any updates are available for your installed extensions, login to your Joomla dashboard and navigate to Extensions > Manage > Update.
Depending on your Joomla version, the corresponding extensions may differ in their updating method, so it is recommended you always check the official Joomla documentation for the right method to use to install updates.
There will always be attackers trying to exploit weak user credentials and security setups in order to obtain access to Joomla websites.
By utilizing strong, unique passwords on your website, restricting the privileges available to users through assigned roles, enabling two-step or multi-factor authentication, and limiting user sessions, you can reduce the risk of a website compromise by a bad actor.
How you manage your users plays an important role in the security of your Joomla website.
By default, Joomla allows three privileged user groups to access the Control Panel:
At the beginning of any new Joomla installation, you have to set the administrator’s username and password. Make sure your username is not “demo”, “admin” or “administrator”.
By changing the username, you increase the difficulty of accessing the account. An attacker must correctly guess both the username and password at the same time to gain access.
The principle of least privilege is composed of two very simple rules:
In addition, Joomla includes various built-in roles for Public, Guest, Registered, Special and Super Users. These roles specify what can and cannot be accomplished by a user.
Follow these access control recommendations to reduce your security risks:
Password lists are often used by attackers to brute force Joomla websites. This is why you should always use strong, unique passwords for all of your accounts.
As a security best practice, we encourage all webmasters to use a password manager like KeePass to generate and securely store their passwords.
Two-factor authentication provides a second level of protection for your account. This feature requires a user to approve a login via an app and protects your account in the event that someone is able to guess your password.
The Sucuri Firewall includes a feature that helps you easily implement 2FA or password protection on any page of your website.
Unlimited login attempts is a default setting in Joomla. This leaves your site vulnerable to brute force attacks as hackers try different password combinations.
We recommend adding an extra layer of protection by limiting the number of login attempts against an account through an extension, or by using a Web Application Firewall (WAF).
Some popular plugins that provide you with this feature are AdminExile, and Brute Force Stop.
The acronym stands for Completely Automated Public Turing test to tell Computers and Humans Apart. This feature is extremely useful for stopping automated bots from accessing your Joomla dashboard, as well as submitting unwanted spam through forms.
Popular extensions that add a CAPTCHA to your Joomla login page are SecurImages Captcha Plugin, Antispam by CleanTank, Custom reCaptcha, or OSOLCaptcha.
Limiting the access to your login page to only authorized IP’s will prevent unauthorized entries.
There are extensions available that can do this. If you are using a cloud-based WAF like the Sucuri Firewall, you can restrict access to these URLs via your dashboard without having to modify .htaccessb> files.
In the field of Information Security (InfoSec) we like to use the phrase defense in depth.
To appreciate this ideology, you have to subscribe to a very simple principle: There is no 100% complete solution capable of protecting any environment.
In this section, we’ve listed a number of solutions you can employ on your Joomla website to provide an effective defense-in-depth strategy. By layering these defensive controls, you’ll be able to identify and mitigate risks and attacks against your website.
If you go to the official Joomla extensions repository and run a quick search for Security, you will find over 500 extensions with distinct categorizations and feature sets—site access, security tools, access & security, plus many others.
Joomla organizes their Access & Security group separately, with a current total of almost 400 extensions—both free and paid.
Detection plugins are important in identifying if something has gone wrong on your website. These tools ensure that you’re informed in the event a security incident occurs.
Web hosting security has matured in recent years, yet remains a very complex topic.
Most hosts provide the security you require at various levels in the stack, but not for the website itself. There are a number of hosting providers that offer security for an additional fee, but unless you’ve purchased a security product from them, it’s unlikely that they will resolve a compromise for you.
There are four main hosting environments that can be used for your Joomla installation:
In theory, the environments that remove the most dependency from the user will offer the most security. If you have the time and skill to secure your own environment, then you have more options but also more responsibility.
In reality, however, the type of hosting environment you choose should be dictated by your needs, expertise, and budget:
You can also initiate a conversation with your hosting provider to identify what their stance is on security. Here are some key points that should be addressed:
As with other CMS platforms, the official Joomla website recommends some web hosting provider services to try. We’re not really sure if the list is based on vetted security and performance features or mere advertisement, so tread carefully.
Securing file transfer to and from your server is an important facet of website security in your hosting environment. Encryption ensures that any data sent is protected from attackers trying to gain access to your network traffic.
SSH: Secure Socket Shell is a secure network protocol and the most common way of safely administering remote servers. With Secure Socket Shell, any kind of authentication (including password authentication and file transfers) is encrypted.
SFTP: SSH File Transfer Protocol is an extension of SSH and allows authentication over a secure channel. If you are using FileZilla or some other FTP client, you can often select SFTP instead. The default port for SFTP in most FTP services is 22.
Maintaining website backups should be one of the most important recurring tasks for a website administrator.
A good set of backups can save your website when absolutely everything else has gone wrong. If a malicious attacker decides they want to wipe all your site files or corrupts your site files with their buggy scripts, the damage can be undone simply by restoring your site from your backups.
One of the most used backup tools for Joomla is Akeeba.
There are four key requirements for employing a successful backup solution:
There are a number of tools you can use to identify when something has gone wrong on your Joomla website.
To help you respond quickly to a security breach, employ a tool that includes the following services:
Integrity checks are an important aspect of auditing your Joomla installation. They give you an early warning of an intrusion on your website.
File Integrity Monitoring tools should normally be installed on a server where they can create a baseline cryptographic checksum of the critical files and registry entries. If a file or record is modified in any way, you’ll receive a notification of the changes.
Auditing tools give you visibility into user activity on the website. As the administrator of your website you should be asking questions like these:
We cannot stress enough the importance of logging activity. Use a tool that logs and alerts you of any actions taken on your website, including:
Response and recovery aren’t just about responding to a compromise or incident, it’s about analyzing the impacts of an attack to understand what happened, and implementing controls to prevent it from happening again.
Sucuri offers DDoS Protection, WAF, SSL Support & Monitoring with its Platform Plans.
The .htaccess file is what most vendors will modify when they say they are hardening your environment. This critical configuration file is specific for web servers running on Apache.
Joomla ships with a preconfigured .htaccess file, but you need to choose to use it. The file is called htaccess.txt. To use it, rename it to .htaccess and place it in the root of your site using FTP. Whenever you update your Joomla website, this htaccess.txt file must be renamed again to ensure you have the latest recommended .htaccess.
Make sure you follow Joomla security recommended htaccess content in order to better protect your site:
##
# @package Joomla
# @copyright Copyright (C) 2005 - 2018 Open Source Matters. All rights reserved.
# @license GNU General Public License version 2 or later; see LICENSE.txt
##
##
# READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE!
#
# The line 'Options +FollowSymLinks' may cause problems with some server configurations.
# It is required for the use of mod_rewrite, but it may have already been set by your
# server administrator in a way that disallows changing it in this .htaccess file.
# If using it causes your site to produce an error, comment it out (add # to the
# beginning of the line), reload your site in your browser and test your sef urls. If
# they work, then it has been set by your server administrator and you do not need to
# set it here.
##
## No directory listings
IndexIgnore *
## Can be commented out if causes errors, see notes above.
Options +FollowSymlinks
Options -Indexes
## Mod_rewrite in use.
RewriteEngine On
## Begin - Rewrite rules to block out some common exploits.
# If you experience problems on your site then comment out the operations listed
# below by adding a # to the beginning of the line. # This attempts to block the most common type of exploit `attempts` on Joomla!
#
# Block any script trying to base64_encode data within the URL.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block any script that includes a <script> tag in URL.
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block any script trying to set a PHP GLOBALS variable via URL.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block any script trying to modify a _REQUEST variable via URL.
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root home page
RewriteRule .* index.php [F]
#
## End - Rewrite rules to block out some common exploits.
## Begin - Custom redirects
#
# If you need to redirect some pages, or set a canonical non-www to
# www redirect (or vice versa), place that code here. Ensure those
# redirects use the correct RewriteRule syntax and the [R=301,L] flags.
#
## End - Custom redirects
##
# Uncomment the following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root).
##
# RewriteBase /
## Begin - Joomla! core SEF Section.
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path and file doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
#
## End - Joomla! core SEF Section.
Make sure that all configurable paths to writable or uploadable directories (document repositories, image galleries, caches) are outside of your public_html or similar public-facing folders. Check third-party extensions such as DOCMan and Gallery2 for editable paths to writable directories. Always make sure to review the extensive security documentation provided by Joomla when applying these steps.
For Joomla versions 1.5, 2.5, 3.x in the Back-End Global Configuration, make sure you change the log path. Some extensions use the built in JLog class. This will, by default, write logs to https://yoursite/logs. Change this to a place that a casual browser cannot find (and don’t pick /tmp/), or lock it down with http authentication.
For Joomla versions 1.5, 2.5, 3.x in the Back-End Global Configuration, change the temp folder path.
If the log and temp paths are changed and PHP open_basedir configuration directive is set, the new paths must fall within the scope of open_basedi, limiting the files that can be accessed by PHP to the specified directory-tree, including the file itself.
There is currently no easy way to move the Joomla! /image and /media directories. This is because thousands of third-party extensions expect to find these important directories at the current location.
Remove all unnecessary design templates on your website.
On Joomla 1.5 it is recommended you disable the XML-RPC server if you don’t use it. XML-RPC is a specification and set of implementations that allows software running on different software platforms and written in different languages to make procedural calls over the internet using standard Extensible Markup Language.
Clean up after installs. The installation process will require you to delete the installation directory and all of its contents. Do this; do not simply rename it. If you upload files to your site as compressed archives (xxxx.zip for example), don’t forget to remove the compressed file. Check the /temp/ directory, as temporary files may remain there after a failed installation attempt. As a general rule, do not leave any unneeded files (compressed or otherwise) on a public server. Each unused (and perhaps long forgotten) file is a potential security hole.
This is the situation where cross-site contamination appears. Cross-site contamination occurs when a hacked site infects other sites on a shared server. One of the main causes of cross-site contamination is poor isolation on the server or weak account configuration.
This article sheds more light into the cross-site contamination process, why it happens to your site, and what you can do to prevent it.
The Joomla! Security Team supports an RSS feed that provides the latest Joomla security information. We recommend installing it on your website to always be up to date with any security releases or announcements the team releases.
Here are the steps to explain how to add this feed to your site:
You can also use this technique to deliver your own “Customer Updates” to sites that you build for others. It’s a great way to communicate with your customers after handing over the site to them. Every time they log in to the Back End, they’ll see your latest news.
There are a number of professional services that take care of your website security needs for you. Not all services are the same – some charge more to fix complex hacks, and others provide different tiered feature sets. You should choose the one that best fits your needs.
If your host provides security services, take some time to research exactly what features they include. They’re normally happy to advise you on ways to complement their baseline feature sets with additional services.
The benefit to employing a cloud-based security service like Sucuri is that it provides complete end-to-end website security. This means protection, detection, and response services are included with an all-in-one platform and no hidden fees.
Our highly-availability Globally Distributed Anycast Network (GDAN) ensures that websites can efficiently service their global audiences while mitigating DDoS attacks.
Benefits of using a website firewall:
1. Prevent a Future Hack
By detecting and stopping known hacking methods and behaviors, a website firewall keeps your site protected against infection in the first place.
2. Virtual Security Update
Hackers quickly exploit vulnerabilities in plugins and themes, and unknown ones are always emerging (called zero-days). A good website firewall will patch your holes in your website software even if you haven’t applied security updates.
3. Block Brute Force Attack
A website firewall should stop anyone from accessing your wp-admin or wp-login page if they aren’t supposed to be there, making sure they can’t use brute force automation to guess your password.
4. Mitigate DDoS Attack
Distributed Denial of Service attacks attempt to overload your server or application resources. By detecting and blocking all types of DDoS attacks, a website firewall makes sure your site is available if you are being attacked with a high volume of fake visits.
5. Performance Optimization
Most WAFs will offer caching for faster global page speed. This keeps your visitors happy and is proven to lower bounce rates while improving website engagement, conversions, and search engine rankings.
We offer all of these features for Joomla sites with our Sucuri Firewall.
Our Web Application Firewall (WAF) and Intrusion Prevention System (IPS) helps mitigate many website threats.
Here are some educational website security resources:
If you are looking for a website security partner, we would love to work with you.
Say on top emerging website security threats with our helpful guides, email, courses, and blog content.
