Because there will always be risk, Joomla security remains a continuous process, requiring frequent assessment of possible attack vectors. This guide is intended to educate Joomla website owners and administrators on basic security techniques and actionable steps that will help to improve your security posture and reduce the risk of a compromise.
Contents
The Joomla security team is doing a great job encouraging users to keep their sites up to date, but due to the variety and complexity of modern web servers, security issues can’t be resolved with simple, one-size-fits-all solutions.
By regularly installing the latest versions of Joomla, you can ensure that your website stands a better chance of resisting potential bad actor attacks.
Extensions and templates can become deprecated, obsolete, or include bugs that pose serious security risks to your website.
To protect your Joomla installation, we recommend that you audit your extensions, components and templates on a regular basis. The Joomla dashboard offers update notifications when admins log in. These include outdated Joomla core version, PHP version, or extensions. Update notifications show up whether there are security issues or not, so make sure you always keep everything up to date.
Note
Carefully read the Terms of Service. Extensions and templates may include unwanted extras—and you may want to look for an alternate, more secure solution.
All known vulnerable extensions are listed in the Vulnerable Extensions List (VEL) section. No patch is available for extensions in this section and you are recommended to uninstall the extension from your site. The Resolved VEL section lists extensions for which a patch is available. You are recommended to update if your site uses any of these extensions.
You can assess the security of Joomla components, extensions, and templates by reviewing important indicators:
Just as with any other CMS, when it comes to unused components, less is always more. Storing unused components in your Joomla installation will only increases the chance of a compromise, even if they are disabled and inactive.
We highly recommend removing unused extensions, components, or themes to lessen potential security flaws.
Gone are the days of manually checking the version of your Joomla core or other official components and extensions.
Joomla now offers automatic updates for your installation. When you log into the dashboard (which defaults at yourdomain.com/administrator/) you will be presented with a notification of any updates available to your software version or Joomla core itself.
If there is no need for an update to be applied to your Joomla installation, the dashboard indicates that. Under the “Maintenance” item of the Control Panel menu: “Joomla is up to date” and “All extensions are up to date”.
You should always apply updates as soon as possible. Logging into your site on a frequent basis will ensure that you’re aware of newly released updates. Click Check For Updates to verify directly with Joomla repository of any new updates.
Joomla will notify you on your Administrator home page (control panel) when an update is available. It will not automatically update for you. It is the responsibility of the administrator to start the update and verify successful completion.
If you cannot update your site for any reason, consider using a website firewall to virtually patch the problem and minimize the risk.
Before you update Joomla, we recommend taking the following precautionary steps:
In order to see if any updates are available for your installed extensions, login to your Joomla dashboard and navigate to Extensions > Manage > Update.
Depending on your Joomla version, the corresponding extensions may differ in their updating method, so it is recommended you always check the official Joomla documentation for the right method to use to install updates.
There will always be attackers trying to exploit weak user credentials and security setups in order to obtain access to Joomla websites.
By utilizing strong, unique passwords on your website, restricting the privileges available to users through assigned roles, enabling two-step or multi-factor authentication, and limiting user sessions, you can reduce the risk of a website compromise by a bad actor.
How you manage your users plays an important role in the security of your Joomla website.
By default, Joomla allows three privileged user groups to access the Control Panel:
At the beginning of any new Joomla installation, you have to set the administrator’s username and password. Make sure your username is not “demo”, “admin” or “administrator”.
By changing the username, you increase the difficulty of accessing the account. An attacker must correctly guess both the username and password at the same time to gain access.
The principle of least privilege is composed of two very simple rules:
In addition, Joomla includes various built-in roles for Public, Guest, Registered, Special and Super Users. These roles specify what can and cannot be accomplished by a user.
Follow these access control recommendations to reduce your security risks:
Password lists are often used by attackers to brute force Joomla websites. This is why you should always use strong, unique passwords for all of your accounts.
Pro Tip
You can enforce strong passwords from Users > Password Options.
As a security best practice, we encourage all webmasters to use a password manager like KeePass to generate and securely store their passwords.
Two-factor authentication provides a second level of protection for your account. This feature requires a user to approve a login via an app and protects your account in the event that someone is able to guess your password.
The Sucuri Firewall includes a feature that helps you easily implement 2FA or password protection on any page of your website.
Unlimited login attempts is a default setting in Joomla. This leaves your site vulnerable to brute force attacks as hackers try different password combinations.
We recommend adding an extra layer of protection by limiting the number of login attempts against an account through an extension, or by using a Web Application Firewall (WAF).
Some popular plugins that provide you with this feature are AdminExile, and Brute Force Stop.
The acronym stands for Completely Automated Public Turing test to tell Computers and Humans Apart. This feature is extremely useful for stopping automated bots from accessing your Joomla dashboard, as well as submitting unwanted spam through forms.
Popular extensions that add a CAPTCHA to your Joomla login page are SecurImages Captcha Plugin, Antispam by CleanTank, Custom reCaptcha, or OSOLCaptcha.
Limiting the access to your login page to only authorized IP’s will prevent unauthorized entries.
There are extensions available that can do this. If you are using a cloud-based WAF like the Sucuri Firewall, you can restrict access to these URLs via your dashboard without having to modify .htaccessb> files.
In the field of Information Security (InfoSec) we like to use the phrase defense in depth.
To appreciate this ideology, you have to subscribe to a very simple principle: There is no 100% complete solution capable of protecting any environment.
In this section, we’ve listed a number of solutions you can employ on your Joomla website to provide an effective defense-in-depth strategy. By layering these defensive controls, you’ll be able to identify and mitigate risks and attacks against your website.
If you go to the official Joomla extensions repository and run a quick search for Security, you will find over 500 extensions with distinct categorizations and feature sets—site access, security tools, access & security, plus many others.
Joomla organizes their Access & Security group separately, with a current total of almost 400 extensions—both free and paid.
Detection plugins are important in identifying if something has gone wrong on your website. These tools ensure that you’re informed in the event a security incident occurs.
Web hosting security has matured in recent years, yet remains a very complex topic.
Most hosts provide the security you require at various levels in the stack, but not for the website itself. There are a number of hosting providers that offer security for an additional fee, but unless you’ve purchased a security product from them, it’s unlikely that they will resolve a compromise for you.
There are four main hosting environments that can be used for your Joomla installation:
In theory, the environments that remove the most dependency from the user will offer the most security. If you have the time and skill to secure your own environment, then you have more options but also more responsibility.
In reality, however, the type of hosting environment you choose should be dictated by your needs, expertise, and budget:
You can also initiate a conversation with your hosting provider to identify what their stance is on security. Here are some key points that should be addressed:
As with other CMS platforms, the official Joomla website recommends some web hosting provider services to try. We’re not really sure if the list is based on vetted security and performance features or mere advertisement, so tread carefully.
Securing file transfer to and from your server is an important facet of website security in your hosting environment. Encryption ensures that any data sent is protected from attackers trying to gain access to your network traffic.
SSH: Secure Socket Shell is a secure network protocol and the most common way of safely administering remote servers. With Secure Socket Shell, any kind of authentication (including password authentication and file transfers) is encrypted.
SFTP: SSH File Transfer Protocol is an extension of SSH and allows authentication over a secure channel. If you are using FileZilla or some other FTP client, you can often select SFTP instead. The default port for SFTP in most FTP services is 22.
Maintaining website backups should be one of the most important recurring tasks for a website administrator.
A good set of backups can save your website when absolutely everything else has gone wrong. If a malicious attacker decides they want to wipe all your site files or corrupts your site files with their buggy scripts, the damage can be undone simply by restoring your site from your backups.
One of the most used backup tools for Joomla is Akeeba.
There are four key requirements for employing a successful backup solution:
There are a number of tools you can use to identify when something has gone wrong on your Joomla website.
To help you respond quickly to a security breach, employ a tool that includes the following services:
Integrity checks are an important aspect of auditing your Joomla installation. They give you an early warning of an intrusion on your website.
File Integrity Monitoring tools should normally be installed on a server where they can create a baseline cryptographic checksum of the critical files and registry entries. If a file or record is modified in any way, you’ll receive a notification of the changes.
Auditing tools give you visibility into user activity on the website. As the administrator of your website you should be asking questions like these:
We cannot stress enough the importance of logging activity. Use a tool that logs and alerts you of any actions taken on your website, including:
Response and recovery aren’t just about responding to a compromise or incident, it’s about analyzing the impacts of an attack to understand what happened, and implementing controls to prevent it from happening again.
Sucuri offers DDoS Protection, WAF, SSL Support & Monitoring with its Platform Plans.
Caution
The following recommendations are for server administrators with a working knowledge of these files. If you do not feel comfortable with the suggestions provided below, we recommend using a website firewall that includes virtual hardening instead.
The .htaccess file is what most vendors will modify when they say they are hardening your environment. This critical configuration file is specific for web servers running on Apache.
Joomla ships with a preconfigured .htaccess file, but you need to choose to use it. The file is called htaccess.txt. To use it, rename it to .htaccess and place it in the root of your site using FTP. Whenever you update your Joomla website, this htaccess.txt file must be renamed again to ensure you have the latest recommended .htaccess.
Make sure you follow Joomla security recommended htaccess content in order to better protect your site:
##
# @package Joomla
# @copyright Copyright (C) 2005 - 2018 Open Source Matters. All rights reserved.
# @license GNU General Public License version 2 or later; see LICENSE.txt
##
##
# READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE!
#
# The line 'Options +FollowSymLinks' may cause problems with some server configurations.
# It is required for the use of mod_rewrite, but it may have already been set by your
# server administrator in a way that disallows changing it in this .htaccess file.
# If using it causes your site to produce an error, comment it out (add # to the
# beginning of the line), reload your site in your browser and test your sef urls. If
# they work, then it has been set by your server administrator and you do not need to
# set it here.
##
## No directory listings
IndexIgnore *
## Can be commented out if causes errors, see notes above.
Options +FollowSymlinks
Options -Indexes
## Mod_rewrite in use.
RewriteEngine On
## Begin - Rewrite rules to block out some common exploits.
# If you experience problems on your site then comment out the operations listed
# below by adding a # to the beginning of the line. # This attempts to block the most common type of exploit `attempts` on Joomla!
#
# Block any script trying to base64_encode data within the URL.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block any script that includes a