Securing Joomla website

In addition to understanding the threats, and implementing general defensive strategies, it is important to know more specific details about security in Joomla, as well some specific examples of how to implement security strategies.

The developers of Joomla are constantly striving to improve the overall security of the system by employing good programming techniques and addressing security issues as they arise.  It is therefore important to try to keep up with the latest version of Joomla - 'patches' (collections of replacement files) are released periodically to address bugs and security holes as they are discovered.

Input boxes
There are various input boxes that can appear in a 'vanilla' Joomla website - for example, search boxes, filters, etc., and the data entered in such features is always validated to ensure it does not allow injection attacks.

HTML Editors
It is also possible with Joomla to allow your website's end users to submit news articles etc., and this opens up the possibility of cross-site-scripting injection where the data is allowed to be entered as HTML.  Most HTML editors will not allow javascript or certain other tags (eg. <object>, <applet>) to be entered though - for this very reason.

A problem arises here, because with Joomla, the same HTML editor is used both in the back end administrator and in the front end website.  So if you, as an administrator, want to add some javascript or other 'forbidden' tag, you're stuck.  Some editors (eg. JCE) will allow you to specify which tags are allowed, and therefore give you the flexibility to add javascript etc., if you need to do so - but if you use these options, you must ensure that you don't allow end users to use that HTML editor.

You can do this either by just not allowing user-submissions at all (which is the safest option), or by using 2 different HTML editors - the default one being restrictive, and an extra one which is assigned to your user record only (definable in Joomla's User Manager) which can be less restrictive.

User Login
The login features of Joomla - both for the back end administrator and the front end website - make use of one-way password encryption.  When you type in your password, Joomla applies a 'salted hash algorithm' to turn your password into a jumble of unintelligible text.  It never actually decrypts this, it just compares the jumbled up version of what you type in with the jumbled up version that is stored in the database against your user record to see if they match.

In order to determine whether or not you are logged in at any given time, Joomla uses a 'cookie' - a small text file which is stored on your computer.  This cookie does not contain your user name and password - it just contains a session id (or reference number), which Joomla can look up to find out who you are and whether you are logged in.  So even if someone could steal the cookie from your computer, all they would get is a reference number - they couldn't do much with it.

Make sure your Joomla Administrator password is not easy to guess - the longer it is, the more difficult it will be to guess.  Include numbers and punctuation marks (some symbols might not be allowed by Joomla though) for maximum security.

Release Notes
The text files that ship with a standard Joomla installation include release notes such as a 'change log' - a list of changes made to the program since the last release.  Such information can give away valuable clues about possible weaknesses that hackers can exploit.  However, the text files supplied with Joomla are protected from casual viewing by being named as PHP files and by programatically preventing browsing over HTTP.

.htaccess File
There is a file which is supplied with Joomla called htaccess.txt.  As long as the file is called htaccess.txt, it has absolutely no effect on your site.  Once you rename the file to .htaccess ("dot htaccess" instead of "htaccess dot txt"), it influences every request that is made of your site (note: this applies to sites running on an Apache web server, not IIS - if you're not sure whether your site is running on Apache or IIS, it is probably running on Apache!  99.99% of Joomla sites run on Apache web servers.  Apache is the name of the web server software, not the operating system - Apache can be run on Windows or Unix or Linux or FreeBSD, etc. etc.  IIS only runs on Windows. There are other web servers out there, but Apache and IIS are the most common).

Typically, you would only rename the file to .htaccess if you wanted to use search engine friendly URLs (or SEF URLs) - the instructions in that file allow meaningful page names to be translated internally (or 'rewritten') into a format that Joomla can understand (it is also now possible to have SEF URLs without .htaccess, although not all search engines will read them).  There are many other uses for an .htaccess file though, including setting password protection on a directory, to block users based on their IP address, and various other things.  This little file can be very powerful!  It is therefore important to ensure no unauthorised person can view it, or worse still, edit it.

Even if you are not using SEF URLs, it is a very good idea to use the supplied .htaccess file (ie. rename "htaccess.txt" to ".htaccess"), as it now includes a number of useful directives which provide extra security.  If you find that your site stops working when you have enabled .htaccess, try making the following changes (you might need one, some, or all of these changes for the file to work on your server - experiment with each combination of settings until you find one that doesn't cause any errors):

1) Find the line (about a third of the way down) that says "Options FollowSymLinks". Try adding a + sign like this: "Options +FollowSymLinks".

2) Add the following immediately after "Options FollowSymLinks": "Options SymLinksIfOwnerMatch".  Again, you might need to add a plus sign like this: "Options +SymLinksIfOwnerMatch" (if you are running on a Windows platform you will probably need this extra directive).

3) If it still doesn't work, try commenting out each of the above directives (that is, add a "#" sign to the beginning of the line).

In addition to setting the file permissions (see below), you can add the following directive to the top of your .htaccess file to prevent others from being able to read it:

<Files .htaccess>
order allow,deny
deny from all
</Files>

It is also a good idea to protect your site against HTTP tracking and tracing, and if you use a shared server, the easiest way to do this is to add the following to your .htaccess file (somewhere after the "RewriteEngine On" command):

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* – [F]

Please note, that making these changes to your .htaccess file is not supported by all server configurations.  Always backup your .htaccess file before making changes to it, and if your website starts reporting errors, you may have to undo your changes.

Server Settings
Joomla specifies certain settings that are recommended for proper functioning of the system.  A list of the recommended and actual settings is displayed when you install Joomla.  One of the recommended settings is to have 'Display Errors'  switched on.  This is very useful when developing and debugging a site, but there is a security vulnerability in some versions of PHP (not Joomla, but the language in which Joomla was written) which may allow cross-site-scripting attacks when the display errors option is enabled, if you have a script which produces an error.

You can suppress Joomla error messages by going to Site->Global Configuration, and clicking on the 'Server' tab.  Set the 'Error Reporting' option to 'None'.  If you are not using the very latest version of Joomla, it would be a very good idea to upgrade!

To turn off display of all PHP errors, you need to change some settings in a file called php.ini - you might not have access to this file if you use shared hosting, but it might be possible to add your own php.ini file to the root folder and the /administrator/ folder of your website which will only affect your site and nobody elses.  Alternatively, depending on the configuration settings on your server, you might be able to override individual php.ini settings in your .htaccess file.

The settings that need to be specified in php.ini are:

display_errors = Off
html_errors = Off
display_startup_errors = Off
log_errors = On

For additional security it may be worthwhile disabling certain PHP functions.  The following 2 lines, when added to php.ini will prevent the listed functions from working.  If you have a third party script that relies on one or more of these functions, it will break when you turn them off like this.  Joomla does not use these functions, but some third party components might do.  Disabling these functions will help to protect your site from hackers though.

allow_url_fopen = Off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, tempnam

You might need to ask your host to restart the Apache web server before your settings will take effect (this does not mean rebooting the server, just restarting Apache - which only takes a few seconds).  Note: If you have any PHP files encoded with Zend Optimizer, adding your own local php.ini file can cause PHP to think that Zend Optimizer is not installed even if it is.

If your server configuration allows it, you may be able to just add the following lines to your .htaccess file to override the settings without needing your own php.ini file.  Try adding the following to the end of your .htaccess file (if your server does not recognise the directives, you will get an error message when you try to access your site):

php_flag display_errors "0"
php_flag html_errors "0"
php_flag display_startup_errors "0"
php_flag log_errors "1"
php_flag allow_url_fopen "0"

These settings will cause any PHP errors to be logged in a text file instead of being displayed in the user's browser window.  You could also write a custom error handler in PHP to display a user-friendly message when an error occurs, but that is a task for a developer and is beyond the scope of this article.

If your web server uses Apache, it is worthwhile installing the mod_security Apache module.  This helps protect against various forms of attack over HTTP.  Ask your web host whether this module is active, and if not, ask them if they will activate it.  There may be some undesirable side-effects, but these can usually be mitigated by tweaking the rules in mod_security.

File Permissions
Every folder and every file that your website contains has a set of properties called 'permissions'.  These properties define who is allowed to do what with the file or folder.  On Unix-based operating systems (including Linux, FreeBSD, etc.), there are 3 actions that can be performed on a file: read, write, and execute; and there are 3 types of user that can perform these actions: owner, group, and other (things are a bit different on Windows, but most production Joomla sites are hosted on servers running a Unix-based operating system).

Typically, the permissions for a file are set using a 3-digit number: 000 being the most restrictive (nobody can do anything with the file - pretty pointless having a file with that level of restriction!), and 777 being the most liberal (anybody can read, write, or execute the file - that is, execute as in run a program, not execute as in chop someone's head off).  The first digit represents what the 'owner' of the file is allowed to do (that is, the specific 'user' who created the file); the second specifies what other authorised users are allowed to do, and the third says what the world at large is allowed to do.  The command used by the operating system to set the permissions of a file is called 'chmod' which means 'change mode'.

To get the balance between security and usability, all folders should be set to 755, and all files should be set to 644 unless a folder or file specifically requires a different setting in order to function properly.  Joomla has the ability to set these permissions for you (you can tell it to do this while installing, and through the Site->Global Configuration option in Joomla administrator) when it creates new files.  Using 755 and 644 for folders and files respectively generally means that the files cannot be edited - not even by Joomla (unless your server has suPHP installed - highly recommended!).

So if you want to install a new component, module, template, or whatever, you are going to need to make sure the relevant folders are writeable (775 and 774 for folders/files respectively, or if that doesn't work on your server, 777 for both) - otherwise Joomla will not be able to create the necessary files.  To see which folders need to be writeable, go into Joomla Administrator, click on the 'Help' menu item, then click on the 'System Info' link at the top right, then click on the 'Permissions' tab.  There is a list there of folders that need to be writeable for Joomla to function, as well as an indication of whether or not they are currently writeable on your server.

It is safest to keep files and folders unwriteable most of the time and only make them writeable when you need to - especially with reference to the configuration.php file, which stores your settings from Site->Global Configuration (keep that unwriteable [ie. 644] except when you need to make configuration changes - and make it unwriteable again as soon as you've finished making changes).  If your website allows for users to upload files though, you will need to make the relevant folders writeable all the time, otherwise the uploads will fail.

You can change the permissions of files and folders using an FTP client, or a hosting control panel such as cPanel or Plesk.

If your server has suPHP installed, you do not need to worry so much about file permissions, as you can keep the permissions as 755 (for folders) and 644 (for files) all the time - suPHP makes PHP run under your account username, so it 'owns' the files and can edit them without you having to change the permissions (in fact, setting permissions to 777 when you have suPHP installed will usually result in a server error).

Backups
Joomla does not have any backup feature by default.  It is a good idea, nay essential, to make some arrangement for backing up your site.  Even if your site is never the target of a successful hacking attack or vandalism, there's always the possibility of accidentally fouling it up yourself!

The simplest solution is to keep a copy of all of the files and database(s) used by your website on your local PC, and better still, backed up onto removable media (writeable CD or DVD).  If your site is constantly changing (eg. if it is built-up from community contributions), you will need some kind of automated backup script.  In most cases, the actual files on the server will not change much, so you only need to backup the database. Check the Joomla Extensions Directory or CMS Extensions Directory for backup components that are available.

Site Administration
Joomla's administration application is of course a powerful tool for controlling your website's content, and as such you don't want any unauthorised person to be able to access it.  Joomla also allows administrators to log in through the front end and edit content directly from there.  A default installation of Joomla is reasonably secure for non-critical use, but if security is a real concern, you will need to make sure you use SSL for logging in, and for all activity after having logged in.

Many administrators also like to add password protection to the Joomla administrator directory. This can be done using .htaccess, but most web hosting control panels provide an easy way of password protecting a directory without manually editing .htaccess. It is a good idea to change your administrator username from 'admin' to something else, as brute force attacks will often try to break in by using well-known usernames.

3rd Party Add-ons
Although keeping your site up-to-date by always upgrading to the latest stable version of Joomla will usually prevent hackers from breaking in through known vulnerabilities, you also need to be careful about any 3rd party components, modules, plugins (mambots), and templates.  Make sure you apply any patches necessary for third party addons that you use.

Please publish modules in offcanvas position.