Over the last decade there has been a revolution in access to the internet. Whereas once building websites was the sole domain of developers and coders, these days you don’t need any programming skills to set up even the most sophisticated of websites. This revolution has been driven by the Open Source (OS) movement, which leveled the playing field by bringing together like-minded people to create a wealth of software available free of charge to anyone who wishes to download it. As far as websites are concerned, the leading OS solution is definitely WordPress, with roughly 20% of all internet websites underpinned by the solution. A close second though is Joomla - roughly 7% of the internet currently uses Joomla.
Joomla started life as part of the Mambo project but broke away in 2005. Like WordPress, Joomla provides a framework that novices can use to create dynamic websites that can easily be modified and updated. Joomla is supported by a vast community of developers who produce commercial and cost-free templates that alter the look of a website, and literally thousands of ‘modules’ and ‘plugins’ that change a site’s functionality. For example, if you want a rotating banner, there is a module for that. If you need to place Adsense adverts on your site, there is a module for that. Basically, there’s a module for anything you can imagine. See here.
While the Joomla software is free of charge, it doesn’t mean it comes without cost. While you are able to download Joomla without cost, so are the legions of hackers that are intent on manipulating Joomla for their own profit. They too can download the code, deconstruct it and learn exactly how to exploit it for their own gain. A particular favorite is injecting code into Joomla sites that redirects a site to pages where hackers can make money.
How then can you protect yourself from this type of behavior? Below are a number of tips that might help you avoid having your site hacked and get you back online quickly if you do.
1. Activate Joomla’s .htaccess file
When you install Joomla it comes with a ‘.htaccess’ file that is loaded with rules safeguarding you from some of the more obvious exploits. Make sure you activate this file, and do not overwrite it with a blank .txt file: rename it from .htaccess.txt to .htaccess.
2. Keep everything current
Fortunately, the Joomla community is up to the fight against hackers. They regularly update Joomla with security fixes and inform website owners when an update is required:
Click on ‘Update Now’ and Joomla smoothly transitions to the latest version. Unfortunately, upgrading the modules is not done automatically:
Each time you update Joomla itself, you also need to manually download and install the latest versions of the modules and plugins you are using. If you don’t, you potentially leave your website open to exploits.
3. Use a strong password and change your admin name
The Joomla system calls people who run Joomla sites ‘Super Administrators’ and issues a user name of ‘Administrator’ to which you add a password. Unfortunately, the bulk of hacks are done through “brute force” - meaning someone sits down and just keeps guessing passwords until the right one comes up. By issuing ‘Administrator’ as a Super Administrator’s admin name, that simplifies things for hackers. Knowing your admin name, they only have to guess the password, and how often is this “myjoomlawebsite123” or something equally simple?
Joomla names don’t allow symbols, but if you change your admin name to something like “3TChVEVWxBYM2PM” and your password to “mSXfCaXcwvo7cWk” you are making their lives more difficult. Try a random password generator like Secure Password Generator to make things more secure.
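To make the brute-force argument concrete, here is an added example (not code from the article or from Joomla) that generates random credentials with the operating system's CSPRNG, reports how many guesses an attacker would need to exhaust them, and flags the kind of weak pattern “myjoomlawebsite123” shows. The username alphabet is letters and digits only, matching the note above that Joomla names don't allow symbols; the lengths and the list of common words are our own choices, not Joomla requirements.

```python
import math
import re
import secrets
import string

# Usernames: letters and digits only, since Joomla rejects symbols in names.
# The lengths used below are our own choice, not a Joomla requirement.
USERNAME_ALPHABET = string.ascii_letters + string.digits
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation
COMMON_WORDS = ("joomla", "admin", "password", "website", "login")  # assumed wordlist


def random_credential(alphabet: str, length: int) -> str:
    """Draw `length` characters uniformly from `alphabet` using the OS CSPRNG."""
    if length < 1 or not alphabet:
        raise ValueError("need a non-empty alphabet and a length of at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of this shape, in bits."""
    return length * math.log2(alphabet_size)


def guesses_to_exhaust(alphabet_size: int, length: int) -> int:
    """Number of candidates a brute-force attacker must try in the worst case."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float = 1000.0) -> float:
    """Worst-case time to try every candidate at a given online guess rate."""
    return guesses_to_exhaust(alphabet_size, length) / guesses_per_second


def weak_password_reasons(password: str) -> list:
    """Return the reasons a chosen password looks weak (empty list if none found)."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if password.lower() == password or password.upper() == password:
        reasons.append("no mix of upper and lower case")
    if not any(c.isdigit() for c in password):
        reasons.append("no digits")
    for word in COMMON_WORDS:
        if word in password.lower():
            reasons.append(f"contains the common word '{word}'")
    if re.fullmatch(r"[A-Za-z]+\d{1,4}", password):
        reasons.append("a word followed by a short digit suffix")
    return reasons


def generate_super_admin_credentials(username_length: int = 15,
                                     password_length: int = 20) -> dict:
    """Produce a random username/password pair and its entropy for a Super Administrator."""
    return {
        "username": random_credential(USERNAME_ALPHABET, username_length),
        "password": random_credential(PASSWORD_ALPHABET, password_length),
        "username_bits": entropy_bits(len(USERNAME_ALPHABET), username_length),
        "password_bits": entropy_bits(len(PASSWORD_ALPHABET), password_length),
    }


if __name__ == "__main__":
    print(generate_super_admin_credentials())
    print("myjoomlawebsite123 ->", weak_password_reasons("myjoomlawebsite123"))
    years = seconds_to_exhaust(len(USERNAME_ALPHABET), 15) / 3.15e7
    print(f"15 alphanumeric characters at 1000 guesses/s: {years:.3g} years to exhaust")
```

Renaming the account is worth roughly as much as the username's entropy says: once the attacker has to guess both fields, the search space is the product of the two, which is why the example reports both figures.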
4. Keep an eye on the extensions you are using
The core of Joomla’s popularity is its extensions (modules, plugins, templates), but of course not all developers are equal. Some unknowingly leave your site open to exploits, so you have to do your research. Look at the Joomla! Extensions Directory (JED) (https://extensions.joomla.org/) and make sure the module or plugin you are interested in has a good reputation. Likewise, just to be on the safe side, remove modules and plugins you are not using. This has the added benefit of speeding up your site.
5. Set up Two-Factor Authentication
Sites using version 3 of Joomla can use two-factor authentication. This means that someone logging in has to provide a user name, a password and a One-time Password (OTP) automatically generated to protect sites from intrusion. The Joomla backend gives details on how to set this up:
6. Turn Off User Registration
Joomla is designed for websites that have communities. People can sign up to be members and you can send a newsletter to members directly from your backend. If you have a community website this is appealing, but it obviously leaves your site vulnerable. If you must have a newsletter, use something like YMLP. Better still, drive visitors to Facebook or other social media and let them manage your community.
7. Use Search Engine Friendly URLs
People use Search Engine Friendly (SEF) URLs because it allows Google to notice your site more easily. So www.mysite.com/099-626-xccm.php becomes www.mysite.com/friendly-url. However, SEF URLs have the added advantage of hiding your site structure. Knowing a site’s structure can make it easier for hackers to add exploits. Just click the button on your control panel:
8. Restrict editor access
In line with this ‘community’ ethos, Joomla has a genuine collaborative feel about it as far as content is concerned. Super Administrators can make certain users ‘Editors’ and they have the ability to change certain Joomla content without them having to access the backend of the system. In an ideal world this would be a dream – a website where people can have access to certain pages and update them at will, keeping your site current with nominal effort. But of course, this access is open to exploitation and even if people start off friendly they can turn to the dark side. Limit and strictly monitor who you make ‘Editors’ – or if you take our advice, do everything yourself and don’t give anyone “Editor” privileges.
9. Restrict access to your Joomla Admin Panel
Your web hosting will most likely utilize cPanel or Plesk as your control panel. Both will allow you to protect your Joomla administration page so only you have access to it. You can even set up your panel so it is only accessible using your own IP address. Contact your web host for details on how to do this using your current hosting control panel. However, this might not be possible using shared hosting accounts because your IP address is likely to be dynamic and change a lot.
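Whether or not the host lets you lock the admin panel to an address, the web server log tells you who is hitting it. The following is an added example, not from the article or Joomla, that parses Apache combined-format lines, flags any IP that posts to the administrator login form more than a threshold number of times inside a five-minute window (the brute-force pattern from tip 3), and lists addresses touching /administrator/ that are not on your allowlist (the situation tip 9 tries to prevent). All log lines are constructed test data; the login path, threshold and window are assumptions you would tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
ADMIN_LOGIN_PATH = "/administrator/index.php"  # assumed: Joomla's backend login form posts here


def make_line(ip, ts, method, path, status):
    """Build one Apache combined-format line (constructed test data, not real traffic)."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


def sample_log():
    """A constructed log: one admin, one stranger browsing the backend, one brute forcer."""
    lines = [
        make_line("203.0.113.7", "10/Oct/2023:13:50:01 +0000", "GET", "/administrator/", 200),
        make_line("203.0.113.7", "10/Oct/2023:13:50:09 +0000", "POST", ADMIN_LOGIN_PATH, 303),
        make_line("192.0.2.5", "10/Oct/2023:13:52:30 +0000", "GET", "/administrator/", 200),
        make_line("198.51.100.42", "10/Oct/2023:13:53:00 +0000", "GET", "/index.php/friendly-url", 200),
    ]
    for i in range(12):  # twelve login POSTs from one address in under a minute
        lines.append(make_line("198.51.100.23", f"10/Oct/2023:13:55:{i * 4:02d} +0000",
                               "POST", ADMIN_LOGIN_PATH, 303))
    return lines


def parse_line(line):
    """Return a dict with ip, time, method, path, status, or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def login_attempts(lines):
    """(ip, time) for every POST to the admin login endpoint, ignoring any query string."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == ADMIN_LOGIN_PATH:
            out.append((rec["ip"], rec["time"]))
    return out


def find_bruteforce(attempts, threshold=10, window=timedelta(minutes=5)):
    """IPs whose peak count of login POSTs inside any sliding `window` reaches `threshold`."""
    by_ip = defaultdict(list)
    for ip, t in attempts:
        by_ip[ip].append(t)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def outside_allowlist(lines, allowed_ips):
    """IPs touching anything under /administrator that are not on the allowlist."""
    seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith("/administrator") and rec["ip"] not in allowed_ips:
            seen.add(rec["ip"])
    return seen


if __name__ == "__main__":
    log = sample_log()
    print("brute force:", find_bruteforce(login_attempts(log)))
    print("not allowlisted:", outside_allowlist(log, {"203.0.113.7"}))
```

Counting POSTs rather than failed logins keeps the check independent of the exact status code Joomla returns on a bad password; a legitimate administrator rarely submits the form ten times in five minutes, so the threshold can be low.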
10. Disable FTP
FTP is used to move website files to servers. Joomla has its own tool for uploading files (pictures, etc.) so disabling FTP is one more way of stopping possible intrusion – again, you might have to ask your web host how to do this for your Joomla site.
11. Initiate File Permissions
You can add permissions to Joomla files and folders so that they can only be accessed by your account. Adding such permissions can block outsiders from trying to access your key Joomla files and folders, particularly your Joomla configuration files. Details on permissions can be found here but if you are a novice, it might be best to get a programmer or someone with some experience to do this.
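As an added example serving both tip 1 and this one (our code, not the article's or Joomla's), the script below walks a site tree and reports the mistakes those tips warn about: a .htaccess that was never activated (only htaccess.txt present, or no file at all), world-writable files or directories, and a configuration.php left writable. The modes it checks against are the ones commonly recommended for Joomla installs, 755 for directories, 644 for files and 444 for configuration.php; a fake tree with deliberate faults is built in a temporary directory so the script runs offline. Note that .htaccess rules are honored by Apache only, so on nginx the equivalent protections have to live in the server configuration.

```python
import os
import stat
import tempfile

# Commonly recommended for Joomla installs: 755 directories, 644 files, and
# 444 for configuration.php once installation is finished.
EXPECTED_CONFIG_MODE = 0o444


def _mode(path):
    """Permission bits of `path` (symlinks themselves, not their targets)."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_joomla_tree(root):
    """Return a sorted list of findings for the site rooted at `root`."""
    findings = []
    if not os.path.isfile(os.path.join(root, ".htaccess")):
        if os.path.isfile(os.path.join(root, "htaccess.txt")):
            findings.append("htaccess.txt has not been renamed to .htaccess")
        else:
            findings.append("no .htaccess in the site root")
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if _mode(path) & stat.S_IWOTH:
                findings.append(f"world-writable directory: {os.path.relpath(path, root)}")
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = _mode(path)
            if mode & stat.S_IWOTH:
                findings.append(f"world-writable file: {os.path.relpath(path, root)}")
            if dirpath == root and name == "configuration.php" and mode != EXPECTED_CONFIG_MODE:
                findings.append(
                    f"configuration.php is mode {mode:o}, expected {EXPECTED_CONFIG_MODE:o}")
    return sorted(findings)


def build_demo_site(root):
    """Create a small fake Joomla tree with deliberate problems (constructed, not a real site)."""
    for d, mode in (("images", 0o777), ("tmp", 0o755), ("administrator", 0o755)):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)
    for f, mode in (("htaccess.txt", 0o644), ("index.php", 0o644),
                    ("configuration.php", 0o644), ("tmp/upload.php", 0o666)):
        path = os.path.join(root, f)
        with open(path, "w") as fh:
            fh.write("<?php // placeholder\n")
        os.chmod(path, mode)


def demo():
    """Build the faulty tree in a scratch directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_site(root)
        return audit_joomla_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against the real document root after an install and again after every update, since some extension installers reset modes; anything it reports under tmp/ or images/ is exactly where injected redirect code tends to be dropped.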
12. Invest in an SSL Certificate
SSL certificates were originally intended to encrypt sites that contain sensitive data like credit card numbers, but these days they are becoming the norm, especially for OS sites. Your website URL will change from http://www.mysite.com to https://www.mysite.com and it means your user name and password are encrypted before they are sent across the internet. Obviously someone intercepting your details won’t be able to use them if they are encrypted.
13. Use SiteLock and Codeguard
If you can afford it use SiteLock and Codeguard. SiteLock provides “comprehensive, cloud-based website security solutions” that automatically fix some issues when your site has been compromised and informs you of others by email. Codeguard simply backs your website up to the cloud and if there are any problems you can simply rollback to a previous working version.