Tips on How to Protect Your Joomla Website Against Hackers

Posted by Bojan Sorenson on in Hosting Tips

Joomla is an open source Content Management System, which will make it easy for you to create awesome websites. Joomla has been around since 2005 and ever since has been working hard to improve its security and usability. But of course this does not mean that it is an uncrackable platform.
Since its open source it can be subjected to all kinds of hacks that could affect the security of your precious data. It is very important to make it sure your sites are safe, thankfully there are ways you can easily avoid most of these attacks by just simply following this handful of good tips that will guarantee you benefit for your data’s security in the future.

joomla12

1. Keep Joomla up-to-date

It’s one of the most basic things that you can do to make your website secure enough. Every new update contains a new bug fix or a security flaw fix or feature, so it is important to always have the newest version of Joomla’s websites and extensions. Be sure your website is always updated to the latest stable Joomla release!

2. Remove all unused extensions

By doing so, you can have double benefits. It not only makes Joomla so much more secure it makes it run faster too. If you have unused extensions and done experimenting with them it is advised to remove them since it can cause security risks to Joomla’s extension.

3. Use a strong password

It is strongly advised to use strong passwords, not just for Joomla but for all the sites that you are using. This is one of the key components to keep all your data secure online. It is recommended to use different passwords for different websites but you better make sure that the password you are using is hard to guess or hard to crack, it is a very useful thing to do. Do the following to make sure you have a secure password:

  • Don’t use words that are very common and short: admin, strong, love, black, etc.
  • Avoid using personal information as your password, like names, date of birth or favorite animal’s name.
  • Make sure that your passwords are longer than eight characters.
  • Your password should never contain your user name, real name or your company’s name.
  • It should not be a single word
  • Avoid using any password generators that are online. These passwords are generated by a certain rule that can make it easy to hack.
  • Try using special characters in your password such as: @!+(=. Maybe add some capital letters and numbers too. The more complex a password is the harder it is to crack.
  • Make sure that your new password is different from all the previous ones you made up.
  • An easy way to create a secure password is to memorize a sentence and combine it with numbers and uppercase characters such as: You1Can’t2Crack3This4
  • Here’s a website where you can check how easy it is to crack your password with a computer. Click here to check it.

hflnet52

4. Don’t allow users’ registration on your website

If your website is not a social network or a community you should not let anyone register to your site for security reasons. To disable user registration, follow these steps:

  •  Log in to backend.
  •  Click on ‘Users’, then on ‘User Manager’ and find the ‘Options’ tab at the top.
  •  Look for the setting of ‘Allow User Registration’.
  •  Set the section to No.
  •  Click save in the end, for the settings to take effect, you can find the button on the top left corner of the page.

5. Make sure that your Joomla and its extension version is hidden

It is very important to hide your Joomla’s and its extensions’ versions because there are malicious scripts online that target your site according the type of CMS your site is running on. If your version is showing in the HTML code, that’s not good. If hackers know what version you are using, they can easily look up what are the flaws of that version and start an attack on your site.

You can easily check out if your Joomla version is showing in the source code by clicking on ‘View Page Source’ in Firefox or in Chrome. All you have to do is click on the ‘Sources’ tab and then look for ‘Templates’ folder, in it you will have ‘System’ and in hat folder ‘CSS’ in which you will find the file ‘system.css’. If you open it you can check if the Joomla version is showing.

6. Change your admin username

On Joomla’s websites the default username is always admin. Most of the time no one really cares about changing this, which can make it really easy for hackers to crack your site, since they already know half of your details that is needed for a login. All they have to find out from that point, what is your password. By changing your username you are making it harder for hackers to access your site, and this is a very easy thing to do, yet a lot of users do not do anything about it, so we strongly advise you to do so.

  • You can easily change your admin username by the following steps:
  • Log in to the Administration area as current Super User
  • Click on the ‘Users’ tab then on ‘User Manager’ and on ‘Add New User’
  • Make the new user a ‘Super User’
  • Log out of the current Super User account and log in to the newly made Super User account
  • Look for the old Super User account and change its name

7. Force Joomla into SSL mode for all logins on your site

By enabling SSL on your site you can protect your Joomla site from exploits that might make affect your users. Note that you can only enable this built-in feature if your website’s domain has a properly configured SSL certificate. If you have the SSL certificate for your site you can enable this feature which will encrypt your user’s names and password before it is sent over to your server. To enable this feature do the following:

  •  Go on the ‘Extensions’ tab, then on ‘Module Manager’
  •  Then on ‘Filter Login Module’
  •  Look up and open the Logins module
  •  When you see the option ‘Encrypt Login Form’ set it on ‘yes’
  •  Save the whole process.

8. Protect your cookies

If a user logs into your website special session cookies are set in the browser that will identify that user later. Every time someone logs onto your page the page will make these cookies so it knows which user and how many of them are viewing the page.
These cookies will remember the users that have logged in and will give them the privilege to use the site even after they have left it. These cookies can be intercepted by a third party, which will give them the same privileges as a member of the site.
You can force the SSL to encrypt these cookies during the entire session while you are on the site as a Super Admin or you can even make registered people’s cookies encrypted too. This way hackers will have no access to your website’s cookies. You can do this by going to the Server options and where it says ‘Force SSL’ select ‘Administrator Only’.

9. Disable FTP Layer

For the most part Joomla’s FTP layer is not required, therefore we recommend you to disable this function by the following steps:

  •  Login into your Joomla backend
  •  Go to ‘System’, then on ‘Global Configuration’ and then on Server
  •  You will see the option ‘FTP Settings’ where you should Select ‘No’ at the ‘Enable FTP’
  •  Save what you have done

10. Use the Two-Factor Authentication

This will give you an additional layer of security to your Joomla website. This system will random generate passwords over a period of time which are unique to your username. If you do not know that secret key you will not be granted entrance to the website. This will keep away key loggers, password crackings and hackings.

11. Always use a professional web hosting provider

The above mentioned 10 tips are crucial when we are talking about Joomla website security and by setting them, you can protect your site better. But it is also vital to choose a professional web hosting provider, where administrators have up to date security and hosting knowledge, and the storage is secured well.

It is recommended to choose a bit more expensive provider, since too cheap companies do not have enough resources (a.k.a. money) to hire professionals, in most cases students or non pro persons manage there the webservers. You should think about what is more expensive to you, to pay few bucks more every month, or hire a backup pro to restore your website in case it disappears because of cheap hosting solutions.
You can find many web hosting review websites on the internet and there are many forums as well, take your time and read few reviews to find the best hosting solution to your website. It is totally worth to do!