10 security mistakes to avoid in Joomla! - Part One

Posted in RSFirewall! on 11 Aug 2009

Whenever you install Joomla! on a server, you must take some measures in order to secure the installation.

Users often tend to leave the installation as it is, thus making the server vulnerable to hackers. That's why, when you install Joomla! on your server, you need to change several configuration settings to avoid some major mistakes that will affect the overall site security.

Let's see the most common mistakes and why they are critical for your system:

Mistake #1. NOT TO download or upgrade to the latest Joomla! Version

New versions of Joomla! are released often, with various security fixes, and the developers strongly recommend upgrading to the latest version of Joomla!

It is important to download Joomla! packages from trusted sources or directly from joomla.org, otherwise you may compromise your system (you may download a modified package that could harm your website). Periodic backups of the whole site are essential, providing a safety net in case something goes wrong because of the update or some other unforeseen event. There are already specialized components that can create backups (files + database) very easily.

Mistake #2. NOT TO check folders permissions after installing Joomla!

Folders that have permissions higher than 755 may compromise your Joomla!, leaving the "door" open for an attacker to read/write or even upload their own shell files, thus taking control of your site.

On the server, folder permissions usually inherit the root configuration, but it is always good practice to check them.

Folders with permissions higher than 755 are possible paths that could be exploited by:

  • creating and uploading files that could make your website vulnerable
  • modifying the existent files

Why take the risk when you could make a quick scan of your Joomla! and instantly find the "weak" folders?

Mistake #3. NOT TO check files permissions

We advise setting the permissions of all Joomla! files to 644 or lower.

Leaving files with permissions higher than 644 can make life easier for hackers trying to access your website. Once they're in, they can easily modify files with permissions higher than 644.
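Mistakes #2 and #3 come down to one question: which folders are above 755 and which files are above 644? The following POSIX shell script is an added example written for this article (it is not RSFirewall! code and does not reproduce its scan); it lists every folder with a group/other write bit or setuid/setgid bit, every file with an execute or group/other write bit, and returns a non-zero status when anything is found. The `JOOMLA_ROOT` path is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not part of the article or of RSFirewall!): audit a Joomla!
# tree for folders above 755 and files above 644.
# JOOMLA_ROOT is an assumed placeholder; point it at your real installation.
JOOMLA_ROOT="${JOOMLA_ROOT:-/var/www/joomla}"

# loose_dirs ROOT: print each directory whose mode exceeds rwxr-xr-x (755),
# i.e. any group or other write bit, or a setuid/setgid bit.
loose_dirs() {
    find "$1" -type d \( -perm -g+w -o -perm -o+w -o -perm -u+s -o -perm -g+s \) -print
}

# loose_files ROOT: print each regular file whose mode exceeds rw-r--r-- (644),
# i.e. any execute bit, any group or other write bit, or a setuid/setgid bit.
loose_files() {
    find "$1" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \
                      -o -perm -g+w -o -perm -o+w -o -perm -u+s -o -perm -g+s \) -print
}

# audit_tree ROOT: report findings one per line; exit status 0 when the tree
# is clean, 1 when at least one folder or file is too permissive (usable
# from cron to raise an alert).
audit_tree() {
    root="$1"
    loose_dirs "$root"  | while IFS= read -r p; do echo "FOLDER above 755: $p"; done
    loose_files "$root" | while IFS= read -r p; do echo "FILE   above 644: $p"; done
    # grep -c prints 0 and exits 1 on no match, so keep the count and ignore the status.
    findings=$( { loose_dirs "$root"; loose_files "$root"; } | grep -c . || true )
    [ "$findings" -eq 0 ]
}

# Run the audit only when invoked as: sh joomla-perms.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_tree "$JOOMLA_ROOT"
fi
```

The symbolic `-perm -g+w` form is portable across GNU and BSD find, unlike `-perm /022`. Uploaded images, cache and the `tmp` folder are the usual places where a 777 slips in, so run this after every extension install, not just once.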

Mistake #4. ALLOW uncontrolled file uploads (forums, comments)

Hackers can and will use these applications to upload malware scripts and gain entry to your Joomla! website.

You must allow as few file extensions as possible, and NEVER let executable script files (.php, .php3, .php4, .php5, .phtml) be uploaded.

To avoid this you can use RSFirewall!, which automatically blocks unwanted file uploads. It can also scan your system for malware patterns and hacker scripts.

Mistake #5. LEAVE IMPORTANT files and folders accessible to everyone

You must protect sensitive files and folders such as:

  • configuration.php - the main file holding the Joomla! global configuration,
  • the Joomla! temporary folder - every extension that you install is first uploaded to this folder,
  • the Joomla! log folder - Joomla! activity is recorded here, so an attacker can find out what vulnerabilities may reside within your site.

The best way to protect your site against such attacks is to move these files and folders away from public access, into a non-public folder.

To better understand how to move these files without compromising the Joomla! functionality, read the following articles:


These are just a few pieces of advice on how to keep your business website secure. However, securing your website is not always easy and may require some expert skills.

This is where RSFirewall! comes into play, providing a complete suite of tools specially created for Joomla!. You can access the product demo here: http://demo.rsjoomla.com/. If you have any questions, don't hesitate to ask us.

This is the first part of the article "10 security mistakes to avoid in Joomla! ".

Read the next security mistakes in the second part, where we will talk about insecure PHP configuration such as allow_url_fopen and register_globals, and about admin passwords.

Have you applied these basic rules for your website?
Are you sure your Joomla! website is secure?



Linda - 26.07.2010 (11:31:24)
Great Job

Great job on listing some security threats. I have had some of my joomla sites hacked in the past and in addition to using Akeeba Backup, I also use JSecure Authentication which changes the location of the administration area. I have not had my sites hacked since I installed JSecure. (**fingers crossed**)

mandville - 16.03.2010 (06:51:24)

Isn't this just a rehash of the top 10 stupid administrator tricks on the Joomla! docs website?

kevin kscope - 16.03.2010 (06:50:50)

Sorry just reread #1. Must have been an id10t error

kevin kscope - 16.03.2010 (06:50:16)

This is a great article, thank you... you mention in step one not to use the most recent version of Joomla. Until recently I was still using 1.13 as I had been told it was the most stable; now that 1.0 is no longer supported I ask this question. Which version of 1.5 should I be using? Most stable etc.

Alex P. - 16.03.2010 (06:48:48)

Hello Martin, this is the first part of the article. In the second part, we will talk also about the .htaccess admin protection. Great thing is that with RSFirewall! you can set an additional .htaccess protection for the /administrator on the run, directly from the control panel.

albruna - 16.03.2010 (06:48:09)

I was surprised that you didn't mention the most basic defense strategy. Protect the admin section with .htaccess / .htpasswd files.

Robbert - 16.03.2010 (06:45:08)

@Alex - yes for sure - but in here we are also talking about the admin username and id, which is 62 by default for every joomla installation. Try to read Brian's article if you have some time. Best regards, Robbert

Mihaela - 16.03.2010 (06:43:34)

@Robert thanks for your suggestion. The default admin password is on our list and we will talk about it in part 2 of the post.

joomla webdesign - 16.03.2010 (06:41:59)

@alex thank you for explanation for or 5.2 (Joomla! temporary folder).

Robbert - 16.03.2010 (06:40:52)

Sorry tried to include a link to that article. Didn't work ;) After 'about' I was supposed to add 'about replacing the default admin user'. See http://bit.ly/1p0Bi
