10 security mistakes to avoid in Joomla! - Part two

Posted in RSFirewall! on 20 Aug 2009, 6 comments

Since the first part of the article "10 security mistakes to avoid in Joomla!" was a real success, we are excited to write about another set of mistakes commonly found on customer Joomla! websites.


In the first part we wrote about the importance of updating to the latest version of Joomla!, about file permissions, folder permissions, file uploads and keeping the public folder clean.

Mistake #6. Not having PHP configured properly

These are some PHP settings that you must set up in order to secure your server. (Note that these settings can only be applied by editing the php.ini file.)

  • check register_globals
    It is recommended to disable register_globals. Don't trust Joomla! extensions that ask you to turn it on. Leaving register_globals = ON makes your website vulnerable to hack attempts. In PHP 4.2.0 the default for register_globals was changed from ON to OFF, and the directive was completely removed in PHP 6.0.0.
  • check safe_mode (leaving it ON could create some problems)
    We recommend keeping safe_mode OFF. In PHP 6.0.0 safe_mode was removed because it did not reach its purpose: it did not increase website security and it caused bugs and problems.
  • check allow_url_fopen
    allow_url_fopen enables a script to open remote files. You must make sure that scripts cannot open remote files.
  • check allow_url_include
    allow_url_include allows the inclusion and execution of a remote PHP script, so this setting must be turned off.
  • use disable_functions to disable functions that could make your website vulnerable, such as system, shell_exec, exec and phpinfo.
  • use open_basedir to define the locations or paths from which PHP is allowed to access files using functions like fopen() and gzopen(). If a file is outside the paths defined by open_basedir, PHP will refuse to open it.

We recommend using the following PHP configuration:

  • register_globals = OFF
  • safe_mode = OFF
  • allow_url_fopen = OFF
  • allow_url_include = OFF
  • disable_functions = system, shell_exec, exec, phpinfo (full list available in RSFirewall!)
  • open_basedir = /your/joomla/path
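As an added example (not RSFirewall! or Joomla! code), the script below reads the same directives from the running PHP with ini_get() and reports every one that differs from the recommended values, so you can verify a php.ini change took effect; the site path and the function list are assumptions taken from the list above.

```php
<?php
// Added example, not part of RSFirewall!: run with `php check_ini.php` under
// the same PHP binary and php.ini that serve the Joomla! site.
$joomlaPath  = '/your/joomla/path';   // assumption: replace with the real site root
$mustBeOff   = ['register_globals', 'safe_mode', 'allow_url_fopen', 'allow_url_include'];
$mustDisable = ['system', 'shell_exec', 'exec', 'phpinfo'];
$problems    = [];

// ini_get() returns false for directives that no longer exist in this PHP
// release (register_globals and safe_mode were removed later); treat that as OFF.
foreach ($mustBeOff as $directive) {
    $value = ini_get($directive);
    if ($value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = "$directive is ON; set $directive = Off in php.ini";
    }
}

// disable_functions is a comma-separated list; normalise it before comparing.
$disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
foreach ($mustDisable as $fn) {
    if (!in_array($fn, $disabled, true)) {
        $problems[] = "$fn is not listed in disable_functions";
    }
}

// open_basedir may hold several paths separated by PATH_SEPARATOR (':' on
// Linux, ';' on Windows); flag any entry that is not the site root or below it.
$baseDirs = array_filter(array_map('trim', explode(PATH_SEPARATOR, (string) ini_get('open_basedir'))));
if ($baseDirs === []) {
    $problems[] = "open_basedir is empty; set open_basedir = $joomlaPath";
} else {
    foreach ($baseDirs as $dir) {
        if (strpos(rtrim($dir, '/') . '/', rtrim($joomlaPath, '/') . '/') !== 0) {
            $problems[] = "open_basedir allows $dir, which is outside $joomlaPath";
        }
    }
}

if ($problems === []) {
    echo "PHP configuration matches the recommended settings.\n";
} else {
    echo 'Found ' . count($problems) . " problem(s):\n - " . implode("\n - ", $problems) . "\n";
}
```

Run it through the web server as well as the CLI, because the two often load different php.ini files.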

Mistake #7. USE the "admin" user

When you install Joomla!, it comes with the predefined "admin" user. Joomla! once had a bug that allowed hackers to take over Joomla! websites by exploiting this "admin" user; it has since been fixed. Even so, leaving the admin user as the Super Administrator in combination with a weak password can make your website vulnerable.

Important security advice: to protect the administrator page from being accessed by anyone, set up an additional backend password for your Joomla! website.

Mistake #8. USE weak passwords for admin users

Choose passwords for admin users carefully; don't use common words.

It is best to advise your users, when registering on your website, to choose a good alphanumeric password, because hackers might take advantage of a weak one and steal valuable information from them.

Do not use the same password to access the Joomla! backend and the hosting account.

Try not to include personal information in your password, such as your name, username or date of birth, nor common, easy-to-guess words like "admin", "password", "username", "password123" or other English words.


You could apply an easy-to-remember algorithm to choose a password.

For example, create a sentence like: "I have one brother Alan and a sister Kate". If we take the first letter of every word, the result is IhobAaasK. To make it harder to guess, replace number words with digits and, where possible, introduce special characters.

Here is the result: Ih1bA&1sK.
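The rules above can be enforced at registration time. The function below is an added example (not Joomla! or RSFirewall! code) that rejects passwords which are too short, not alphanumeric, on the common-word list named in the text, or built from the user's own details; the word list, the 8-character minimum and the sample accounts are assumptions.

```php
<?php
// Added example, not part of Joomla! or RSFirewall!: returns a list of
// reasons a password fails the rules from the text, or an empty array if it passes.
function passwordProblems(string $password, string $username, string $name = '', string $birthDate = ''): array
{
    $problems = [];
    $lower    = strtolower($password);

    if (strlen($password) < 8) {                      // assumed minimum length
        $problems[] = 'shorter than 8 characters';
    }
    // Alphanumeric at minimum: letters and digits; special characters are a bonus.
    if (!preg_match('/[a-z]/i', $password) || !preg_match('/\d/', $password)) {
        $problems[] = 'must contain both letters and digits';
    }

    // Easy-to-guess values named in the text (constructed, deliberately short list).
    $common = ['admin', 'password', 'username', 'password123', 'joomla', '123456'];
    if (in_array($lower, $common, true)) {
        $problems[] = 'is a common password';
    }

    // Personal information: username, each part of the name, date of birth
    // with and without separators. Fragments shorter than 3 chars are ignored.
    $personal = array_filter(array_merge(
        [$username],
        preg_split('/\s+/', $name),
        [$birthDate, str_replace(['-', '/', '.'], '', $birthDate)]
    ));
    foreach ($personal as $item) {
        if (strlen($item) >= 3 && strpos($lower, strtolower($item)) !== false) {
            $problems[] = "contains personal information ($item)";
        }
    }
    return $problems;
}

// Constructed sample account: the mnemonic password from the text passes,
// the common password and the name-plus-birth-year password are rejected.
foreach (['Ih1bA&1sK', 'password123', 'alan1985'] as $candidate) {
    $issues = passwordProblems($candidate, 'alan', 'Alan Smith', '1985-06-12');
    echo $candidate, ': ', $issues ? implode('; ', $issues) : 'OK', "\n";
}
```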

Mistake #9. NOT having an updated antivirus

Even if you have solved the above issues from 1 to 9, don't think that your website is secure if you don't use an antivirus application to protect your computer. New viruses nowadays look for FTP connections and inject malicious scripts directly into your Joomla! files from your infected computer. It's best to keep your computer protected by getting the latest updates for your antivirus.

Mistake #10. Assuming your website is protected and secure if there are no visible signs of it being hacked

It's always best to stay vigilant: carefully keep track of possible intrusion attempts, back up your website regularly, monitor its files and keep applications up to date.

Of course all these actions require time, and time is the only thing we never have enough of. We suggest using a security extension such as RSFirewall! to monitor and protect your website. Get a free demo of the product right now and you'll see how easy it is to keep your website protected.




tim79 - 16.03.2010 (07:02:50)

Thanks for the tips, really helpful!


Madamsplash - 16.03.2010 (07:01:26)

I would be a mad woman without these tips


James - 16.03.2010 (06:58:47)

Great advice and everyone should know. The RSFirewall Extension is a great invention. Greatly appreciated
James


Genner Puello - 16.03.2010 (06:56:30)

oh! such great security tips!! Genner Puello


Alex P. - 16.03.2010 (06:54:05)

Hello Robbert, yes, well in fact these mistakes are tracked by the RSFirewall! System Check, so we listed them all. Hope it helps.


Robbert - 16.03.2010 (06:53:22)

Great guys, thanks! See that my tip made it to #7. Well you would have thought about this anyway, isn't it? Keep it up! Robbert
