In the last few months, website attacks have been rampant. Our customers have asked if we could provide them a solution that is why we have created jDefender that we released last month. This month we will provide more information on how to keep your website secure.
Keeping Joomla secure is important in order to ensure that your site isn’t compromised. This article is going to focus more directly on the ways you can defend and protect your Joomla site against common attack using jDefender.
1. Don’t use “admin” as a username
Try to avoid common usernames such as admin, administrator, your website’s name or your name. Even better, if you are using jDefender it has a functionality that can block user with "Admin" as a username.
2. Enforce strong usernames and passwords
It’s important to choose a complex username and password comprised of letters, numbers and characters. Don’t choose a password that’s similar to your username, website name or a simple word with a few changes. An easy way to generate a password with sufficient complexity is to use password generator such us LastPass.
If you are using Joobi Registration with jContacts, it has a built-in security feature that allows you to define user and password strength, and the maximum number of fails before user account get blocked.
3. Limit user access
A good rule of thumb is to only grant administrator access to those who absolutely need it. You may deactivate the admin accounts once the assigned tasks is finished, if you absolutely need to keep inactive users in your Joomla site, change their role to ‘registered’ in order to limit any actions that could be performed.
4. Limit logins
The brute force attack is frequently used by hackers. If you let them, they’ll try to login to your site over and over again until they crack your password. With jDefender you may restrict user from attempting to login again for a given period of time.
5. Install jDefender security extension
jDefender helps you defend and protect your site from common hacking attacks - SQL Injections, Direct/Remote File Inclusion, Session Poisoning, and many others... It has a very user-friendly 'Incident Reporting' interface which help you track every detail of user activity and behavior to find out how the attackers are trying to penetrate your site.
If you are an active Joobi club member, you can download jDefender free of charge or buy it for as low as $27.
6. Cut back on extension use
Be selective when choosing which extensions and template to use. Before installing a plugin or template, read about it (ideally on JED extensions.joomla.org) and ensure the plugin developer offer an efficient product support with constant update. Any extension which does not provide at least an update every 3 months should be consider dormant and dangerous to use.
Also you should limit the number of extensions you install by deleting extensions and templates you are not using. This prevents you from using outdated and vulnerable extensions. In the end, the fewer extensions you have, the faster your site will load (speed and performance) and fewer chances you get hacked.
7. Secure your Joomla administrator
Change the default URL of your Joomla login area so attackers won't know where to look. And to make it even more stronger, you have the possibility to block none-whitelisted administrator. This will only allow access to users with whitelisted IP. jDefender is great offering this feature together with all other whole set of security features.
Example with added secret key to access the site: http://www.mysite.com/administrator/?adminaccess
8. Restrict access to /administrator folder
Password protecting your Joomla administrator area through a layer of HTTP authentication is an effective measure to thwart attackers attempting to guess admin password.
To do this, you will need to create a .htpasswds file, putting it in this directory causes the browser to display a login dialog. The .htpasswd file stores combinations of usernames and password hashes which the web server will use to authenticate users. You can create a .htpasswd file using an online password file generator.
9. Restrict administrator login to site frontend
Site administrator has the ability to modify contents from the administration and front-end area of your site. jDefender allows you to disable 'Admin frontend login' to block administrator front-end access and limit any actions that could be performed through the frontend.
10. Enable Search Engine Friendly URL's
Activating your site Search Engine Friendly URL’s is a good way to mask Joomla URL’s from visitor. By default a Joomla URL tells the visitor a lot about the page being visited and what components are being used.
None-SEF: https://joobi.org/index.php?option=com_jstore
SEF: https://joobi.org/store
11. Ensure file and folder permissions are correct
If you’re not using a managed web host, it’s important to ensure that Joomla files and folders have the correct ownership and permissions. This prevents attackers from exploiting poor file security and taking control of your site.
All files should have good CHMOD configuration. Recommended;
PHP files – 644
Config Files – 444
Other folders – 755
12. Keep Joomla, extensions and Templates updated
Running the latest version of any software is probably first the most obvious security measure that should be taken. Each update of Joomla not only brings with it new features, but more importantly, it brings with it bugfixes and security fixes, which help your Joomla site remain safe against common vulnerabilities.
13. Site monitoring
jDefender allows site administrator to receive email alerts every time custom incidents or monitoring are triggered such us Failed Login, SQL Injection, Admin Login and many others. Any time a user attempt to do an illegal action you will know about it instantly.
Conclusion
In this article we’ve covered 13 tips for securing your Joomla site using jDefender and some basic security techniques to ensure Joomla is as secure as possible. Some you might’ve known about before but it is my hope that some were new discoveries. And always remember that prevention is better than cure.