subject: How to secure your joomla website? [print this page] How to secure your joomla website? How to secure your joomla website?
Joomla is undoubtedly one of the best CMS available in the market. As more and more websites have started using Joomla, its important that the site is configured properly to prevent any security compromises. A lot of people getting old versions of #joomla 1.5 hacked today. Securing your site is rather easy, if you know what, where, and how it needs to be completed. I have compiled 14 security tips to secure your joomla website.
Proper Hosting Environment
A properly configured server is highly recommended for your joomla website. Host your site on a server that runs PHP in CGI mode with su_php. This means that PHP runs under your own account user instead of the global Apache user and you don't need to set insecure global permissions like CHMOD of 777.
a. Set register_globals OFF
b. Disable allow_url_fopen
c. Adjust the magic_quotes_gpc directive as needed for your site. The recommended setting for Joomla! 1.0.x is ON to protect against poorly-written extensions. Joomla! 1.5 ignores this setting and works fine either way.
d. Don't use PHP safe_mode
Change the Default Database Prefix (jos_)
While installation, change the default database prefix to something random. This will prevent most of the SQL injection attacks as hackers try to retrive superadmin details from jos_users table.
Disable FTP Layer
While installation, dont enable the FTP layer as it opens up a potential security hole since your FTP details are stored in plain text under a Joomla! configuration file. FTP layer is not required if your hosting is secured and configured properly for Joomla.
Change your admin user
You don't know what user 62 is? To cut a long story short, when you install Joomla! on your site it creates a Super Administrator account with a known user-name (admin) and a known user ID (62). This has been exploited in the past by crackers to gain access to unsuspecting sites. The best approach is to create a new Super Administrator user and block or demote the default admin user all the way down to Registered level.
Don't use the root user in mySQL as the user of your database
You should always create a new database user when installing a new site, and give rights to the new database only. This way, the user will only have access to the specific site. If not, you can have one site hacked and the rest are wide open as well...
