(For more resources related to this topic, see here.)
Choosing a web host that meets your security requirements
In this article, you’ll learn what you, as the site administrator, can do to keep your site safe. However, there are also some basic but critical security measures that your web hosting company should take. You’ll probably have a shared hosting account, where multiple sites are hosted on one server computer and each site has access to their part of the available disk space and resources. Although this is much cheaper than hiring a dedicated server to host your site, it does involve some security risks. Good web hosting companies take precautions to minimize these risks. When selecting your web host, it’s worth checking if they have a good reputation of keeping their security up to standards. The official Joomla resources site (http://resources.joomla.org/directory/support-services/hosting.html) features hosting companies that fully meet the security requirements of a typical Joomla-powered site.
Tip 1 – Download from reliable sources
To avoid installing corrupted versions, it’s a good idea to download the Joomla software itself only from the official website (www.joomla.org) or from reliable local Joomla community sites. This is also true when downloading third-party extensions. Use only extensions that have a good reputation; you can check the reviews at www.extensions.joomla.org. Preferably, download extensions only from the original developer’s website or from Joomla community websites that have a good reputation.
Tip 2 – Update regularly
The Joomla development team regularly releases updates to fix bugs and security issues. Fortunately, Joomla makes keeping your site up to date effortless. In the backend control panel, you’ll find a MAINTENANCE section in the quick icons column displaying the current status of both the Joomla software itself and of installed extensions. This is shown in the following screenshot:
If updates are found, the quick icon text will prompt you to update by adding an Update now! link, as shown in the following screenshot:
Clicking on this link takes you to the Joomla! Update component (which can also be found by navigating to Components | Joomla! Update). In this window, you’ll see the details of the update. Just click on Install the update; the process is fully automated.
Before you upgrade Joomla to an updated version, it’s a good idea to create a backup of your current site. If anything goes wrong, you can quickly have it up and running again. See the Tip 6 – Protect files and directories section in this article for more information on creating backups.
If updates for installed extensions are available, you’ll also see a notice stating this in the MAINTENANCE section of the control panel. However, you can also check for updates manually; in the backend, navigate to Extensions | Extension Manager and click on Update in the menu on the left-hand side. Click on Find Updates to search for updates.
After you’ve clicked on the Find Updates button, you’ll see a notice informing you whether updates are available or not. Select the update you want to install and click on the Update button. Be patient; you may not see much happening for a while. After completion, a message is displayed that the available updates have been installed successfully.
The update functionality only works for extensions that support it. It’s to be expected that this feature will be widely supported by extension developers; but for other extensions, you’ll still have to manually check for updates by visiting the extension developer’s website.
The Joomla update packages are stored in your website’s tmp directory before the update is installed on your site. After installation, you can remove these files from the tmp directory to avoid running into disc space problems.
Tip 3 – Choose a safe administrator username
When you install Joomla, you also choose and enter a username for your login account (the critical account of the almighty Super User). Although you can enter any administrator username when installing Joomla, many people enter a generic administrator username, for example, admin. However, this username is far too common, and therefore poses a security risk; hackers only have to guess your password to gain access to your site.
If you haven’t come up with something different during the installation process, you can change the administrator username later on. You can do this using the following steps:
- In the backend of the site, navigate to Users | User Manager.
- Select the Super User user record.
- In the Edit Profile screen, enter a new Login Name. Be creative!
- Click on Save & Close to apply changes.
Log out and log in to the backend with the new username.
Tip 4 – Pick a strong password
Pick an administrator password that isn’t easy to guess. It’s best to have a password that’s not too short; 8 or more characters is fine. Use a combination of uppercase letters, lowercase letters, numbers, and special characters. This should guarantee a strong password.
Don’t use the same username and password you use for other online accounts, and regularly change your password. You can create a new password anytime in the backend User Manager section in the same way as you enter or change a username (see Tip 2 – Update regularly).
Tip 5 – Use Two-Factor authentication
By default, logging in to the administrative interface of your site just requires the correct combination of username and password. A much more secure way to log in is using the Two-Factor authentication system, a recent addition to Joomla. It requires you to log in with not just your username and password, but also with a six-digit security code. To get this code, you need to use the Google Authenticator app, which is available for most Android, iOS, Blackberry, Windows 8, and Windows Mobile devices. The app doesn’t store the six-digit code; it changes the code every 30 seconds.
Two-Factor authentication is a great solution, but it does require a little extra effort every time you log in to your site. You need to have the app ready every time you log in to generate a new access code. However, you can selectively choose which users will require this system. You can decide, for example, that only the site administrator has to log in using Two-Factor authentication.
Enabling the Two-Factor authentication system of Joomla!
To enable Joomla’s Two-Factor authentication, where a user has to enter an additional secret key when logging in to the site, follow these steps:
- To use this system on your site, first enable the Two-Factor authentication plugin that comes with Joomla. In the Joomla backend, navigate to Extensions | Plugin Manager, select Two Factor Authentication – Google Authenticator, and enable it.
- Next, download and install the Google Authenticator app for your device.
- Once this is set up, you can set the authentication procedure for any user in the Joomla backend. In the user manager section, click on the account name. Then, click on the Two Factor Authentication tab and select Google Authenticator from the Authentication method dropdown. This is shown in the following screenshot:
- Joomla will display the account name and the key for this account. Enter these account details in the Google Authenticator app on your device.
- The app will generate a security code. In the Joomla backend, enter this in the Security Code field, as shown in the following screenshot:
Save your changes. From now on, the Joomla login screen will ask you for your username, password, and a secret key. This is shown in the following screenshot:
There are other secure login systems available besides the Google Authenticator app. Joomla also supports Yubico’s YubiKey, a USB stick that generates an additional password every time it is used. After entering their usual password, the user inserts the YubiKey into the USB port of the computer and presses the YubiKey button. Automatically, the extra one-time password will be entered in Joomla’s Secret Key field. For more information on YubiKey, visit http://www.yubico.com.
Tip 6 – Protect files and directories
Obviously, you don’t want everybody to be able to access the Joomla files and folders on the web server. You can protect files and folders by setting access permissions using the Change Mode (CHMOD) commands. Basically, the CHMOD settings tell the web server who has access to a file or folder and who is allowed to read it, write to it, or to execute a file (run it as a program).
Once your Joomla site is set up and everything works OK, you can use CHMOD to change permissions. You don’t use Joomla to change the CHMOD settings; these are set with FTP software. You can make this work using the following steps:
- In your FTP program, right-click on the name of the file or directory you want to protect. In this example, we’ll use the open source FTP program FileZilla.
- In the right-click menu, select File Permissions.
- You’ll be presented with a pop-up screen. Here, you can check permissions and change them by selecting the appropriate options, as shown in the following screenshot:
As you can see, it’s possible to set permissions for the file owner (that’s you), for group members (that’s likely to be only you too), and for the public (everyone else). The public permissions are the tricky part; you should restrict public permissions as much as possible.
When changing the permission settings, the file permissions number (the value in the Numeric value: field in the previous screenshot) will change accordingly. Every combination of settings has its particular number. In the previous example, this number is 644.
- Click on OK to execute the CHMOD command and set file permissions.
Setting file permissions
What files should you protect and what CHMOD settings should you choose? Here are a few pointers:
- By default, permissions for files are set to 644. Don’t change this; it’s a safe value.
- For directories, a safe setting is 750 (which doesn’t allow any public access). However, some extensions may need access to certain directories. In such cases, the 750 setting may result in error messages. In this case, set permissions to 755.
- Never leave permissions for a file or directory set to 777. This allows everybody to write data to it.
You can also block direct access to critical directories using a .htaccess file. This is a special file containing instructions for the Apache web server. Among other things, it tells the web server who’s allowed access to the directory contents. You can add a .htaccess file to any folder on the server by using specific instructions. This is another way to instruct the web server to restrict access. Check the Joomla security documentation at www.joomla.org for instructions.