How to Keep Joomla Secure

The biggest vulnerability to any website built on a CMS are outdated versions of plugins or an outdated version of the CMS itself. It is essential to update these as soon as new versions are released. We suggest you install additional security plugins and take regular backups of your site.

How to Update Plugins in Joomla

1. Log into your Joomla admin area

2. In the top menu, hover over Extensions and then click Extension Manager.

3. You will see several tabs at the top of the page. Click the Update tab.

4. There may not always be updates available. If there are, you will see a list of them on the screen, click on the relevant buttons to update them.

5. A great security plugin is Akeeba Admin Tools Professional. For in-depth information and a download link please visit the official Joomla Extensions website.

Akeeba Admin Tools Installation

Installation is simple and works the same as every other plugin. Go to the Extension Manager (Extensions > Manage) and select the tab ‘Upload Package File’. Select the zip archive and click Upload & Install. After the installation, the extension can be found under Components > Admin Tools. You then have to provide your Download key and a password. This password is an additional security layer. If somebody gets access to the backend of your website, they still can’t make changes to the plugin settings.

Web Application Firewall

This is the core security feature of Akeeba Admin Tools. It blocks malicious input and prevents Brute Force Attacks on the backend. Here is how to configure it:

[optional]

If your office has a fixed IP address, you can lock out everybody else from the Joomla backend. But remember that you can only gain access to your website from your office. To enable this feature, add your IP to the Whitelist (Web Application Firewall > Administrator IP Whitelist). Go to Web Application Firewall > Configure WAF. You will find nine tabs where you can change settings. These are not the all settings, but those considered most important. Allow administrator access only to IPs in Whitelist. If you put your IP into the whitelist, set this to yes to lock out other IPs.

Administrator secret URL parameter

This option changes the default link to the backend. You can specify a secret parameter x. Then you need to go to domain.com/administrator to log in.

Change administrator login directory

This also changes the address to log in. Change it from the default /administrator to something custom. This might not be working on your server and Akeeba doesn’t provide support for it. Use with caution.

Active Request Filtering

SQLiShield protection against SQL injection attacks YES
Detects common SQL injection attacks against your site and blocks them. Cross Site Scripting block (XSSShield) YES
Detects common cross-site scripting (XSS) attacks and blocks them. Allow PHP tags in request NO
Set this to NO! Otherwise hackers might be able to execute PHP scripts. XSS-safe request parameters LEAVE DEFAULT
Malicious User Agent block (MUAShield) YES
Blocks the ability to send PHP in the user agent string of the browser CSRF/Anti-spam form protection (CSRFShield) ADVANCED
Prevents spam on forms by adding a hidden input, spammers try to fill in. Remote File Inclusion block (RFIShield) YES Direct File Inclusion shield (DFIShield) YES Uploads Scanner (Upload Shield) YES
All uploaded files are scanned for PHP code. Anti-spam filtering based on Bad Words list
You need to input a list with words users must not use in forms if you want to enable this feature.

Joomla Feature Hardening Options

Disable editing backend users’ properties YES Changing the user properties can only be done by the person who has the Akeeba Admin Tools password. This might not be necessary for your site. Treat failed logins as security exceptions YES
All failed logins are now logged.

Visual Fingerprinting Protection

These settings try to hide that you are using Joomla and block template switching. The following settings can be applied: Hide/customise generator meta tag YES
Generator tag COMPANY NAME [OR SOMETHING ELSE]
Block temp=foo system template switch YES
List of allowed tmpl= keywords LEAVE DEFAULT
Block template=foo site template switch YES
Allow site templates YES

Auto-ban Repeat Offenders

IP blocking of repeat offenders YES
Stops Brute Force Attacks by blocking the IP after several failed logins Block after 5 ATTACKS IN 15 MINUTES
Block for this long 15 MINUTES
IP blacklisting of persistent offenders YES
Permanently blacklist IP after 5 AUTOMATIC IP BLOCKS These are settings we recommend for your website. It should give you an additional layer of security. You can now save the settings and close the Web Application Firewall.

.htaccess Maker

Akeeba Admin Tools comes with the ability to create custom htaccess files. If your website is running on an Apache Webserver (most of them are), you can stop people from looking at certain files or directories. Even if you don’t need to block certain directories, these basic settings protect you from a few security risks:

Disable directory listing (recommended) YES
Very important, otherwise Apache shows all files in a directory if no index document is present.

Protect against common file injection attacks YES
Protects against exploits and malicious code execution on the server.

Disable PHP Easter Eggs YES
Tries to stop hackers from finding out which PHP version you are running.

Block access to configuration.php-dist and htaccess.txt YES
Those files are created after a Joomla installation and can be directly accessed from the web. They tell the user what Joomla version you use.

Protect against clickjacking YES

Reduce MIME type security risks YES
Prevents users from uploading executable files with IE9 and Chrome.

Reflected XSS prevention YES
Prevents the most common form of Cross Site Scripting Attacks where injected scripts are reflected off the webserver in error messages, search results or any message where form input is shown to the users.

Remove Apache and PHP version signature YES

Prevent content transformation YES
Prevent issues when trying to compress CSS/JavaScript in congested networks.

Block access from specific user agents YES
Akeeba provides a list of bad user agents that are used by spammers. You can also look for more up-to-date lists on the internet.

The settings below are mainly used for file and directory protection. Once you are done you can either save without creating a file, to store your configuration, or save it and create an htaccess file.

Helpful Tools

There are a few other helpful tools that are worth checking every once in a while.

Repair and optimise tables
This cleans your database by repairing tables. This process can take a bit of time.

Fix Permissions
Some plugins can change the file permissions and make them less secure. Directories should be set to 755 and files to 644. This tools does this automatically. This is how to decode those numbers:

1. Number: Permissions of the owner the files belong to

2. Number: Permissions of the groups the files belong to

3. Number: Permissions of everybody on the server

0: no permissions

4: read

5: read and execute

6: read and write

7: read, write and execute

Remember, it’s best practice to take regular backups of your website – this is especially true if you’ve made any recent changes to content etc. We highly recommend using Akeeba Backup.

How to install Akeeba Backup

Go to the Extension Manager (Extensions > Manage) and select the tab ‘Upload Package File’. Select the zip archive and click Upload & Install. After the installation the extension can be found under Components > Akeeba Backup. Follow the simple instructions onscreen and you will have a new backup of your site stored.