Security is not one single thing; it is a process, a set of steps that need to be taken in order to achieve a result. The process begins with your server settings and the Joomla! core files. If you fail to make this base level of the system secure, then additional steps are at the very least of limited effectiveness, at the very worst — they are pointless. Note as well, the first step towards assuring your site’s integrity is also one of the easiest: Only install the most recent version of the Joomla! core file packages found at the official download site, JoomlaCode.org. Do not download and install core file archives from other sites, as you cannot be certain of their origins, completeness, or integrity.
This article is excerpted from the upcoming Joomla! Bible, from Wiley & Sons. That book is due for publication in early November and can be pre-ordered directly from the publisher at www.wiley.com. Watch this site across the coming months as we preview more from this new title.
Protect directories and files
There are several steps you can take to enhance the security of the directories and files on your server. The first step is adjusting the permissions to be as strict as possible without impairing use of the site. Write-protect your critical directories. As a general rule, set the directory permissions to 755 and the file permissions to 644 using either FTP or the options in the Global Configuration Manager. Note that this is best done after you have fully completed your installation of the core and all Extensions. It is possible that you may have to make these settings more permissive if you need to install Extensions in the future.
There’s a good discussion of how to set file permissions and what they all mean on the Joomla! docs site — visit the resource to learn more.
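The 755/644 rule above, applied and then audited from a shell on the server. This is an added example, not code from the Joomla! Bible or the Joomla! project; it assumes you have shell access to the account that owns the site files and pass the site root as the argument.

```shell
#!/bin/sh
# Added example (not from the Joomla! Bible): enforce directories=755, files=644
# under a Joomla! root and report what still deviates. POSIX sh and find only.

# Set every directory to 755 and every file to 644 below the given root.
harden_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# List anything world-writable: these are the entries worth fixing first,
# because a writable file in the web root lets an attacker plant code.
list_world_writable() {
    find "$1" -perm -o+w -print
}

# Print the number of entries that do not match the 755/644 rule (0 = clean).
count_deviations() {
    root="$1"
    bad_dirs=$(find "$root" -type d ! -perm 755 | wc -l)
    bad_files=$(find "$root" -type f ! -perm 644 | wc -l)
    echo $((bad_dirs + bad_files))
}
```

Run harden_perms only after the core and all Extensions are installed, as the text above notes; the Extension installer may need write access again later, and count_deviations tells you which tree needs another pass.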
There are a number of other steps you may want to consider taking; however, you should note that each of these has a trade-off, either in terms of increased admin overhead or other limitations:
Move the configuration.php file outside of the public HTML directory on your server and rename it. Place a new configuration.php file in the public HTML directory pointing to the new file. Make sure your new file is not writable in order to avoid it being overwritten by the Global Configuration Manager. Note that making this change will force you to modify the new configuration file manually, rather than by using the Global Configuration Manager. For more information on how to set this up, see http://docs.joomla.org/Security_and_Performance_FAQs
Use .htaccess to block direct access to critical files. Note this is only applicable to servers using the Apache web server and webhosts that allow you to modify .htaccess. Make sure you back up your old .htaccess file before you try this in case you experience problems and need to restore the old file.
Change the default log path. Hackers sometimes look to the log files as a way to identify what Extensions you have installed, in hopes of finding an Extension that has a known vulnerability they can exploit. To help deter this bit of information fishing, alter the log path settings in the Global Configuration Manager.
Change the default temp directory. The contents of the temp directory can also provide information you may not wish to disclose about your site. You can alter the temp directory settings in the Global Configuration Manager.
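The .htaccess step above, done the way the text advises: back up the existing file first, then append a rule that denies direct web access to the configuration file. This is an added example, not code from the Joomla! Bible or the Joomla! project; the list of protected file names and the .bak suffix are assumptions, and the rule carries both the Apache 2.2 and 2.4 syntax so it works on either.

```shell
#!/bin/sh
# Added example (not from the Joomla! Bible): protect critical files via .htaccess.
# Argument: the public web root of the Joomla! site. Requires Apache with
# AllowOverride enabled for the directory, as the text above notes.

protect_with_htaccess() {
    webroot="$1"
    ht="$webroot/.htaccess"
    # Keep a copy first so the old file can be restored if the site breaks.
    if [ -f "$ht" ]; then
        cp "$ht" "$ht.bak"
    fi
    # File names are an assumption: configuration.php holds database credentials,
    # configuration.php-dist is the template shipped with the core.
    cat >> "$ht" <<'EOF'
# Deny direct HTTP access to files that only PHP should read.
<FilesMatch "^(configuration\.php|configuration\.php-dist)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# Exit 0 when the deny rule for configuration.php is present in .htaccess.
htaccess_protects_config() {
    ht="$1/.htaccess"
    grep -qF 'configuration\.php' "$ht" && grep -Eq 'Require all denied|Deny from all' "$ht"
}
```

After applying it, request /configuration.php in a browser: a 403 confirms the rule is active, while a blank page means AllowOverride is not honoured and the host must be asked to enable it.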
Protect access details
Humans are your most common point of security policy failure. Admin passwords should be changed often. The default user name that is produced for the administrator during the installation process should also be changed immediately after the system is set up. Leaving the default user name as “admin” gives a hacker one half of the answer to the puzzle they need to solve to gain access to your site. Passwords should also be as secure as practicable.
In addition to controlling the access to your admin system, you need to be sensitive to the access issues that relate to your database. If you have control over the access privileges to the user accounts on your MySQL database, make sure that all accounts are set with limited access.
Remove unnecessary files
If you don’t need it now and you don’t intend to use it, get rid of it. Logical targets for deletion include: unused Templates and Extensions you have installed then decided not to use. If you have copied archive files to your server during the course of installation, make sure you get rid of those. Don’t forget the installation directory — don’t simply re-name the installation directory, delete it!
Another candidate for deletion is the system’s XML-RPC server. If you are not using this functionality, delete it. It is located in the Joomla! root in the directory named xmlrpc/.
Maintain a sensible server setup
In an ideal world, we would all have our own dedicated servers where we could control every aspect of the system. In the real world, shared hosting is the reality for many users. Shared hosting, though certainly more cost-effective than a dedicated host, involves trade-offs in terms of security and access privileges. Your goal should be to make the host setup as secure as possible, regardless of whether it is dedicated or shared. Exactly what you are able to do with your server varies, but you should consider the following:
Use Secure FTP, if available. This helps avoid the possibility that someone can determine your username and password while you are in the process of a file transfer.
If possible, use PHP 5. While both PHP 4 and 5 are supported by Joomla!, PHP 5 is the superior solution and PHP 4 is being phased out.
Make sure your server does not have Register Globals enabled. Joomla! does not need it and it is a security risk.
If the mod_security module is installed on your Apache web server, use it. It acts as an embedded web application firewall and provides significant protection against many common attacks. Learn more about how to use it.
Turn safe mode off. Safe mode is not necessary for Joomla! and may cause problems with some Extensions.
Set Magic Quotes GPC to On.
Don’t use PHP allow_url_fopen. Set this option to Off.
Use PHP open_basedir. Set this option to On.
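A quick audit of a php.ini against three of the settings listed above (Register Globals off, allow_url_fopen off, open_basedir set). This is an added example, not code from the Joomla! Bible or the Joomla! project; it reads the php.ini path you pass as an argument, which on shared hosting is often a per-site file rather than the system one.

```shell
#!/bin/sh
# Added example (not from the Joomla! Bible): report php.ini directives that
# contradict the checklist above. POSIX sh, sed and grep only.

# Print the effective value of a directive: last uncommented assignment wins,
# trailing ";" comments and surrounding quotes are stripped.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*;.*$//' | tail -n 1 | tr -d '"'
}

# Exit 0 when register_globals and allow_url_fopen are Off and open_basedir
# is non-empty; otherwise print each finding on stderr and exit 1.
audit_php_ini() {
    ini="$1"; rc=0
    for directive in register_globals allow_url_fopen; do
        v=$(ini_value "$ini" "$directive" | tr 'A-Z' 'a-z')
        case "$v" in
            off|0|false|no) ;;
            "") echo "$directive is not set explicitly; set it to Off" >&2; rc=1 ;;
            *)  echo "$directive=$v; set it to Off" >&2; rc=1 ;;
        esac
    done
    if [ -z "$(ini_value "$ini" open_basedir)" ]; then
        echo "open_basedir is empty; restrict PHP to the site's own directories" >&2
        rc=1
    fi
    return $rc
}
```

The php.ini is only what PHP was told; confirm the running values with a phpinfo() page that you delete immediately afterwards, since a host can override ini settings in its Apache configuration.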
Official Joomla! Security Resources
The Joomla! Team and Community have created and maintain a number of useful security resources.
Name of resource | URL
Security Checklist: Getting Started | http://docs.joomla.org/Security_Checklist_1_-_Getting_Started
Security Checklist: Hosting and Server Setup | http://docs.joomla.org/Security_Checklist_2_-_Hosting_and_Server_Setup
Security Checklist: Testing and Development | http://docs.joomla.org/Security_Checklist_3_-_Testing_and_Development
Security Checklist: Joomla Setup | http://docs.joomla.org/Security_Checklist_4_-_Joomla_Setup
Security Checklist: Site Administration | http://docs.joomla.org/Security_Checklist_5_-_Site_Administration
Security Checklist: Site Recovery | http://docs.joomla.org/Security_Checklist_6_-_Site_Recovery
Joomla Security Strike Team Contact Form | http://developer.joomla.org/security/contact-the-team.html
Security and Performance FAQs | http://docs.joomla.org/Security_and_Performance_FAQs
Automatic Email Notification System | http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews
Security RSS Feed | http://feeds.joomla.org/JoomlaSecurityNews
Joomla! 1.5 Security Forum | http://forum.joomla.org/viewforum.php?f=432
Vulnerable Extensions List | http://docs.joomla.org/Vulnerable_Extensions_List
Security Announcements for Joomla! Developers | http://developer.joomla.org/security/news.html
Joomla! Developers Security Articles and Tutorials | http://developer.joomla.org/security/articles-tutorials.html