Joomla Security Info

First of all, use the latest version of Joomla. How to upgrade Joomla to the newest version.

Most times when people say their Joomla website has been hacked, the security problem has nothing to do with Joomla itself. In most of the cases, the hacker came in through an unsecure third party extension that the site owner installed. Check this list for vulnerable 3rd party/non Joomla! extensions.

Don’t use the default admin username. Change it to something safe and choose a safe password.  A safe password contains at least eight characters and includes both letters, numbers and special characters. Here is a great Secure Password Generator »

A SEF component is used to make the url:s of your Joomla website more Search Engine Friendly.  But a good SEF component also gives security benefits. A default Joomla url tells the viewer a lot about the page visited; that it is a Joomla page and what components are used to produce that page. A SEF component masks that information and makes it harder for a hacker to find eventual security vulnerabilities.

The SEF component sh404SEF also includes a security component that stops various attacks on your website and sends you a warning whenever your site has been exposed to an attack. It also gives you the option to remove the generator tag from your site. The generator tag tells the world that your site is generated by Joomla. Of course it is a nice thing to give credit to Joomla, but there are other ways to pay back to the Joomla community that does not help hackers. If you do not tell the hacker that your website is built with Joomla, you make it a lot harder for him to know where to start hackning. 

• Avoid any web host that uses php safe_mode, i.e. safe_mode should be OFF.
• If you use Joomla 1.0.x, make sure to Joomla's Register Globals Emulation OFF. You find the setting in the Joomla Global Configuration.
• Use PHP5 rather than PHP4.

• Make sure that no outsider can view php information (server configuration) by phpinfo.
• Hide the generator tag that shows that you use Joomla CMS. Note that we are not suggesting that Joomla would be insecure. This suggestion is just to make it harder for Joomla-specialized hackers to recognize that your website is Joomla-powered.
• Use an SEF component that masks what components are used on your website.

You should definitely write-protect your Joomla configuration file. The file is called "configuration.php" and is located in the root folder of your domain. Joomla 1.5 write protects the configuration.php by default, but in Joomla 1.0 you must actively choose to write protect the file. You do that by checking the option "Make unwriteable after saving" in the Joomla Global Configuration. You can also manually CMOD the file to 444.

It is important to delete Joomla templates that you do not use for your website. If you keep the default Joomla templates, someone could for example link to your site with the url /index.php?jos_change_template=rhuk_solarflare_ii and show your website with the default template. Besides that your website may look terrible for anyone clicking that link, it may also show content that you never intended to publish on the web, for example through module positions that does not exist in your chosen template.