Joomla! is an extremely powerful open source content management system (CMS). The core application is mature, very stable and inherently secure – as long as no poorly coded and vulnerable third party extension applications are installed, Joomla updates are installed on release and you choose a Joomla hosting company who have their web hosting servers securely configured.
Here are a few recommendations that Rochen, the web hosting company that host all the official Joomla websites suggest to ensure your Joomla website is not only secure, but also performs to its maximum potential.
Secure Joomla Hosting
- Your Joomla hosting company should run PHP in CGI mode with su_php. This means that PHP does not run under the global Apache web server user, but under your own individual user account. This means you don’t need to set insecure CHMOD 777 (read, write, execute permissions for all users). Installation of plugins is much more straight forward and secure.
- All Joomla files should be CHMOD to 644 and all directories to 755 – no files should ever be set to 777 – especially the configuration.php file.
- The Joomla FTP layer is only required if your host does not run PHP under the account user. If you have a good Joomla hosting company then you should not need to enable FTP in your global site settings. You should also remove your FTP login details if they have already been stored.
- Change the default administrator username to something other than ‘admin’ – I normally change the username and set the user level to registered user. This makes the site even harder to compromise.
- Don’t install every component, plugin and module ever written for Joomla – if you don’t have a use for an extension or you no longer use one, remove them. The more joomla extensions you install the more you have to keep updated to avoid vulnerability issues. Make sure you remove the actual files too by FTP.
- Make sure your Joomla hosting company are keeping their servers regularly updated and removing end of life applications (like PHP4). Server modules like mod_security for Apache and open_basedir under PHP helps to minimise cross site scripting (XSS) issues.
- Passwords – as always make sure you use secure passwords for your administrator user, FTP, control panel and database connection.
- Password protect your administrator folder using .htaccess. This will ensure that even if someone were to get hold of your admin user password, they would not be able to get far enough into the site to actually use it.
- Most importantly, keep your Joomla installation updated to the latest version. It is a great idea to subscribe to the Joomla Security Mailing List. You should also subscribe to the security mailing lists of any third party vendors whose extensions you have installed.