How can I make my Joomla! site more secure?
Joomla is undoubtedly one of the most well known and widely used Content Management Systems (CMS). The first years after it separation from the Mambo CMS, has revolutionized the way in which the Internet applications were working. Since then, of course, many things have changed as Joomla too.
The Joomla generations / series
The Joomla as an evolving platform has traveled the following versions:
- Joomla 1.0 - (latest version 1.0.15)
- Joomla 1.5 - (latest version 1.5.26)
- Joomla 1.6 - (latest version 1.6.6)
- Joomla 1.7 - (latest version 1.7.5)
- Joomla 2.5 - (latest version 2.5.28)
- Joomla 3.0 - (latest version 3.0.3)
- Joomla 3.1 - (latest version 3.1.6)
- Joomla 3.2 - (latest version 3.2.4)
- Joomla 3.3 - (latest version 3.3.4)
- Joomla 3.4 - (latest version 3.4.8)
- Joomla 3.5 - (latest version 3.5.1)
- Joomla 3.6 - (latest version 3.6.5)
- Joomla 3.7 - (latest version 3.7)
- Joomla 4.0 - (release in 2017)
Secure Joomla versions
It is important to understand that the secure versions are the ones that are supported and upgraded by the official Joomla community. All previous versions are not considered safe and should be upgraded to a newer one.
Migrates & Updates
Migrate is to move from one Joomla version to another. The Migration process is a prescribed procedure that is specific and is carried out by finite steps.
Updates are also clearly defined procedures but with a greater degree of automation than Migrates. Usually made with the click of a button through the Joomla control panel.
Joomla 1.0 to newer version
The greatest and more crucial change to Joomla was during the transition from version 1.0 to version 1.5. In version 1.0 the Joomla application was functioning more like a well-mounted set of scripts on which slowly the Joomla Framework begun to form. In version 1.5 now there is the Joomla Framework upon which the Joomla CMS was built from the beginning.
This significant difference on how these two platforms are structured is the reason why the migration process from 1.0 to 1.5 is different from the migration 1.5 and 2.5 to 3. You can see details for the Joomla 1.0 to 1.5 migration here. Also you can not upgrade from Joomla 1.0 to 3.x but you must first upgrade to Joomla 1.5 and then to Joomla 3.x.
Joomla 1.5 to 2.5 or 3.x
Users who have applications in version 1.5 are recommended to upgrade their applications immediately. Upgrading Joomla 1.5 to 2.5 or 3.x is similar. It is recommended to upgrade to the latest Joomla 3.x version because version 2.5 is no longer supported and therefore it is a vulnerable version. You can see the steps for the 1.5 to 3.x migration here.
Joomla 2.5 to 3.x
Upgrading Joomla 2.5 to 3.x is designated as a mini-migration from the Joomla community. Theoretically it is migration because it changes the version number of the application (2 to 3), but carries the designation mini since the core installation of the Joomla is upgraded at the click of a button. The mini-migration from 2.5 to 3.x is considered necessary because version 2.5 is now vulnerable. You can see the steps for the 2.5 to 3.x mini migration here.
It is particularly important for Joomla website administrators, to follow the security updates / upgrades of Joomla. You can follow our blog in order to be informed for any new version or security update for Joomla and other CMS too. You can also follow us on Google+, Facebook and Twitter in order to be informed from there too.
My Joomla website is hacked, what can I do?
IP.GR is using security software in its servers thar is supervising the quality of files on the servers in real-time. If your Joomla website has been violated with malicious files transferred on your account, it is likely that we will first detect the malicious action and will inform you about it.
Not all malicious actions that can be done at a website can be detected, because of the human factor that is involved. For example if you have an easy password for the administrator interface of your Joomla website and with a simple test anyone can guess it and connect as administrator, then it is almost certain that any security software will not be able to detect this traffic as malicious. For this reason we recommend to always use a secure password.
There is also the possibility that your passwords are safe but be intercepted because the computer or the network is infected by a virus. It is recommended that the computers you use for professional work to be as safe as possible, updated and protected in order to avoid such incidents.
If your Joomla website has been violated then the following may occur:
Hack at code level:If you are sure that your database has not been tampered and there are only malicious files that were uploaded to your website, then you first need to follow the steps below:
- Download a Backup of your website's files to your computer in case of emergency. Some of that files are needed.
- Download a clean Joomla installation package of the version you are using from its official website. If you are using an older version you have to download the same old version because you are trying to clean your account. You can update your installation later.
- Delete the files from the Joomla installation directory on your server using the cPanel > File Manager or an FTP application.
- On the previous installation directory upload your new .zip file you downloaded in order to perform a new clean Joomla installation.
- Extract the zip file inside the Joomla directory using the File Manager.
- Delete the installation folder from the extracted files.
- Update the configuration.php file that you will find inside the Joomla installation directory and insert the appropriate information. You can also upload and use your old configuration.php from the backup you downloaded on your computer. Now your installation is working and your website is using the database and the data you had before.
Finally upload the images folder from the backup to your new installation. Pay attention in this step, as any of the files that you will upload may be a virus. You must supervise the files of the images folder before you upload them. Preview all the images one-by-one and delete anything redundant and unnecessary. Even an image file may contain malicious code, which can be used in malicious actions.
Your computer's antivirus may detect viruses within the backup files you have downloaded but probably will not find anything, because web viruses are different from the windows viruses and antivirus application for windows are created to find the viruses that can affect the windows platform and not the ones that attack websites.
Pay close attention to these steps because there is a risk to re-upload the virus to your website. Do not trust even the obvious if you will not open and closely supervise each file.
Hack at the database level
Open phpMyAdmin through cPanel and inspect the tables of the database. With a quick glance you can see if there are any tables with thousands of records that should not have so many records. If you find a table like this click Browse and see what are these records have inside. It is easy to find out if the records are Spam data or real data of your website.
Depending on the tables that are affected you can do the corresponding actions.If for example you have enabled a commenting system with thousand comments from fake users, then you have to update the commenting component if it's not updated and enable a captcha mechanism for your comment form to stop malicious scripts or bots that may have found the vulnerability of the comment form. Then empty the comments table or delete the spam comments by hand and see if the spam comments continue to show up. If spam comments continue to be added then you will have to contact a more experienced technician or contact IP.GR for help.
Users table is also a table that is frequently targeted by hackers. You may find out that you are not the only administrator on your website but there is also another one. Delete the record/s you do not recognize as yours and change the password of your Joomla administrator. If the user records are a few then probably you had an easy password which is stolen and the hacker used it in order to connect as administrator and create his own user. If the user records in the list are thousands, then usually there is a security bug in the user registration form, so check there and use a captcha mechanism and make the possible updates.
I do not know what has been tampered
If you are unable to check what has been tampered or everything has been tampered heavily, then a fresh / clean installation is always the best solution. But if you restore the data from the hacked website follow the rules described in the previous steps to exclude the possibility of uploading a virus to your website by yourself.
Additional safety actions
You can make some additional steps that will give another level of security to your application:
Make your administrator page password protected.
This can be done through cPanel by selecting the Password Protect Directories option under the Security category.
Put an .htaccess file inside the administrator directory.
If you own a static IP address you can allow the administrator directory access only from your IP address.
If you own a dynamic IP address you can cut the total access by adding the line Deny From ALL inside the .htaccess file. When you want to connect to the administrator environment you will have to comment this line of code using the cPanel > File Manager, do your changes and then revert back the line of code.
This way an extra dialog box will be shown every-time you are trying to login that will ask for a username and a password.