Joomla has exploded in popularity as an open-source website creation tool for individuals, small and medium-sized businesses, enterprises, and developers. It has been downloaded 78 million times and currently powers millions of websites.
Joomla websites have not been entirely unaffected by the cyber crime problems that have plagued content management systems (CMSs) and the internet in general. A wave of fake jQuery attacks hit Joomla and WordPress sites in 2015 and 2016, affecting over 4.5 million sites.
It is not necessary to have an in-depth understanding of how code injection attacks work in order to protect your website, however, as basic security considerations make these and most other attacks unlikely to target your site, and less likely to succeed.
To safeguard your website and its visitors, consider the following. For the record, I have personal experience using the following tools and platforms.
1. Start with security
A good antivirus service that performs regular scans can be a valuable part of your website security. Consult with your service provider if they offer such a service with their hosting package. However, this should only be the starting point.
Consider making security a big part of your strategy. This includes using a unique, non-default password, multi-factor authentication and an intrusion detection system. The first step in securing your Joomla website is to take security seriously.
2. Use a web application firewall
A web application firewall (WAF) is a form of reverse proxy that protects web or other applications on a server from common HTTP-based attacks, such as cross-site scripting, SQL injections, illegal resource access and remote file inclusions, among others.
Incapsula, a leading security provider, has a cloud-based WAF and security-enriched content delivery network (CDN) that integrates with and is specifically designed for Joomla. Investing in a WAF will significantly improve your infrastructure’s ability to ward off malicious traffic, and it can provide some protection against DDoS and similar attacks.
3. Keep Joomla and extensions up to date
Like any CMS, and all web-facing software, Joomla must be kept up-to-date to maintain security. Along with providing new features, regularly upgrading to the latest versions of Joomla helps address vulnerabilities and close attack vectors.
The same goes for extensions. Extensions are a common attack vector, so Joomla publishes a list of vulnerable extensions. If you have never checked this, do so even before reading further.
4. Rewrite your URLs
Search-engine-friendly (SEF) URLs can improve your Google ranking. They also have a significant security benefit because they replace URLs that can provide hackers with information they can otherwise use to target vulnerabilities. There are a number of extensions for Joomla—some free and some paid—that will help you generate SEF URLs that will not show up in a hacker’s advanced Google searches using the inurl command or Occurrences searches.
5. Use an encryption certificate
Let’s Encrypt is an open certificate authority (CA) that grants SSL certificates for free. Created by the Internet Security Research Group, a non-profit industry organization, Let’s Encrypt currently counts over 20 million sites currently using its SSL certificates. There are a handful of other certificate authorities, and some even provide free options. This means you have no excuse to be exchanging unencrypted information with your website visitors.
6. Set permissions correctly
Directories and files in a website can be set so that they can be read, written to and executed by different people. A website owner or administrator should generally be the only person with permission to write files and directories, while no-one should have permission to write to PHP. File permissions set to 777 allow anyone to view and modify files, but some servers require 777 permissions for Joomla to work properly. Joomla recommends users in this situation request to be put on a different server. The recommended settings are 755 for directories, 644 for files and 444 for PHP.
7. Pay for a good host
For many SMBs and individuals, cost is the primary consideration when choosing a web hosting company. There’s a multitude of Joomla hosting packages available (such as LCN), starting from as little as $3 a month and up to $12 for multi-site solutions (try providers like HostUpon). However, as seen with 777 permissions above, not every kind of server is appropriate for hosting Joomla websites.
You want a web hosting company that keeps your site’s PHP (the language Joomla is written in) up to date. It does not have to be expensive, but keep in mind that many sites have already been victimized by service provider negligence. The only time you can avoid this is when you choose your host.
The measures above are not the only things you can do to improve your Joomla website’s security, but between these steps and conducting regular backups, website owners and administrators can avoid being attractive targets for hackers as “low-hanging fruit.”
Joomla also provides helpful documents, such as a security checklist for administrators, that can communicate best practices for security—even for website administrators who are not web development experts.
You can significantly enhance the security of your Joomla website by making a small investment in time and money to implement the suggestions above, as well as go through the checklist provided by Joomla. The returns on that investment are not just prevented breaches, with their associated downtime, recovery costs, and possibly legal ramifications, but also a protected reputation. A secure website gives you peace of mind, which lets you focus on your core business objectives.