I do a bit of business from time to time when clients call me to clean up broken or hacked Joomla web sites. While the paths the hackers took to get into the system were all different they all boil down to a few basic things. From the moment you first set up your Joomla site make sure you follow these tips. They won’t stop all hacking attempts but they will make it much less likely.
- Update your Joomla installation to the most current version immediately after you first install it.
Many people install Joomla through Fantastico, Softaculous, or the Web Apps panel in their hosting’s control panel. The problem is that if the hosting provider does not keep those installer scripts up to date, you may be installing a version of Joomla that is very out of date. I’ve seen some recent posts on here of people installing Joomla 1.5 on their systems through their cPanel when 1.5 was discontinued over a year ago. Always update to the most recent version ASAP. If you don’t know whether you have the most recent version, go over to www.joomla.org and check which release is current.
- Make sure your file permissions are set correctly.
Pretty much all of the files in your Joomla installation should be set to 644 and the directories to 755. The one major exception is your configuration.php, which should be set to 444 (some people suggest 666 as well). That means you will have to go in and change the permissions before you can edit it, but it also makes it harder for others to get at it.
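As an added example (not from the original post, and not Joomla or Admin Tools code), a POSIX shell script that audits a Joomla document root against the scheme above and can apply it in bulk; the root path is an assumed argument.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Joomla tree against the
# permission scheme described above (files 644, directories 755,
# configuration.php 444) and optionally apply it. The root path is the
# caller's assumed document root; nothing here is Joomla or Admin Tools code.

# Print one "expected <mode>: <path>" line per offender; exit 0 only when
# clean, so the function can be run from cron or a monitoring check.
joomla_perm_audit() {
    root="${1:-.}"
    report="$(mktemp)"
    # configuration.php holds the database credentials: read-only (444)
    find "$root" -type f -name configuration.php ! -perm 444 -print \
        | sed 's/^/expected 444: /' >> "$report"
    # every other regular file: owner-writable only (644)
    find "$root" -type f ! -name configuration.php ! -perm 644 -print \
        | sed 's/^/expected 644: /' >> "$report"
    # directories: traversable by the web server, writable only by owner (755)
    find "$root" -type d ! -perm 755 -print \
        | sed 's/^/expected 755: /' >> "$report"
    offenders=$(grep -c . "$report" || true)
    cat "$report"
    rm -f "$report"
    [ "$offenders" -eq 0 ]
}

# Apply the scheme in bulk (what the post says Admin Tools can do for you).
# Leaves configuration.php at 444; loosen it by hand only while editing it.
joomla_perm_fix() {
    root="${1:-.}"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name configuration.php -exec chmod 644 {} +
    find "$root" -type f -name configuration.php -exec chmod 444 {} +
}

# Usage: sh joomla-perms.sh /var/www/html   (audit only)
[ $# -gt 0 ] && joomla_perm_audit "$1"
```

Run the audit first: the fix function also resets any directory a host-specific setup deliberately left writable (such as a cache or upload directory), so review the audit output before applying it to a live site.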
- Change your database prefix!
When you first set up Joomla change the prefix from the old default jos_ to something else. If you already have the site set up and running install the Akeeba Admin Tools extension and have it change the prefix on everything for you. Admin Tools has a lot of other great features to it (including changing file and directory permissions in bulk). Plus, it’s free!
- Install a backup component and USE IT IMMEDIATELY!
Go over to Akeeba again and grab the free version of Akeeba Backup, or find another backup option that you prefer. As soon as your site is up and running, back up the whole thing and store it off site by downloading the backup file or having the system email it to you. If you can, set up the backup system to do this automatically on a regular basis. That way, if you do get hacked, you will have a copy your system administrator can use to get you back up and running as quickly as possible, without having to start over from scratch or pay your hosting company to do a restore from their server backups.
- Update your extensions whenever you update your Joomla system software.
If you are using Joomla 2.5 or 3.0 then many of the extensions you are using may be available to be updated automatically through the extension update manager. If your extensions do not make use of this feature then make sure to update them manually on a regular basis.
There are dozens of other security tips for safeguarding your Joomla install, including several Joomla security guides over at the Joomla.org site and several more at MarcoFolio’s site. The first tip above is still the most important of all: UPDATE UPDATE UPDATE!
If you are having any problems with your site or have questions about Joomla installations and Joomla security be sure to post here in the forum or feel free to drop me a PM and I’ll try to help if I can.