7 tips to optimize Joomla! security

Last April Fools I made a joke that my website was hacked and turned upside down. When your website is really hacked, there's nothing funny about it.

Joomla! is a great CMS that is used worldwide. For this reason, hackers often try to find ways to hack Joomla! websites. Here are 7 tips to optimize your Joomla! security and prevent your Joomla! website from getting hacked.

7 Joomla! security tips

Always remember to make a regular backup of your website and database. If you do get hacked, you can always go back to an older version of your website. Make sure you find out which extension caused the vulnerability and uninstall it.

Change the default database prefix (jos_)

Most SQL injections that are written to hack a Joomla! website try to retrieve data from the jos_users table. This way, they can retrieve the username and password of the website's super administrator. Changing the default prefix to something random will prevent most (or all) of these SQL injections.

You can set the database prefix when installing your Joomla! website. If you've already installed Joomla! and want to change your prefix, do the following:

  1. Log on to your Joomla! back-end.
  2. Go to Global Configuration and look for the database settings.
  3. Change your database prefix (example: fdasqw_) and press Save.
  4. Go to phpMyAdmin to access your database.
  5. Go to Export, leave all default values and press Start. Exporting the database can take a while.
  6. When done, select all the SQL code and copy it to Notepad (or any other text editor).
  7. In phpMyAdmin, select all tables and delete them.
  8. In Notepad, do a Search & Replace (Ctrl + H). Set the search term to jos_ and replace it with your new prefix (example: fdasqw_). Press "Replace all".
  9. Select everything in your Notepad file and copy it. In phpMyAdmin, go to SQL, paste the queries and press Start.
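A safer way to do steps 8 and 9: the Search & Replace in Notepad changes every occurrence of jos_, including ones that sit inside article text or other row data in the INSERT statements, which corrupts that data. The script below is an added example (not code from the article or from Joomla) that renames only backtick-quoted identifiers, the form phpMyAdmin uses for table and column names in its dumps. The sample dump is constructed, and the prefix fdasqw_ is the article's own example.

```python
import re
import sys

# Constructed sample of a phpMyAdmin-style dump (not data from any real site).
# Note the article text that mentions "jos_users": it must not be renamed.
SAMPLE_DUMP = """\
CREATE TABLE `jos_users` (
  `id` int(11) NOT NULL,
  `username` varchar(150) NOT NULL
) ENGINE=MyISAM;
INSERT INTO `jos_content` (`id`, `introtext`) VALUES
(1, 'Back up the jos_users table before you touch it');
"""

# Joomla accepts a prefix of letters and digits that ends in an underscore.
PREFIX_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*_$")


def is_valid_prefix(prefix):
    """True for prefixes such as fdasqw_, False for jos, my-site_ or ''."""
    return bool(PREFIX_RE.match(prefix))


def rewrite_prefix(dump, old_prefix, new_prefix):
    """Rename every `old_prefix<name>` identifier to `new_prefix<name>`.

    Only backtick-quoted identifiers are rewritten, so the same text inside
    a quoted string literal (article text, session rows) is left untouched,
    which is exactly what a plain editor Search & Replace gets wrong.
    Returns (rewritten_dump, sorted list of the new identifier names).
    """
    if not is_valid_prefix(new_prefix):
        raise ValueError("prefix must be letters/digits ending in '_': %r" % new_prefix)
    ident_re = re.compile(r"`" + re.escape(old_prefix) + r"([A-Za-z0-9_]+)`")
    renamed = set()

    def swap(match):
        renamed.add(new_prefix + match.group(1))
        return "`" + new_prefix + match.group(1) + "`"

    return ident_re.sub(swap, dump), sorted(renamed)


if __name__ == "__main__":
    # Usage: python rewrite_prefix.py jos_ fdasqw_ < export.sql > renamed.sql
    old, new = sys.argv[1], sys.argv[2]
    text, names = rewrite_prefix(sys.stdin.read(), old, new)
    sys.stdout.write(text)
    sys.stderr.write("renamed %d identifiers\n" % len(names))
```

Run it on the export from step 5 instead of doing the Search & Replace of step 8, and import its output in step 9; the prefix entered in Global Configuration in step 3 still has to match the new prefix exactly.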

Remove version number / name of extensions

Most vulnerabilities only occur in a specific release of a specific extension. Showing something like "MyExtension version 2.14" on your site is a really bad idea. You can change this message to show only the name of the extension by doing the following:

  1. Retrieve all files of the extension from your server.
  2. Open up Dreamweaver.
  3. Load any file from the extension that you just downloaded to your local machine.
  4. Use the Search function and set the search to "Search through specified folder". Navigate to the folder where you downloaded the extension to.
  5. Set the search term to "MyExtension version 2.14" and press OK.
  6. When you have found the correct file, remove the version number.
  7. Upload the changed file to your server and check that the change is visible.
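The Dreamweaver search in steps 4 to 6 looks for one literal string. As an added example (not from the article or from any extension), the script below scans a downloaded extension folder for any banner of the form "Name version X.Y", so it also finds banners with a different name or version number, and shows how the version part can be stripped while the extension name is kept. The sample folder it builds, and the file names in it, are constructed for the demonstration.

```python
import os
import re
import tempfile

# Matches visible banners of the form "MyExtension version 2.14"; group 1 is
# the extension name (kept), group 2 the version (to be removed).
BANNER_RE = re.compile(
    r"\b([A-Za-z][A-Za-z0-9_]*)\s+version\s+(\d+(?:\.\d+)+)\b", re.IGNORECASE)

# File types worth scanning; binaries such as images are skipped.
TEXT_EXTENSIONS = (".php", ".html", ".htm", ".xml", ".js", ".txt")


def find_version_banners(text):
    """Return [(name, version), ...] for every banner found in text."""
    return [(m.group(1), m.group(2)) for m in BANNER_RE.finditer(text)]


def scrub_version_banners(text):
    """Keep the extension name and drop the ' version X.Y' part."""
    return BANNER_RE.sub(lambda m: m.group(1), text)


def scan_tree(root):
    """Walk a downloaded extension and map each file to the banners it carries."""
    hits = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            if not name.lower().endswith(TEXT_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = find_version_banners(fh.read())
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits


def build_sample_tree():
    """Create a constructed, throw-away extension folder for the demonstration."""
    root = tempfile.mkdtemp(prefix="mod_myextension_")
    os.mkdir(os.path.join(root, "tmpl"))
    samples = {
        "mod_myextension.php": "<?php // module entry point, no banner here\n",
        "tmpl/default.php": "<div class=\"credits\">MyExtension version 2.14</div>\n",
        "logo.png": "\x89PNG not scanned\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Report which files show a version, then the scrubbed text for each.
    for rel, banners in scan_tree(build_sample_tree()).items():
        print(rel, banners)
```

Point scan_tree at the folder from step 1 to get the list of files to edit; scrub_version_banners gives the text to put back in step 6.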

Use a SEF component

Most hackers use the Google inurl: command to search for URLs that reveal a vulnerable extension. Use Artio, SH404SEF or another SEF component to rewrite your URLs and prevent hackers from finding the exploits this way.

Additionally, you'll get a higher rank in Google when using search engine friendly URLs.

Keep Joomla! and extensions up to date

This one is pretty obvious. Always check for the latest versions of Joomla! and the extensions you're using. Most vulnerabilities are resolved in later versions.

Use the correct CHMOD for each folder and file

Setting files or folders to CHMOD 777 or 707 is only necessary when a script needs to write to that file or directory. All other files and folders should have the following permissions:

  • PHP files: 644
  • Config files: 666
  • Other folders: 755
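To check a site against this list, the audit below is an added example (not code from the article or from Joomla) that walks the web root, reports every file or folder whose mode differs from the policy, and separately lists everything that is world-writable (777, 707 and similar), since the article allows that only where a script really has to write. The POLICY table encodes the article's values for PHP files and folders; the config-file entry can be added to it in the same way. The sample tree it builds is constructed.

```python
import os
import stat
import tempfile

# Expected modes taken from the article's list. Add more entries for other
# file types, e.g. POLICY["configuration.php"] = 0o666 for the config file.
POLICY = {"<dir>": 0o755, ".php": 0o644}


def expected_mode(path, policy=POLICY):
    """Policy mode for path: exact file name first, then extension; None if unlisted."""
    if os.path.isdir(path):
        return policy["<dir>"]
    name = os.path.basename(path)
    return policy.get(name, policy.get(os.path.splitext(name)[1].lower()))


def audit_permissions(root, policy=POLICY):
    """Return (mismatches, world_writable) for everything below root.

    mismatches: [(relpath, actual, expected)] where the mode deviates from policy.
    world_writable: paths anyone on the server may write to (777, 707, 666, ...),
    which should exist only where a script really has to write.
    """
    mismatches, world_writable = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & stat.S_IWOTH:
                world_writable.append(rel)
            want = expected_mode(path, policy)
            if want is not None and mode != want:
                mismatches.append((rel, oct(mode), oct(want)))
    return sorted(mismatches), sorted(world_writable)


def apply_policy(root, policy=POLICY):
    """chmod every mismatch to its policy mode; returns the paths that were changed."""
    changed = []
    for rel, _actual, want in audit_permissions(root, policy)[0]:
        os.chmod(os.path.join(root, rel), int(want, 8))
        changed.append(rel)
    return changed


def build_sample_tree():
    """Constructed Joomla-like tree with two correct and two over-permissive entries."""
    root = tempfile.mkdtemp(prefix="joomla_")
    entries = [("components", 0o755, None), ("images", 0o777, None),
               ("index.php", 0o644, "<?php\n"), ("components/upload.php", 0o777, "<?php\n")]
    for rel, mode, body in entries:
        path = os.path.join(root, rel)
        if body is None:
            os.mkdir(path)
        else:
            with open(path, "w") as fh:
                fh.write(body)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("mismatches:", audit_permissions(root)[0])
    print("world-writable:", audit_permissions(root)[1])
```

Review the world-writable list by hand before running apply_policy: a folder that an upload or cache component genuinely writes to must keep its write bit, and the policy only knows about the modes listed above.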

Delete leftover files

When you have installed an extension that you didn't like, don't just set the extension to unpublished. If you do, the vulnerable files will still be on your website. So simply use the uninstall function to get rid of the extension completely.

Change your .htaccess file

Add the following lines to your .htaccess file to block out some common exploits.

 
########## Begin - Rewrite rules to block out some common exploits
#
# mod_rewrite must be enabled; leave this line out if your .htaccess already has it
RewriteEngine On
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2}) [OR]
# Block out any script that tries to set CONFIG_EXT (com_extcal2 issue)
# (the [ must be escaped as \[ ; an unescaped [ is an invalid regex and gives a 500 error)
RewriteCond %{QUERY_STRING} CONFIG_EXT(\[|%20|%5B).*= [NC,OR]
# Block out any script that tries to set sbp or sb_authorname via URL (simpleboard)
RewriteCond %{QUERY_STRING} sbp(=|%20|%3D) [OR]
RewriteCond %{QUERY_STRING} sb_authorname(=|%20|%3D)
# Send all blocked requests to index.php with a 403 Forbidden error
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits
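To see what these rules actually block before putting them live, here is an added example (not code from the article or from Joomla) that mirrors each RewriteCond pattern in Python, applies them to the raw, still percent-encoded query string the way mod_rewrite does, and runs them over a few constructed access-log lines. The rule names are my own, and the patterns use the escaped \[ and \( forms, because an unescaped [ is exactly what turns the CONFIG_EXT rule into a 500 error in Apache.

```python
import re
from urllib.parse import urlsplit

# Python counterparts of the RewriteCond patterns above. [NC] becomes
# re.IGNORECASE; a rule without the flag stays case-sensitive.
BLOCK_RULES = [
    ("mosConfig via URL", r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)", 0),
    ("base64_encode via URL", r"base64_encode.*\(.*\)", 0),
    ("script tag in URL", r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),
    ("GLOBALS via URL", r"GLOBALS(=|\[|%[0-9A-Z]{0,2})", 0),
    ("_REQUEST via URL", r"_REQUEST(=|\[|%[0-9A-Z]{0,2})", 0),
    ("CONFIG_EXT (com_extcal2)", r"CONFIG_EXT(\[|%20|%5B).*=", re.IGNORECASE),
    ("sbp (simpleboard)", r"sbp(=|%20|%3D)", 0),
    ("sb_authorname (simpleboard)", r"sb_authorname(=|%20|%3D)", 0),
]

# Compiling up front is the equivalent of Apache parsing .htaccess: an
# unbalanced "[" raises re.error here, just as it yields a 500 error there.
COMPILED_RULES = [(name, re.compile(pattern, flags)) for name, pattern, flags in BLOCK_RULES]


def matched_rules(query_string):
    """Names of the rules that would fire for this raw query string."""
    return [name for name, rx in COMPILED_RULES if rx.search(query_string)]


def is_blocked(query_string):
    return bool(matched_rules(query_string))


# Constructed access-log lines in Apache common log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jun/2008:17:40:53 +0200] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 5123
203.0.113.9 - - [14/Jun/2008:17:41:10 +0200] "GET /index.php?option=com_content&mosConfig_absolute_path=x HTTP/1.1" 200 5123
203.0.113.9 - - [14/Jun/2008:17:41:11 +0200] "GET /index.php?option=com_search&searchword=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def scan_access_log(lines):
    """Return [(client_ip, request_path, rule_names)] for requests the rules would block.

    Useful both for finding probes in old logs that arrived before the rules were
    in place and for spotting legitimate URLs the rules would reject.
    """
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        rules = matched_rules(urlsplit(match.group(1)).query)
        if rules:
            hits.append((line.split(" ", 1)[0], match.group(1), rules))
    return hits


if __name__ == "__main__":
    for ip, path, rules in scan_access_log(SAMPLE_LOG.splitlines()):
        print(ip, path, ", ".join(rules))
```

Run scan_access_log over a week of your real access log before enabling the rules: any hit on a URL you know to be legitimate (for example a component that really has a parameter called sbp) is a request the .htaccess rules will start refusing with a 403.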

For more Joomla! security tips, you can read the following:

Keep an eye on websites listing Joomla! vulnerabilities:

If you have more tips to enhance the security of Joomla!, I would really like to hear them.



Comments
Enrico   2008-06-14 17:40:53
Thanks for the tips. However, point 6 of 'Change the default database prefix (mf_)' isn't so clear:

- When done, select all code and copy it to notepad (or any other text editor)
What code should I select? Do I have to open the dumped .sql file with notepad? :dry:

Thanks.
Marco - Yes!   2008-06-15 15:44:13
By default, the export compression of phpMyAdmin is set to "none". When doing this, you get the SQL dump shown on the website instead of a .sql file.

If you can't view the SQL code dump, you can indeed retrieve your .sql file and open / change it with notepad.

Good luck!
dennyhalim.com - block bad agent   2008-06-15 02:11:52
Block bad user agents:
http://it.dennyhalim.com/2008/06/ultimate-htaccess-blacklist.html
Marco - Thanks!   2008-06-15 15:46:32
Hi Denny,

Thanks for your input! I checked out the list and it really looks amazing.

There's just one reason I'm not adding it to the list: the htaccess is for all websites, and these tips are purely for Joomla! only. Great share anyway!

Greetings,
Friso   2008-06-16 09:38:54
You can also protect the administrator folder;
here is a tutorial for cPanel.
greta   2009-02-20 02:52:09
Bad link URL
Kleine Smurf - Good   2008-06-15 21:44:23
Thanks Marco for the tips :cheer:
bahareh   2008-08-25 08:12:01
Hi. I want to change my database prefix, but after saving the database prefix I got this error:
jtablesession::store failed
DB function failed with error number 1146
Table 'tabs.tab_session' doesn't exist SQL=INSERT INTO tab_session ( `session_id`,`time`,`username`,`gid`,`guest`,`client_id` ) VALUES ( '6b6282a706bb72ccbabf2adf59f1af18','1219647789','','0','1','1' )

What can I do?
Thanks.
Enrico - Applied but ERROR!   2008-08-31 10:02:51
Hi again Marco,

Today I've decided to apply the 'change mf_ prefix' tip.

However, when I paste the MySQL code, it starts the process, but after some minutes I have this message displayed:

#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'INSERT INTO `NEPREFIX_content` (`id`, `title`, `title_alias`, `introtext`, `fullt' at line 2

Any help, please?

Thanks
Marco - What did you do?   2008-08-31 15:23:21
What exactly did you do? Shouldn't the NEPREFIX_content be "NEWPREFIX_content"?

Please contact me through the contact form so you can send me your .SQL file so I can check.

Greetings,
Enrico - re: What did you do?   2008-08-31 16:36:53
Marco wrote:
  What exactly did you do? Shouldn't the NEPREFIX_content be "NEWPREFIX_content"?

  Please contact me through the contact form so you can send me your .SQL file so I can check.

  Greetings,

Nothing special. I've simply followed the steps:
downloaded the SQL, changed the prefix, but when I paste the 'new' SQL code and click Start... after some minutes (because my SQL is 40 MB big) I got that message displayed.

Yep, neprefix is just an example. I didn't write the real new prefix here.

;-)
Marco - Strange   2008-08-31 20:09:57
Hmm, that's pretty strange indeed. I've checked your SQL code and it doesn't contain any errors.

Could you check if your phpMyAdmin allows importing such big scripts (40 MB)? You can also try copy-pasting the create / insert statements for each table separately.

Good luck!

Greetings,
Maik Kaune - Extension for changing the table prefix!   2008-09-07 13:03:30
Joomla 1.0.x extension! :idea:
Change the default (and custom!) table prefix.

Anyone with a J!1.5 version? :?:
CU
Sunlust Designs - Good tips   2008-09-09 15:02:20
Just recently my Joomla website got hacked. Thanks for the tips mate, I'll put them to good use.
shiva   2008-09-27 11:19:14
Very useful information. Thank you! :cheer:
Mark - Mark Ivon   2008-11-21 07:47:30
Excellent tutorial for Joomla security.
Jamp Mark - Helpful   2009-01-10 13:31:15
Nice to know all those things, especially the CHMOD thing.
Thanks
Durga Prasad - Good Stuff   2009-01-12 05:37:43
Really good stuff to be secure.
mark - not really "security" tips but...   2009-04-13 06:26:33
These are not really "security" tips.

Using a non-default database prefix doesn't mean much, as, if there is an exploit that gives them SQL access, they can issue a query that can tell them the names of the tables in the database.

Changing the version string (now using version 1.1 of Docman, for instance) may be a feature that allows you to not catch the eye of a little hacker bastard who is visiting your site, so he won't go "hey! I got an exploit for the version he's using, yippee!"
In that case, you're better off removing the "Docman" part of it as well! Since people throw the exploits at any/every thing to see what sticks - and that is where the real part of security comes in:
determining and detecting if your site is being probed by a hacker looking for exploits or loopholes.
With jQuery and the like, our sites are WAAAAAAY more prone to cross-site scripting and other dangers than EVER before. Exploits that were once impossible ("as there is nothing you can really do in 300 bytes of JavaScript") are now possible if the target is running jQuery.

Also, with a tool like Firebug, a hacker may do something like this scenario:

"Ajax and PHP based file browser.
// JavaScript has some init variables.
...
var basdir = '/home/dev/mysite/uploads'

..... Now when the page for the script loads, the user can fire up Firebug and the JavaScript console, and
say basdir = '/home/dev/security'

Now when the user continues the execution, the Ajax passes the parameter to the PHP code on the server and browsing starts from the ....SECURITY folder."

Tomorrow I will go into this in more detail and how you can secure apps against this additional vector.
Marco - Thanks!   2009-04-16 07:48:36
Hi Mark,

Thanks for your comment.

You're right about the fact that real hackers can do a lot to take your website down. The "changing database prefix" tip is to prevent SQL injections - they'll need to know the database name. If there is an exploit in any extension, they can retrieve the database password etc., so it'll still be dangerous.

Anyway, thank you for sharing your thoughts!
goldy - see its hack i think   2009-04-18 21:36:32
http://www.ajitweekly.com/index.php?option=com_content&task=view&id=6227&Itemid=1

When we click it, it opens some other site <img src=hock:' />
Genex Business Solutions - Web Security is Important   2009-06-06 11:44:31
Thank you for the information on securing Joomla websites. Auto scanners on the Internet are always looking for website loopholes to hack them. Since Joomla is a largely used web management system, and hackers know how it's built, they know where and how to attack. Changing table names in the database, securing the htaccess file and turning register globals and allow URL fopen gives you a great deal of security.

Additionally, we are working to set up a private firewall on our websites to track and monitor every request at our website. I think it's time to close the website entrance for everyone and strictly monitor who is coming to our websites and why!
Abdul Mannan - Login Security?   2009-11-01 23:44:14
Hello,

I saw a plugin called 'Secure Login Plugin'. The developer says that it encrypts the username/password before sending them over the internet and makes both front and back end login safe.

I am really keen on security. Is it something important to buy? I don't have SSL.

Thanks.
Abdul Mannan - Login Security?   2009-11-01 23:45:45
By the way, here is the link if someone needs to see it: http://codingmall.com/products-mainmenu-8/37-secure-login-plugin-without-ssl
Akanke - Changing Prefix - Step 9   2009-11-02 10:40:00
Hi,

Something didn't work for me. The query part is not clear. When I select "SQL" the query window comes up as one open box. Then I paste all my code there and click "Go". Then I get an error message:

Error

SQL query:

--
-- Database: `information_schema`
--
CREATE DATABASE `information_schema` DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;

MySQL said: Documentation
#1044 - Access denied for user 'manajoomla2'@'%' to database 'information_schema'

Can you tell me what I may have done wrong?
Chris - Thank you   2009-11-11 14:54:23
Thank you for the information. It seems that someone is trying to access my website.
donold - Thank you   2009-12-05 05:46:26
This is really nice information. I must say thank you by heart once again. Please keep on updating and send me.

Thanks
website design   2009-12-17 07:28:11
What a nice blog dear. I have never seen such a quite attractive and useful blog. I will pray for your success and also appreciate you for the great step that you have taken toward your bright future.

Thanks a lot again.
husteng   2010-02-13 11:28:48
Thanks for the info
syrakozz - other site for listing Joomla! vulnerabilities:   2010-02-19 10:35:31
The site is
http://www.exploit-db.com/
It's very up to date.
aviko oloo   2010-06-28 09:36:46
Thanks for the post, it was a life saver.
Marius - problems with .htaccess   2010-07-02 12:00:06
Change your .htaccess file

Add the following lines to your .htaccess file to block out some common exploits.
_________________________________
Well, I tried this tip and after refreshing my page I got a 500 internal server error. Then I removed that code from my .htaccess and the error was gone. What was wrong in that code that made that error appear?
bitstomper   2010-07-14 21:26:29
The code that causes a 500 internal server error is:

# Block out any script that tries to set CONFIG_EXT (com_extcal2 issue)
RewriteCond %{QUERY_STRING} CONFIG_EXT([|%20|%5B).*= [NC,OR]

So leave this out of your htaccess file.
Alan   2010-07-23 00:58:55
Outstanding, Thanks!
Anonymous - seo   2010-07-28 09:38:15
Thanks man
About USA Basketball - About USA Basketball   2010-08-24 07:54:48
2010ZQ
About USA Basketball: Based in Colorado Springs, Colo., USA Basketball is a nonprofit organization and the national governing body for men's and women's basketball in the United States.
Uphichet   2010-09-26 13:27:20
Thanks!
Please let me get the clear picture with config files. Can you give me some examples?
How about other files such as picture files and so forth?
Regards,
UPhichet
eddy mania - thanks for sharing   2010-11-16 09:19:16
Hi Marco,

Thanks for sharing your tips to improve Joomla security. Another 'tips article' for Joomla can be found here for those who are interested: http://hubpages.com/hub/Joomla_Security

Also, I think installing a security plugin like http://www.blitzgeek.com/products/JHP or RSJoomla should be part of this document.

Best wishes,

Eddy
hostgator - hostgator   2011-02-12 23:02:02
Thank you so much,

Can I share that article on my website? If you allow it, please contact me.
Thanks again...
Ron - Reset   2011-02-21 22:28:56
Followed the advice for changing the prefix in the database. Made the change in Global Configuration and now my site is completely down. Even a restore from a backup doesn't help. I'm using Joomla 1.5

Any thoughts? I can't see my site. I can't even get the logon window for Joomla. Have restored site and database and nothing works.
Ron - Reset continued   2011-02-22 01:53:09
http://help.joomla.org/content/view/51/153/1/4/

Well, that's the answer right there... never, never change the prefix before it exists in the database.

Explains my problem.
Helen - Thank you for nice article   2011-03-07 18:04:57
:arrow: I really enjoy this article, I got lots of knowledge, and updated my knowledge about programming.
hayden   2011-04-12 05:11:07
http://extensions.joomla.org/extensions/hosting-a-servers/database-management/14895

Modern 1.6/1.5 compatible prefix changer
ITGenes - Wonderful Information   2011-04-12 19:08:08
I just want to drop a thanks note to the author of this post. This post in fact helped me and my team to secure our 20s of Joomla sites from several hacks, while un-optimized Joomla sites were hacked or injected at the same time.
Besto - thnxxxxx   2011-04-25 04:14:00
Hi marco folio;

:lol: Nice work
Sifur Rahman - Joomla! tutorials, Web directory site list & blog   2011-05-08 05:10:33
Thanks, it is very useful for any Joomla website.
helga - S.O.S .htaccess tweak killed my site   2011-06-04 19:19:55
OH MY GOD! I ADDED THIS CODE TO MY .HTACCESS AND ALL MY SITES ON MY SERVER ARE NOW D-E-A-D
What happened? Please help
Kelechi - Thank you very much!   2011-08-15 19:45:10
God bless the brain that produced this article and feed him more, also refresh him more with milk and honey. I thought of this method of changing the database prefix but was sort of confused. But this article helped me a million.

Other sites were giving me the option to do it manually, which I did on localhost (on my laptop) and was successful, or to use a rename.php script, which is also okay for speed. But with this, should I call it "automatic-manual", it works like a charm.

It worked perfectly. I changed it successfully.
makin - after hacked now I can't log in to my administrator   2011-09-17 10:17:11
This week I really 'battled' with a hacker, Joomla 1.5 www.teamspeedline.com
First he changed my template index.php => I found & replaced it
Then I improved with installing the plugin jSecure
Now I don't know what he hacked, but I can't log in to my administrator site. I can not log in even though I already know the username & password (via phpMyAdmin)
So what is the next file hacked by the hacker while the website displays normally??
Help me please
Note: after inputting the right username & password => error message
seo training delhi - SEO Training Delhi   2011-09-18 13:32:40
Some days ago someone hacked my Joomla 1.5 site index page... and while searching for how to remove that I got your article, and I got very useful security points from here for my future sites...
seo training delhi - seo training delhi   2011-09-18 13:34:14
seo training delhi
Mamum - Thanks   2011-11-03 19:36:47
First of all I want to thank you from the core of my heart... what an outstanding article. Sir, I am using one of the plugins (jomdefender) to prevent hacking of my site (http://www.e-opensources.com/). Is this enough for my site?

Please mail me. I will be glad if you contact me. Please

Thanks

Mamun
sakuramann - Thanks!   2011-12-08 06:49:36
Thank you so much for the information. You saved me a great deal of labour and time! I appreciate it so much...
Jim - use .htaccess in administrator folder   2012-01-02 10:50:48
Add this .htaccess file to the Joomla administrator directory.

It will block out everyone bar your IP address.

#####################################################
# READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations. It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that disallows changing it in
# your .htaccess file. If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your SEF URLs. If they work,
# it has been set by your server administrator and you do not need it set here.
#
#####################################################

## Can be commented out if it causes errors, see notes above.
# Options +FollowSymLinks

#
# mod_rewrite in use

RewriteEngine On

RewriteCond %{HTTP_REFERER} zone-h\.org [NC,OR]
#RewriteRule .* - [F]

# Deny everyone except the address on the Allow line
Order Deny,Allow
Deny from all
Allow from 100.100.100.100
Anonymous   2012-01-02 10:52:06
Replace 100.100.100.100 with your IP address.
jahirul islam - thanks   2012-01-07 04:30:14
Wowow :woohoo: :woohoo: ... what an outstanding article, which is very much helpful to prevent hacking. Can you tell me how I can prevent my WordPress site (http://ebanglanewspaper.com) from hacking? Thanks a lot sir.
PHP Developer - PHP Development   2012-01-25 12:04:49
Great effort.. very nice information provided by the author.. thanks for sharing
Tam Ngo - I want to share it   2012-02-06 10:32:35
Oh, amazing article. I want to share it on my FB fan page, sure people will like it. That's what Joomla admins need.
joomlaserviceprovider - security for joomla   2012-03-07 11:46:14
jSecure hides your Joomla administrator URL with a special key so that only you can access it. The problem with Joomla is that anyone can tell if your site is Joomla by simply typing in the default URL to the administration area (i.e. www.yoursite.com/administrator). jSecure helps you hide the fact that your website is built with Joomla from prying eyes.

Check out jSecure in action here: http://www.joomlaserviceprovider.com/
Janyson   2012-04-29 13:30:09
htaccess is a powerful file to secure a Joomla site, thanks for the wonderful tips.
deoptimist   2012-12-07 23:45:12
You are the best sir. Please, how do I go about changing the extensions' version numbers and names? Please give me step by step. Thanks sir
deoptimist   2012-12-07 23:51:30
Please, you mentioned "Retrieve all files of the extension from your server" as the first step in changing extension files. Please, how do I retrieve all files of the extension from my server? I would also love to know how to get the htaccess file. Thank you very much
turgut kalfaoglu - what about forum image uploads?   2013-01-27 21:50:37
I recently came across a site that was hacked by uploading a GIF-looking file into its /images/stories folder. The beginning of the file looks like a GIF, with the correct signature, but under that there is some creepy kid's eval(....) code..

What can be done to prevent such hacks?
Raj - /images/stories/ hacked   2013-03-22 08:34:41
Hi all, I'm using Joomla 1.5.26 and it was hacked recently by using /images/stories/nwo.php. Could you please let me know how you would stop this kind of attack.
Vishal gupta - SEO training   2013-05-24 08:41:53
For SEO training by professionals call: +91-9873838243
Visit us: