Last April Fools I made a joke that my website was hacked and turned upside down. When your website is really hacked, there's nothing funny about it.

Joomla! is a great CMS that is used worldwide. For this reason, hackers often try to find a way to hack a Joomla! website. Here are 7 tips to optimize your Joomla! security, preventing your Joomla! website getting hacked.

Always remember to make a regular backup of your website and database. If you still get hacked, you can always get back to an older version of your website. Make sure you find out which extension caused the vulnerability and un-install it.

Change the default database prefix (jos_)

Most SQL injections that are written to hack a Joomla! website, try to retrieve data from the jos_users table. This way, they can retrieve the username and password from the super administrator of the website. Changing the default prefix into something random, will prevent (most / all) SQL injections.

You can set the database prefix when installing your Joomla! website. If you've already installed Joomla! and want to change your prefix, do the following:

1. Log on to your Joomla! back-end.
2. Go to your global configuration and search for the database
3. Change your database prefix (Example: fdasqw_) and press Save.
4. Go to phpMyAdmin to access your database.
5. Go to export, leave all default values and press Start. Exporting the database can take a while.
6. When done, select all code and copy it to notepad (or any other text editor)
7. In phpMyAdmin, select all tables and delete them
8. In notepad, do a Search & replace (Ctrl + H). Set the searchterm to jos_ and change it into your new prefix (Example: fdasqw_). Press "Replace all".
9. Select everything in your notepad file and copy it. In phpMyAdmin, go to SQL, paste the queries and press Start.

Remove version number / name of extensions

Most vulnerabilities only occur in a specific release of a specific extension. Showing MyExtension version 2.14 is a really bad thing. You can modify this message to only the name of the extension by doing the following:

1. Retrieve all files of the extension from your server.
2. Open up Dreamweaver.
3. Load any file from the extension that you just downloaded to your local machine.
4. Use the Search function and set the search to Search through specified folder. Navigate to the folder where you downloaded the exploit to.
5. Set the search term to "MyExtension version 2.14" and press OK.
6. When found the correct file, remove the version number.
7. Upload the changed file to your server and check if the changes are made.

Use a SEF component

Most hackers use the Google inurl: command to search for a vulnerable exploit. Use Artio, SH404SEF or another SEF component to re-write your URL's and prevent hackers from finding the exploits.

Additionally, you'll get a higher rank in Google when using search engine friendly URL's.

Keep Joomla! and extensions up to date

This one is pretty obvious. Always check for the latest versions of Joomla! and the extensions you're using. Many vulnerabilities are resolved most of the times in later versions.

Use the correct CHMOD for each folder and file

Setting files or folders to a CHMOD of 777 or 707 is only necessary when a script needs to write to that file or directory. All other files should have the following configuration:

• PHP files: 644
• Config files: 666
• Other folders: 755

Delete leftover files

When you installed an extension that you didn't like, don't set the extension to unbublished. If you do, the vulnerable files will still be on your website. So simply use the un-install function to totally get rid of the extension.

Change your .htaccess file

Add the following lines to your .htaccess file to block out some common exploits.

 
########## Begin - Rewrite rules to block out some common exploits
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
# Block out any script that includes a < script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2}) [OR]
# Block out any script that tries to set CONFIG_EXT (com_extcal2 issue)
RewriteCond %{QUERY_STRING} CONFIG_EXT([|%20|%5B).*= [NC,OR]
# Block out any script that tries to set sbp or sb_authorname via URL (simpleboard)
RewriteCond %{QUERY_STRING} sbp(=|%20|%3D) [OR]
RewriteCond %{QUERY_STRING} sb_authorname(=|%20|%3D)
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

For more Joomla! security tips, you can read the following:

• Joomla Administrators Security Checklist
• Visit the Joomla! security forums (1.0 and 1.5)

Keep an eye on websites listing Joomla! vulnerabilities:

• Secunia
• FrSIRT
• Milw0rm

If you have more tips to enhance the security of Joomla!, I would really like to hear them.

Interested in this topic? You might enjoy another article I've written called

• Enable Gravatar support in !JoomlaComment
• mfSlideBar: Sliding sidebar for Joomla modules
• mfDropCaps: Add your own drop caps to your Joomla articles
• mfReferral: Give your visitors a personal message
• mfBeer: A PayPal donation plugin for Joomla!

Comments

Add New Search RSS

Enrico   | 82.60.157.xxx | 2008-06-14 17:40:53 Thanks for the tips. However point 6 of 'Change the default database prefix (jos_)' isn't so clear: - When done, select all code and copy it to notepad (or any other text editor) What code should I select? Do I have to open the dumped .sql file with notepad? Thanks. Reply | Quote 0   0

Marco - Yes!   | 62.194.187.xxx | 2008-06-15 15:44:13 By default, the export compression of phpMyAdmin is set to "none". When doing this, you get the SQL dump shown on the website instead of a .sql file. If you can't view the SQL code dump, you can indeed retrieve your .sql file and open / change it with notepad. Good luck! Reply | Quote 1   0

dennyhalim.com - block bad agent   | 202.155.92.xxx | 2008-06-15 02:11:52 block bad user agents http://it.dennyhalim.com/2008/06/ultimate-htaccess-blacklist.html Reply | Quote 1   0

Marco - Thanks!   | 62.194.187.xxx | 2008-06-15 15:46:32 Hi Denny, Thanks for your input! I checked out the list and it really looks amazing. There's just one reason I'm not adding it to the list: The htaccess is for all websites, and these tips are purely based for Joomla! only. Great share anyway! Greetings,,, Reply | Quote 0   0

Friso   | 82.168.37.xxx | 2008-06-16 09:38:54 You can also protect the administrator folder; here is a tutorial for cpanel. Reply | Quote 1   0

Kleine Smurf - Good   | 217.136.144.xxx | 2008-06-15 21:44:23 Tnx Marco for the tips Reply | Quote 0   0

Read more...
Name:
Email:	do not notifynotify Gravatar enabled.
Website:
Title:
UBBCode:	-color-aquablackbluefuchsiagraygreenlimemaroonnavyolivepurpleredsilvertealwhiteyellow -size-tinysmallmediumlargehuge
	Please input the anti-spam code that you can read in the image.

Unsubscribe from e-mail notifications.