7 tips to optimize Joomla! security

Last April Fools' Day I joked that my website had been hacked and turned upside down. When your website really is hacked, there's nothing funny about it.

Joomla! is a great CMS that is used worldwide. For that same reason, hackers often try to find a way into Joomla! websites. Here are 7 tips to optimize your Joomla! security and prevent your Joomla! website from getting hacked.

7 Joomla! security tips

Always remember to make regular backups of your website and database. If you do get hacked, you can always go back to an older version of your website. Make sure you find out which extension caused the vulnerability and uninstall it.

Change the default database prefix (jos_)

Most SQL injections written to hack a Joomla! website try to retrieve data from the jos_users table, because that is where they can read the username and password of the website's super administrator. Changing the default prefix to something random will prevent (most / all) of these SQL injections.

You can set the database prefix when installing your Joomla! website. If you've already installed Joomla! and want to change your prefix, do the following:

  1. Log on to your Joomla! back-end.
  2. Go to your global configuration and search for the database section.
  3. Change your database prefix (Example: fdasqw_) and press Save.
  4. Go to phpMyAdmin to access your database.
  5. Go to export, leave all default values and press Start. Exporting the database can take a while.
  6. When done, select all code and copy it to notepad (or any other text editor).
  7. In phpMyAdmin, select all tables and delete them.
  8. In notepad, do a Search & replace (Ctrl + H). Set the search term to jos_ and replace it with your new prefix (Example: fdasqw_). Press "Replace all".
  9. Select everything in your notepad file and copy it. In phpMyAdmin, go to SQL, paste the queries and press Start.
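Step 8 is a plain replace-all in a text editor, which also rewrites any literal "jos_" that happens to sit inside article text or stored data. The script below is an added example, not part of the original article: it performs the same prefix rename, but only on backtick-quoted identifiers (the way phpMyAdmin writes table and column names), and then reports which tables the dump creates and whether any old-prefix identifier is left. The sample dump, the new prefix fdasqw_ and the function names are my own assumptions.

```python
"""Rename the Joomla! table prefix inside a phpMyAdmin SQL dump.

Added example (not part of the original article). It automates the
search & replace step, but only touches backtick-quoted identifiers, so a
literal "jos_" inside article text or session data is left untouched.
"""
import re
import sys

# Constructed sample dump in phpMyAdmin's style; the last INSERT carries
# the old prefix inside ordinary text, which must NOT be rewritten.
SAMPLE_DUMP = """\
CREATE TABLE `jos_users` (
  `id` int(11) NOT NULL auto_increment,
  `username` varchar(150) NOT NULL default '',
  PRIMARY KEY  (`id`)
);
INSERT INTO `jos_users` (`id`, `username`) VALUES (62, 'admin');
CREATE TABLE `jos_content` (
  `id` int(11) NOT NULL auto_increment,
  `introtext` text NOT NULL
);
INSERT INTO `jos_content` (`id`, `introtext`) VALUES (1, 'We renamed the jos_ prefix');
"""


def rewrite_prefix(dump, old_prefix="jos_", new_prefix="fdasqw_"):
    """Return the dump with every backtick-quoted identifier that starts with
    old_prefix renamed to new_prefix. Everything else is returned unchanged."""
    if not new_prefix.endswith("_"):
        raise ValueError("the new prefix should end with an underscore, e.g. fdasqw_")
    pattern = re.compile(r"`" + re.escape(old_prefix) + r"([A-Za-z0-9_]+)`")
    return pattern.sub(lambda m: "`" + new_prefix + m.group(1) + "`", dump)


def table_names(dump):
    """Names of the tables the dump creates; handy to confirm the rename."""
    return re.findall(r"CREATE TABLE `([^`]+)`", dump)


def leftovers(dump, old_prefix="jos_"):
    """Backtick-quoted identifiers that still carry the old prefix."""
    return re.findall(r"`(" + re.escape(old_prefix) + r"[A-Za-z0-9_]*)`", dump)


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # Usage: python rename_prefix.py dump.sql renamed.sql fdasqw_
        src, dst, prefix = sys.argv[1:]
        with open(src, encoding="utf-8") as fh:
            renamed = rewrite_prefix(fh.read(), new_prefix=prefix)
        with open(dst, "w", encoding="utf-8") as fh:
            fh.write(renamed)
    else:
        renamed = rewrite_prefix(SAMPLE_DUMP)
        print(renamed)
        print("tables:", table_names(renamed))
        print("identifiers still using jos_:", leftovers(renamed))
```

Run it on the exported .sql file, then import the renamed file in step 9; `leftovers()` should come back empty before you import, and the list from `table_names()` should match what the back-end expects with the prefix you saved in step 3.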

Remove version number / name of extensions

Most vulnerabilities only occur in a specific release of a specific extension. Showing "MyExtension version 2.14" on your site is therefore a really bad idea. You can reduce this message to just the name of the extension by doing the following:

  1. Retrieve all files of the extension from your server.
  2. Open up Dreamweaver.
  3. Load any file from the extension that you just downloaded to your local machine.
  4. Use the Search function and set the search to Search through specified folder. Navigate to the folder where you downloaded the extension to.
  5. Set the search term to "MyExtension version 2.14" and press OK.
  6. When you've found the correct file, remove the version number.
  7. Upload the changed file to your server and check if the changes are made.

Use a SEF component

Most hackers use the Google inurl: operator to search for websites running a vulnerable extension. Use Artio, SH404SEF or another SEF component to rewrite your URLs so that these searches don't lead hackers to your site.

Additionally, you'll get a higher rank in Google when using search engine friendly URLs.

Keep Joomla! and extensions up to date

This one is pretty obvious. Always check for the latest versions of Joomla! and the extensions you're using; many vulnerabilities are fixed in later versions.

Use the correct CHMOD for each folder and file

Setting files or folders to CHMOD 777 or 707 is only necessary when a script needs to write to that file or directory. All other files and folders should have the following permissions:

  • PHP files: 644
  • Config files: 666
  • Other folders: 755
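Checking and applying these modes by hand across a whole Joomla! tree is error-prone, so here is an added example (my own code, not from the article or from Joomla!) that audits a directory against the list above and fixes what deviates. The constants reproduce the article's values; "Config files" is taken to mean configuration.php, which is an assumption. Note that 666 makes that file writable by every local account, so the constant is there to lower once the installer no longer needs to write it. The article gives no mode for non-PHP files, so the audit only reports those when they are world-writable and otherwise leaves them alone. The sample site tree is constructed for the example.

```python
"""Audit and apply the file modes listed above on a Joomla! tree.

Added example (not part of the original article). The constants reproduce
the article's table; the article gives no mode for non-PHP files, so those
are only reported when they are world-writable and never changed.
"""
import os
import stat
import tempfile

DIR_MODE = 0o755      # "Other folders: 755"
PHP_MODE = 0o644      # "PHP files: 644"
CONFIG_MODE = 0o666   # "Config files: 666" (world-writable; lower it to 0o644
                      # once the installer no longer needs to write the file)
CONFIG_NAMES = {"configuration.php"}   # assumption: Joomla!'s main config file


def expected_mode(path):
    """Mode the article's table prescribes for path, or None if it has no rule."""
    if os.path.isdir(path):
        return DIR_MODE
    name = os.path.basename(path)
    if name in CONFIG_NAMES:
        return CONFIG_MODE
    if name.endswith(".php"):
        return PHP_MODE
    return None


def audit(root):
    """Sorted (relative path, current mode, expected mode) for every entry that
    deviates from the table, plus world-writable entries the table does not
    cover (expected mode None for those)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue                      # never chmod through symlinks
            current = stat.S_IMODE(os.lstat(full).st_mode)
            expected = expected_mode(full)
            rel = os.path.relpath(full, root)
            if expected is not None and current != expected:
                findings.append((rel, current, expected))
            elif expected is None and current & stat.S_IWOTH:
                findings.append((rel, current, None))
    return sorted(findings)


def apply(root):
    """chmod every entry that has a rule and is wrong; return how many changed."""
    changed = 0
    for rel, _current, expected in audit(root):
        if expected is not None:
            os.chmod(os.path.join(root, rel), expected)
            changed += 1
    return changed


def build_sample_site(root):
    """Constructed sample tree with the kind of sloppy modes a scan turns up."""
    os.makedirs(os.path.join(root, "components"))
    os.makedirs(os.path.join(root, "images"))
    for rel, mode in [("index.php", 0o777), ("configuration.php", 0o644),
                      ("components/helper.php", 0o644), ("images/logo.png", 0o666)]:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
        os.chmod(os.path.join(root, rel), mode)
    os.chmod(os.path.join(root, "components"), 0o755)
    os.chmod(os.path.join(root, "images"), 0o777)


def demo():
    """Build the sample site in a temp dir: audit, fix, audit again."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        before = audit(root)
        changed = apply(root)
        after = audit(root)
    return before, changed, after


if __name__ == "__main__":
    before, changed, after = demo()
    for rel, current, expected in before:
        wanted = "no rule" if expected is None else format(expected, "o")
        print(f"{rel}: {current:o} -> {wanted}")
    print(f"changed {changed} entries, remaining findings: {after}")
```

Point `audit()` at your site root first and read the findings before calling `apply()`; anything listed with expected mode None (such as the world-writable logo.png in the sample) is for you to decide, since the article's table has no rule for it.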

Delete leftover files

When you've installed an extension that you don't want to keep, don't just set it to unpublished: the vulnerable files will still be on your website. Use the uninstall function instead to get rid of the extension completely.

Change your .htaccess file

Add the following lines to your .htaccess file to block out some common exploits.

 
# These rules need mod_rewrite enabled (RewriteEngine On) earlier in the file.
########## Begin - Rewrite rules to block out some common exploits
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script that tries to set CONFIG_EXT (com_extcal2 issue)
RewriteCond %{QUERY_STRING} CONFIG_EXT(\[|\%20|\%5B).*= [NC,OR]
# Block out any script that tries to set sbp or sb_authorname via URL (simpleboard)
RewriteCond %{QUERY_STRING} sbp(=|\%20|\%3D) [OR]
RewriteCond %{QUERY_STRING} sb_authorname(=|\%20|\%3D)
# Send all blocked requests to the homepage with a 403 Forbidden error
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits
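Before putting rules like these live, it pays to replay them over sample query strings and see exactly which requests they stop and which ordinary Joomla! requests they let through. The script below is an added example, not from the article or from Joomla!: it re-implements the eight conditions above as Python regular expressions (Apache evaluates them with PCRE, and for these particular patterns Python's re module gives the same answers), applies them to constructed query strings the way Apache sees QUERY_STRING (raw, not URL-decoded, which is why the rules spell out %3C, %3E and %3D), and reports which rule, if any, would fire. The sample query strings, the rule labels and the function names are my own.

```python
"""Replay the article's RewriteCond rules against sample query strings.

Added example (not from the article or from Joomla!). Each tuple is
(label, pattern, flags) in the same order as the .htaccess block; [NC] is
Apache's case-insensitive flag, everything else is case-sensitive.
"""
import re

RULES = [
    ("mosConfig",     r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)",   0),
    ("base64_encode", r"base64_encode.*\(.*\)",               0),
    ("script tag",    r"(\<|%3C).*script.*(\>|%3E)",          re.IGNORECASE),
    ("GLOBALS",       r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})",       0),
    ("_REQUEST",      r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})",      0),
    ("CONFIG_EXT",    r"CONFIG_EXT(\[|\%20|\%5B).*=",         re.IGNORECASE),
    ("sbp",           r"sbp(=|\%20|\%3D)",                    0),
    ("sb_authorname", r"sb_authorname(=|\%20|\%3D)",          0),
]
COMPILED = [(label, re.compile(pattern, flags)) for label, pattern, flags in RULES]


def blocking_rule(query_string):
    """Label of the first rule that matches, or None when the request passes.
    RewriteCond is an unanchored search, hence re.search rather than re.match."""
    for label, regex in COMPILED:
        if regex.search(query_string):
            return label
    return None


# Constructed sample query strings: ordinary Joomla! traffic that must pass,
# followed by the request shapes the rules are written to stop.
SAMPLES = [
    "option=com_content&task=view&id=6227&Itemid=1",
    "option=com_search&searchword=javascript+tutorial",
    "mosConfig_absolute_path=http://example.invalid/x",
    "option=com_content&text=base64_encode(abc)",
    "searchword=%3Cscript%3Ealert(1)%3C/script%3E",
    "GLOBALS[foo]=bar",
    "_REQUEST%5Bfoo%5D=bar",
    "sb_authorname%3Dsomeone",
]


def classify(samples=SAMPLES):
    """Map each query string to the rule that blocks it (None = passes)."""
    return {qs: blocking_rule(qs) for qs in samples}


def passing(samples=SAMPLES):
    """The query strings no rule matches; check that legitimate ones are here."""
    return [qs for qs in samples if blocking_rule(qs) is None]


if __name__ == "__main__":
    for qs, rule in classify().items():
        print(f"{'pass' if rule is None else 'BLOCK':5} {rule or '':14} {qs}")
```

The two search requests pass because the script-tag rule needs a literal or encoded angle bracket on both sides of "script", not just the word; if you add rules of your own, drop a few real query strings from your access log into `SAMPLES` and make sure `passing()` still returns them.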

For more Joomla! security tips, you can read the following:

Keep an eye on websites listing Joomla! vulnerabilities:

If you have more tips to enhance the security of Joomla!, I would really like to hear them.


Tags:  security hacked joomla tips


Comments
Enrico   2008-06-14 17:40:53
Thanks for the tips. However, point 6 of 'Change the default database prefix (mf_)' isn't so clear:

- When done, select all code and copy it to notepad (or any other text editor)
What code should I select? Do I have to open the dumped .sql file with notepad? :dry:

Thanks.
Marco - Yes!   2008-06-15 15:44:13
By default, the export compression of phpMyAdmin is set to "none". When doing this, you get the SQL dump shown on the website instead of a .sql file.

If you can't view the SQL code dump, you can indeed retrieve your .sql file and open / change it with notepad.

Good luck!
dennyhalim.com - block bad agent   2008-06-15 02:11:52
Block bad user agents:
http://it.dennyhalim.com/2008/06/ultimate-htaccess-blacklist.html
Marco - Thanks!   2008-06-15 15:46:32
Hi Denny,

Thanks for your input! I checked out the list and it really looks amazing.

There's just one reason I'm not adding it to the list: The htaccess is for all websites, and these tips are purely based for Joomla! only. Great share anyway!

Greetings,,,
Friso   2008-06-16 09:38:54
You can also protect the administrator folder;
here is a tutorial for cPanel.
greta   2009-02-20 02:52:09
Bad link URL.
Kleine Smurf - Good   2008-06-15 21:44:23
Tnx Marco for the tips :cheer:
bahareh   2008-08-25 08:12:01
Hi. I want to change my database prefix, but after saving the database prefix I got this error:
.jtablesession::store failed
DB function failed with error number 1146
Table 'tabs.tab_session' doesn't exist SQL=INSERT INTO tab_session ( `session_id`,`time`,`username`,`gid`,`guest`,`client_id` ) VALUES ( '6b6282a706bb72ccbabf2adf59f1af18','1219647789','','0','1','1' )

what can I do?
Thanks.
Enrico - Applied but ERROR!   2008-08-31 10:02:51
Hi again Marco,

today I've decided to apply the 'change mf_ prefix' tip.

However, when I paste the MySQL code, it starts the process but after some minutes I have this message displayed:

#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'INSERT INTO `NEPREFIX_content` (`id`, `title`, `title_alias`, `introtext`, `fullt' at line 2


Any help, please?

Thanks
Marco - What did you do?   2008-08-31 15:23:21
What exactly did you do? Shouldn't the NEPREFIX_content be "NEWPREFIX_content"?

Please contact me through the contact form so you can send me your .SQL file so I can check.

Greetings,,
Enrico - re: What did you do?   2008-08-31 16:36:53
Marco wrote:
What exactly did you do? Shouldn't the NEPREFIX_content be "NEWPREFIX_content"?

Please contact me through the contact form so you can send me your .SQL file so I can check.

Greetings,,

Nothing special. I've simply followed the steps:
downloaded sql, changed prefix, but when I paste the 'new' sql code and click start....after some minutes ('cause my sql is 40mb big) I got that message displayed.

Yes, neprefix is just an example. I didn't write the real new prefix here.

;-)
Marco - Strange   2008-08-31 20:09:57
Hmhm, that's pretty strange indeed. I've checked your SQL code and it doesn't contain any errors.

Could you check if your phpMyAdmin allows importing such big scripts (40 MB)? You can also try copy-pasting the create / insert for each table separately.

Good luck!

Greetings,,,
Maik Kaune - Extension for changing the table prefix !   2008-09-07 13:03:30
Joomla 1.0.x Extension! :idea:
Change default(and custom!) table prefix .

Anyone with a J!1.5 version? :?:
CU
Sunlust Designs - Good tips   2008-09-09 15:02:20
Just recently my Joomla website got hacked. Thanks for the tips mate, I'll put them to good use.
shiva   2008-09-27 11:19:14
Very useful information. Thank you! :cheer:
Mark - Mark Ivon   2008-11-21 07:47:30
Excellent tutorial for Joomla security.
Jamp Mark - Helpful   2009-01-10 13:31:15
Nice to know all those things, especially the CHMOD thing.
thanks
Durga Prasad - Good Stuff   2009-01-12 05:37:43
Really good stuff to be secure.
mark - not really "security" tips but...   2009-04-13 06:26:33
These are not really "security" tips.

Using a non-default database prefix doesn't mean much, as, if there is an exploit that gives them SQL access, they can issue a query that tells them the names of the tables in the database.

Changing the version string (now using version 1.1 of Docman), for instance, may be a feature that allows you to not catch the eye of a little hacker bastard who is visiting your site, so he won't go "hey! I got an exploit for the version he's using, yippee!"
In that case, you're better off removing the "Docman" part of it as well! Since people throw the exploits at any/every thing to see what sticks - and that is where the real part of security comes in:
determining and detecting if your site is being probed by a hacker looking for exploits or loopholes.
With jQuery and the like, our sites are WAAAAAAY more prone to cross-site scripting and other dangers than EVER before. Exploits that were once impossible ("as there is nothing you can really do in 300 bytes of javascript") are now possible if the target is running jQuery.

Also, with a tool like Firebug, a hacker may do something like this scenario.

"Ajax and PHP based Filebrowser.
// Javascript has some init variables.
...
var basdir = '/home/dev/mysite/uploads'


..... Now when the page for the script loads, the user can fire up Firebug and, in the javascript console,
say basdir = '/home/dev/security'

Now when the user continues the execution, the Ajax passes the parameter to the PHP code on the server and browsing starts from the ....SECURITY folder

Tomorrow I will go into this in more detail and how you can secure apps against this additional vector
Marco - Thanks!   2009-04-16 07:48:36
Hi Mark,

Thanks for your comment.

You're right about the fact that real hackers can do a lot to take your website down. The "changing database prefix" tip is to prevent SQL Injections - they'll need to know the database name. If there is an exploit in any extension, they can retrieve the database password etc., so it'll still be dangerous.

Anyway, thank you for sharing your thoughts!
goldy - see its hack i think   2009-04-18 21:36:32
http://www.ajitweekly.com/index.php?option=com_content&task=view&id=6227&Itemid=1

when we click its open some other site <img src=hock:' />
Genex Business Solutions - Web Security is Important   2009-06-06 11:44:31
Thank you for the information on securing Joomla websites. Auto scanners on the Internet are always looking for website loopholes to hack them. Since Joomla is a largely used web management system, and hackers know how it's built, they know where and how to attack. Changing table names in the database, securing the htaccess file and turning off register globals and allow URL fopen gives you a great deal of security.

Additionally we are working to set up a private firewall on our websites to track and monitor every request at our website. I think it's time to close the website entrance for everyone and strictly monitor who is coming to our websites and why!
Abdul Mannan - Login Security?   2009-11-01 23:44:14
Hello,

I saw a plugin called 'Secure Login Plugin'. The developer says that it encrypts the username/password before sending them over the internet and makes both the front and back end login safe.

I am really keen on security. Is it something important to buy? I don't have SSL.

Thanks.
Abdul Mannan - Login Security?   2009-11-01 23:45:45
By the way, here is the link if someone needs to see it: http://codingmall.com/products-mainmenu-8/37-secure-login-plugin-without-ssl
Akanke - Changing Prefix - Step 9   2009-11-02 10:40:00
Hi,

Something didn't work for me. The query part is not clear. When I select "SQL" the query window comes up as one open box. Then I paste all my code there and click "Go". Then I get an error message:

Error

SQL query:

--
-- Database: `information_schema`
--
CREATE DATABASE `information_schema` DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;

MySQL said: Documentation
#1044 - Access denied for user 'manajoomla2'@'%' to database 'information_schema'

Can you tell me what I may have done wrong?
Chris - Thank you   2009-11-11 14:54:23
Thank you for the information. It seems that someone is trying to access my website.
donold - Thank you   2009-12-05 05:46:26
This is really nice information, I must say. Thank you by heart. Once again, please keep on updating and send me.

thanks
website design   2009-12-17 07:28:11
What a nice blog, dear. I have never seen such an attractive and useful blog. I will pray for your success and also appreciate the great step that you have taken toward your bright future.

Thanks a lot again.
husteng   2010-02-13 11:28:48
tnx 4 d info
syrakozz - other site for listing Joomla! vulnerabilities:   2010-02-19 10:35:31
The site is
http://www.exploit-db.com/
It's very up to date.