Recently we’ve published results of the study, where we provide data on the use of Joomla! CMS. As it turned out, more than a half of the top sites are still using Joomla! 1.5 versions. We have already mentioned that it carries security risks. In this post, we have decided to offer some tips that can help improve the security of your site, if you still run old Joomla! for some reasons.
WHAT SHOULD YOU DO FIRST
Many of the sites which we have analyzed not only use Joomla 1.5 line, but more than that are not updated to the latest minor version 1.5.26, and still running 1.5.12 or even 1.5.3. If you are among them, you should immediately update your site.
Joomla.org has closed access to 1.5.x downloads, so for those who have not yet decided to migrate to 2.5.x or 3.x, we offer our link for Joomla 1.5.26 package.
If you are still using an old version of Joomla, then perhaps your site is already under attack. Check your site for known malware with this free service: Sucuri SiteCheck.
One of the serious security holes, which was closed since Joomla 1.6 and higher - default database prefix (jos_). Thus, the attacker always knows how tables are called in your database. In addition if one of the installed on your site components has a flaw that allows an SQL injection you will be hacked. To prevent this, change the jos_ prefix to any other. Do not forget to make changes in configuration.php file after you changed the prefix too.
After you have made changes to the configuration.php, it is not superfluous to impose restrictions on access to the file. This can be done by putting permissions to 444.
Another security lack of Joomla 1.5 version is impossibility to change default super admin username and id. Therefore, you have to do it manually. Create another super admin (be sure to set username that is not so simple to guess – administrator, root, etc. are bad examples; password should be strong too – we recommend to use password generator to create a strong password. Login with your new super admin and block/delete super admin with ‘admin’ username.
Another step that should be done to protect the access to the admin panel of Joomla! is change the path to the panel, or block access using .htaccess file. A positive side effect here is that an attacker will not find out which CMS you have on your site, as admin panel did not respond from its usual place.
Another flag, which can help hackers identify what Joomla version is used on your site is meta tag "generator". If an attacker can determine CMS installed on your site and its version, it is not a hard task to find a ready-made exploit, simply by asking Google. For security reasons do not promote that your website is built on Joomla! and its version.
On previous steps we have mentioned the use of .htaccess file. This file is part of the standard package of Joomla! All you have to do is to rename htaccess.txt to .htaccess. But please note you should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache http server. Any directive that you can include in a .htaccess file is better set in a Directory block, as it will have the same effect with better performance.
Joomla! community has produced advanced master .htaccess file that can help prevent unauthorized activity on your site. However, be sure that you know what you do as some extensions that use non-standard entry points can stop working. Make sure you have read documentation carefully.
In our practice, when we restore hacked site, we often see that malware scripts have been hidden among long list of files, expecting that it is harder to find them. Therefore, it is a must that you track useless files on your server and delete them. It is also true for Joomla! extensions that you do not use anymore. If you do not update your extensions periodically, there is high chance that hackers will use security flaws that has become publically known and fixed in the latest versions.
FOLLOW BEST PRACTICES
Many Joomla! developers and administrators are not aware that Joomla! has its own constantly updated Security Checklist. There you will find the most relevant information from community regarding development, testing and administration of Joomla! site. And this site for sure should be placed in your bookmarks.
INSTEAD OF A CONCLUSION
However, all of mentioned steps are only temporary measures, by which you will get some extra time in battle with hackers. Make a good use of time you win - get ready to migrate your site to the latest Joomla! version.
The above recommendations for the security of your site together with useful links for each step are published in our Successful Joomla! Site Checklist. In addition, you will find there information that will help you make your website faster, improve accessibility and attract more users.
Finally, please, do not underestimate the importance of the above security steps. We already had to deal with several severe hacker attacks due to failing to follow some of those tips.
If you have any questions on optimizing your site or improve security, leave a comment below or send a request via helpdesk.