Joomla is a free open source CMS which is 2nd most widely used built on MVC framework. It is also second largest infected website platform too.
Today we will learn some steps to harden security of your Joomla account :
1). Keep your Joomla account upto date :
It is very important to keep your Joomla account updated, as mostly new versions of themes and plugins have security patches.
- UPDATE all cms, themes, plugins.
- REMOVE unused and unnecessary plugins and themes.
- Use Securitycheck plugin for security.
2). Protect access of Joomla admin section :
You can protect your Joomla admin area through .htaccess file. You can deny all IP's and allow only those IP's through which you access your admin area.
Here, xx.xxx.xxx.xxx is your IP to whom you have given access. In case you want to allow access to multiple IP's, You have to simply add another line for new IP.
3). Secure your configuration.php file :
You can move your configuration.php file one level up above your Joomla install. It means you can move your configuration.php file outside your root folder if Joomla is installed in root folder.
4). Secure your local PC with updated antivirus :
The very big issue starts at our own end when we have our system compromised with viruses and malware.
You have to regularly scan your system on intervals to confirm security at your own end.
5). Check Files and Folders permissions :
To protect your Joomla account your files and folders permissions should be correct. All files should have correct CHMOD configuration.
6). Use SSL certificate for Joomla account :
The most biggest reason using SSL certificate for Joomla websites is that it process sensitive data like usernames and passwords. As if you are not using HTTPS then your usernmae and password is sent as clear text over internet.
7). Remove unwanted files from account :
You must remove unwanted files from your Joomla websites like readme and other unwanted files.
8). Disable the XML-RPC file :
You can change file permission of your XML-RPC file to '000'.
9). Don't use "admin" username and use strong password :
Most of the users use "admin" as username which is easily assumable and attackers can easily guess it. Kindly avoid to use "admin" username, it will reduce brute force to a limit.
Also, always use strong and complex passwords and avoid using these type of passwords (123456, password, etc). they can be easily assumable by a normal person.
10). Prevent PHP Files from executing :
Our experience says hackers puts their compromised php files in Joomla directory. Usually these are .php files with names that some what seems like Joomla core files, but they are not.
What you can do to for this is prevent PHP files execution in certain directories. You can put this code in ".htaccess" file to prevent php execution.