Are You Making it Easy To Hack Your Joomla Site?
5 Things To Do Right Now To Deter Hackers and Protect Your Investment
Over the last several months I've worked with a lot of new clients who have had their Joomla sites hacked recently. In nearly all of these cases this trouble could have been prevented had these site owners "hardened" their Joomla site properly.
Most of these clients had their original site built by a freelancer or set it up themselves. Though Joomla can be easy to add content to and update, securing it against hackers is an area most Joomla newbies aren't savvy about. A book could easily be written on securing your Joomla site properly. In this article we'll look at 5 quick and easy steps you can take to protect your site from hackers and make sure it stays up and running.
1) Upgrade to the latest version of Joomla.
The latest version of Joomla 1.0.X is 1.0.15. The latest version of Joomla 1.5.X is 1.5.17. If you are currently running Joomla and are not at the latest release level, you need to get this straightened out right away. The folks at Joomla.org are very good about fixing security holes found in the software. In the last few months 2 new releases have been made available. These releases address potential security flaws that have been found.
Support for version 1.0.15 has been discontinued. That means you need to consider upgrading your 1.0.X version to the 1.5.X platform as soon as possible. Depending upon the extra components you have installed on your site this can either be quick and painless or a royal pain in the a$$. Either way, you'll need to get this done right away for security.
2) Change the default administrator account username.
By default Joomla names the default administrator 'admin' during installation. Many web sites continue to use this username as their main administrator account. Not good! To log into a Joomla site you need the username and password. If you don't change the default 'admin' username you have just given any potential hacker 1 of the 2 pieces of info they need to break into your account. By merely renaming this default account to something else (joomadmin, jadmin, etc.) you have effectively helped close this security hole by making it tougher for them to figure out these two bits of information.
3) Change the URL to access the administrator login page.
The best way to prevent hacks is to give the hacker as little information as possible about the inner workings of your site. It is common knowledge that you can reach the administrator login page by merely appending the '/administrator' path to the site URL. So if your site is called www.mysite.com, typing www.mysite.com/administrator into a browser brings anyone to your admin login page if you are running Joomla. Depending upon the style of the page that comes up you can tell whether the site is running the 1.0.X version or the 1.5.X version. This is information that gets them started on hacking your site. Let's at least hope you followed the advice in step #1! There are a number of ways to secure this login page from curious visitors. The easiest way is with the jSecure plugin. By using this simple plugin you can set it so that if they type in www.mysite.com/administrator it will redirect them to your home page and not show your Joomla administrator login page. This makes it harder for folks to see you are running Joomla.
4) Backup your site regularly and automatically.
As part of my installation procedure I install the Joompack Backup component on my clients' sites. This component makes it easy to back up your entire database and files. With one click you can make an entire backup of your site in zip format. With this zip file you can restore your entire website and database in 5 minutes should something go wrong. Think about it. You go view your website and notice it is down. You call your hosting provider and they say their server crashed and they are not sure they have a good backup. Think it can't happen? Do you want to bet all the hard work you did over the last year tweaking content, adding pictures, etc. on someone else's efforts? Or say your site is hacked and files were deleted, or you aren't sure they haven't placed other scripts in your file system. Without a good backup you may need to rebuild the site from scratch. This is easily fixed by using the Joompack component often and making sure you download the file it creates to your local computer. Even burn a copy of this file to a CD and put it somewhere safe.
As further protection I now install for clients an additional backup utility called Lazybackup. This plugin can be set to back up your database every day, once a week or on whatever schedule you set, and email you a copy of the database. This is my set-it-and-forget-it tactic to make sure I never lose any of the content I create and add to my sites. I instruct my new clients to sign up for a free Gmail account from Google and then have Lazybackup send the backups to that email address. Gmail gives you 8GB of free space so you can send a lot of backups there and store as many as you like. This allows you to store different versions of your database and roll back to a previous date should your database become corrupted, hacked or lost in any way.
5) Use the .htaccess file
Block typical exploit attempts with local Apache .htaccess files. This option is not enabled on all servers, so check with your host if you run into problems. Using .htaccess you can password-protect sensitive directories such as administrator, restrict access to sensitive directories by IP address, and, depending on your server's configuration, you may be able to increase security by switching from PHP4 to PHP5. For more information on this consult the Joomla.org site or speak with a Joomla security pro.
These simple steps will go a long way toward protecting your site as well as making sure you can recover in case of an emergency.
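Here is an added example (not from the article or any Joomla project) of the .htaccess rules described in step 5, placed in the /administrator directory. It assumes Apache 2.2 syntax with .htaccess overrides allowed by the host; 203.0.113.0/24 and /home/example/.htpasswd are placeholders for your own address block and password file.

```apache
# Added example .htaccess for the Joomla /administrator directory (not from the article).
# Assumes Apache 2.2 directives; on Apache 2.4 replace the Order/Deny/Allow
# lines with "Require ip 203.0.113.0/24".

# 1) Only allow the admin login page to be reached from a known IP address block.
#    203.0.113.0/24 is a placeholder; use your office or home address range.
Order Deny,Allow
Deny from all
Allow from 203.0.113.0/24

# 2) Require a separate HTTP Basic password before the Joomla login form is shown.
#    Because the default is "Satisfy All", a visitor must pass BOTH the IP check
#    above AND this password prompt. /home/example/.htpasswd is a placeholder path;
#    keep the file outside the web root and create it with:
#    htpasswd -c /home/example/.htpasswd joomadmin
AuthType Basic
AuthName "Joomla Administration"
AuthUserFile /home/example/.htpasswd
Require valid-user

# 3) Never serve the .htaccess/.htpasswd files themselves if requested directly.
<FilesMatch "^\.ht">
    Order Allow,Deny
    Deny from all
</FilesMatch>
```

If your connection does not have a fixed IP address, drop the Allow/Deny block and keep only the password protection; a wrong address range will lock you out of your own admin area.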