
Sep 30, 2010

14 tips to secure your joomla sites before they get hacked

Posted by: admin in Web

Tagged in: Joomla Security

Joomla is undoubtedly one of the best CMSs available on the market. As more and more websites start using Joomla, it's important that the site is configured properly to prevent security compromises. A lot of people are getting old versions of Joomla 1.5 hacked today. Securing your site is rather easy if you know what needs to be done, where, and how. I have compiled 14 security tips to secure your Joomla website.

  1. Proper Hosting Environment

    A properly configured server is highly recommended for your Joomla website. Host your site on a server that runs PHP in CGI mode with su_php. This means that PHP runs under your own user account instead of the global Apache user, so you don't need to set insecure global permissions such as CHMOD 777.

    a. Set register_globals OFF
    b. Disable allow_url_fopen
    c. Adjust the magic_quotes_gpc directive as needed for your site. The recommended setting for Joomla! 1.0.x is ON to protect against poorly-written extensions. Joomla! 1.5 ignores this setting and works fine either way.
    d. Don’t use PHP safe_mode
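    The four directives above can be checked against a php.ini file with this added shell audit (example code, not from the original post). It reads the ini text only, so settings overridden per site through .htaccess php_flag lines or a per-user php.ini must be checked where they actually apply; the file path is whatever your host uses.

```shell
# Effective value of one directive in an ini file: the last uncommented
# "key = value" line wins, as in PHP. Printed lower-cased, without quotes;
# empty if the file never sets it.
ini_value() {  # ini_value FILE KEY
  awk -F'=' -v key="$2" '
    $0 !~ /^[ \t]*;/ {
      k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k == key) {
        v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/"/, "", v)
        val = tolower(v)
      }
    }
    END { printf "%s", val }' "$1"
}

# Spellings PHP treats as "disabled".
php_is_off() {
  case "$1" in ""|0|off|false|no|none) return 0 ;; *) return 1 ;; esac
}

# Report the tip 1 directives; returns the number of failures.
audit_php_ini() {  # audit_php_ini FILE
  fails=0
  # directive:compiled-in default. allow_url_fopen defaults to On, so a
  # php.ini that simply omits it still fails the check.
  for spec in register_globals:off allow_url_fopen:on safe_mode:off; do
    d=${spec%%:*}; dflt=${spec#*:}
    v=$(ini_value "$1" "$d"); [ -n "$v" ] || v="$dflt (default)"
    if php_is_off "${v%% *}"; then
      echo "OK:   $d = $v"
    else
      echo "FAIL: $d = $v (should be Off)"
      fails=$((fails + 1))
    fi
  done
  # magic_quotes_gpc: tip 1 wants it On for Joomla 1.0.x and 1.5 ignores it,
  # so it is reported for the admin to judge, not scored.
  echo "INFO: magic_quotes_gpc = $(ini_value "$1" magic_quotes_gpc)"
  return "$fails"
}
```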

  2. Change the Default Database Prefix (jos_)

    During installation, change the default database prefix to something random. This will stop most of the SQL injection attacks, as attackers try to retrieve super administrator details from the jos_users table.
  3. Disable FTP Layer

    During installation, don't enable the FTP layer, as it opens a potential security hole: your FTP details are stored in plain text in the Joomla! configuration file. The FTP layer is not required if your hosting is secured and configured properly for Joomla.
  4. Change your admin user

    You don't know who user 62 is? To cut a long story short, when you install Joomla! on your site it creates a Super Administrator account with a known username (admin) and a known user ID (62). This has been exploited in the past by crackers to gain access to unsuspecting sites. The best approach is to create a new Super Administrator user and block or demote the default admin user all the way down to the Registered level.
    To avoid this, do the following:
    • Create a new super-administrator with another user name and a strong password
    • Log out and log in again as this new user
    • Change the original admin user to a Manager and save (you are not allowed to delete a super-administrator).
    • Now delete the original admin user (user ID 62).
  5. Don't use the MySQL root user as the user of your database

    You should always create a new database user when installing a new site, and grant it rights to the new database only. This way, the user only has access to that specific site. Otherwise, if one site is hacked, the rest are wide open as well.
  6. Install the jSecure Authentication plugin

    Every Joomla back-end has the same URL. If you install a security plugin, you can add a suffix to your back-end URL so that it looks like this: http://www.yoursite.com/administrator?helloworld
    If the URL is not entered with the correct suffix, the site redirects to a 404 (not found) page. Change the suffix regularly. The plug-in costs $4.99 and it's worth it!
    Buy and download the jSecure Authentication plugin here
  7. Strong and unique password

    Always use a strong password for the administrator accounts. An example of a strong password is E@^M!$<9@k. You can use sites like www.strongpasswordgenerator.com to generate one.

    A good addition is to password-protect the administrator folder. On the Apache web server you can do this with an .htaccess file, or in cPanel you can use the Password Protected Directory option to set up a password. This adds another layer of username/password before someone reaches your Joomla admin login. Needless to say, make this password different from the Joomla admin password.
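    The .htaccess approach above, as an added example (not from the original post): a shell helper that writes the Apache auth stanza for /administrator and maintains the password file with openssl's Apache-compatible apr1 hash. It assumes Apache honours AllowOverride AuthConfig for the site and that the password file is kept outside the web root; all paths and the user name are placeholders.

```shell
# Write administrator/.htaccess so Apache asks for a user/password before
# any request reaches Joomla's own login form. HTPASSWD_FILE must be
# outside the document root, e.g. /home/site/.htpasswd (placeholder path).
write_admin_htaccess() {  # write_admin_htaccess JOOMLA_ROOT HTPASSWD_FILE
  cat > "$1/administrator/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile $2
Require valid-user
EOF
}

# Add or replace one user in the password file. The password is read from
# stdin so it never appears in shell history or the process list, and the
# file is rewritten via a temp copy so a crash cannot leave it half-written.
htpasswd_set() {  # printf '%s\n' "$pass" | htpasswd_set HTPASSWD_FILE USER
  file="$1"; user="$2"
  hash=$(openssl passwd -apr1 -stdin) || return 1
  tmp="$file.tmp.$$"
  {
    [ -f "$file" ] && grep -v "^$user:" "$file" || true
    echo "$user:$hash"
  } > "$tmp"
  mv "$tmp" "$file" && chmod 600 "$file"
}
```

Use a different password here than for the Joomla Super Administrator, as the post says, so one stolen credential does not open both layers.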

  8. Change your username and password often

    At least every 3 months.
  9. Enable SEF URLs

    Most hackers use the Google inurl: command to search for vulnerable installations. So enable SEF URLs in the site configuration if you are using Joomla 1.5. You can also use extensions like SH404SEF for both Joomla 1.0 and Joomla 1.5. This will prevent hackers from finding the exploits and benefit you from an SEO perspective as well.
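    An added shell check (not from the original post) that reads a Joomla 1.5 configuration.php and reports on tips 2, 3, 5 and 9 at once: the jos_ prefix, the FTP layer, the root database user and SEF URLs. It assumes the 1.5 layout of that file (var $dbprefix, var $ftp_enable, var $user, var $sef); any sample config used with it is constructed.

```shell
# Value of a "var $NAME = '...';" line in configuration.php, with quotes
# and the trailing ";" stripped; the last definition wins if repeated.
jcfg_get() {  # jcfg_get FILE NAME
  sed -n "s/^[[:space:]]*var[[:space:]]*[$]$2[[:space:]]*=[[:space:]]*['\"]\{0,1\}\([^'\";]*\).*/\1/p" "$1" | tail -n 1
}

# Report the install-time choices the post covers; returns the number of
# findings so the check can run from cron and alert on non-zero.
audit_joomla_config() {  # audit_joomla_config FILE
  f="$1"; n=0
  prefix=$(jcfg_get "$f" dbprefix)
  if [ -z "$prefix" ] || [ "$prefix" = "jos_" ]; then
    echo "FAIL: dbprefix is '$prefix'; use a random prefix (tip 2)"; n=$((n + 1))
  fi
  if [ "$(jcfg_get "$f" ftp_enable)" = "1" ]; then
    echo "FAIL: FTP layer enabled; ftp_pass sits in clear text in this file (tip 3)"; n=$((n + 1))
  fi
  if [ "$(jcfg_get "$f" user)" = "root" ]; then
    echo "FAIL: database user is root; use a per-site user (tip 5)"; n=$((n + 1))
  fi
  if [ "$(jcfg_get "$f" sef)" != "1" ]; then
    echo "FAIL: SEF URLs are off (tip 9)"; n=$((n + 1))
  fi
  [ "$n" -eq 0 ] && echo "OK: configuration.php passes tips 2, 3, 5 and 9"
  return "$n"
}
```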
  10. Upgrade to latest release of Joomla

    Always upgrade to the latest release of Joomla as soon as possible. The current release is 1.5.11. You can subscribe to http://feeds.joomla.org/JoomlaSecurityNews or our blog feed http://feeds2.feedburner.com/joomlainblog to get updates about the latest security releases.

    Always download Joomla! from official sites, such as the Joomla! Forge, and check the MD5 hash.

  11. Third party extensions

    There are more than 4000 extensions available for Joomla, many of which are non-commercial. But don't take this as an opportunity to install unnecessary extensions on your website. Remember that most hacking attempts succeed because of vulnerabilities in these extensions. So always use extensions that are popular and have strong community backing and a sound development process.
  12. ACL for the back-end

    The default Joomla! back-end roles are not as secure as you might think. Especially the Administrator role, which is inherently very permissive, does not provide adequate isolation from a potential breach from the inside. I suggest using a third-party ACL solution to limit back-end users' access to specific core and third-party components only, depending on the user's role in the site's management workflow. Thanks to the efforts of the core developers, Joomla! 1.6 will make it possible to define such ACLs without any third-party extensions.

  13. Proper file/folder permissions

    The proper file/folder permissions for your Joomla website are:
    * PHP files: 644
    * Config files: 666
    * Other folders: 755

    You can CHMOD the files and folders using your FTP client.
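    An added shell audit (not from the original post) that lists every path whose mode differs from the 644/755 given above and, separately, every world-writable path, which on a shared host is what to review first; it also includes the chmod sweep for files and folders. The tree it is exercised against is constructed.

```shell
# Paths whose mode differs from the expected octal mode (e.g. 644 / 755).
find_mode_deviations() {  # find_mode_deviations ROOT FILE_MODE DIR_MODE
  find "$1" -type f ! -perm "$2" -print
  find "$1" -type d ! -perm "$3" -print
}

# Anything other users may write to. On shared hosting a 666 or 777 path
# under the web root can be rewritten by any other account on the box.
find_world_writable() {  # find_world_writable ROOT
  find "$1" \( -type f -o -type d \) -perm -002 -print
}

# Apply the modes from tip 13 to a whole tree: files 644, folders 755.
# The post lists 666 for config files; that is not done here, since it
# leaves the database password in configuration.php writable by everyone.
apply_joomla_modes() {  # apply_joomla_modes ROOT
  find "$1" -type f -exec chmod 644 {} +
  find "$1" -type d -exec chmod 755 {} +
}

# Print both lists; the return value is the number of world-writable paths,
# so a cron job can alert on a non-zero exit.
audit_joomla_modes() {  # audit_joomla_modes ROOT
  echo "== paths not matching 644 (files) / 755 (folders):"
  find_mode_deviations "$1" 644 755
  echo "== world-writable paths:"
  ww=$(find_world_writable "$1")
  if [ -z "$ww" ]; then return 0; fi
  echo "$ww"
  return "$(echo "$ww" | grep -c .)"
}
```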

  14. Setup a backup and recovery process

    Always rely on a strong backup and recovery protocol for your live website. It's not just hacking that may compromise your website; other factors such as a faulty upgrade or extension install, hardware failure, or hosting provider issues can do so too. You can use JoomlaPack, a non-commercial component native to both Joomla 1.0 and 1.5, for backups.
    One important factor is how many backups you must keep and how you keep them. Keep at least a full month of daily backups, or 6 months of weekly backups. This way you can roll back to a safe, known-good position in time even if your site becomes compromised. Do not just keep your backups on the same server as your site! Download them to your hard drive and keep at least two copies on different removable media, e.g. CD-ROM, flash disk or external hard drive, optimally with each copy stored in a different physical location. Even better, use a cloud storage service – such as Amazon S3, DropBox, Wuala, or Ubuntu One – to securely store one copy of your backup archive. You can never be too paranoid about securing your backup files!
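    An added backup and rotation script (not from the original post) for the schedule above: one archive per day holding the Joomla tree and a database dump, Sunday copies tagged weekly, and a pruner that keeps 30 daily and 26 weekly archives. It assumes tar and mysqldump are installed, that the database credentials sit in ~/.my.cnf, and that DEST_DIR is remote or mounted storage rather than the web server's own disk; site and database names are placeholders.

```shell
# Archive names sort as dates; Sunday copies are tagged weekly so the
# pruner can keep them for six months while daily copies go after a month.
backup_name() {  # backup_name SITE YYYYMMDD WEEKDAY(1=Mon..7=Sun)
  if [ "$3" -eq 7 ]; then echo "$1-$2-weekly.tar.gz"; else echo "$1-$2-daily.tar.gz"; fi
}

# Dump the database and pack it together with the Joomla tree into DEST_DIR.
# mysqldump reads its credentials from ~/.my.cnf, which keeps the password
# off the command line and out of the process list.
make_backup() {  # make_backup SITE JOOMLA_ROOT DEST_DIR DB_NAME
  name=$(backup_name "$1" "$(date +%Y%m%d)" "$(date +%u)")
  work=$(mktemp -d)
  mysqldump "$4" > "$work/db.sql" || { rm -rf "$work"; return 1; }
  tar -czf "$3/$name" -C "$(dirname "$2")" "$(basename "$2")" -C "$work" db.sql
  rm -rf "$work"
}

# Keep the newest KEEP_DAILY daily and KEEP_WEEKLY weekly archives of SITE
# in DIR and delete the older ones; prints each deleted archive.
prune_backups() {  # prune_backups DIR SITE KEEP_DAILY KEEP_WEEKLY
  for kind in daily weekly; do
    if [ "$kind" = daily ]; then keep=$3; else keep=$4; fi
    ls "$1"/"$2"-*-"$kind".tar.gz 2>/dev/null | sort -r | tail -n +$((keep + 1)) |
      while read -r old; do rm -f "$old" && echo "$old"; done
  done
}

# Daily cron entry, e.g.:
#   make_backup mysite /home/site/public_html /mnt/backups mysite_db &&
#   prune_backups /mnt/backups mysite 30 26
```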

Author: Nirmal Gyanwali

change admin user!
I like this one very much. I think most Joomla sites are hacked using the admin user ID. But I have one question: if I remove the admin user, will all my data linked to the admin ID be lost or not?
rujan, October 23, 2010
backup process is a mess!
Joomla has a very large file size, so the backup process is a bit messy. Can you tell us which directories are important to back up? I think we don't need to back up the administrator directory.
rujan, October 23, 2010
About Proper file/folder permissions, and security
I do not agree with the information about proper file/folder permissions.
Folders, no problem, because this CHMOD is necessary for installing extensions and templates.
But the files and folders under the root /administrator, specifically all "index" files, should be changed to be more secure; I recommend using CHMOD 444 (read only) to improve security.
Regards
Dagoberto, November 27, 2010