Why do we want, or need, to keep our website safe?
- To maintain our own control and ownership of our website;
- On a shared server in particular, where you share the server with other clients of the hosting company, a compromised website can affect the stability of the entire server, including other people's websites. You do not want another person's website to affect the operation of your website, and the same applies the other way around;
How can our website be compromised?
- We protect our homes and computers from hackers, and in the same way we need to protect our websites from unscrupulous persons;
- A website can be breached and data accessed illegally;
- Your website could be taken over (hijacked): you lose access to the administrator area and cannot recover it;
There is plenty of good advice available on good practices for keeping your Joomla!® website safe and secure.
Much of that advice is consistent, and UsingJoomla.com would like to give you some tips and advice here.
Here are our tips, in no particular order:
- Choose a good web-host
- Use the latest stable release of Joomla
- Use extensions that are regularly and recently updated
- Use the latest stable release of extensions
- Keep folder and file permissions appropriate
- Use a Web Application Firewall (WAF)
- Take regular backups
- Use difficult to guess Username(s) and Passwords
- Use Joomla security extensions
- When using an FTP client - use SFTP
- Protect the Administrator area login
- Have your website served over HTTPS using an SSL certificate
- Do not keep backup archives within your website
- Keep more than one copy of your backup archive
- Keep backup archives for a period of time
- Test your backup
Let us expand on those items above.
Choose a good web-host
A good web-host will take security very seriously, and will indeed be very proactive in ensuring their servers are secure - but it is your responsibility to ensure your website is secure.
Seek recommendations from people (developers) whom you trust and who are themselves held in high regard.
Use the latest stable version of Joomla
Joomla gets updated at intervals - many updates are for new or improved features - but if a vulnerability is identified an update may be solely for security fixes and remedies.
Typically, when a security vulnerability is identified it will be remedied with a new release of Joomla before any details are released into the public domain of that vulnerability.
When a release contains a security fix it is very important to update your Joomla installation promptly, because the release change-log will most likely explain what the vulnerability is and where it lies.
An unscrupulous person could then attempt to find Joomla-powered websites that have not been updated and still contain that vulnerability.
Use the latest stable release of extensions
For exactly the same reasons given above for using the latest stable release of Joomla.
Use extensions that are recently and regularly updated
An extension that has not been updated recently, say for several months, may contain one or more vulnerabilities.
An extension that has not been updated for several months may also be an extension that is no longer supported or developed.
An extension not updated recently may not be compatible with the latest stable version of Joomla or the latest version of PHP used on your server.
Keep File and Folder permissions appropriate
File and folder permissions determine, broadly, who holds Read, Write and Execute rights on a file or directory.
Only the accounts that genuinely need to write to a file should be able to, and the same applies to reading and executing it.
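As an added example (not code from UsingJoomla.com or Joomla itself), here is a small POSIX shell audit that lists world-writable files and directories under a web root and resets them to the 755 (directories) / 644 (files) baseline commonly recommended for Joomla on shared hosting. That baseline is an assumption to confirm with your host, and the demo runs on a constructed scratch tree rather than a real site.

```shell
#!/bin/sh
# Added example, not code from UsingJoomla.com or Joomla itself.
# Assumed baseline: directories 755 (rwxr-xr-x), files 644 (rw-r--r--).
# Confirm with your host; some setups (e.g. PHP running as a different user)
# need different settings. Ownership is deliberately left untouched.

# List every file or directory under $1 that anyone on the server may write to.
list_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \)
}

# Number of world-writable entries under $1, printed on stdout.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Reset everything under $1 to the 755/644 baseline.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Permission string of one path, e.g. "drwxr-xr-x" or "-rw-r--r--".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Demonstration on a constructed scratch tree, so it is safe to run anywhere.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/images" "$root/administrator"
    : > "$root/configuration.php"
    chmod 777 "$root/images"             # a loose upload directory
    chmod 666 "$root/configuration.php"  # a world-writable config file
    echo "before: $(count_world_writable "$root") world-writable entries"
    list_world_writable "$root"
    fix_perms "$root"
    echo "after:  $(count_world_writable "$root") world-writable entries"
    echo "configuration.php is now $(mode_of "$root/configuration.php")"
    rm -rf "$root"
}

demo
```

Run `count_world_writable /path/to/your/site` first to see what would change before applying `fix_perms` to a live installation.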
Use a Web Application Firewall
Using a Web Application Firewall (WAF) is like using a filter.
A WAF is used to help provide real-time protection against common attacks.
A WAF can be used to:
- Block SQL injection attacks;
- Block brute-force attacks;
- Provide login protection;
- And much more;
Take Regular Backups
How regular is regular?
How much work or data can you "afford" to lose? Two hours' work? Two days' work?
Do you have an eCommerce website with one or two sales taking place hourly? Or hundreds of sales per hour?
The above hopefully gives some sense of "scale" to your backup approach.
There are times when you should backup your website as a matter of routine:
- Before, and again after carrying out an extension update;
- Before, and again after carrying out a Joomla update;
- If you write several articles each day - carry out a backup before and after each article;
- If you make several sales from your eCommerce website every hour, carry out a backup every half an hour.
Carrying out a backup and restoring that backup is much, much less trouble than losing several hours' work, or any amount of sales information.
The good news is:
Carrying out a backup does not have to be a burden.
If you use a great web-host and Akeeba Backup Professional you can schedule your backups to take place automatically, even while you sleep, eat or socialise, by using a CRON schedule.
Use difficult to guess usernames and passwords
Do not use words from a dictionary as either a username or password.
There are software programs that can be used to attempt to guess a password.
Dictionary words are quite easy for a computer program to work out: the word "Dictionary" could take a computer approximately 1 month to determine, while the word "Joomla" could take a computer program approximately 500 milliseconds (that is half a second!) to determine.
There are some excellent tools available to help you create a strong password; one such tool is StrongPasswordGenerator.
Have your website served over HTTPS with an SSL certificate
HTTPS is a secure, encrypted form of delivering your website to the browser.
Installing and setting up an SSL certificate used to be a time-consuming and expensive process.
However, it can now be very easy and either free of charge or very cheap.
Some web hosts even offer clients the option of a free Let's Encrypt SSL certificate; the host will set it up for you and renew it when required.
One such web host is SiteGround: their cPanel allows you simply to choose "yes" for an SSL certificate against your cPanel domain name.
Protect the Administrator area login
Joomla, by default, makes the Administrator area login panel available at a commonly known URL (web address).
Any hacker who wants to have a go at your website simply needs to use this known URL; he or she does not even need to know your site is using Joomla. Try several hundred websites and, wherever the login URL responds, that part of the job is done!
There are security tools available that will allow you to protect the administrator area URL so that it is known only to you.
Use Joomla Security Extensions
All of the above might seem like a lot to do, and taken individually perhaps it is.
There are however some excellent security tools available that can do a lot of the hard work.
Here at UsingJoomla.com we highly and strongly recommend:
- Akeeba Admin Tools for Joomla for security tools, including a Web Application Firewall and Administrator area protection, among the other tools in this package;
- Akeeba Backup for Joomla for backing up your Joomla website;
- Akeeba Joomla Essentials Bundle, which includes both of the above for a lower combined price than buying each individually;
If you want to read our articles on the above three items, you might like to visit:
- Joomla Administration and Security Tools
- Joomla Site Backup Package
- Backup And Admin Tools Combination Package
When using an FTP client, use SFTP
When transferring files via FTP (File Transfer Protocol), for example with CuteFTP, between your website and your local computer, or vice versa, the files could be intercepted between your server and your local computer.
Using SFTP (Secure File Transfer Protocol) will help greatly in protecting the files being transferred, by encrypting them in transit.
Do not keep backup archives within your website
A website backup package / extension may place your website backup archive in a backup output directory within your website directory structure.
There are two reasons why you might want to consider not keeping website backup archives within your website directory structure:
- The backup archive takes up part of your allocated server space;
- In the event of your website becoming compromised, your backup archive may become accessible to someone you do not wish to have it;
So, what should you do?
Take your backup, let it go to an output directory / folder within your website directory structure if that is what your package does, and then:
- Using your FTP client, download the backup archive to somewhere of your choice, for example your local PC or an external hard drive, and then
- Returning to your website administrator area, go to the backup archive folder and delete the archive;
Or, as a bonus: with the backup software package we use here at UsingJoomla.com, any number of "Profiles" can be set up, and within any profile the backup process can be configured with post-processing.
Post-processing allows for the backup to be transferred to a remote storage facility such as:
- Amazon S3;
- RackSpace Cloud Files;
- OVH Object Storage;
- Google Drive;
Keep more than one copy of each of your backup archive(s)
If we keep only one copy of our backup archive, a lot can go wrong:
- The hard drive can fail, and we have lost the backup stored on it;
- The hard drive can become damaged, for example by water or fire.
Paranoia can be your friend!
Keep multiple copies of each backup archive in physically separate places, on separate drives.
If you keep a copy of each backup archive on, for example, five physically separate drives, what are the chances of all five drives failing or becoming damaged?
Here at usingjoomla.com we keep a copy of every backup archive on five physically separate hard drives.
There are some excellent external hard drives available via Amazon.
Keep backup archives for a period of time
Set yourself a minimum period of time over which you keep your backup archives.
On occasion a backup archive may become corrupt, for example if a hard drive begins to fail.
Here at usingjoomla.com we retain backup archives for a minimum of 12 months.
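The three backup-handling tips above (move the archive out of the website directory, keep more than one copy, and keep copies for a set period) can be scripted, as in this added shell example, which is not Akeeba's or UsingJoomla.com's code. The two storage directories stand in for, say, an external drive and a remote bucket, the 365-day retention mirrors the 12-month minimum above, and every path and the `.jpa`-style archive name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from UsingJoomla.com or Akeeba.
# PRIMARY and SECONDARY are placeholders for two physically separate locations
# (e.g. an external drive and a remote bucket mounted or synced locally).

# Move ARCHIVE out of the web root into PRIMARY, copy it to SECONDARY and
# confirm the two copies are identical. Returns 1 if the copies differ.
store_backup() {
    archive=$1; primary=$2; secondary=$3
    name=$(basename "$archive")
    mkdir -p "$primary" "$secondary"
    mv "$archive" "$primary/$name"          # nothing is left inside the site
    cp "$primary/$name" "$secondary/$name"  # second, independent copy
    cmp -s "$primary/$name" "$secondary/$name" || return 1
}

# Remove archives in DIR whose name matches PATTERN and that are older than
# DAYS days, i.e. past the retention period you set yourself.
prune_backups() {
    dir=$1; pattern=$2; days=$3
    find "$dir" -type f -name "$pattern" -mtime +"$days" -exec rm -f {} +
}

# Number of archives matching PATTERN in DIR, for a quick sanity check.
count_backups() {
    find "$1" -type f -name "$2" | wc -l | tr -d ' '
}

# Demonstration on a constructed layout under a scratch directory.
demo() {
    base=$(mktemp -d)
    site="$base/public_html"; primary="$base/drive-a"; secondary="$base/drive-b"
    mkdir -p "$site/backups"
    echo "constructed archive contents" > "$site/backups/site-new.jpa"
    store_backup "$site/backups/site-new.jpa" "$primary" "$secondary"
    echo "copies on drive-a/drive-b: $(count_backups "$primary" '*.jpa')/$(count_backups "$secondary" '*.jpa')"
    # An archive dated 1 Jan 2020 is well past a 365-day retention period.
    : > "$primary/site-old.jpa"; touch -t 202001010000 "$primary/site-old.jpa"
    prune_backups "$primary" '*.jpa' 365
    echo "after pruning: $(count_backups "$primary" '*.jpa') archive(s) left on drive-a"
    rm -rf "$base"
}

demo
```

In practice `store_backup` would be called from the same CRON schedule that takes the backup, right after the archive is written.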
Test your backup
You have done all your hard, time-consuming work on your website, you are rightly proud of it, you have taken your website backup and saved a copy of it (on more than one physical hard drive!), but do you know that your backup is all good? Have you tested it?
Waiting until you need to restore your website from a backup is not the time to find out that your chosen backup does not work!
How can we test our backup?
In a nutshell, there are two ways. The first one below is the method we prefer here at usingjoomla.com:
- Create a (password protected) "Test" directory within your hosting account and restore your backup to that directory, using a separate database created specifically for that purpose;
- Download and install a "local web server", such as XAMPP, and restore your backup to it. There are some "ifs and buts" associated with this method which are outside the scope of this article, but it is nevertheless an option.