Hacker's Calling Card
A local organization contacted me this week in a panic. Their Joomla CMS website had been hacked... AND the hackers left their calling card.
Joomla Security Tips
Below are some tips to help you secure your Joomla CMS site. This isn't an exhaustive list, but taking these steps will certainly make it more difficult for hackers to break-in and infect your site.
- host your website with a reputable hosting company
- make sure your host is using the latest version of PHP
- keep your Joomla core and extensions up-to-date
- make sure all your extensions are:
- developed by reputable developers
- not on the Vulnerable Extensions List
- delete unused templates
- disable the Joomla generator tag
- move your Joomla tmp folder outside of the root folder
- set your permissions properly: 644 for files and 755 folders
- your configuration.php file should be unwrittable - permission: 444
- set PHP register_globals OFF
- enable open_basedir
- disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
- block typical exploit attempts with local Apache .htaccess files
- make sure all passwords are at least 12 mixed alphanumeric characters and contain no common word phrases
- do not use standard Admin user
- disable anonymous FTP
- password protect your Joomla Administrator directory
- install a Joomla CMS firewall extension
Back-up, Back-up, Back-up,
Remember no website is 100% hack-proof so make sure you back-up your site after each update so that if it is hacked, you're able to roll back to the latest clean version.
For more information check out the Joomla Security Checklist documentation.
Posted in Website Security