Secure Joomla From Hackers
Recently we wrote an article on "Wordpress Mass Defacement Tool "and On "Securing Your Wordpress from being Hacked', However I was requested by one of our readers to write an article on securing joomla blog from hackers and preventing it from being hacked, Joomla just like wordpress is a very widely used CMS platform, Joomla itself is quite secure by default, However the extensions are developed by common developers and most of them have no proper knowledge about security.
Now a days, it has been observed by me that most the hackers do not target vulnerable joomla extensions or joomla itself, however they target websites on the same server and use them to extract the configuration file of joomla that contains the database information. This vulnerability is commonly known as Symlink bypass in the black hat community and Server bypass in our white hat community. So in this article i will talk about the common methods to secure a joomla from hackers and preventing it from being hacked.
Secure Joomla From Hackers [Common Methods]
Choose A Secure PasswordJoomla uses MD5 for generating password hashes, Though MD5 hashes are prone to some weaknesses, However Joomla makes them secure by adding a salt to it. Here is how a joomla hash looks:
4e9e4bcc5752d6f939aedb42408fd3aa:0vURRbyY8Ea0tlvnTFn7xcKpjTFyn0YT
The first part represents the MD5 hash and the part after the colon represents the Salt, This adds up an extra layer of security to joomla passwords, However these hashes can still be cracked with some softwares like PasswordsPro and OCIhashcat plus, Moreover now a days Graphic cards are being used for password cracking that makes the job much easier and take very little amount of time. For a good guide on choosing strong passwords, Kindly refer to my article "How To Create A Strong Password".
Securing Admin Panel
It's not a good idea to leave your admin panel open for the normal users, it should be only accessible by administrators. Imagine if an attacker has managed to extract your database information using SQL Injection, he would surely need the admin panel to log in, If you hide the admin panel, he won't be able to access it.
You can do it either by using changing blocking access to the Public_html/Joomla/Administrator directory and making it accesible by only your IP by modifying the .htaccess with the following commands:
Order Deny,Allow
Deny from all
Allow from Your IP Address
Alternatively you can use a extension called Jsecure, It protects your admin panel by generating a Key, which is only known to you, So the administrator panel can only be accessible if you would have the proper key.
Update Update And Update
Scanning For Vulnerable Plugins Extension
Protecting From Shell Uploads
Once an attacker gains access to your administrator panel, He will usually upload a PHP backdoor to maintain access to your website commonly known as "Shells" in the black hat community, All you need to do in order to protect the Shell upload is to protect the change the permissions of the images directory to 400. Which will make the whole directory non writable. This will prevent hackers from uploading the shell and also from penetrating further.
An attacker can alternatively try to upload the shell via your FTP, so you should also make sure that you disable port 21/ Disable FTP access.
Securing From Symlink
Symlink bypass is one of the most commonly used attacks, Even if your joomla website is completely secure, it's still possible for an attacker to extract your configuration files "Configuration.php" which contains database username and password via an attack called Symlink bypass. In order to protect your configuration.php, you need to change the permissions to 400.
You can do it by applying the following command:
CHMOD 400 Configuration.php
Protect From Mass Defacement
Lots of time it happens that hackers manage to gain root access to the server on which your joomla blog is hosted, In these cases the attacker runs a Mass Defacement tool/script, which changes the index files of all the websites running on the server, In order to protect your blog from mass defacement attack, All you need to do is change the permissions of index.php to 400. However, this does not provide complete protection, because the once the hacker has root on the server, he can manually change permissions of your blog, hence defacing your website.
I hope you have liked my post on "Secure Joomla From Hackers". Though there is lot left, but i have highlighted important steps in order to protect your website from being hacked.