If you just installed Joomla
or you want to ensure your current version of Joomla is properly secured, this complete Joomla Hardening Checklist
will help you manage current and future versions of Joomla installations. The purpose of “hardening”
is to pull the rope tighter around a new installation of software. Typically, a default installation of SQL for Microsoft, for example, has a default password, username, localhost pages, ports, and the list goes on – that anyone
on the Internet can find out and potentially gain access to. Hardening
in essence removes or changes the default values associated with a new install of software.
In this Joomla hardening guide, we also include tips for cleaning up unused files to free space and optimizing a general Joomla site. 1. Enable Search Engine Friendly URL’s
Any new website you build must have SEO Friendly URL’s
enabled. By default, Joomla disables this because it requires functionality from your hosting provider (or host software) to work in Apache.
You will need to enable rewrite_mod
module in your httpd.conf
file in your Apache installation. You’ll then need to modify your Joomla Htaccess
file to make the rewrite work.
See this link
for more information on accomplishing this and also this link
for trouble renaming your htaccess file. 2. Enable 404 Redirects
Whenever someone tries accessing a web page on your website that no longer exists or was recently deleted, by default they are redirected to what’s called a 404 page.
It’s basic page informing the user they reached a web page of your site that no longer exists. It looks bad and Google does not like when this happens on a site. You have several options for behavior when a user reaches a 404 site,
but most typically send users back to their homepage – so a user never sees a 404 error.
Check out this link
for getting 404 pages to redirect to your website homepage. 3. Delete and Remove any Unused Templates
A new installation of Joomla out of box comes with default templates
including Atomic, Beeze, Hathor, Bluestork,
etc. Joomla encourages the use of their templates to get started quickly with an out of box design. Additionally, the default Joomla templates are extremely optimized
and will probably be the fastest of any 3rd
party template you install.
In such cases, the default Joomla
templates aren’t really nice looking and almost everyone today uses a custom template. If you aren’t using the default Joomla templates, you can remove them any time.
Login to your Joomla backend and go to Extensions -> Manage.
drop down menu, select Templates
to reveal all Templates currently installed on your website. From here, you can select the check box for any of the default templates you aren’t
using and uninstall them this way.
Be sure to not uninstall the template you’re currently using! 4. Mask Administrator Backend Login
By default, all Joomla backend administrator pages are accessible by /admin directory. If not properly secured, anyone on the Internet
can get to your administrator login page and brute force guess username/password combinations to gain access. You never want
to give someone an opportunity for this – even if they don’t access your backend, your site can be taken down
You can mask your administrator login with a secret key. This adds an extra layer of security to your website. Check out AdminExhile 5. Disable “Allow User Registration” if Not Needed
By default, Joomla allows for people to create public login accounts to your website even if you don’t have a link published for them to do so. It is important to disable allow user registrations
if your site isn’t going to need this feature.
In your Joomla backend, go to Users -> User Manager.
at the top. Here you can select no
for Allow User Registration
6. Enable Google reCaptcha on Pages Users Will Interact with Such as Contact Form.
Google reCaptcha defends against automated processes on the Internet from interacting with components on your website. It is absolutely critical you use some type of captcha on your website today if you allow the ability for user interaction.
You’ll need to create a Google reCaptcha public and private key using a Google account first. Then, you can enable Captcha - ReCaptcha plugin in Joomla with the Google keys you created. You’ll also want to enable reCaptcha as your Default Captcha in Joomla Site Settings.
7. Review Access and Error Logs Weekly
Depending on your host provider or software, you should review your Apache access log files weekly and study for trends from unwanted visitors. Typically, you’ll be able to quickly see parts of your site certain IP’s are visiting that you aren’t typically allowing access to – or that don’t exist. You can quickly take steps to block unwanted IP addresses this way.
Your Joomla error_log (found in root/error_log) will contain front and backend errors about areas of your site. Most of the log may be informational; however it’s good to know what’s going in your site to help you understand why something else isn’t working. This log will also contain PHP errors you receive.
We hope this guide provides useful information for your future Joomla installations – so we can all make our Joomla sites happy secured!