Allan Libby
Diaries of a Webmaster, Entry 5: Joomla! Security Tips
Monday, 20 September 2010 20:08
Written by Allan Libby

The topic of this journal entry is site security, specifically Joomla! security.  Joomla! ships with a bunch of default settings that, if left untouched, can give an attacker access to information or administrative tools.  I will discuss some tips and tricks on how to change some of them to make your Joomla! install a bit more secure.  Note that these are some of the basic things to do; there are other, more advanced tricks that can be performed to make it even more secure.  Before making any of these changes to a live site, first test them out on a test or development site until you understand what these changes are doing and have all the bugs worked out.

First we will take a look at administrator accounts.  By default, Joomla! creates a Super Administrator account called admin.  Because that username is known in advance, a malicious person only has to guess the password, and can run a brute force attack against this account to do so.  As soon as they have access to it, they can do anything and everything to your website.  The easiest way to combat this is to create another Super Administrator account with a different name and block the default one.  To do this, log in as admin and go to the User Manager.  Create a new user with your desired username and set this user to be a Super Administrator.  Next, log out of admin and log in to this new user account.  Go again to User Manager and edit the admin user.  Set this user to be a “Registered” user and hit Apply, then click the “Yes” radio button next to “Block User?”.  The steps must be done in this order because Joomla! does not let you block a Super Administrator.

When you install Joomla!, the installer asks what you want the database prefix to be.  Most of us ignore this and just hit Next to get the installation over and done with.  This leaves all of your database tables with the prefix Joomla! defaults to, which is to say anyone who knows how Joomla! works can figure out the names of all of your tables pretty easily.  This leaves your site exposed to an SQL injection attack, where a malicious person can run queries against your database to do Bad Things™ to your website; knowing the table names in advance makes such an attack much easier to carry out.  In this article on the Joomla! Community Magazine website the author discusses an easy way to change all of these tables after you have Joomla! installed (http://magazine.joomla.org/topics/item/108-the-prefix-has-nothing-to-do-with-telephony).
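The two checks above (the default admin Super Administrator and the default table prefix) can be audited from a copy of configuration.php and a dump of the users table, and the prefix change can be scripted instead of done by hand. The script below is an added example, not code from the original post or from the Joomla! project; it assumes the Joomla! 1.5 layout of `var $dbprefix = '...'` in configuration.php and the `username`, `usertype` and `block` columns of the users table, and all sample input is constructed.

```python
"""Audit a Joomla! 1.5-style configuration.php and a users-table dump for the
two defaults discussed above, and emit the SQL needed to move every table to a
new prefix.  Added example; not part of the original post or of Joomla! itself."""
import re

DEFAULT_PREFIX = "jos_"
# Matches `var $dbprefix = 'jos_';` (or `public $dbprefix = ...` in later releases).
PREFIX_RE = re.compile(r"^(\s*(?:var|public)\s+\$dbprefix\s*=\s*')([^']*)(';)", re.M)

# Constructed sample input: a configuration.php fragment as shipped by default.
SAMPLE_CONFIG = "class JConfig {\n\tvar $dbprefix = 'jos_';\n\tvar $host = 'localhost';\n}\n"
# Constructed rows from the users table: (username, usertype, block).
SAMPLE_USERS = [("admin", "Super Administrator", 0), ("webmaster", "Super Administrator", 0)]
# Constructed table list; the last entry shows that unrelated tables are left alone.
SAMPLE_TABLES = ["jos_users", "jos_content", "jos_session", "wp_posts"]

def read_prefix(config_text):
    """Return the $dbprefix value from configuration.php, or None if it is absent."""
    m = PREFIX_RE.search(config_text)
    return m.group(2) if m else None

def set_prefix(config_text, new_prefix):
    """Return configuration.php text with $dbprefix replaced by new_prefix."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9]*_", new_prefix):
        raise ValueError("prefix must be letters/digits and end with '_'")
    return PREFIX_RE.sub(lambda m: m.group(1) + new_prefix + m.group(3), config_text)

def rename_statements(tables, old_prefix, new_prefix):
    """RENAME TABLE statements for every table carrying old_prefix; others are skipped."""
    return [f"RENAME TABLE `{t}` TO `{new_prefix}{t[len(old_prefix):]}`;"
            for t in tables if t.startswith(old_prefix)]

def audit(config_text, users):
    """Findings for the two defaults: the jos_ prefix and an unblocked 'admin' Super Administrator."""
    findings = []
    if read_prefix(config_text) == DEFAULT_PREFIX:
        findings.append("database prefix is the default 'jos_'")
    for username, usertype, block in users:
        if username == "admin" and usertype == "Super Administrator" and block == 0:
            findings.append("default 'admin' account is still an unblocked Super Administrator")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_USERS):
        print("FINDING:", finding)
    for stmt in rename_statements(SAMPLE_TABLES, DEFAULT_PREFIX, "xk3_"):
        print(stmt)
    print(set_prefix(SAMPLE_CONFIG, "xk3_"), end="")
```

Run the RENAME statements and write the rewritten configuration.php in the same maintenance window, since the site is broken while the two disagree.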

After doing these two steps your site is secure against two of the most common attacks against websites.  Do not think your site is invulnerable at this point.  There are still plenty of ways more advanced hackers can get into your site.  If you are interested in more advanced ways of securing your Joomla! site you can check out the Security Checklist http://docs.joomla.org/Category:Security_Checklist.
