The purpose of this tutorial is to show you how to secure your Joomla website. There are several steps you can take to protect your Joomla application. Joomla’s security can be improved significantly by following these simple steps.
- Change the administrative username of your Joomla
- Change the default table prefix of your Joomla database
- Password protect your Joomla administrative area
- Keep your Joomla up-to-date
- Use the .htaccess file to additionally secure Joomla
How to change the administrative username of your Joomla website
By default your administrative username is admin. The majority of attackers would expect the username to be admin, so changing it will protect you against many attacks.
To do this, you should:
- Step 1. Log in to the Joomla administrative area and click on the User Manager menu.
- Step 2. Click on your administrative user in order to edit it. You can either check the box next to the user and click the “Edit” button or directly click on the user’s full name.
- Step 3. On the next page, edit the Username field. Change it to something different from "admin" and click on the "Save" button.
How to change the default table prefix of your Joomla database
Changing the default table prefix will stop the majority of attacks against your database. You can use the DB Admin component in order to do this. Although it is originally designed for Joomla 1.0.x, it works on Joomla 1.5 too.
- Step 1. Install the component and go to Components > DB Admin.
- Step 2. Using the intuitive interface, change the default “jos_” prefix of your Joomla 1.5 tables to a different value.
- Step 3. Modify the configuration.php file in your main Joomla folder. In it, locate the following line:
    var $dbprefix = 'jos_';
  Edit it to match the new table prefix you have set. For example, if you have changed the table prefix to "smth_", the line in configuration.php should look like this:
    var $dbprefix = 'smth_';
  The default table prefix of your Joomla database is now changed. This should block the majority of attacks against your database.
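The DB Admin component does the renaming through its interface. As an added example (not part of the original tutorial, of Joomla or of DB Admin), the shell functions below do the same job by hand: one prints the RENAME TABLE statements for review, the other rewrites the $dbprefix line in configuration.php and keeps a backup. The table list file, the "smth_" prefix and the paths are assumptions for illustration.

```shell
# Added example, not part of the original tutorial or of the DB Admin component:
# a manual alternative for the prefix change. It prints the RENAME TABLE
# statements for review and then rewrites $dbprefix in configuration.php.
# The table list file, prefixes and paths are illustrative assumptions.

# joomla_prefix_sql OLD_PREFIX NEW_PREFIX TABLE_LIST
#   TABLE_LIST holds one table name per line (e.g. the output of SHOW TABLES).
#   Prints one RENAME TABLE statement per table that starts with OLD_PREFIX;
#   tables with another prefix (shared database) are left untouched.
joomla_prefix_sql() {
  old="$1"; new="$2"; list="$3"
  while IFS= read -r table || [ -n "$table" ]; do
    case "$table" in
      "$old"*)
        rest="${table#"$old"}"
        printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$table" "$new" "$rest"
        ;;
    esac
  done < "$list"
}

# joomla_set_dbprefix CONFIG_PHP NEW_PREFIX
#   Keeps a copy as configuration.php.bak and rewrites the $dbprefix line
#   (Joomla 1.5 "var $dbprefix" as well as the later "public $dbprefix").
#   Fails if no line was rewritten, so a typo in the file is not silently ignored.
joomla_set_dbprefix() {
  config="$1"; new="$2"
  cp "$config" "$config.bak" || return 1
  sed "s/^\([[:space:]]*[a-z]* [\$]dbprefix = \)'[^']*';/\1'$new';/" "$config.bak" > "$config"
  grep -qF "\$dbprefix = '$new';" "$config"
}

# Usage (with the site in offline mode and a fresh database backup):
#   joomla_prefix_sql jos_ smth_ tables.txt > rename.sql   # review, then feed to mysql
#   joomla_set_dbprefix /path/to/joomla/configuration.php smth_
```

Run the SQL and the configuration change together: a site whose configuration.php names a prefix that the database does not have stops working until the two agree again.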
Password protect your administrative area
Password protecting the "administrator" folder will add an additional layer of protection to your Joomla website. For more information on how to do that you should refer to our tutorial on How to password protect directories. Use a username and password for this directory protection that are different from the ones for your Joomla account.
Once you do this, you will have to log in twice: first to reach the Joomla login page and then to log in to the application itself.
That makes guessing your passwords a very difficult task for any attacker. In addition, even if there is a security breach within the Joomla script itself, a potential attacker won't be able to reach your administrative area even if s/he knows your Joomla login details.
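The directives behind that second login are short. As an added example (not part of the original tutorial or of Joomla), the function below writes an .htaccess into the administrator folder that requires HTTP Basic authentication, and refuses a password file placed under the web root, where a server misconfiguration could expose the hashes. The web root and .htpasswd paths are assumptions for illustration.

```shell
# Added example, not part of the original tutorial: write the .htaccess that
# puts HTTP Basic authentication in front of the administrator folder.
# The web root and the .htpasswd location are assumptions for illustration.

# joomla_protect_admin DOCROOT HTPASSWD_FILE
#   Creates DOCROOT/administrator/.htaccess so Apache asks for a valid user
#   from HTPASSWD_FILE before Joomla's own login page is served.
#   Refuses an .htpasswd stored inside DOCROOT: if PHP or .htaccess handling
#   ever breaks, a file under the web root could be served to the public,
#   password hashes included.
joomla_protect_admin() {
  docroot="${1%/}"; htpasswd="$2"
  case "$htpasswd" in
    "$docroot"/*)
      echo "refusing: $htpasswd lies inside the web root $docroot" >&2
      return 1 ;;
  esac
  [ -d "$docroot/administrator" ] || { echo "no administrator folder in $docroot" >&2; return 1; }
  cat > "$docroot/administrator/.htaccess" <<EOF
# Second login layer in front of Joomla's own login form
AuthType Basic
AuthName "Joomla administration"
AuthUserFile $htpasswd
Require valid-user
EOF
}

# Usage: create the password file outside the web root first, e.g.
#   htpasswd -c /home/user/private/.htpasswd someuser
#   joomla_protect_admin /home/user/public_html /home/user/private/.htpasswd
```

Basic authentication sends the credentials with every request, so this layer only adds real protection when the administrative area is served over HTTPS.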
Keep your website up-to-date
You should always keep your Joomla application up-to-date. We recommend that you subscribe to the Joomla newsletter in order to receive news about new versions. You can do this at Joomla's official download page.
Once you receive a notification that a new version of Joomla is released, you should upgrade your website immediately.
If your website is running Joomla 1.0.x, it is recommended to migrate it to Joomla 1.5.x. Joomla 1.5 contains many security improvements in the core elements of the application. The migration, however, should be performed with caution. You should always back up your Joomla before proceeding with the upgrade. For more information you can check our tutorial on How to upgrade from Joomla 1.0.x to Joomla 1.5.
Use the .htaccess file to additionally secure your Joomla
You should make the following changes to the .htaccess file in the Joomla directory:
- First, if you don't have a .htaccess file in your Joomla folder, you should rename the htaccess.txt file that comes with your Joomla installation package to .htaccess. To do this, you can use the File Manager tool in your cPanel. Doing this also allows you to enable the SEF functionality of your Joomla application. The rules in it will block the majority of well-known attacks against your website.
- Make sure you are running your website on PHP 5.2 or newer. All XeonBD customers have several PHP versions available for their accounts.
- Block access to all files except index.php and index2.php. Note, however, that you may have to allow access to some additional files if your extensions require them. If certain parts of your website do not appear, check which files they rely on and add them to the access rules. Generally, if you add the following lines to your .htaccess file, everything should work just fine:
<Files *.php>
deny from all
</Files>
<Files ~ "(^index\.php|^index2\.php)$">
allow from all
</Files>
The dots are escaped so that the pattern matches only these two file names. These directives use the Apache 2.2 access syntax; on Apache 2.4 without mod_access_compat the equivalents are Require all denied and Require all granted.
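As an added example (not part of the original tutorial or of Joomla), the functions below automate the steps above: they activate htaccess.txt as .htaccess when needed and append the deny/allow pair, building the allow pattern from index.php, index2.php and whatever extra PHP files your extensions need, so the "some parts of the site disappeared" case is handled by adding names rather than editing regexes. The web root and the extra file name are assumptions.

```shell
# Added example, not part of the original tutorial or of Joomla itself:
# activates htaccess.txt as .htaccess (if not already done) and appends the
# "index.php and index2.php only" rule, with an allowlist for the extra PHP
# files an extension needs. The web root and file names are assumptions.

# joomla_allow_regex [EXTRA_PHP_FILE...]
#   Builds the <Files ~ "..."> pattern. Dots are escaped so that "index.php"
#   matches only that name and not, say, "indexXphp".
joomla_allow_regex() {
  alt='index\.php|index2\.php'
  for f in "$@"; do
    alt="$alt|$(printf '%s' "$f" | sed 's/\./\\./g')"
  done
  printf '^(%s)$' "$alt"
}

# joomla_harden_htaccess DOCROOT [EXTRA_PHP_FILE...]
#   Renames htaccess.txt to .htaccess when no .htaccess exists yet, then
#   appends the deny-all / allow-listed-files pair (Apache 2.2 syntax, as in
#   the tutorial). Fails if neither file is present.
joomla_harden_htaccess() {
  docroot="${1%/}"; shift
  ht="$docroot/.htaccess"
  if [ ! -f "$ht" ]; then
    [ -f "$docroot/htaccess.txt" ] || { echo "no htaccess.txt in $docroot" >&2; return 1; }
    mv "$docroot/htaccess.txt" "$ht"
  fi
  regex=$(joomla_allow_regex "$@")
  {
    echo ''
    echo '# Only the front controllers (and allowlisted extension files) may be requested directly'
    echo '<Files *.php>'
    echo 'deny from all'
    echo '</Files>'
    printf '<Files ~ "%s">\n' "$regex"
    echo 'allow from all'
    echo '</Files>'
  } >> "$ht"
}

# Usage: joomla_harden_htaccess /home/user/public_html mod_example.php
```

Because the rule lives in the site root, it also applies to the administrator folder, so any administrator-side PHP file an extension requests directly has to be added to the allowlist in the same way. On Apache 2.4 without mod_access_compat, replace the two echo lines for deny from all and allow from all with Require all denied and Require all granted.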
The XeonBD Web Hosting servers are perfectly optimized and secured in order to provide you with the best environment for your Joomla website. Please do not hesitate to contact us if you have any questions regarding the security of your Joomla website.