Joomla Security – Top 10 tips to secure your website

You might be familiar with JOOMLA!. It is a free and open-source content management system (CMS) for publishing web content. Behalf of its excellence JOOMLA had secured several awards. It is based on a model–view–controller web application framework that can be used independently of the CMS that allows you to build powerful online applications. The platform is user friendly, extendable, multilingual, accessible, responsive, search engine optimized and so much more, therefore Joomla is the most popular website softwares. Since Joomla is based on PHP and MySQL, you’re building powerful applications on an open platform anyone can use, share, and support. Joomla is free, open, and available to anyone under the GPL license.

joomla

JOOMLA Vulnerabilities

Have you ever faced an online threat? A critical criteria or chaos faced by the cyber field is Internet security. It is always better to keep an eye on online threats. Joomla is second largest CMS downloaded over 68 million times and latest research by SUCURI reveals second infected website platform. Joomla have large user base because of that it encounters a wide-range of security related issues.

1. SQL Injection Vulnerability

You might have heard the news that JOOMLA 3.7 became affected to SQL Injection Vulnerability. Any individual visiting your Joomla site stands to be exploited with a malicious intent. This was due to public access. The vulnerability stems from a new component, com_fields, which first appeared in version 3.7. Due to the widespread use of the SQL database on such web platforms Joomla, WordPress, and PHP are largely affected by this vulnerability.
The vulnerable component is accessible on the public facing site .Therefore it is extremely easy to exploit. All the attacker has to do is craft malicious URLs, insert his own SQL operations, and access the URL. To patch up with this vulnerability what you have to do is to update to the latest Joomla version.
Joomla SQL Injection Vulnerability

2. Cross Site Scripting Vulnerability (XSS)

Joomla versions 1.5.0 through 3.6.5 is affected by two Cross-Site Scripting (XSS ) vulnerabilities: CVE-2017-7985 and CVE-2017-7986. When users post or edit an article,the user inputs may be malicious ,JOOMLA fails to sanitize this, thus XSS vulnerability exists in these versions. An attacker can run a malicious code in the victim’s browser thereby gaining control of his/her Joomla account. If the victim has admin permissions, the attacker could gain full control of the server. Although Joomla has its own XSS filters, one could still find a way to bypass these filters. The immediate fix is to update to the latest version.

3. Privilege Escalation Vulnerability

Joomla versions 3.4.4 through 3.6.3 is affected by this vulnerability. A module will be created with an arbitrary account with administrative privileges. If an email server is configured in the CMS an e-mail is sent to activate the account. Once the account is activated, the attacker will have a valid account with permissions to log in to the administrator/ interface he can edit one of the templates, and inject PHP code. Affected versions can allow users in Administrator group to install extensions, thus creating further scope for code executions.

By exploiting this feature, an attacker could upload the PHP backdoors on the website and gain access to the server. Moreover, the attacker could also gain full access to the system while trying to elevate the limited Linux user. The fix to this is updating to the latest version.

Top 10 tips to secure your website

1. Updating your software

JOOMLA software is needed to be updated to the latest versions (as well as all of your extensions) because in almost all versions there are fixes for security issues. Updates can be done from administration area.

If you needed to migrate your software to a newer track of JOOMLA follow the following recommendations-

  • Migrate Joomla 1.6 to 2.5.x

  • Migrate Joomla 1.7 to 2.5.x

  • Migrate Joomla 1.7 or 2.5.x to 3.x.x

2. Smart Usernames and Passwords

In JOOMLA be smart with your usernames and passwords. It is always recommended to use a complex password. Never use “admin” as your username. This is the simple and easiest way to harden your security. Approximately 76 percent of attacks on corporate networks involved weak passwords. Joomla lets you update your administrator’s username from the dashboard. Follow these steps-

1. Click into “Users” → “Manage”, select your administrator’s (Super User) account and click on “Edit.”

2. Then simply change the value in the “Login Name” and click “Save.”

Use a password manager to generate long, complex password strings. Avoid keeping password with includes your name, site name. You may prefer to use Secure Password Generator

3. Running the latest versions of extensions

Latest version of JOOMLA alone cannot secure your site. The extension that you use in the JOOMLA site contain vulnerabilities, it will increase your sites attack. Therefore JOOMLA extensions are to be up-to-date. Thereby site is covered with the latest security updates by the extension’s author. Be selective when choosing extensions, By avoiding the installation of unnecessary extensions, you would automatically be reducing your site’s attack surface. The more downloads and recent updates the extension has, the more likely it is for a vulnerability found, to be fixed quicker.

Here are some popular JOOMLA security extensions:

  • ACL Manager: Easily discover & fix issues with your JOOMLA assets (permissions) table / ACL.

  • AdminExile: Brute force detection, blacklist and whitelist IPs.

  • QuickLogout: Get rid of logout confirmation prompt to ensure people log out.

  • Securitycheck Pro: A global protection suite designed to protect your website without affecting your server’s speed.

  • jomDefender: CSRF prevention, remove Joomla PHP header, Admin password prompt.

4. Use secret key to login into JOOMLA Admin

Use a secret URL to access the administration area and hence hide your administrator backend from attackers. You can use login protection extension like KSecure that helps you to add a secret key. Whenever you need to access admin login page you can enter the secret key after administrator.

5. Use Proper File Permissions & Ownership

To control what you and other people can do with a file or folder file permissions is a method. Your account can be used to access files and folders only when you configure your permissions and thereafter outside visitors can’t read important Joomla configuration files

  • All files should be set with a CHMOD value of 644
  • All folders should be set with a CHMOD value of 755

  • Your configuration. php file should be set with a CHMOD value of 640

6. Harden HTTP Security Headers

Another layer of security for your JOOMLA site can be provided by HTTP security headers. Only small configuration change are required on your web browsers.These headers will well handle your sites content.The commonly recommended HTTP security headers are listed.

  • Content-Security Policy

  • X-XSS-Protection

  • Strict-Transport-Security

  • X-Frame-Options

  • Public-Key-Pins

  • X-Content-Type

7. Monitor Your Website

Monitoring your website continuously is an important factor and is quiet difficuilt also.Is your site is still up and running? how do you know that? You need to monitor your website continuously to make sure it has not been hacked. If a problem is detected, you will get an email or SMS. Do you want to keep an eye on your site? There are several tools like updown.io or Pingdom.

8. Block Bad Bots

Does your bandwidth ever get stolen because of bad bots, scrapers, and crawlers hitting your Joomla sites. At botreports.com a list of bad bots can be identified. The security extensions mentioned above can block bad bots. This is needed to be done at server level. To block multiple User-Agent strings at once, you could add the following to your .htaccess file.

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*(Botname1|Botname2|Botname3).*$ [NC]
RewriteRule .* – [F,L]

9. Install an SSL Certificate

The communication between your visitors and your website are needed to be protected, for that you need to encrypt it using SSL. Even if you are not running e-commerce sites or payment gateways, running on HTTPS, Having a SSL certificate will add to your site security by protecting your username and password when you or your colleagues log into on your website. Otherwise these login details are sent over the internet in plain text. Obtaining and installing a certificate has become free and easy to do. Once installed, you can test and improve your SSL configuration using the SSL Server Test.

10. Use Web Application Firewall

Web Application Firewall (WAF) is used for any website to protect from top OWASP 10 security, known vulnerabilities & malware. If the host of your JOOMLA website is on VPS ,then you may use ModSecurity which is free. On shared hosting or don’t have time, then you may consider cloud-based web application firewall. Using WAF will help you from following.

  • Bot protection

  • Login protection

  • Backdoor protection

  • DDoS protection

  • SQL injection

  • XSS attack

  • Joomla specific vulnerabilities

  • Brute force attack

  • Layer 7 DDoS protection

SUMMARY

There are many ways you can harden your Joomla security. There are several other methods too but these seems to be the more applicable. Keeping Joomla and extensions up to date, being smart with usernames and passwords, using security extensions etc. Most of these recommendations can be completed within few minutes and thereby we can ensure that our JOOMLA site is secured from attackers or hackers. If you find some other tips more applicable than these or if we missed something please don’t fail to let us know.