In this post we’re going to be discussing Joomla and its security. We will also explain how to ensure that your copy of Joomla is up to date and fully secure.
What is Joomla?
Joomla is becoming one of the most popular content management systems (CMS) on the internet. It’s thought to power roughly 3% of the Internet’s websites, with around 30 million downloads. So it’s quite possible that during your daily surfing fix, you have browsed at least one website which was powered by Joomla.
As Joomla is so popular, it is quite common for exploits and vulnerabilities to be sought out by malicious Internet users. These may or may not be serious exploits; some people do it just “because they can”. Rest assured, the Joomla project has a dedicated Security Team on hand to combat all these problems. Any critical updates are always released immediately to ensure Internet-wide security.
What can I do to make sure I’m secure?
The first thing to start with is making sure your installation of Joomla is up to date. The best and easiest way to find this out is to visit the Joomla website and look on their downloads page. This will usually display their latest stable and development versions.
If your current version doesn’t match the latest stable release, then I’m afraid it’s that dreaded time to update your website!
If you installed your Joomla via our Softaculous system, you’ll receive an email when updates are released and available. This will help you to keep up to date and secure.
If you’ve installed manually, you’ll be able to log in to your administration page at yourdomain.co.uk/administrator (or your custom admin log-in URL).
At the time of writing, the current version of Joomla! is version 2.5.
How do I update?
There are two ways to update your Joomla installation. The first option is to upload the new files via FTP, making sure you take a backup of the existing files first, just in case. The second is to install “Admin Tools (external website)”, which will provide a one-click update option.
Should I migrate to the new version tree?
If you’re using any version below 2.5 you should seriously consider migrating over to the latest version. The main reason is that security updates are only available and supported on the latest versions. This basically means that you’re open to a whole world of potential exploits and vulnerabilities if you’re using older versions.
When upgrading to the newest version from an older version, it is important to remember that many changes will have been made to the way the system runs in the background. You will possibly need to reinstall/re-download any plug-ins you have installed, along with finding an up-to-date version of any templates you’re using.
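The version check described above (installed version against the latest stable release, and against the 2.5 support floor) can be scripted. This is an added example, not code from the Joomla project or from this post; it assumes the installed version is read from the core manifest at administrator/manifests/files/joomla.xml, and the manifest content and version numbers used are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Joomla core manifest. Assumption: on Joomla 2.5 and
# later it lives at administrator/manifests/files/joomla.xml.
SAMPLE_MANIFEST = """<extension version="2.5" type="file" method="upgrade">
  <name>files_joomla</name>
  <version>2.5.4</version>
</extension>"""


def installed_version(manifest_xml):
    """Return the text of the manifest's <version> element."""
    node = ET.fromstring(manifest_xml).find("version")
    if node is None or not (node.text or "").strip():
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def parse_version(text):
    """Turn '2.5.4' into (2, 5, 4); refuse anything but dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError("not a dotted version: %r" % text)
    return tuple(int(part) for part in text.split("."))


def update_status(installed, latest_stable, oldest_supported="2.5"):
    """Classify an install as 'migrate', 'update' or 'current'.

    latest_stable is whatever the Joomla downloads page shows today; the
    values used with this example are constructed.
    """
    versions = [parse_version(v) for v in (installed, latest_stable, oldest_supported)]
    width = max(len(v) for v in versions)
    # Pad so that 2.5 and 2.5.0 compare equal.
    inst, latest, floor = (v + (0,) * (width - len(v)) for v in versions)
    if inst < floor:
        return "migrate"   # older tree: security updates are no longer available
    if inst < latest:
        return "update"    # supported tree, but behind the latest stable
    return "current"


if __name__ == "__main__":
    found = installed_version(SAMPLE_MANIFEST)
    print(found, update_status(found, "2.5.9"))  # "2.5.9" is a constructed value
```

Comparing the parts as numbers matters: as plain strings, "2.5.10" would sort before "2.5.9" and an up-to-date site would be reported as outdated.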
Are your extensions up to date?
Extensions are another route for exploits and vulnerabilities, and one the Joomla Security Team isn’t able to fend off. Extensions are usually coded by third-party developers, and this is probably the most common way for exploits to be found and used. It is also a good idea to make sure an extension you’re using isn’t listed on Joomla’s “Vulnerable Extension List”. Those listed in green have been fixed since being added to the list and are considered safe to use; those in red, however, are not.
Within Joomla version 2.5 and above, you can have your extensions updated automatically as updates become available. With older versions of Joomla, however, you will need to update them manually. Information on how to do this is usually supplied by the developers of the extensions. Ensure that you back up any current data before you upload new data.
Is your Administration panel accessible to the world?
One of the best ways to secure your Joomla installation is to hide the fact that you’re running Joomla. To do this, you can change the location of your administration panel: access your files via FTP and rename your administrator folder to something else, such as “keepoutofmysite”. This would mean anyone going to yoursite.co.uk/administrator will get a 404 error (page not found). Another option, if you use Admin Tools as described previously, is to require an additional word in the URL of the admin page, such as yoursite.co.uk/administrator/?mysecretpassword. This means that if anyone visits yoursite.co.uk/administrator they will get a blank page, or an error message saying the page isn’t found/accessible.
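Once the folder has been renamed, every request for the old /administrator path ends in a 404, so your access log shows who is still looking for it. The following is an added example, not part of the original post: it counts those 404s per client over constructed log lines, assuming the Apache combined log format; the function name and the threshold of 3 are illustrative choices.

```python
import re
from collections import Counter

# Constructed access-log lines (Apache combined format, documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Aug/2019:10:01:02 +0000] "GET /administrator/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Aug/2019:10:01:03 +0000] "GET /administrator/index.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Aug/2019:10:01:05 +0000] "POST /Administrator/index.php?lang=en HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.20 - - [14/Aug/2019:10:07:44 +0000] "GET /administrator HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.20 - - [14/Aug/2019:10:07:50 +0000] "GET /administrator-guide.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Aug/2019:10:09:11 +0000] "GET /keepoutofmysite/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
this line is not a log entry
"""

# Captures: client IP, request method, request target, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')


def admin_probes(log_text, default_path="/administrator", threshold=3):
    """Return {ip: count} for clients with >= threshold 404s on the old admin path."""
    hits = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        ip, _method, target, status = match.groups()
        # Drop the query string and normalise case and trailing slash.
        path = target.split("?", 1)[0].rstrip("/").lower()
        # Match the folder itself or anything beneath it, but not look-alike
        # names such as /administrator-guide.html.
        on_admin = path == default_path or path.startswith(default_path + "/")
        if status == "404" and on_admin:
            hits[ip] += 1
    return {ip: count for ip, count in hits.items() if count >= threshold}


if __name__ == "__main__":
    for ip, count in sorted(admin_probes(SAMPLE_LOG).items()):
        print(ip, count)
```

A single 404 on the old path is often a stale bookmark; repeated hits from one address are worth a closer look or a block at the firewall.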
Is the default username still active?
By default, Joomla will have a standardised username and password to access the Admin area (those who install via Softaculous may not have this problem). It is always best to make sure that you create a new admin username and disable/remove the default one. The best solution would be to have one main master admin account with all the permissions, and then a “moderator” account with fewer permissions that you use on a regular basis. This means that if your everyday account is compromised, whoever has it doesn’t get 100% access to your website and data.
The best way to think about the Administrator account is the following: Would you give your keys to your house or expensive car to someone you didn’t know or trust?
Are you taking regular backups?
Another thing to think about is backing up your data. In the unfortunate event that your website does get compromised, you’ll want to ditch all information currently stored and restore a backup of your site from before the incident.
The best thing to do is to back your data up to a secure off-site backup location. If you’re a shared hosting customer you can back your data up yourself. If you have a cloud or dedicated server you can look at our backup options.
Ways to keep on top of this.
The key to keeping on top of things is creating a backup schedule. Find yourself a calendar solution, such as Gmail, as most people have one these days! You can then set it to send you an alert when a backup is due. Also, it’s an idea to keep an eye on the Joomla News section for upcoming releases and up-to-date information. Alternatively, subscribe to their RSS feeds.
In conclusion, as long as you stay smart, keep up to date and follow the steps and guidelines above, you shouldn’t experience any issues with your site. There is nothing worse than having to recover your website from an attack.
Last modified: 14/08/2019