Joomla Security – Security Joomla

To create a site using Joomla or better if you want to provide hosting for Joomla CMS that you will set your server to optimize performance for security. Why does Joomla if used unwittingly could be exploited by hackers that can exploit the bug system Joomla in order to reach the management of the entire server.

We start from the beginning we have a website with php 5 possibly because of the safest php 4, mysql database, the operating system can be both Linux and Windows although it is recommended LINUX. Now install Joomla! we finished in 6 steps. Upload via FTP (SmartFTP) all files and folders in the space dedicated to you, call the index.php from your browser or the installation / index.php and follow the instructions on the screen.

After installation, remember to make sure your installation of Joomla, we begin to delete the "installation" with all files, right after we have forgiven all file permissions changed to its original place, usually in the folders 0755 to 0644 and files. Remember that the folder "media" and "images" must be writable so you can upload files to your website. The configuration file configuration.php and the most important thing to remember because the more usually used to change the settings of the site, but never forget to call edi permissions to that file is not writable.

From now on, we remember that we install enough, but if you install other third-party components have to be very careful, and check out where they are safe in all cases we have to always update both components and modules and mambots to bridge the latest versions as new versions are released which includes some new bugs. Also you have to do with Joomla issuing new versions that correct the bugs, so we must also upgrade to the latest stable Joomla same as soon as possible.
After installation, do not forget to set 0444 permissions to the configuration.php file
Changing permissions on files and folders chmod 0644 to all files and folders to chmod 0755.

We can also set the Joomla global configuration that permits to put new files and folders as above, at 644 and 755 for folders.

Use username and password are not easy to guess, also try to change passwords often administration. A good rule might be to use a combination of numbers and uppercase and lowercase characters. Never store your password on the site and not spread it on the net for any reason, if you have any suspicions immediately change it.

Another very important thing comes when you use the components of Joomla SEO-SEF, because this could jeopardize the entire site or even the entire server. Modified the file htaccess.txt to. Htaccess can change the functions of PHP, such as:

The "register_globals PHP is ‘ON’ instead of ‘OFF’. To put it safely in your. Htaccess

  php_value register_globals off 


  register_globals = 0 

There are other features that you can modify to make it more secure site, you must change the server’s php.ini file. To block SQL iniection , just put the following lines in your php.ini page:

  allow_url_fopen = OFF 
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

The first line disables permission to run malicious script through the url. The second disables a lot of PHP functions:

  • shows_source – a pseudonym highlight_file () which provides syntax highlighting for files;
  • system – allows execution of external programs;
  • shell_exec – allow execution of orders by a shell;
  • exec – allow execution of orders;
  • passthru – similar to the function of the exec (), allows the execution of orders;
  • phpinfo – outputs PHP information that could be used by potential intruders;
  • popen – opens a pipe to a process that is performed by a particular order;
  • proc_open – similar to popen () but provides better control over the execution order.

So this setting disables all possible executions of scripts. Again, this could cause problems with some components and modules that use the PHP functions for orders to launch, but their number is negligible.

To apply the above rules and to ensure complete safety of the portal, you can use the htaccess file. Since not all leave the webhosting and use this file because some functions can only be specified in the php.ini file server, we can intervene using the php.ini file to include the restrictions.

Finally: Copy the file php.ini in each folder or subfolder of your Joomla!. Possibly after your site is properly installed and fully functional, then check if everything works after you enable these changes.

Then, as an additional measure of security, protect folders with a htpasswd file. In / administrator, creates two new files: htaccess and htpasswd.

Htaccess file should contain the following lines:

  AuthType Basic 
AuthName "Joomla Administrator"
AuthUserFile / full / path / to / joomla / administrator / .htpasswd
<Limit GET>
require valid-user
</ Limit>

Specify a username (different from the one already registered within Joomla!) And a long and difficult password to guess, if you have trouble try to follow the link htaccess tools . You will have a double password to access Administration of your Joomla site, remember this data and store them safely also outside of the site, maybe on the agenda.

Delete the installation files and images that you do not need the subdirectories of the Joomla! You may also delete unused modules. Check all installed extensions to see if there are vulnerabilities and visit the database of the Secunia Vulnerability often. Visit Joomla! The category of Darkness forums and read what others have to say and, in case of disaster, following these guidelines . Also I suggest reading the Joomla! Checklist Safety Coordinator .

The main thing for safety is kept informed. Check security lists and update your extensions whenever new versions are launched.