Actionable Security Tips for Joomla
A fully secured website is a myth. This is proven over and over again by the breaches the biggest corporations suffer every year.
But does that mean you shouldn't invest in security?
Absolutely not!
Keep in mind, hackers are going to hack anyway. Your job is to hold off an intrusion for as long as possible.
The process is called server hardening. It is achieved by incrementally increasing the security of your server and of the web application running on it, such as WordPress or Joomla.
The following Joomla Security Guide focuses strongly on system administrators and assumes you've already implemented the following security practices on your Joomla instance:
- Updated Joomla and PHP
- Applied User access control
- Enabled regular backups
- Installed security extensions
- Enabled strong login-password
- Disabled FTP access
- Applied robots.txt
Make sure you have a good understanding of Linux systems and are comfortable editing server config files, or hire a Joomla Security Consultant.
Let's get started:
1. Configure Joomla Web-application Firewall
Almost every web application is, at some stage, found vulnerable to serious attacks like XSS (cross-site scripting) or SQLi (SQL injection).
When a PHP vulnerability is disclosed, you can expect bots to exploit it and drop malware on your server.
At the server level, you can help prevent XSS attacks.
Open your nginx configuration file:
sudo nano /etc/nginx/sites-enabled/yoursite.conf
and add the following lines inside your server{} block
1.1 Reduce XSS Risks (Content-Security-Policy)
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';" always;
1.2 Prevent categories of XSS attacks
add_header X-XSS-Protection "1; mode=block" always;
1.3 Enable Rate Limiting
Enabling rate limiting at the server level is the best way to prevent brute-force attacks whilst keeping your website performant.
Our server experts always enable the Nginx rate limit feature during server hardening.
Most importantly, we tweak the limit_req_zone parameter in the Nginx configuration file /etc/nginx/nginx.conf to rate limit requests.
For instance, you can add the below code to your nginx.conf:
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
This adds a zone called one that can hold up to 160,000 unique IP addresses (as 1m = 16,000 IPs), each limited to a rate of 1 request/second.
But that's not enough. SQLi, malware prevention, SSH brute-force and signup spam are still left to tackle. These require continuous monitoring of the application and cannot be handled solely at the server level.
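The following is an added example, not the post's own configuration, showing how the headers from 1.1 and 1.2 and the rate limit from 1.3 fit together. The post's limit_req_zone line only declares the zone; nothing is throttled until a limit_req directive references it, so that wiring is shown here. The document root, the PHP-FPM socket path and burst=10 are assumptions.

```nginx
# Added example, not the post's own config. Two files, separated by comments.

# --- /etc/nginx/nginx.conf ---
http {
    # limit_req_zone is only valid in the http{} context. Zone "one" keys on the
    # client IP, holds 10 MB of state (about 160,000 addresses), 1 r/s per address.
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

    include /etc/nginx/sites-enabled/*.conf;
}

# --- /etc/nginx/sites-enabled/yoursite.conf ---
server {
    listen 443 ssl;
    server_name yoursite.com www.yoursite.com;
    # ssl_certificate / ssl_certificate_key are written here by certbot (section 2)
    root /var/www/yoursite;                 # assumed document root

    # 1.1 and 1.2: "always" emits the headers on error responses too. Roll the CSP
    # out as Content-Security-Policy-Report-Only first: a 'self'-only policy blocks
    # inline <script> and <style>, which many Joomla templates rely on.
    add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # 1.3: declaring the zone does nothing by itself; it is enforced only where a
    # limit_req directive references it. burst=10 tolerates short spikes, nodelay
    # serves the burst at once instead of queuing, and excess requests get 429.
    location ~ \.php$ {
        limit_req zone=one burst=10 nodelay;
        limit_req_status 429;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Validate with `sudo nginx -t` before reloading; a limit_req_zone placed inside server{} fails this check, which is the quickest way to spot the misplacement.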
We offer premium Joomla security consultation and services. Request a free demo and one of our brightest minds will get on a call with you to show how we can help prevent breaches.
2. Enable Site-Wide SSL Encryption
Enabling encryption protects you from insider attacks too. Hackers can easily eavesdrop on your network conversation, which in the worst case leads to admin credential compromise. Enable SSL on your site to prevent eavesdropping.
Step 1. Install certbot on your Linux instance and request a free SSL certificate.
sudo add-apt-repository ppa:certbot/certbot
Hit [ENTER] to continue
Step 2. Now install Certbot's Nginx package with apt:
sudo apt install python-certbot-nginx
Step 3. Request a free SSL certificate from LetsEncrypt
sudo certbot --nginx -d yoursite.com -d www.yoursite.com
Upon running the above command you'll see the following:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
- No redirect - Make no further changes to the webserver configuration.
- Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Step 4. Enter "1" and continue.
Your certificates should be installed and enabled now.
Optionally, you can request stronger encryption keys from LetsEncrypt. We recommend using only a 4096-bit key pair. To do that, run the following command instead:
sudo certbot --nginx -d yoursite.com -d www.yoursite.com --rsa-key-size 4096
Enable HSTS (HTTP Strict Transport Security)
Enabling SSL is not enough these days. It's very easy for hackers to strip the encrypted connection (SSL stripping) and listen to the conversation. Enable HSTS (HTTP Strict Transport Security) on your server.
Enabling it tells the browser to remember the site's security requirement. That means the site MUST always be loaded over SSL and never over plain HTTP.
To enable HSTS headers, go to your nginx server config /etc/nginx/sites-enabled/yoursite.conf and add the following code inside the server{} block:
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
NOTE: 63072000 (seconds) tells the browser to cache the site's HTTPS-only requirement for 2 years.
3. Enable Multi-factor Authentication
Joomla 3.2 and higher ships with native support for multi/two-factor authentication.
To set up Two-Factor Authentication, go to the User Manager, edit a user and open the Two-Factor Authentication tab:
Select your desired authenticator app (we recommend Google Authenticator) and proceed with the instructions shown.
4. Protect Admin Login
Block all access to Joomla's administrator login page. Add these lines to the Nginx site configuration.
Disable Joomla Admin Access:
location ~* /administrator.* {
deny all;
}
As a fallback, add a new user beforehand with a manager/editor role.
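An added example, not the post's own configuration, that goes one step beyond the flat deny above: the administrator path answers only to a trusted address and throttles what gets through. It assumes zone "one" is declared in http{} (section 1.3), that 203.0.113.10 (a documentation-range address) is the admin's fixed IP, and the same PHP-FPM socket as the rest of the site.

```nginx
# Added example, not the post's own config. Only the administrator location is
# shown; listen, server_name, root and the site-wide locations stay as before.
server {
    # ... listen, server_name, root, site-wide locations ...

    # ^~ is a prefix match that stops nginx from consulting regex locations, so the
    # server-level "location ~ \.php$" never answers administrator requests. The
    # post's "~* /administrator.*" regex would also match e.g. /images/administrator.jpg.
    location ^~ /administrator {
        allow 203.0.113.10;     # assumed trusted admin address; replace with yours
        deny  all;              # everyone else gets 403 before PHP is ever invoked

        # allow/deny are inherited by this nested location, which is needed so the
        # back end's PHP still executes for the trusted address.
        location ~ \.php$ {
            limit_req zone=one burst=5 nodelay;   # throttle login attempts as well
            limit_req_status 429;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket
        }
    }
}
```

Check the result from a non-allowed address with `curl -I https://yoursite.com/administrator/index.php` and confirm a 403 is returned.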
Hope you found the guide useful.
Thanks.