22 October 2009 | Posted in Tips and Tricks
I will try to explain the security work that I did for that client.
- Keep your Joomla updated: I believe this is the most important thing for your web site's security. As I said above, the client was using J! 1.5.7. The first thing I did was update J! to the latest version. I wrote about this a few weeks ago: there is an extension to update your Joomla.
- Password protected administrator directory: Another useful tip is to password protect your Joomla! administrator directory. You can do this under an Apache web server using a .htaccess file. This can be done easily with cPanel. By password protecting the /administrator directory you will have to enter a username and password prior to reaching the Joomla! administrator login page. This means that even if your Joomla! admin password is stolen, your site is still largely protected, since the attacker will not be able to reach your administrator login page. (A reminder for this tip: it is important to use a different password on the /administrator directory.)
- Use the latest PHP version: I know most of you are using shared hosting and cannot change the PHP version. Push your hosting provider to use the latest PHP version. If you are choosing a new hosting company, choose one that is using the latest version. It's not a good idea to use PHP4 anymore as it is now “End of Life” and potentially open to security issues. Honestly, stay away from hosting companies that offer you PHP 4.
- ModSecurity: Using mod_security on your server will stop a lot of attacks against your web site. I suggest installing it if you have the option.
- Extensions: The best side of Joomla is that it has too many extensions. The bad side of Joomla is that it has too many extensions. The suggestion is to install only the ones you need. When removing extensions, you should also ensure you remove any components (including the files themselves via FTP) for any extensions you are not using. Another important point is to use the latest version of the extensions.
- The Joomla! FTP Layer: It was developed as a workaround in case a user was hosting a site on a server that did not run PHP under the account user. It may be useful, but it also opens up a potential security hole since your FTP details are stored in plain text in a Joomla! configuration file. If you are hosting in a secured and tuned environment, you will not need to enable the FTP layer.
- Super Administrator usernames: Joomla uses the "admin" username for the Super Administrator user account. Change it from the default "admin" to something else like "use_something_difficult_to_guess". Make it that bit harder for an attacker to compromise your site.
- Passwords: Ensure you set secure passwords not only for your Joomla! administrator user but also for your web hosting account control panel and FTP logins. It would be a real shame to have spent lots of time securing your Joomla! install only to let an attacker in through a weak password. I recommend a password that is at least 8 characters in length and contains letters (both upper and lower case), numbers and at least one symbol.
- Files and Folder Permissions: You should ensure all of your files are CHMOD to 644 and directories to 755. You should never CHMOD any files or directories to 777, especially your configuration.php file.
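
The permission and FTP Layer items above can be checked mechanically. The shell functions below are an added example, not code from the original post: the `var $ftp_enable` / `var $ftp_pass` line format is assumed from a Joomla! 1.5-style configuration.php, and `make_sample` builds a constructed tree for trying the audit offline.

```shell
#!/bin/sh
# Audit a Joomla! tree against the permission and FTP-layer items above.

# Files whose mode is not exactly 644 / directories not exactly 755.
bad_files() { find "$1" -type f ! -perm 644 -print; }
bad_dirs()  { find "$1" -type d ! -perm 755 -print; }

# Anything with the other-write bit set (777, 666, ...).
world_writable() { find "$1" \( -type f -o -type d \) -perm -002 -print; }

# Exit 0 when the FTP layer is on. Assumed line format (Joomla! 1.5 style):
#   var $ftp_enable = '1';
ftp_layer_enabled() {
    grep -Eq "\\\$ftp_enable[[:space:]]*=[[:space:]]*'1'" "$1/configuration.php"
}

# Exit 0 when a non-empty FTP password sits in configuration.php in plain text.
ftp_password_stored() {
    grep -Eq "\\\$ftp_pass[[:space:]]*=[[:space:]]*'[^']+'" "$1/configuration.php"
}

# Run every check; returns 0 if clean, 1 if anything was reported, 2 on a bad path.
audit_joomla() {
    root=$1; findings=0
    [ -f "$root/configuration.php" ] || { echo "no configuration.php in $root" >&2; return 2; }
    for check in bad_files bad_dirs world_writable; do
        out=$($check "$root")
        if [ -n "$out" ]; then echo "[$check]"; echo "$out"; findings=1; fi
    done
    if ftp_layer_enabled "$root"; then echo "[ftp] FTP layer enabled"; findings=1; fi
    if ftp_password_stored "$root"; then echo "[ftp] plain-text FTP password stored"; findings=1; fi
    return "$findings"
}

# Constructed sample tree (not a real site): one 777 directory, a 666
# configuration.php, FTP layer on with a placeholder password.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/administrator" "$d/images"
    printf "%s\n" '<?php' 'class JConfig {' "var \$ftp_enable = '1';" \
        "var \$ftp_pass = 'example-only';" '}' > "$d/configuration.php"
    : > "$d/index.php"
    chmod 755 "$d" "$d/administrator"; chmod 777 "$d/images"
    chmod 644 "$d/index.php"; chmod 666 "$d/configuration.php"
    echo "$d"
}
```

Call `audit_joomla /path/to/site` on a real install; the exact-mode checks also report files that are stricter than 644, which you can ignore if that is intentional.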
Comments (3)

written by RePao, October 23, 2009
Thanks for these tips, most of them are basics, but we cannot think about them enough!
written by Nana Richardson, October 30, 2009
Great tips. I have learnt a lot from my site being hacked last year.
written by Abdul Mannan, November 02, 2009
Hello,
I saw a plugin called 'Secure Login Plugin'. The developer says that it encrypts the username/password before sending it over the internet and makes both our front and back end logins safe.
I am really keen on security, is it something important to buy? I don't have SSL.
Thanks.



