Securing Your Joomla Website


Securing your Joomla installation needn't be difficult, time consuming or costly.

Here we outline a few simple steps for securing your Joomla installation that are free, easy to implement and will deter people from attempting to hack into your website.

If we design a site and don't secure it, then we are simply asking for it to be hacked. Types of attack vary, but by far the most common we experience is the "Brute Force Attack", where someone goes to the administration area of your Joomla website and tries the username "admin" with one password after another.

In older Joomla versions the installer proposed "admin" as the Super User username, and "admin" is the password that brute-force tools try first against it. Why are we mentioning this...? Because we do not use either. You may be, so we would suggest you continue reading...

Here are a few quick, simple and easy steps to securing your Joomla website.

Disable the admin Account

Disabling the admin account is the first step we take, but it is really three things. Make sure first that your real Super User has a different username (change it in the User Manager if it is still "admin"), then:

  • Create an account with the username "admin" and the password "admin"
    • These are the credentials attackers expect for the Super User "admin". Because the account is about to be blocked, the password never lets anyone in; a long random one is safer still, in case the block is ever lifted by mistake
  • Make this account a normal "Registered" user, so that even unblocked it would carry no administrator rights
  • Then disable (block) this account

You may think this strange, but it works. Attackers will still brute force the site, will see that the account exists and will try and try and try, but every attempt lands on a blocked Registered account rather than on the real Super User. The last attempt we had on a site generated something like 500+ mails from failed logins against that decoy account, and nobody got in. That is the point: the attacker is kept busy with an account that cannot do anything.

Blocking IP Addresses

Receiving 500+ mails notifying you of a blocked attack is all OK, but receiving fewer notifications would be better, no...?

Here's where we get a little more advanced in securing our site.

Let's say that you have looked at the latest attacks and most of them come from one Chinese-based IP address. We simply use the .htaccess file to block that IP, or even a whole range of IPs. One of our .htaccess files on one of our sites reads like War and Peace, it has so many IP ranges listed. Bear in mind that attackers move between addresses and that a large range can include legitimate visitors, so review the list now and then rather than letting it grow forever.

If you're not familiar with editing your .htaccess file (and we wouldn't recommend doing this unless you are: one syntax error in it and Apache answers every request with a 500 error until it is fixed) then there are free tools available from the Joomla Extensions Directory to help you with this. Just search for "IP Blocker" and you're sure to find something that works for you.

Disabling Accounts

One other common method we employ is to allow a user 3 login attempts. On the third failed attempt the account is blocked, the user is mailed and we are notified.

This reduces the risk of attacks using other users' accounts or common usernames and helps keep a client's data secure. If it was a genuine mistake on the part of the client, the account is simply reinstated. Be aware that a lockout rule can be turned against you: anyone who knows a client's username can block that account on purpose with three bad passwords, so a temporary lock, or one that also counts attempts per source IP address, is kinder to genuine users.
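The three-strikes rule above, as an added example that is not the site's own code or a Joomla extension: a small PHP class that counts failed logins per account, blocks the account on the third failure, and lets an administrator reinstate it. The in-memory account store, the notify stub and the sample credentials are constructed for this example; on a real Joomla site the counter and the blocked flag would live against the user record.

```php
<?php
// Added example, not the site's own code: a three-strikes login guard.
// Each failed attempt is counted against the account; the third failure
// blocks it until an administrator reinstates it. Accounts are kept in a
// PHP array here (constructed for the example); a real site would store
// the counter and the blocked flag against the user record.
declare(strict_types=1);

final class LoginGuard
{
    public const MAX_FAILURES = 3;

    /** @var array<string, array{hash: string, failures: int, blocked: bool}> */
    private array $accounts = [];

    public function addAccount(string $username, string $password): void
    {
        $this->accounts[$username] = [
            'hash'     => password_hash($password, PASSWORD_DEFAULT),
            'failures' => 0,
            'blocked'  => false,
        ];
    }

    /** Returns 'ok', 'failed' or 'blocked'. */
    public function attempt(string $username, string $password): string
    {
        if (!isset($this->accounts[$username])) {
            // Unknown username: answer as for a wrong password, so the reply
            // does not tell an attacker which usernames exist. (The third-
            // attempt 'blocked' reply still differs; a site that cares would
            // count unknown names too.)
            return 'failed';
        }
        $acct = &$this->accounts[$username];

        // A blocked account stays blocked even if the password is right.
        if ($acct['blocked']) {
            return 'blocked';
        }
        if (password_verify($password, $acct['hash'])) {
            $acct['failures'] = 0;
            return 'ok';
        }
        $acct['failures']++;
        if ($acct['failures'] >= self::MAX_FAILURES) {
            $acct['blocked'] = true;
            $this->notify($username);
            return 'blocked';
        }
        return 'failed';
    }

    /** Reinstate an account after a genuine mistake by the client. */
    public function unblock(string $username): void
    {
        if (isset($this->accounts[$username])) {
            $this->accounts[$username]['blocked']  = false;
            $this->accounts[$username]['failures'] = 0;
        }
    }

    public function isBlocked(string $username): bool
    {
        return $this->accounts[$username]['blocked'] ?? false;
    }

    /** Stand-in for the two mails: one to the user, one to the site owner. */
    private function notify(string $username): void
    {
        error_log(sprintf('account "%s" blocked after %d failed logins', $username, self::MAX_FAILURES));
    }
}

// Constructed demonstration: three bad passwords, then the right one,
// then the administrator lifts the block and the right one works again.
$guard = new LoginGuard();
$guard->addAccount('michael', 'correct horse battery staple');
foreach (['wrong1', 'wrong2', 'wrong3', 'correct horse battery staple'] as $pw) {
    echo $guard->attempt('michael', $pw), PHP_EOL;
}
$guard->unblock('michael');
echo $guard->attempt('michael', 'correct horse battery staple'), PHP_EOL;
```

The order of the checks is the part worth copying: the blocked flag is tested before the password, so a correct password does not unlock a blocked account, and the counter is reset only on a successful login. Whether the block should expire on its own, to limit the lockout-as-denial-of-service problem mentioned above, is a policy choice this example leaves to the administrator's unblock call.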

There are other methods we employ that are not discussed here and you're welcome to get in touch and find out more as we are always happy to help people secure their websites and data...

Using custom code

Another, more effective solution for those who are familiar with PHP is to insert a couple of lines of code into the administrator login page that redirect the visitor away unless the URL carries a particular query-string parameter.

Here's an example of code we might use:

// Send anyone who arrives without ?Foo=Bar to the capture page. isset() avoids
// a PHP notice when the parameter is absent, and exit stops the rest of the
// login page being sent after the redirect header.
if (!isset($_GET['Foo']) || $_GET['Foo'] != 'Bar') {
    header('Location: http://www.whatnowebsite.co.uk/blog/joomla-related/securing-your-joomla-website?Attack=Yes');
    exit;
}

The above code involves two query-string parameters. The first, on the login page, looks for "Foo" in the URL and, if it DOES NOT equal "Bar", redirects the visitor to a page on our website.

The second, Attack=Yes, is used on the capture page (this one, actually) to record the visitor's IP address and then block it permanently from the entire website. Bear in mind that anyone who reaches the administration area without the token is captured, including a client following an old bookmark, so keep an eye on what gets blocked.

Where to implement this code

In your Joomla installation directory you'll find the following file:

administrator/templates/bluestork/login.php

(bluestork is the administrator template in Joomla 2.5; in Joomla 3 it is isis, so use the folder of whichever template your administration area runs.) Put the PHP code above into that file, just after the opening <?php line and its defined('_JEXEC') or die; guard, so that it runs before anything is output. Then test (remembering to change the location, of course) and check that you are redirected to the other page when you yourself try to reach the administration area. A Joomla update can overwrite template files, so check the code is still there after each update.

Now try logging in this way:

http://www.whatnowebsite.co.uk/administrator?Foo=Bar

You should be presented with the login page.

Clearly "Bar" can be anything you like, and the parameter does not even have to be called "Foo": pick an abstract name and a long random value, the more abstract the better. Remember that this is a secret carried in a URL. It will sit in browser history, in your web server's access logs and in any bookmark you make of it, so treat it like a password, share it only with the people who need the administration area, and keep a strong Super User password behind it. It hides the login form from automated tools; it does not replace the other steps above.
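Putting the pieces together, as an added example that is not the site's own code: the login-page gate from above with the token compared in constant time, what the capture page does when it receives Attack=Yes, and a blocklist check that understands the CIDR ranges the .htaccess section talked about, so one list can hold both single addresses and whole ranges. The blocklist path, the parameter name and token value, and the sample addresses are assumptions made for this example.

```php
<?php
// Added example, not the site's own code. Three pieces of the scheme above:
//   gateRequest()    the login-page check, token compared in constant time
//   recordAttacker() what the capture page does on ?Attack=Yes
//   isBlocked()      the blocklist check, with CIDR ranges so one list can
//                    hold the "whole range of IPs" the .htaccess section uses
// The blocklist path, parameter name, token and sample addresses are
// assumptions made for this example.
declare(strict_types=1);

const BLOCKLIST_FILE = '/var/www/private/blocked-ips.txt'; // assumed; keep it outside the web root
const GATE_PARAM     = 'Foo';   // use an obscure name on a real site
const GATE_TOKEN     = 'Bar';   // use a long random value on a real site

/** True if IPv4 $ip matches an entry in $entries ("a.b.c.d" or "a.b.c.d/nn"; "#" starts a comment). */
function ipMatchesList(string $ip, array $entries): bool
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false; // not IPv4; IPv6 is out of scope for this example
    }
    foreach ($entries as $entry) {
        $entry = trim(explode('#', $entry, 2)[0]);
        if ($entry === '') {
            continue;
        }
        [$net, $bits] = array_pad(explode('/', $entry, 2), 2, '32');
        $netLong = ip2long($net);
        if ($netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
            continue; // skip malformed lines instead of guessing
        }
        $bits = (int) $bits;
        // Network mask: the top $bits bits set. Built with a shift of -1 so
        // it behaves the same on 32-bit and 64-bit PHP; /0 is special-cased
        // because shifting by 32 is undefined on 32-bit builds.
        $mask = $bits === 0 ? 0 : ~0 << (32 - $bits);
        if (($ipLong & $mask) === ($netLong & $mask)) {
            return true;
        }
    }
    return false;
}

/** The blocklist check: call it before serving any page. */
function isBlocked(string $ip, string $file = BLOCKLIST_FILE): bool
{
    if (!is_readable($file)) {
        return false;
    }
    return ipMatchesList($ip, file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES));
}

/** The capture page: append the visitor's address to the blocklist. */
function recordAttacker(string $ip, string $file = BLOCKLIST_FILE): void
{
    // REMOTE_ADDR is set by the web server; unlike X-Forwarded-For it is
    // not under the visitor's control. Validate anyway before writing.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return;
    }
    file_put_contents($file, $ip . ' # ' . gmdate('c') . PHP_EOL, FILE_APPEND | LOCK_EX);
}

/**
 * The login-page gate. Returns null when the secret parameter is present
 * and correct (show the login form), otherwise the URL to redirect to.
 */
function gateRequest(array $query, string $captureUrl): ?string
{
    $supplied = $query[GATE_PARAM] ?? '';
    // hash_equals() takes the same time whether the first or the last
    // character is wrong, so response timing cannot be used to guess the token.
    if (is_string($supplied) && hash_equals(GATE_TOKEN, $supplied)) {
        return null;
    }
    return $captureUrl . (strpos($captureUrl, '?') === false ? '?' : '&') . 'Attack=Yes';
}

// How the pieces are wired in (not run here):
//   login.php, after its opening <?php line and _JEXEC guard:
//     if (isBlocked($_SERVER['REMOTE_ADDR'])) { http_response_code(403); exit; }
//     if (($to = gateRequest($_GET, $capture)) !== null) { header('Location: ' . $to); exit; }
//   capture page, when ($_GET['Attack'] ?? '') === 'Yes':
//     recordAttacker($_SERVER['REMOTE_ADDR']);

// Constructed demonstration, no web server or blocklist file needed.
$capture = 'http://www.whatnowebsite.co.uk/blog/joomla-related/securing-your-joomla-website';
var_dump(gateRequest(['Foo' => 'Bar'], $capture));   // token present and correct
var_dump(gateRequest(['Foo' => 'bar'], $capture));   // wrong case: sent to the capture page
var_dump(gateRequest([], $capture));                 // no token at all

$list = ['# blocked attackers', '203.0.113.7 # 2014-01-01T00:00:00+00:00', '198.51.100.0/24'];
var_dump(ipMatchesList('203.0.113.7', $list));       // listed exactly
var_dump(ipMatchesList('198.51.100.200', $list));    // inside the /24
var_dump(ipMatchesList('192.0.2.1', $list));         // not listed
```

Two deployment notes. Calling isBlocked() from login.php only protects the administration area; to block an address from the entire website, call it from the site's front-end index.php as well, or have the capture page write the address into the .htaccess rules the earlier section describes. And the blocklist file must be writable by the web server user but must not be served by it, which is why the assumed path sits outside the web root.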

Feel free to follow us on Google+ for more tips and tricks...!


