Securing Your Small Business Joomla Website
Posted by Kevin McLeod • 23.07.2009
My previous blog post contained some security steps but they are a bit buried. So I thought I’d write a dedicated post about some steps that small business owners can take to secure their Joomla site. The following ten steps will help protect you from most of the low-level security risks that many small businesses expose themselves to. This is by no means a comprehensive list and all small businesses need to be aware that true security is about monitoring your website and making sure you have a proven disaster recovery plan in place should the very worst happen. Anyway, on to the checklist:
- Do not share your domain name registrar (e.g. GoDaddy, Netfirms, etc.) password and username with anyone. You may lose your webhost and your site may get hacked but as long as you control the domain, you can recover.
- Remember the username and password you registered your domain with. It will probably be a year or three before you will ever need it again but I’ve seen many small businesses struggle with their domain registrar because they used an old email address that no longer works.
- Hide your whois information so that people cannot enter your domain into http://whois.domaintools.com and get your name, address and phone number (which in the case of many small businesses is the business owner’s home phone number and address).
- Don’t forget to renew your domain. Or better yet, just set it to auto-renew. I’ve seen small businesses have their website “hijacked” because they forgot to renew it and someone scooped it and redirected all of their traffic to one of their competitors. And while you’re at it, register your domains for longer than a year. This has nothing to do with security but it will cost you less per year and is good for SEO because Google recognizes that longer-term domain registrations are less likely to be spam sites.
- Don’t mess with your DNS or MX records unless you know what you are doing. This won’t hurt you per se. But if all of your company email starts bouncing because your MX records are set up wrong, you might be a bit upset.
- Get a good webhost. You get what you pay for, so if you have a $5 / month deal, your site is sure to be on a server with a hundred other sites. In essence, you are only as secure as the most unsecured site on that server. Something to think about.
- Make sure all your passwords get a good score on the password meter. The higher the score, the harder it is for a person or a program to guess your password. And you may want to install JSecure to give you an added layer of security.
- Remove any unused extensions, files and directories from your Joomla site. This may take a bit of work in the backend of Joomla to “uninstall” various extensions (including templates, which is how the old Yardstick website got hacked). And it may also require you to use an FTP client to browse the directories and delete any that are lingering. And be aware that if you have a shared webhost that provides Fantastico, when you upgrade your Joomla installation using Fantastico, it will reinstall a bunch of the default templates which you will want to remove again.
- And now that you’re in there looking at the files and folders with your FTP client, you might as well set all the permissions – called chmod (short for change mode) commands. If you’re using Filezilla, then you want to select all of the files in your root directory, right click on “File Attributes”, set the number to 755, and click on “Recurse into sub-directories -> apply to directories only”. Then do the same but set it to 644 and “apply to files only”. This will sweep your entire site and set the recommended chmod permissions of 755 for folders and 644 for files.
- Make sure you are using the most recent version of Joomla as well as updated versions of all of your templates and extensions. Upgrading Joomla via your FTP client is pretty easy to do but always check with the original extension/template provider for their upgrade procedure.
- Use the mod rewrite function that Joomla 1.5 provides in the Global Settings. This simply requires you to rename your htaccess.txt file to .htaccess and you’ve got another little bump in security. And if you’re really keen, you can add a few more lines to your .htaccess file to fight canonical URLs and other annoying Joomla-syndromes. This article includes a few comments on that and some database work for you intermediate Joomla security buffs. And here is Joomla’s official security documentation.
- OK, and lastly, always make sure you have backed-up your site and know how to restore it. I wrote an entire post on Joomlapack which you can take a look at if you’re interested. It’s in my list of absolutely awesome free extensions.
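If your host gives you shell (SSH) access, the 755/644 sweep from the permissions step above can be audited before anything is changed. This is an added example, not part of the original post; the function names and the command-line usage are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit and normalise permissions under a Joomla web root.
# Usage (assumed): ./joomla-perms.sh /path/to/joomla [--fix]

# Print every directory that is not 755 and every regular file that is not 644.
# find does not follow symlinks here, so linked targets outside the root are untouched.
audit_perms() {
    find "$1" -type d ! -perm 755 -print
    find "$1" -type f ! -perm 644 -print
}

# Number of paths that deviate from the recommended modes.
count_deviations() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Print files and directories that any account on a shared server can write to.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Apply 755 to directories and 644 to files, touching only paths that deviate.
fix_perms() {
    find "$1" -type d ! -perm 755 -exec chmod 755 {} +
    find "$1" -type f ! -perm 644 -exec chmod 644 {} +
}

# Run only when a path is given: report first, change modes only with --fix.
if [ "$#" -gt 0 ]; then
    root="$1"
    echo "World-writable paths:"
    world_writable "$root"
    echo "Paths deviating from 755/644: $(count_deviations "$root")"
    if [ "${2:-}" = "--fix" ]; then
        fix_perms "$root"
        echo "Remaining deviations: $(count_deviations "$root")"
    fi
fi
```

Run it without `--fix` first and read the list: a world-writable template or extension directory on shared hosting is worth investigating, not just resetting.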
If you really don’t know where to start then I recommend installing GuardXT, which is an extension that identifies security issues with a green-light, red-light system. It even fixes some for you. Otherwise, just start doing your own research and you’ll see that Joomla is a very secure and stable CMS. But it is still up to the individual site owners to make sure that they have done their due diligence.