The 11th Safer Internet Day will be celebrated worldwide today, February 11, 2014. The theme for the day is "Let's create a better internet together". It is like any other Tuesday on your calendar, but should it be? Just how secure is YOUR website? Just how safe is the information you store about your customers, clients and users?
Sadly, when it comes to security, any system can ultimately be compromised. But there are numerous small steps you can take that make the pathway to your data just a bit more difficult. Each little barrier adds up, making the task of breaking into your site just inconvenient enough for a hacker to move on to the next site instead of spending more time on yours.
1. Hide the Administrator folder!
Why leave the welcome mat out for all to find? By default, Joomla! displays a very nice login module to anyone who simply puts /administrator after the site name - now all a hacker needs is a username to try, such as "admin", and a password to guess at.
While the /administrator folder cannot be renamed, you can make it harder to reach. One method is to use a Web Firewall tool to redirect the administrator URL away unless it carries your site's unique codeword at the end.
2. Add an extra deadbolt to the back door!
Use the "Password Protect Directories" tool found in your hosting Control Panel.
You can also create your own .htpasswd and .htaccess files that will prevent direct access to the Joomla! backend login module.
Together these tools and files require an additional password to access the Joomla! login and can restrict access to a whitelist of IP addresses.
While this doesn't completely block hackers, it does add another roadblock and can sometimes be enough to deter them from trying further attacks.
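The two barriers above, a codeword that must be present before the login form is shown and a whitelist of IP addresses, can be expressed as a single decision. The block below is an added illustration written for this article, not Joomla! code and not a drop-in for /administrator; the codeword, the cookie name admin_codeword and the RFC 5737 documentation addresses are constructed values. It assumes PHP 7.3 or later.

```php
<?php
// Added illustration of the "codeword in the URL" idea from tip 1 and the IP whitelist
// from tip 2. Hypothetical standalone logic; not Joomla! code and not a drop-in for
// /administrator. Requires PHP 7.3+ (setcookie options array).
declare(strict_types=1);

// True when IPv4 address $ip lies inside $cidr ("203.0.113.0/24") or equals it ("198.51.100.7").
function ipInCidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        return $ip === $cidr;
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipLong     = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;
    }
    $prefix = (int) $bits;
    $mask   = $prefix === 0 ? 0 : ((-1 << (32 - $prefix)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/**
 * Decide whether a request for the admin login may proceed.
 * 'allow'    : the address is on the whitelist AND the request carries the codeword,
 *              either as ?codeword=... or in the cookie set on an earlier visit.
 * 'redirect' : anything else; the caller sends the visitor elsewhere, so the login
 *              form is never shown to a casual scanner.
 * $remoteAddr must be $_SERVER['REMOTE_ADDR'], not a client-supplied header such as
 * X-Forwarded-For, unless a trusted proxy in front of the site rewrites that header.
 */
function adminGateDecision(string $remoteAddr, array $query, array $cookies, string $codeword, array $whitelist): string
{
    $addressAllowed = false;
    foreach ($whitelist as $cidr) {
        if (ipInCidr($remoteAddr, $cidr)) {
            $addressAllowed = true;
            break;
        }
    }
    if (!$addressAllowed) {
        return 'redirect';
    }
    $presented = $query['codeword'] ?? $cookies['admin_codeword'] ?? '';
    // hash_equals() compares in constant time, so the check does not leak how many
    // leading characters of a guess were right.
    if (!is_string($presented) || !hash_equals($codeword, $presented)) {
        return 'redirect';
    }
    return 'allow';
}

// On 'allow', remember the codeword in a cookie so later visits can omit it from the URL.
// Secure + HttpOnly + SameSite keep the cookie off plain HTTP and out of reach of scripts.
function rememberCodeword(string $codeword): void
{
    setcookie('admin_codeword', $codeword, [
        'path'     => '/administrator',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

if (PHP_SAPI === 'cli') {
    // Constructed values: the codeword and RFC 5737 documentation addresses.
    $codeword  = 'rosebud-2014';
    $whitelist = ['203.0.113.0/24', '198.51.100.7'];
    $cases = [
        ['203.0.113.42', ['codeword' => 'rosebud-2014'], [],                                 'whitelisted address, codeword in URL'],
        ['203.0.113.42', [],                             ['admin_codeword' => 'rosebud-2014'], 'whitelisted address, codeword from cookie'],
        ['203.0.113.42', ['codeword' => 'rosebud-2013'], [],                                 'whitelisted address, wrong codeword'],
        ['192.0.2.9',    ['codeword' => 'rosebud-2014'], [],                                 'right codeword, address not whitelisted'],
    ];
    foreach ($cases as [$ip, $query, $cookies, $label]) {
        printf("%-45s => %s\n", $label, adminGateDecision($ip, $query, $cookies, $codeword, $whitelist));
    }
    // Expected: allow, allow, redirect, redirect
}
```

In a live site the arguments would be $_SERVER['REMOTE_ADDR'], $_GET and $_COOKIE. Note that a codeword in the URL ends up in web server logs, proxy logs and browser history, so it is a layer that hides the form from scanners, not a substitute for the account password or a second factor; rotate it when staff leave, just as you would the real credentials.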
3. Take the username off of the mailbox!
Once you find the Joomla! login module, it takes two pieces of information to log in.
Don't give away one of them by keeping the "admin" username in the database of active users.
That's like leaving one of two keys always in the safe deposit box, leaving only one lock to pick with a brute force attack.
Rename or remove the admin account!
4. Update your software!
Both the PHP developer community and the Joomla! developer community are working hard to stay many steps ahead of the hackers with dramatically improved security software. All those improvements will have no effect if you don't install them!
Most hosting companies are doing their part by forcing websites to move from versions of PHP that are older than 5.3.x. You need to do your part by checking for and applying Joomla! security releases within a month of their release. It takes just a click!
This also applies to your extensions! If you find checking for updates tedious and time-consuming, use one of the site monitoring tools such as myjoomla.com or watchful.li to alert you to important updates that you should apply to your site.
5. Enhanced security!
The latest releases of the Joomla! 3.x series use stronger password hashing.
With the release of Joomla! 3.2, the CMS introduced a new feature called Strong Passwords. The intent was to strengthen the hashing and storage of passwords through the use of BCrypt, thus increasing the security of Joomla! 3.2 user accounts.
This does nothing to stop someone trying to break into your site, but it has a substantial impact on protecting the customer and client password data you store there.
For example, you may be protected against an ex-employee or hacker taking a copy of your user database, recovering the passwords from it and using them to access other websites where the same username and password pair is reused.
It is a significant security feature.
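What BCrypt buys you is shown below with PHP's built-in password functions: a random salt per password, a tunable work factor, and a way to migrate old hashes upward at the moment a user logs in. This is an added example written for this article using the standard password_hash, password_verify and password_needs_rehash functions (PHP 7.4 or later); it is not Joomla!'s own code, and the sample password and the MD5 comparison are constructed for illustration.

```php
<?php
// Added example for tip 5: storing passwords with bcrypt so that a stolen copy of the
// user table yields passwords only at great cost. Hypothetical standalone code using
// PHP's built-in password_* functions (PHP 7.4+); it is not Joomla!'s own code.
declare(strict_types=1);

// Hash a new or changed password. bcrypt generates a random salt per password and the
// cost is a work factor: 12 means 2^12 rounds, roughly a quarter of a second on
// 2014-era hardware. Raise it as machines get faster.
function hashPassword(string $plain, int $cost = 12): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Verify a login attempt. The algorithm, cost and salt are embedded in the stored
// string ("$2y$12$" + 22-character salt + 31-character hash), so no separate salt
// column is needed and every user carries a different salt.
function verifyPassword(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// Right after a successful login, check whether the stored hash is weaker than the
// current policy and, if so, return a new hash to write back. This is the only moment
// the plaintext is available, which is how an installed base migrates to a higher cost.
function rehashIfNeeded(string $plain, string $stored, int $cost = 12): ?string
{
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost])) {
        return hashPassword($plain, $cost);
    }
    return null;
}

// Why the cost matters once the database has leaked: how many guesses per second an
// attacker with this machine could test against one stored hash.
function guessesPerSecond(callable $hashFn, float $seconds = 1.0): int
{
    $start = microtime(true);
    $n     = 0;
    while (microtime(true) - $start < $seconds) {
        $hashFn('guess' . $n);
        $n++;
    }
    return (int) round($n / $seconds);
}

if (PHP_SAPI === 'cli') {
    $stored = hashPassword('correct horse battery staple');            // constructed password
    echo "stored: $stored\n";
    var_dump(verifyPassword('correct horse battery staple', $stored)); // true
    var_dump(verifyPassword('Correct horse battery staple', $stored)); // false

    $older = hashPassword('correct horse battery staple', 10);         // hashed under a cheaper policy
    var_dump(rehashIfNeeded('correct horse battery staple', $older) !== null); // true: write back the new hash

    // Fast unsalted MD5 stands in for the kind of scheme a leaked table makes cheap to attack.
    printf("md5    guesses/s: %d\n", guessesPerSecond(fn (string $p) => md5($p)));
    printf("bcrypt guesses/s: %d\n", guessesPerSecond(fn (string $p) => password_hash($p, PASSWORD_BCRYPT, ['cost' => 12])));
}
```

The last two lines are the point of the tip: a fast hash lets whoever copied the table test hundreds of thousands of guesses per second per password, while a bcrypt hash at cost 12 allows a handful, so reused passwords recovered from one breach stop being a cheap way into other sites.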
6. Don't reuse passwords
One of the more common exploits is to record the username and password you use to access one insignificant site and then use that same username and password, or slight variations of it, to access accounts you created on other, more critical sites.
This is where password lockers and two-factor authentication schemes are worth the effort to set up. They let you use complex passwords you don't have to remember, and they require something you 'have' in addition to something you 'know', which reduces the chance that somebody can access your sites if they do happen to find your username and password.
7. Double-up against brute force attacks
If one password is good, two are better - especially if the second one self-destructs!
Since version 3.2, Joomla! is equipped with a robust two-factor security scheme that accepts a temporary, one-time-only password sent to you through another channel, or via a unique security fob called a YubiKey that you keep in your possession.
Requiring two passwords that must both match, one of which changes with every attempt or after a set amount of time, fully discourages brute force attacks. Joomla! has available one of the most rigorous security schemes attainable for a CMS.
Don't become a statistic that has to spend time and money restoring a hacked site. Celebrate Security Day by implementing AT LEAST ONE of these tips today!
Credits: Article by Duke Speer; Images collected and edited by Shirat Goldstein.