In addition to understanding the threats, and implementing general defensive strategies, it is important to know more specific details about security in Joomla, as well some specific examples of how to implement security strategies.
The developers of Joomla are constantly striving to improve the overall security of the system by employing good programming techniques and addressing security issues as they arise. It is therefore important to try to keep up with the latest version of Joomla – ‘patches’ (collections of replacement files) are released periodically to address bugs and security holes as they are discovered (click here to subscribe to the official Joomla announcements forum)
Input boxes There are various input boxes that can appear in a ‘vanilla’ Joomla website – for example, search boxes, filters, etc., and the data entered in such features is always validated to ensure it does not contain quote marks – thus protecting against SQL injection attacks.
You can do this either by just not allowing user-submissions at all (which is the safest option), or by using 2 different HTML editors – the default one being restrictive, and an extra one which is assigned to your user record only (definable in Joomla’s User Manager) which can be less restrictive.
User Login The login features of Joomla – both for the back end administrator and the front end website – make use of one-way password encryption. When you type in your password, Joomla applies an ‘md5 hash algorithm’ to turn your password into a 40-character jumble of unintelligible text – the same 40-character jumble every time. It never actually decrypts this, it just compares the jumbled up version of what you type in with the jumbled up version that is stored in the database against your user record to see if they match.
In order to determine whether or not you are logged in at any given time, Joomla uses a ‘cookie’ – a small text file which is stored on your computer. This cookie does not contain your user name and password – it just contains a session id (or reference number), which Joomla can look up to find out who you are and whether you are logged in. So even if someone could steal the cookie from your computer, all they would get is a reference number – they couldn’t do much with it.
Release Notes The text files that ship with a standard Joomla installation include release notes such as a ‘change log’ – a list of changes made to the program since the last release. Such information can give away valuable clues about possible weaknesses that hackers can exploit. However, the text files are protected from casual viewing by being named as PHP files and by programatically preventing browsing over HTTP. Even so, it is quite safe to delete such files from your server – that way you can be absolutely sure that nobody can see them. At the time of writing, the release note files that can be safely deleted are: CHANGELOG.php, COPYRIGHT.php, INSTALL.php, and LICENSE.php.
.htaccess File There is a file which is supplied with Joomla called htaccess.txt. As long as the file is called htaccess.txt, it has absolutely no effect on your site. Once you rename the file to .htaccess ("dot htaccess" instead of "htaccess dot txt"), it influences every request that is made of your site (note: this applies to sites running on an Apache web server, not IIS – if you’re not sure whether your site is running on Apache or IIS, it is probably running on Apache! 99.99% of Joomla sites run on Apache web servers. Apache is the name of the web server software, not the operating system – Apache can be run on Windows or Unix or Linux or FreeBSD, etc. etc. IIS only runs on Windows).
Typically, you would only rename the file to .htaccess if you wanted to use search engine friendly URLs (or SEF URLs) – the instructions in that file allow meaningful page names to be translated internally (or ‘rewritten’) into a format that Joomla can understand. There are many other uses for an .htaccess file though, including setting password protection on a directory, to block users based on their IP address, and various other things. This little file can be very powerful! It is therefore important to ensure no unauthorised person can view it, or worse still, edit it.
In addition to setting the file permissions (see below), you can add the following directive to the top of your .htaccess file to prevent others from being able to read it:
order allow,deny deny from all
Version 1.0.8 of Joomla introduced significant changes to the supplied htaccess file, but even so it does not include the above directive for some reason. Maybe a future version will. In the meantime, adding the above at the very top of the file will provide an additional layer of protection against abuse.
It is also a good idea to protect your site against HTTP tracking and tracing, and if you use a shared server, the easiest way to do this is to add the following to your .htaccess file (somewhere after the "RewriteEngine On" command):
Please note, that making these changes to your .htaccess file is not supported by all server configurations. Always backup your .htaccess file before making changes to it, and if your website starts reporting errors, you may have to undo your changes.
Server Settings Joomla specifies certain settings that are recommended for proper functioning of the system. A list of the recommended and actual settings is displayed when you install Joomla. One of the recommended settings is to have ‘Display Errors’ switched on. This is not safe for a production website. It is very useful when developing and debugging a site, but there is a security vulnerability in PHP (not Joomla, but the language in which Joomla was written) which allows cross-site-scripting attacks when the display errors option is enabled.
Thankfully, as of Joomla 1.0.8, you can suppress error messages by going to Site->Global Configuration, and clicking on the ‘Server’ tab. Set the ‘Error Reporting’ option to ‘None’. If you are not using the very latest version of Joomla, it would be a very good idea to upgrade!
Otherwise, to turn off display of errors, you need to change some settings in a file called php.ini – you might not have access to this file if you use shared hosting, but it might be possible to add your own php.ini file to the root folder of your website which will only affect your site and nobody elses (or you might need to add it to every folder that contains php files). Alternatively, depending on the configuration settings on your server, you might be able to override individual php.ini settings in your .htaccess file.
The settings that need to be specified in php.ini are:
display_errors = Off html_errors = Off display_startup_errors = Off log_errors = On
For additional security it may be worthwhile disabling certain PHP functions. The following 2 lines, when added to php.ini will prevent the listed functions from working. If you have a third party script that relies on one or more of these functions, it will break when you turn them off like this. Joomla does not use these functions, but some third party components might do. Disabling these functions will help to protect your site from hackers though.
If you don’t have access to the global php.ini file, you might be able to add your own. More information about doing this can be found here: http://www.washington.edu/computing/web/publishing/php-ini.html. You might need to ask your host to restart the Apache web server before your overridden settings will take effect (this does not mean rebooting the server, just restarting Apache – which only takes a few seconds). Note: If you encode your PHP files with Zend Optimizer, adding your own local php.ini file can cause PHP to think that Zend Optimizer is not installed even if it is.
If your server configuration allows it, you may be able to just add the following lines to your .htaccess file to override the settings without needing your own php.ini file. Try adding the following to the end of your .htaccess file (if your server does not recognise the directives, you will get an error message when you try to access your site):
These settings will cause any PHP errors to be logged in a text file instead of being displayed in the user’s browser window. You could also write a custom error handler in PHP to display a user-friendly message when an error occurs, but that is a task for a developer and is beyond the scope of this article.
File Permissions Every folder and every file that your website contains has a set of properties called ‘permissions’. These properties define who is allowed to do what with the file or folder. On Unix-based operating systems (including Linux, FreeBSD, etc.), there are 3 actions that can be performed on a file: read, write, and execute; and there are 3 types of user that can perform these actions: owner, group, and other (things are a bit different on Windows, but most production Joomla sites are hosted on servers running a Unix-based operating system).
Typically, the permissions for a file are set using a 3-digit number: 000 being the most restrictive (nobody can do anything with the file – pretty pointless having a file with that level of restriction!), and 777 being the most liberal (anybody can read, write, or execute the file – that is, execute as in run a program, not execute as in chop someone’s head off). The first digit represents what the ‘owner’ of the file is allowed to do (that is, the specific ‘user’ who created the file); the second specifies what other authorised users are allowed to do, and the third says what the world at large is allowed to do. The command used by the operating system to set the permissions of a file is called ‘chmod’ which means ‘change mode’.
To get the balance between security and usability, all folders should be set to 755, and all files should be set to 644 unless a folder or file specifically requires a different setting in order to function properly. Joomla has the ability to set these permissions for you (you can tell it to do this while installing, and through the Site->Global Configuration option in Joomla administrator) when it creates new files. Using 755 and 644 for folders and files respectively generally means that the files cannot be edited – not even by Joomla (unless your server has PHP configured to use SUExec – highly recommended!).
So if you want to install a new component, module, template, or whatever, you are going to need to make sure the relevant folders are writeable (775 and 774 for folders/files respectively, or if that doesn’t work on your server, 777 for both) – otherwise Joomla will not be able to create the necessary files. To see which folders need to be writeable, go into Joomla Administrator, click on the ‘Help’ menu item, then click on the ‘System Info’ link at the top right, then click on the ‘Permissions’ tab. There is a list there of folders that need to be writeable for Joomla to function, as well as an indication of whether or not they are currently writeable on your server.
It is safest to keep files and folders unwriteable most of the time and only make them writeable when you need to – especially with reference to the configuration.php file, which stores your settings from Site->Global Configuration (keep that unwriteable [ie. 644] except when you need to make configuration changes – and make it unwriteable again as soon as you’ve finished making changes). If your website allows for users to upload files though, you will need to make the relevant folders writeable all the time, otherwise the uploads will fail.
You can change the permissions of files and folders using an FTP client, or a hosting control panel such as cPanel or Plesk.