1. Create strong passwords. You should change your administration password often and use a combination of upper and lowercase letters and numbers. Avoid using dictionary words, and make sure your password is at least eight characters long.

2. Monitor crack attempts. If you have your own VPS or dedicated server, you can run TripWire or SAMHAIN to frequently check for attempts to comprise your server’s security.

3. Create scripts to automate security tasks. With a busy schedule, you may forget to check for new versions of Joomla and any extensions you have installed. Setup scripts to make the process automatic.

4.. Check logs often. Many times, simply looking over access and error logs can reveal thinly-veiled attempts to intrude on your server, particularly if the attacker is trying to do so through a web application like Joomla.

5. Run checks for SQL injection vulnerabilities. There are free tools on the web that will perform these checks for you.

The important thing to remember is to always be diligent. Create a security routine and stick to it. Do not let months go by before you decide to check on your Joomla installation. You may find your site has already been comprimised.

Source: Joomla Security Checklist

1. Move the configuration.php outside of the root document directory. For example, if you directory is /home/user/www/public_html, you can move configuration.php up to /home/user/www where outside visitors cannot possibly access it. Read this guide for the detailed procedure.

2. Disable XML-RPC, if not needed. Unless you need to access and publish to your Joomla installation from another application (without logging into your website), this component just presents a security risk.

3. Check 3rd-party extension vulnerability. Joomla publishes a list of vulnerable extensions. Avoid them.

4. Use SSL for all logins and publishing. Joomla 1.5 has increased support for SSL.

Previous Joomla Security Tips:

Part 1

Part 2

All of these can be set within your local php.ini directory (if your server allows it), rather than manipulating the global one for the server.

1. Use the “disable_functions” to prevent the use of some dangerous PHP functions:
Example: disable_fuctions = show_source, exec, phpinfo

2. Use open_basedir. This will limit which files PHP can opened to the directory tree specified (i.e. in your home folder)
Example: open_basedir = /home/webguy/www/html

3. Disable register_globals. Joomla will actually warn you if you have this enabled:

Example: register_globals = 0

4. Disable allow_url_fopen. This is used when you want to create PHP wrappers to open remote URLs. You can probably imagine the dangers that would create if exploited.
Example: allow_url_fopen = 0

Source: Joomla Security Checklist

1. Delete the “install” directory. Joomla tells you to do this, and if you forget, the results can horrific.

2. Chmod configuration.php to at least 644. No one should be able to access your configuration.php file. The only reason to even leave it as 644 and not 600 is that some web servers on shared hosts require PHP files to be readable by the web server, which is a different user than the site owner.

3. Backup early and often – Create backups of Joomla’s MySQL database. If anything ever does go wrong, you will have a backup.

4. Install mod_security – ModSecurity is an application firewall designed for web applications like Joomla. It will protect you where a network firewall cannot.

5. Secure your database – Setup Joomla to access the database with a user with limited privileges, and make sure the password is not easy to guess.

There are many more security issues you should consider. Over the coming days, I will highlight some of them. Hopefully, they will help you keep your Joomla installation stable and secure.

One such annoyance is the “Welcome to the Frontpage” message that appears in the blog section of the front page of a new Joomla website. Even after adding your own custom content and tweaking your template, you might still find that awful message staring back at you. Fear not! There is a way to remove it, and it does not even involve any magic hacking. Just follow these steps:

1. Login to your Joomla installation as administrator (http://yourdomain.me/administrator)
2. Click “Menus” and then click the name of the menu you are using.
3. Find the default page, designated with a yellow star in the “Default” column.
4. Click the name of the page.
5. On the right side, click Parameters (System)
6. Next to “Page Title” you will see the dreaded welcome message. You can can change it, delete it, and/or click “No” next to “Show Page Title” to remove that title section completely.
7. Click “Save”, and you are all finished.

Photo Source: Flickr

The hackers are uploading malware to the sites, which visitors to the sites have been prompted to download. Network Solutions experienced a similar problem several weeks ago.

It is always important to keep CMS’s and other scripts up-to-date. This situation isn’t so much Go Daddy’s fault as the customers’ for failing to update their installations. However, Go Daddy’s large size also makes it an attractive target for hackers.

Photo | simonok

Are extensions and plugins a security risk? How can you make sure they do not hurt other users or the server? Like with any security issues, there are general precautions you can take.

1. Make sure the user has no additional privileges outside of his or her chroot environment.
2. Remind users to check the permissions on scripts so that attackers cannot use them to piggyback onto another system.
3. Do not allow root login under any circumstances.
4. Keep an eye on logs to see if any scripts are behaving unusually.
5. Disable scripts with known problems, and direct users to viable alternatives.

With a few easy steps, you can install new extensions in Joomla.

1. Visit http://extensions.joomla.org to find the extensions you want.

2. If you have a new Joomla installation, make sure the extension you find has a “1.5 Native” compatibility. Also look for free extensions, unless you want to pay for commercial ones.

3. Click download and save the zip file to your computer.

4. Login to Joomla, go to Extensions, and click Install/Uninstall

5. Click “browse” or “choose file” (depending on your browser) to find the file you downloaded.

6. Click Upload File & Install

If you installed components, they will now appear in the Components menu. All that is left is to configure the new extension and enjoy it.

Unfortunately, many clients come with their own baggage. More often than not, it includes a domain hosted by a company like GoDaddy and possibly a current website that is less than stellar. The worst situation that I ever encountered was a client who had chosen to use GoDaddy’s hosting service with a Windows server. Anyone who has tried to use PHP content management systems with Windows is probably already cringing at the thought.

Aside from the usual problems with GoDaddy’s control panel, I had to content with Windows and its strange compatibility issues with PHP. Theoretically, it should work fine with Joomla, but that requires proper configuration, something GoDaddy failed to do. Mind you, the Joomla installation was automatic from their own control panel, but it still never worked quite right. In the end, the client settled for a less-than-perfect site. My advice to anyone who wants a website: ask those who know first before you make purchases.

Photo Source: Flickr

There are a few things you should consider when using such services:

1. Does the provider’s service provide updates for the scripts?
2. Are they standard installs that can be modified the same way a manual install would?
3. Is the software open and common so that if the user decides to leave that host, they can take their data and design elsewhere?
4. What type of the support does the host offer for these third-party packages?

Depending on the answers to these and other questions, you may decide to use your web host’s services or install the applications you need on your own.