Securing a Joomla installation

Things every Joomla installation needs to be secure.

The following instructions are based on Joomla 2.5 and were last updated 17 February 2013.

This article considers only those things to be done after installation. For security measures to be taken before or during installation, see Installing and configuring Joomla.

In the Joomla docroot, insure that the installation directory has been deleted, not merely renamed. Check to make sure, even if you accepted the installer’s offer to delete itself for you.

In Users – User Manager, confirm that no user has the default name “admin” nor the default user ID 42. If there is, create a new superuser, log out, log back in to the newly created superuser, and delete the default user.

Install a backup extension such as Akeeba Backup. Perform a manual backup now and set up automatic periodic backups.

Merge the contents of Joomla’s htaccess.txt into the existing .htaccess. Test to make sure you haven’t broken anything.

Install a security extension such as Admin Tools. Perform a manual security check now and set up automatic periodic checks.

Take measures to receive security or new release announcements for Joomla and for each extension you use. Feeds work well for me, so I add Joomla’s security announcements and the new release feed of each of my extensions to my feed reader. Other common options for staying informed include mailing lists and Twitter. When security or bugfix releases are announced, update Joomla promptly.

Many extensions do not have means of announcing security or bugfix releases. Consider what that says about the developer’s commitment to security and stability.

Enable Apache webserver logging; consult your web host for instructions. Wait 24 hours to review the log and correct any issues. If this is a new site, you will want to repeat this step after the site has been publicly available for a few days.


About Warren Post

So far: Customer support guy, jungle guide, IT consultant, beach bum, entrepreneur, teacher, diplomat, over-enthusiastic cyclist. Tomorrow: who knows?
This entry was posted in Uncategorized and tagged , . Bookmark the permalink.

One Response to Securing a Joomla installation

  1. Pingback: Installing and configuring Joomla | Warren's tech notes

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s