As Joomla site recovery specialists, we are regularly approached for help and see the same Joomla vulnerabilities come up time and again. What's sad is that they are incredibly easy to correct, but once a Joomla site is hacked it comes at considerable cost to get it fixed and secure again.
In this blog post, we will look at the five most common security issues and how to correct them.
The number one cause of hacked sites is lack of maintenance. It is incredibly simple and doesn't require much investment in time, but most sites get hacked simply because they do not stay up-to-date with the security releases for the Joomla core or its extensions.
If your Joomla login looks like this and you haven't updated in years, you have a major security issue.
The problem stems from the fact that hackers are more and more aggressive and use automated tools to execute attacks at scale. Ten years ago you could leave a site as it was for several years, but these days any open source software, including Joomla, requires maintenance and prompt application of security patches.
The web is the wild west, and your website needs to stay up-to-date if you're going to keep the desperadoes out.
If you're the site builder: make sure to offer your clients some form of maintenance service. Include it on any estimates or proposals you provide them, along with the rationale for why it is important.
Taking password security seriously is the best measure you can take to prevent your site from getting hacked. Password guessing is an incredibly common attack on websites because of how often it is successful.
No one likes having to remember difficult passwords, but it is essential to security.
A tool that is very helpful in realizing how quickly a password can be hacked is How Secure Is My Password. This extremely insightful tool will simply show you how long a given password would take to crack. Passwords that are simple words with numbers, or that are relatively short, are quickly guessed by automated "brute force" attacks.
Use long passwords that are nonsensical and include a few special characters, but that you can still remember. This works because password length creates complexity, which makes it difficult for a computer script to guess them, so long as there is some variation.
For example, president!Tokyo!furious!zebra
If you're the site builder: make sure to explain to your clients why this is important and provide them with these longer passwords.
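To make the length argument above concrete, here is an added estimator (not code from the original post or from the How Secure Is My Password tool) that compares the naive per-character brute-force figure with a more realistic word-by-word guessing model. The guess rate and dictionary size are assumed values chosen for illustration.

```python
import math
import re

# Constructed assumption for the estimate only: an offline guessing rate of
# ten billion guesses per second, not a measurement of any real attacker.
GUESSES_PER_SECOND = 1e10
DICTIONARY_SIZE = 20000     # assumed size of the word list a guessing tool uses

def charset_bits(password: str) -> float:
    """Entropy if the attacker must brute-force every character position.
    This is the optimistic figure that simple strength checkers report."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33                      # printable ASCII punctuation
    return len(password) * math.log2(size) if size else 0.0

def pattern_bits(password: str) -> float:
    """Pessimistic entropy: the attacker guesses dictionary words, digit runs
    and separators as units rather than single characters. Every run of letters
    is assumed to be a dictionary word, so this is a lower bound for word-built
    passphrases (it understates truly random letter runs)."""
    bits = 0.0
    for token in re.findall(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+", password):
        if token.isalpha():
            bits += math.log2(DICTIONARY_SIZE)
        elif token.isdigit():
            bits += len(token) * math.log2(10)
        elif len(set(token)) > 1:
            bits += len(token) * math.log2(33)   # mixed punctuation, not a separator
        # a repeated single separator such as "!" adds nothing: the tool tries it
    return bits

def effective_bits(password: str) -> float:
    """Assume the attacker uses whichever strategy is cheaper."""
    return min(charset_bits(password), pattern_bits(password))

def seconds_to_crack(bits: float) -> float:
    """Expected time: on average half the space is searched before a hit."""
    return (2 ** bits) / 2 / GUESSES_PER_SECOND

if __name__ == "__main__":
    # Constructed sample inputs: a typical short password and the post's passphrase.
    for pw in ("summer2019", "president!Tokyo!furious!zebra"):
        b = effective_bits(pw)
        print(f"{pw!r}: charset {charset_bits(pw):.1f} bits, pattern "
              f"{pattern_bits(pw):.1f} bits, effective {b:.1f} bits, "
              f"~{seconds_to_crack(b):.3g} s to crack")
```

The passphrase's charset figure (over 180 bits) is what a per-character checker reports; the pattern figure (about 57 bits, roughly 8 million seconds at the assumed rate) is the honest one, and it grows by about 14 bits for every extra word you add.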
It's not difficult to get a virtual private server, dedicated server, or even an in-house box set up. For some agencies and freelancers, it's attractive because you can host many sites at a cost saving compared to shared or reseller hosting.
However, it's critical that the server environment is set up with the security packages and configured correctly. Additionally, just like for any Joomla website, servers require maintenance in order for the security to remain effective.
(Image: ConfigServer, a common Linux firewall on servers.)
Even if your Joomla site is in good shape, if your server is vulnerable, you're going to end up hacked. Self-hosting or choosing bottom-of-the-barrel hosting providers is a common issue we run into that ultimately ends in trouble.
Either use some form of a managed server or hire a system administrator to regularly audit your server security.
Poorly chosen extensions and templates often create flaws in Joomla security
A couple of common scenarios:
The above are not-so-"free" templates on Pirate Bay.
Both of these scenarios can occur, and when they do, they not only open holes in the Joomla site's security, but the site builder may also be actively incorporating malware and other malicious code without realizing it.
Use extensions and templates from reputable sources. If you can't find one, either hire a Joomla developer or Joomla development company to create it bespoke or find another solution if you can't afford custom work.
Sometimes it's better to do without than to do with!
For any site that's been on the web for more than a couple years, it's likely that it has accumulated some legacy code. If this code isn't cleaned up, it significantly increases the chances that the site will be compromised. This is because over time more and more vulnerabilities are discovered by hackers.
Time to clean up your filesystem.
The 3 most common scenarios:
Joomla is developed by veteran developers who are highly aware of the security environment of the Internet and the risks involved. Joomla has a built-in security model to combat common vulnerabilities in web applications. Because of these factors, even though the core application is under an incredibly high level of scrutiny by hackers, it rarely has significant security issues, and when they are discovered they are patched very quickly.
Security holes are more likely to appear in poorly coded extensions that don't use the Joomla security model, due to the inexperience or laziness of the developer. This is why it's critical to be particular when choosing extensions and not to haphazardly install everything that might work.
These are the most common vulnerabilities that we see and their fixes. If you're interested in doing an in-depth audit of your site security, check out our blog post on Joomla security best practices which covers these vulnerabilities and more.