We have heard lots of talk about Joomla Security and attacks on Joomla sites. Sucuri, the website security company posted a blog entitled “Big Increase in Distributed Brute Force Attacks Against Joomla Websites” in which they review some very worrying statistics:
“We have seen an average of 6,000 brute force attempts against Joomla sites daily across our honeypots and CloudProxy networks. Some days the attacks increased to almost 13k, and dipped as low as 3k attempts. However, for the last 3 days, you can see a big increase, reaching almost 269,976 scans yesterday, September 2nd, 2013. That’s a very big increase out of nowhere.”
The following image shows the alarming increase in attacks over the past few weeks:
From this we can see how such attacks can be defeated. They were login attempts against the Joomla Administrator folder, which is relatively easy to protect.
Use HTPASSWD protection
HTPASSWD is one of the most common utilities on UNIX- and Linux-based web servers; it adds basic user authentication to a set of files or folders. One of the easiest and most effective deterrents is to block HTTP requests to the Joomla Administrator folder from intruders.
You can add HTPASSWD protection to your Joomla Administrator folder in three different ways, and all of them do the same thing. To an attacker it makes the Administrator folder completely invisible. Since nobody in the public needs to see it, why not guard it completely?
A. Manually creating a .HTPASSWD file
The HTPASSWD file contains usernames and encrypted passwords. Directives are then added to a .HTACCESS file that require the username and password to be entered before the folder can be accessed. This method needs no extension added to your Joomla installation and relies on your server instead. It is advisable to store the .HTPASSWD file outside the public_html folder.
- Create the .HTPASSWD file
The usernames and passwords are added to the .HTPASSWD file, which should NOT be in the folder being protected. It should be kept safely outside the public_html folder.
In this example a username “mysecretusername” with the encrypted password “mysecretpassword” is created.
Navigate to the folder containing public_html using your FTP client or the cPanel file manager; the path will look like /home/myaccount
Create a plain text file named .HTPASSWD
Now generate the usernames and encrypted passwords at http://tools.dynamicdrive.com/password/
Copy the usernames and passwords into the .HTPASSWD file
- Create the .HTACCESS file
The .HTACCESS file in the folder to be protected contains directives that enforce the username and password and give the full path to the .HTPASSWD file
Navigate to the Administrator folder; the path is likely something like
Create a plain text file named .HTACCESS (or open the one that already exists there)
Copy the following directives to the top of the .HTACCESS file (use straight quotes; curly quotes are not accepted by Apache)
- AuthName "Secured Area"
- AuthType Basic
- AuthUserFile /home/myaccount/.HTPASSWD
- require valid-user
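As an added example (not code from the original post), here is a POSIX shell script that carries out method A on the server itself, hashing the password locally with htpasswd or openssl instead of a third-party website, and checking that the password file really sits outside the web root. The paths, username and password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: create .HTPASSWD outside public_html,
# write the directives into the administrator .HTACCESS, and check the layout.

# create_htpasswd FILE USER PASSWORD
# Hashes locally: Apache's htpasswd (bcrypt) if present, else openssl's APR1-MD5,
# which every Apache build accepts. USER is assumed to contain no regex characters.
create_htpasswd() {
    file=$1 user=$2 pass=$3
    if command -v htpasswd >/dev/null 2>&1; then
        entry=$(printf '%s\n' "$pass" | htpasswd -niB "$user")
    elif command -v openssl >/dev/null 2>&1; then
        entry="$user:$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)"
    else
        echo "need htpasswd or openssl to hash the password" >&2; return 1
    fi
    # Drop any existing line for this user, then append the new entry.
    if [ -f "$file" ]; then grep -v "^$user:" "$file" > "$file.tmp" || true
    else : > "$file.tmp"; fi
    printf '%s\n' "$entry" >> "$file.tmp"
    mv "$file.tmp" "$file" && chmod 640 "$file"
}

# create_htaccess ADMIN_DIR HTPASSWD_PATH
# Puts the directives from the post at the top (straight quotes: curly quotes
# break Apache) and keeps whatever the existing .htaccess already contained.
create_htaccess() {
    ht="$1/.htaccess"
    if [ -f "$ht" ]; then cp "$ht" "$ht.bak"; fi
    {
        printf 'AuthName "Secured Area"\nAuthType Basic\n'
        printf 'AuthUserFile %s\nRequire valid-user\n' "$2"
        if [ -f "$ht.bak" ]; then cat "$ht.bak"; fi
    } > "$ht"
}

# check_layout PUBLIC_HTML HTPASSWD_PATH
# Succeeds only if the password file is outside the web root (absolute path)
# and the administrator .htaccess points at exactly that file.
check_layout() {
    case "$2" in
        "$1"/*) echo "$2 is inside the web root" >&2; return 1 ;;
        /*) ;;
        *) echo "AuthUserFile must be an absolute path" >&2; return 1 ;;
    esac
    grep -qx "AuthUserFile $2" "$1/administrator/.htaccess"
}
```

A typical run on the constructed layout is `create_htpasswd /home/myaccount/.HTPASSWD mysecretusername mysecretpassword`, then `create_htaccess /home/myaccount/public_html/administrator /home/myaccount/.HTPASSWD`, then `check_layout /home/myaccount/public_html /home/myaccount/.HTPASSWD`.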
B. Using the cPanel password protection tool
Most hosting control panels provide easy ways to add password protection to your directories, with simple tools that secure and password-protect the Administrator folder.
First of all, log into your hosting control panel
Now, click Password Protect Directories
After that, navigate until you see the /home/myaccount/public_html/administrator folder listed
Now, select the Administrator folder
Lastly, fill in the Folder Name (it will be displayed as part of the password prompt), username and password
C. Use a Joomla Security Extension
Several extensions secure the Joomla Administrator folder; one of them is Admin Tools. Admin Tools (both the Pro and free editions) includes a tool to password-protect the Joomla Administrator folder, and it creates the .HTPASSWD and appropriate .HTACCESS file for you in the easiest way.
Log into Joomla Administrator
Select Components – Admin Tools – Password-Protect Administrator
Enter a Username and Password
Change the admin Super User
Admin is the default username for the Super Administrator, especially in Joomla 1.5 and older. In newer versions it is easy to change, yet many people still use admin when creating their first user account.
Hackers rely on this during brute force attacks: knowing the username means the difficulty of hacking is at least 50% less than on a site with a custom username.
Update core and add-ons to improve Joomla security
One of the most important tasks for anyone responsible for Joomla security is to make sure that all software stays updated, as the most common successful attacks exploit known vulnerabilities in outdated Joomla versions and add-ons. To help with this, the new Joomla Update Manager updates many extensions, alongside the Joomla Update component that updates Joomla itself.
A. Update Joomla!
- Log into Joomla Administrator
- Select Components – Joomla! Update
- Click to Update
B. Update Extensions
- Select Extensions – Extension Manager
- Select the Update tab
- Select Purge Cache, then Find Updates (this ensures the latest available supported updates are found)
- Select the Extensions (and languages) to update and click Update
It is advisable to back up your site using a backup extension before updating Joomla or any extensions.
C. Monitor all your site updates in one location
Using a remote update service like Watchful is the next step after installing updates from within Joomla. Watchful is an award-winning backup, update and Joomla security monitoring service that lets you apply many of them from one convenient Dashboard. If you want to develop a risk-free Joomla website, send your inquiry to [email protected]