Joomla Security in 2022 - Best Practices To Secure Your Website


Looking to secure your Joomla website? Here are some best practices to prevent your Joomla website from getting hacked by cyberattackers in 2022.

The evolution of internet services and better connectivity have improved content consumption among users. There are more than 1.7 billion websites on the internet. Businesses need to stand out in a market crowded with high content volume. This is where a content management system like Joomla can help. However, companies need to have specific measures in place regarding Joomla website security.

Before we discuss the problems with Joomla security and their solutions, some context: Joomla has been the second most preferred CMS after WordPress. There are more than 4,172,773 live Joomla websites on the internet. However, many security issues related to Joomla websites need reliable solutions.

For example, CVE-2017-8917 was one of the most significant SQL injection vulnerabilities of 2017 and affected several Joomla websites. However, it is not a single occurrence, and there have been several cyberattacks on Joomla websites.

First, let’s understand the history of Joomla website security issues.

Brief History of Joomla Security Problems 

Like all other CMSes in the market, Joomla has its vulnerabilities, making it a problem for many website developers. According to a report, cross-site scripting (XSS) is one of the most significant contributors to Joomla website security issues. 

However, compared with the competition, Joomla still comes out as a winner in security. Joomla ships with several pre-built features, but the different extensions and templates you add can be vulnerable.

According to research from just last year, Joomla has been subjected to more than 100 vulnerabilities due to extensions. During the research, different Joomla extensions were tested for attacks like rXSS, sXSS, DOM XSS, and SQLi.

| Extension | Identifying path | Installation percentage | rXSS | sXSS | DOMXSS | SQLi |
|---|---|---|---|---|---|---|
| Akeeba Backup | com_akeeba | 59.6% | 3 | 0 | 0 | 0 |
| AcyMailing | com_acymailing | 34.4% | 5 | 0 | 0 | 1 |
| Advanced Module Manager | com_advancedmodules | 12.4% | 0 | 1 | 0 | 0 |
| JEvents | com_jevents | 11.9% | 5 | 2 | 0 | 1 |
| eXtplorer | com_extplorer | 11.4% | 6 | 0 | 0 | 0 |
| Phoca Gallery | com_phocagallery | 4.7% | 18 | 0 | 0 | 0 |
| Community Builder | com_comprofiler | 3.6% | 1 | 0 | 0 | 0 |
| Ark Editor | com_arkeditor 3 | 0.1% | 5 | 0 | 1 | 0 |
| Ozio Gallery | com_oziogallery | 1.7% | 0 | 31 | 0 | 0 |
| Sigplus | /media/sigplus | 1.2% | 0 | 1 | 3 | 0 |

Another key security challenge is updates. Over the years, several versions of Joomla have had exposed vulnerabilities. For example, all versions of Joomla before 3.9.5 suffered from Cross-Site Request Forgery (CSRF) attacks. Tracked as CVE-2019-10945, it was a directory traversal bug that helped attackers execute the CSRF attacks.

Similarly, attackers have exposed several different vulnerabilities across different Joomla versions. Another key source of Joomla security issues is the underlying PHP: Joomla is written in PHP, follows an object-oriented programming approach, and uses MySQL as its database.

So, problems in PHP can cascade to Joomla websites. You can find several Stack Overflow conversations on PHP causing Joomla website issues. This is why you need to have specific security best practices for PHP-related problems.

For example, privilege escalation is an attack where attackers gain access to admin privileges. CVE-2016-8869 is one such PHP-based vulnerability linked to Joomla servers that allows elevation of privilege. However, there are several key security best practices that you can use to secure the server.

Joomla Server Security

Joomla website security depends on several factors, one of which is server vulnerabilities. So, before you install Joomla, it is key to ensure that PHP and the server are secure. Fortunately, Joomla provides a security checklist that you can use to secure the server. Here are some of the points you need to consider from the checklist:

  • Use Apache .htaccess to password-protect sensitive directories and block exploits with access restrictions. Joomla provides preconfigured .htaccess files, which you can place in the FTP root directory, and you can leverage the “Least Privilege” approach to run PHP tools.
  • Running PHP as an Apache module can lead to ownership issues and security nightmares. However, you can select a server host that will run PHP as a “cgi process” with phpSuExec configurations. It allows administrators to isolate each malicious script and manage them.
  • Use PHP disable_functions to disable specific functions that can harm Joomla security. The php.ini line that you can use is:

disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

  • Control server file permissions to ensure that attackers can’t gain access to admin controls; in particular, you can restrict code change access.
  • Set up a backup and recovery process to ensure that you don’t lose key website data and that, if there is a ransomware attack, information remains safe.

Apart from the checklist, there are many Joomla security best practices that you can use to secure PHP and servers.

Harden Your PHP Configuration

PHP is the core of your Joomla website security, and that is why it becomes vital to harden its protection. One way to achieve high-level PHP security is by making specific changes in the php.ini of your Joomla website.

Here are some best practices to follow:

  • Hide PHP versions so that attackers are unaware of specific vulnerabilities in the underlying architecture for exploits.
  • Whitelist specific directories through PHP configurations.
  • Disable error display to the end-user device.
  • Disable PHP functions like exec, passthru, shell_exec, system, proc_open, proc_close, proc_terminate, popen, curl_exec, curl_multi_exec, etc.
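
The four points above map to the php.ini directives expose_php, open_basedir, display_errors and disable_functions. The following auditor is an added example, not code from the Joomla project or this article; it checks php.ini text against those directives, using the function list from the checklist's disable_functions line, and both sample files and their paths are constructed.

```python
# Added example: audits php.ini text against the four hardening points above.
# REQUIRED_DISABLED is the page's disable_functions list; sample files are constructed.

REQUIRED_DISABLED = {"show_source", "system", "shell_exec", "passthru",
                     "exec", "phpinfo", "popen", "proc_open"}
OFF = {"off", "0", "false", "no", "none", ""}


def parse_ini(text):
    """Return {directive: value}; a later line overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # simplification: ';' always starts a comment
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings


def audit(text):
    """Return {directive: finding} for each hardening point that is not met."""
    s = parse_ini(text)
    findings = {}
    # An unset directive is treated as its weak built-in default.
    if s.get("expose_php", "on").lower() not in OFF:
        findings["expose_php"] = "PHP version is advertised in the X-Powered-By header"
    if s.get("display_errors", "on").lower() not in OFF:
        findings["display_errors"] = "error details are shown to visitors"
    if not s.get("open_basedir"):
        findings["open_basedir"] = "PHP file access is not confined to listed directories"
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",")}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings["disable_functions"] = "still callable: " + ", ".join(missing)
    return findings


WEAK_INI = """\
; constructed sample: settings before hardening
[PHP]
expose_php = On
display_errors = On
disable_functions = exec, system
"""

HARDENED_INI = """\
; constructed sample: the same file after hardening
[PHP]
expose_php = Off
display_errors = Off
open_basedir = "/var/www/joomla:/tmp"
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini) or "no findings")
```
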

Change the default database prefix

Changing the default database prefix can help you prevent SQL injections which attackers use to gain access to super administrator privileges. All the latest versions of Joomla already do this during initial installation, but here are the steps to follow for changing the default database prefix for existing installations and to understand more about how to access the Joomla! database directly.

  1. Log in to your Joomla! backend and go to the global configuration
  2. Find a database option and change the database prefix to something random
  3. Now open phpMyAdmin and access your database to export the default configurations
  4. Select all the code from your exported information and copy it on notepad
  5. Next, go to phpMyAdmin and delegate existing data
  6. Now, replace jos_ with your default database prefix in notepad
  7. Copy the code to your SQL in phpMyAdmin and run queries.

Install a Digital Certificate

A digital certificate is based on cryptographic encryption, ensuring secure communication between a browser and your website server. SSL, or Secure Sockets Layer, certificates help secure Joomla websites from attacks like man-in-the-middle (MITM) attacks. Apart from that, it also prevents code injections into your Joomla server.

The best part about installing an SSL certificate is that it helps with higher search engine rankings for your Joomla! website. One of the critical aspects of Google’s guidelines for search engine optimization is the HTTPS protocol. SSL certificates allow your Joomla websites to enforce HTTPS protocol. 

Installation of individual SSL certificates for a multi-domain Joomla website can be costly. Fortunately, you can install a multi-domain SSL certificate that secures all the domains through a single certificate.

While these Joomla security best practices help secure your server and PHP, you need other measures to cope with extension vulnerabilities.

Joomla Application Security

Securing your Joomla web apps needs more than configuring the PHP right. It's not just about the server either, as you will be dealing with several extensions and templates which enhance customer experience.

Keep your Joomla core up to date

The first thing you should do is check that your instance is running the latest patch of Joomla. Official releases will update with new features and functional bug fixes, but more importantly patch security vulnerabilities.

Keep extensions up to date

After updating your Joomla core, check your third-party extensions. Vulnerable plugins are a common attack vector for adversaries targeting a CMS-based site.

Remove unused and known-vulnerable extensions

More third-party code means a larger attack surface. Frequently audit the plugins installed on your site by visiting the Extension Manager in Control Panel and remove any that aren’t in use.

Audit privileged users

Joomla allows three privileged user groups to access areas of the Control Panel:

  • Managers — access to content creation features and system information in the backend
  • Administrators — access to most administration functions but not Global options
  • Super Users — access to all administration functions with complete control

Enable two-factor authentication

Two-factor authentication is an excellent defense measure which you should take advantage of, especially for privileged users who hold Manager, Administrator or Super User status.

See our reference to AdminExile in the Extensions section below for ideas on how to do this.

Monitor your site for malicious content

Check the status of your Joomla site on a regular basis and take immediate action if issues are detected. When investigating a potentially compromised website, use the on-demand VirusTotal URL scanner to narrow down the manner of infection.

Subscribe to Joomla’s official Security Announcements

Joomla publishes vulnerability advisories on the Security Announcements page. Subscribe to email notifications via FeedBurner or add the RSS feed to your reader of choice to stay up-to-date with resolved issues in the core software.

Extensions and template security

Extensions and templates can be obsolete, deprecated, and have legacy vulnerabilities. So, it becomes essential to monitor for security patches that are released time and again for these extensions. 

Apart from that, you can use the approach of lean data access. Restrict access to data through these extensions and secure your Joomla websites.

Here, you can use multi-factor authentication to ensure that the data access is secure. It is a security best practice where you validate the data access through multiple authentications.

One example of multi-factor authentication is 2FA, or two-factor authentication. Here, users need to verify their email address, password, and a separate passcode sent to their devices.

Make Use of Web Application Firewalls (WAF)

Web Application Firewalls help secure your websites from different OWASP-defined malware, ransomware, and cybersecurity attacks. A WAF helps monitor, filter, and block malicious traffic to your web application. Further, a WAF can prevent unauthorized data access and secure information on the app.

The best part of using a WAF is how you can customize it according to security needs. It adheres to your security policies and helps identify secure traffic. All of the above security best practices are a great way to secure your Joomla website, but you need to scan it regularly for sudden changes.

Joomla Security & Vulnerability Detection Extensions

  • Securitycheck by Texpaok is a modular interface designed to manage the entire extension quickly and easily with a firewall that has been tested against more than 90 SQL, LFI, and XSS attack patterns, and includes features such as IPv6 support, blacklist, whitelist and more.
  • OWASP Joomla! Vulnerability Scanner is an open-source project, developed with the aim of automating the task of vulnerability detection and reliability assurance in Joomla CMS deployments. Implemented in Perl, this tool enables seamless and effortless scanning of Joomla installations, while leaving a minimal footprint with its lightweight and modular architecture.
  • RSFirewall! was developed by RSJoomla!, to be used to protect your Joomla! website from intrusions and hacker attacks. It's backed up by a team of experts that are trained to be always up to date with the latest known vulnerabilities and security updates.
  • Watchful Client is a webmaster toolbox that automates tasks such as creating website backups, scanning for signs of intrusion, and bulk-updating the extensions you trust. You can also scan your site for the use of security best practices, perform a deep scan to look for potential security threats, and generate website reports for your clients. 
  • The AdminExile Plugin has long been a favored and highly rated extension in the JED. AdminExile is a Joomla system plugin designed to secure access to the /administrator URL and prevent unauthorized access to the /administrator login form itself. AdminExile implements many different types of access control, including access keys, IPv4/6 Block/Allow Lists (IP and CIDR netmasks supported), Brute Force detection, front-end Restriction, Lost Key Recovery, and stealth mode to prevent access by unauthorized actors.
  • The Brute Force Stop plugin stores information on failed login attempts, so that when reaching a configurable number of such failed login attempts the attacker's IP address can be blocked. 

Monitor Site for Changes

There are a number of resources at your disposal to identify something that has gone wrong on your Joomla website. In the event of a security breach, it is important to employ tools such as integrity monitoring and auditing/alerts.

Eyesite

Eyesite scans your directory structures, storing the details of every file in a database table including the file date/time, size, and md5 checksum of the file. Every time Eyesite re-scans the directory structure, it re-calculates the md5 checksum of each file, and compares it to the one stored in the database. Eyesite is then able to detect any files in the directory tree that are new, changed, or deleted. If any changes are detected, Eyesite sends you an email.

Mail Catcher

Mail Catcher is a utility component for Joomla! that catches, logs and monitors emails sent from your site. It is useful for developers and administrators because it monitors and keeps track of all emails sent from your Joomla site for debugging and administration purposes. Mail Catcher also tracks extensions that send emails regularly and frequently, like newsletters or subscription systems, and will help you see if the emails were sent as intended.

Integrity Monitoring

Integrity checks are crucial when auditing your Joomla installation because they give you an early warning of an intrusion on your website. File Integrity Monitoring tools should be installed on a server where a baseline cryptographic checksum of the critical files and registry entries can be created, and you’ll receive a notification if a file or record is modified.

Consider using Samhain or OSSEC Syscheck or Tripwire Open Source for these tasks. Let us know if you’d like to see more on these topics.
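
The baseline-and-rescan cycle described in the Eyesite and Integrity Monitoring sections, as an added example that is not code from Eyesite, Samhain, OSSEC or Tripwire. It swaps the md5 checksum mentioned above for SHA-256, and the site tree it scans is a constructed temporary directory with hypothetical file contents.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file path (relative to root) to (size, SHA-256 hex digest)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[os.path.relpath(path, root)] = (os.path.getsize(path),
                                                   digest.hexdigest())
    return result


def compare(baseline, current):
    """Return the paths that are new, deleted or changed since the baseline."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def demo():
    """Baseline a constructed site tree, alter it, and report the drift."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "administrator"))
        files = {
            "index.php": b"<?php // front controller\n",
            "configuration.php": b"<?php // settings\n",
            os.path.join("administrator", "index.php"): b"<?php // admin\n",
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)

        # Changes between scans: a same-size edit, an unexpected file, a removal.
        with open(os.path.join(root, "index.php"), "wb") as fh:
            fh.write(b"<?php // FRONT controller\n")  # same length as the original
        with open(os.path.join(root, "new_upload.php"), "wb") as fh:
            fh.write(b"<?php // unexpected file\n")
        os.remove(os.path.join(root, "configuration.php"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The edit to index.php keeps the file size identical, so a size-only comparison would miss it; the digest is what flags it as changed.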

Auditing / Alerts

Auditing tools provide visibility into user activity on the website. Some things the administrator should be questioning include:

  • Who is logging in?
  • Should they be logging in?
  • Why are they changing that post?
  • Why are they logging in when they should be sleeping?
  • Who installed that plugin?
  • Why are they taking that action?

Logging activity is also extremely important, which is why you must use a tool that logs and alerts you of any actions taken on your website, including:

  • User authentication successes and failures
  • User creation/removal
  • File uploads
  • Article and page creation
  • Article and page publishing
  • Extension installation
  • Template modifications
  • Settings modifications

Protect phpMyAdmin Security

phpMyAdmin is a MySQL/MariaDB administration application written in PHP that allows an admin to interact with the database through their web browser, greatly simplifying many common administrative tasks.

Many admins choose to use phpMyAdmin to help with more advanced Joomla database functions. However, it is critical that you ensure access to the Joomla database is limited and protected with the best security settings.

Here are a few tips you should know about to ensure you’re not allowing threat actors to subvert your Joomla security by attacking the database directly through a vulnerable phpMyAdmin configuration.

  • Be sure you are using a digital certificate to encrypt access to your phpMyAdmin installation.
  • Be sure you have protected phpMyAdmin with a password, and don’t allow direct root access.
  • Change the default phpMyAdmin login URL to something only known to you.
  • Restrict access to the phpMyAdmin application by IP addresses.

Many of these options and parameters are set in the Apache configuration included with the installation.

Final Checks: Run a Security Scan

If you want to secure your Joomla website, tweaking the configurations is not enough. You need to monitor the website and scan for vulnerabilities. In particular, any new version update or addition of a feature can lead to an unknown vulnerability, which can open a backdoor for attackers to execute cyberattacks.

Another security best practice to secure the Joomla website is to conduct extensive penetration testing. A pen test helps ensure the resilience of systems against the penetrative force of different cyberattacks. 

There are many Joomla vulnerability scanners and pen test tools that you can use. Here are a few to get started. 

  • Security Check - protects your website against more than 90 attack patterns, and it has a built-in vulnerability check to test installed extensions for any security risk.
  • Joomscan - finds known vulnerabilities in Joomla Core and Components, including SQL injection and command execution.

Many of these can be found in the Joomla Extensions Directory. Also, consider PHP code scanners and other more general web application security scanners.

Conclusion

As the number of internet users grows, the risks of a possible cyberattack become more prevalent. Joomla security will need more aggressive monitoring, altering and restricting the data access policies. The best practices we discussed here will help you overcome the security challenges of Joomla websites and ensure adherence to security policies. However, which best practices to use will depend on specific website requirements. 
