Internet security is a fast moving challenge and ever present threat. There is no one right way to secure a website, and all security methods are subject to instant obsolescence, incremental improvement, constant revision. Luckily, there are well-established principles that upon which to base your defensive plans. The following checklists point you toward current best practices for Joomla security.
The most important guidelines
These checklists are long and growing because the full plot is thick, complex, and expanding, but don't despair! Here are a few essential guidelines for securing any website. Following them will protect you from most catastrophes.
Backup Early and Often: Setup (and use and test) a regular backup and recovery process. When done well, this ensures that you can recover from almost any imaginable disaster.
Update Early and Often: Promptly update to the latest stable version of Joomla! and any installed third-party extensions. This ensures that your site is protected from the newest vulnerabilities as soon as a fix is released and from the latest attack methods as soon as a defense is developed.
Use a secure host Use a high-quality Web host. Do not be fooled by offers of 'unlimited bandwidth, unlimited hard drive space, unlimited databases, etc.
Use the community Don't forget the truism, "If a deal is too good to be true, it is." It seems that nothing on Earth is unlimited--except perhaps the gullibility of fools and the greed of those who prey upon them. Consider hiring professional assistance if you have inadequate experience or knowledge in this area. One of the advantages of GNU software is that user support is free. Take good advantage of this by asking good questions within the Joomla! Forums. When doing so, be sure to use the the most appropriate board, such as Installation, Migration and Updating, Administration.
There are many other important security considerations that you can learn about in this checklist and in the Security FAQ's.
The bad news
There is no perfect security on the Web! As economists would say, "There's no free lunch." Don't be fooled by Joomla's award winning ease-of-use. Maintaining a secure Web site on the open Internet is not easy. Maintaining adequate security requires a wide and ever-growing range of skills and knowledge, constant watchfulness, and a robust backup and recovery process.
There's no one right way! Due to the variety and complexity of modern web systems, security issues can't be resolved with simple, one-size-fits-all solutions. You (or someone you trust) must learn enough about your server infrastructure to make valid security decisions. Strong security is a moving target. Today's expert might be tomorrow's victim. Welcome to the game...
There's no substitute for experience! To secure your Web site, you must gain real experience (some of which will be bitter), or get experienced help from others. If you haven't invested the considerable time it takes to learn how to maintain a secure Web site, be sure you can consult with someone who has. Read this tongue-in-cheek description of the Top 10 Stupidest Administrator Tricks which illustrates typical, blow-by-blow examples of how to learn Web security the hard way.
Even a beginner can start at the head of the herd User forums for many systems are clogged with Help! I've been hacked posts by people who did NOT follow standard security practices. If you are studying this checklist before your site is attacked, congratulations, you're already ahead of the herd.
You can get help If you believe your website was attacked, do not simple post an announcement with full details in the Joomla! forums. If you are dealing with a new vulnerability or new form of attack, publishing that information could put other websites at risk. Instead, report possible security vulnerabilities to the Joomla! Security Task Force.
How to read these documents
Not all techniques are appropriate for every level of experience. Apply the techniques you understand and read up on the ones you don't.
Not all techniques are appropriate for every server. If you use a shared server, you must depend on the settings established by your hosting provider. If you are using a virtual or dedicated server, you can apply more creative security tactics.
Not all security tactics are appropriate for all versions of Joomla. Where a technique applies to only one version it is noted by one of the following icons: .
Are you ready?
Can you administer a dynamic, 24x7, world-accessible, database-driven, interactive, user-authenticated web server?
Do you have the time and resources to respond to the flow of emerging Internet security issues? The Top 10 Stupidest Administrator Tricks is a comic/tragic look at what can go wrong. Don't learn these tricks the hard way! Depending on your recent experience, reading the Stupidest Tricks will either make you laugh or cry.
Stay informed of security issues
Given the complexity of web servers, new vulnerabilities and conflicts are discovered all the time. To receive all security announcements, just subscribe to Joomla Security News. There are several ways to subscribe: