Introduction to Joomla!
Joomla! is the second most popular Content Management System (CMS) in the world, powering roughly 3.3% of the websites on the interwebs. A PHP-based open source CMS launched in 2005 as a fork of Mambo, Joomla! has grown in popularity over the years courtesy of its simplicity and ease of use, extensibility, size of community and security.
Although Joomla! as a system is considered fairly secure, it has been subject to security breaches over the years. Here is a breakdown of the most commonly known vulnerabilities for Joomla!:
- Vulnerabilities in the Code or Code Execution Flaws
- SQL Injection Attacks
While the CMS being used plays an important role when it comes to security, there are certain steps that a web administrator can take to minimise the risk of a security breach. Some of these include:
- Updating passwords regularly and not using the same password across the entire setup.
- Updating the core files, theme files and extensions as and when new updates are released.
- Going the extra mile to further harden the security of the system.
- Taking regular back-ups.
- Going through the security documentation and coding recommendations put forward by Joomla!
Here is a list of 10 extensions suggested by our team of Joomla! developers that you can use to further enhance the security of a Joomla! setup:
- Akeeba Backup
- Admin Tools Core
- ECC+ – EasyCalcCheck Plus
- Securitycheck Pro
- Brute Force Stop
- Login One!
- jSecure Authentication
- Marco’s SQL Injection
- OSE Secure™
1. Akeeba Backup
Akeeba Backup is a handy little extension that allows you to take regular backups of your Joomla! setup along with the ability to transfer files between servers. Once installed on the Joomla! Dashboard, the extension can create a backup of all the files and the database in a single archive, which can then be transferred to another server with the help of an installer similar to the standard Joomla! Installer.
Some of the features of Akeeba Backup include:
• Automated configuration in order to provide optimal performance.
• Reliable and easy to set up and use.
• Ajax powered backup process which avoids any server timeouts.
• One-click backup process.
• Includes a site transfer wizard that allows you to transfer files across servers smoothly.
• Choice of backup file format.
• Automated or scheduled backups using the Cron job scheduling functionality.
• Archives can be restored on a different server as well.
• Select files that need to be restored or conduct a full restoration from an archive.
2. Admin Tools Core
Admin Tools Core is another great Joomla! extension developed by the Joomla! experts at Akeeba that helps website administrators further tighten the security of their Joomla! website.
This is a free extension and provides the following features and functionalities:
• Update the administrator about any new Joomla! core releases.
• Fix files’ and directories’ permissions in order to minimise the risk of security breaches.
• Add password protection to the admin directory.
• Change the database prefix to protect the Joomla website or web application against SQL injection attacks.
• Perform one-click database management.
There is also a paid version of this extension, Admin Tools Professional. The paid version provides many more security features as compared to the free version.
3. ECC+ – EasyCalcCheck Plus
ECC+ – EasyCalcCheck Plus is a powerful spam protection tool developed for Joomla! based websites and web applications. It adds an extra layer of security by integrating a special check (a security question or token, an arithmetic problem, a hidden field and a time lock) into every form, including the admin login screen. The extension also gives you the option to use third-party anti-spam services such as Google reCAPTCHA, Akismet, Project Honeypot, StopForumSpam, Mollom, Bot-Trap and BotScout.
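To make the four checks described above concrete, here is an added example (not ECC+'s own code) of a form protection round trip: the server issues an arithmetic question, a timestamp and an HMAC token, and on submission verifies the honeypot field, the time lock and the answer. The secret, the timing thresholds and the field names are assumptions for this example.

```python
import hmac
import hashlib
import secrets
import time

# Constructed secret for this example; a real site would load it from configuration.
SECRET = b"example-form-secret-do-not-reuse"
MIN_FILL_SECONDS = 3     # time lock: a human needs at least this long to fill the form
MAX_AGE_SECONDS = 900    # a challenge older than this is stale and must be re-issued


def _sign(answer, ts):
    """HMAC binding the expected answer to the issue time, so the client cannot
    pick its own question or replay an old one indefinitely."""
    return hmac.new(SECRET, f"{answer}:{ts}".encode(), hashlib.sha256).hexdigest()


def issue_challenge(now=None):
    """Hidden fields to embed in the form. 'hp' is the honeypot: it is hidden
    by CSS, so a real browser submits it empty and a naive bot fills it."""
    now = int(time.time() if now is None else now)
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    return {"question": f"What is {a} + {b}?", "ts": str(now),
            "token": _sign(a + b, now), "hp": ""}


def verify_submission(fields, now=None):
    """Validate a POSTed form dict; returns (accepted, reason)."""
    now = int(time.time() if now is None else now)
    if fields.get("hp"):
        return False, "honeypot filled"
    try:
        ts = int(fields.get("ts", ""))
        answer = int(fields.get("answer", "").strip())
    except ValueError:
        return False, "malformed fields"
    age = now - ts
    if age < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    if age > MAX_AGE_SECONDS:
        return False, "challenge expired"
    # Constant-time comparison of the recomputed token against the submitted one.
    if not hmac.compare_digest(_sign(answer, ts), fields.get("token", "")):
        return False, "wrong answer or tampered token"
    return True, "ok"
```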
4. Securitycheck Pro
A comprehensive security extension, Securitycheck Pro is packed full of security features and allows a website administrator to manage the entire extension easily through a single interface.
Some of the features of this extension include:
• Web Firewall protects a website against commonly known web attacks such as SQL Injections, Cross-site Scripting, Clickjacking and Brute Force attacks.
• A File Manager allows you to check file/folder permissions easily and undertake repairs with a click of a button.
• File Modification Alerts notifies a website administrator when a file within the setup has been modified.
• A powerful Malware Scanner that is connected to 40 anti-malware engines and a database of millions of hashes.
• Apart from this there are plenty of other features such as .htaccess protection, admin folder security tightening, Geoblock, URL inspector, Database repairer and more.
5. Brute Force Stop
This is a simple yet powerful Joomla! extension that has been specifically designed to protect a Joomla! website or web application against brute force attacks. The extension stores information about failed login attempts and automatically blocks an IP address once it has reached a certain number of failed attempts. The admin has the option to configure notifications about failed login attempts and the IP addresses involved.
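The mechanism described above, as an added example that is not Brute Force Stop's own code: a per-IP counter of failed logins inside a sliding window, a temporary block once the threshold is reached, and an admin notification. The thresholds and the sample login events (documentation-range IP addresses) are constructed for this example.

```python
from collections import defaultdict, deque


class FailedLoginTracker:
    """Count failed logins per source IP in a sliding window and block the IP
    once max_failures is reached; the block lifts after block_seconds."""

    def __init__(self, max_failures=5, window_seconds=300, block_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.block_for = block_seconds
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> time the block expires
        self.notifications = []              # messages an admin would be sent

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]       # block has expired
            return False
        return True

    def record(self, ip, success, now):
        """Feed one login outcome; returns True if the IP is blocked afterwards."""
        if self.is_blocked(ip, now):
            return True                      # blocked IPs do not get to try at all
        if success:
            self.failures.pop(ip, None)      # a genuine login clears the counter
            return False
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                      # forget failures outside the window
        if len(q) >= self.max_failures:
            self.blocked_until[ip] = now + self.block_for
            self.notifications.append(f"{ip} blocked at t={now} after {len(q)} failures")
            q.clear()
            return True
        return False


# Constructed sample of login events: (timestamp, source ip, success)
SAMPLE_EVENTS = [
    (0, "203.0.113.7", False), (10, "203.0.113.7", False), (20, "203.0.113.7", False),
    (30, "203.0.113.7", False), (40, "203.0.113.7", False), (50, "203.0.113.7", True),
    (5, "198.51.100.2", False), (400, "198.51.100.2", False), (800, "198.51.100.2", True),
]


def replay(events, **kwargs):
    """Replay events in time order and return the tracker for inspection."""
    tracker = FailedLoginTracker(**kwargs)
    for ts, ip, ok in sorted(events):
        tracker.record(ip, ok, ts)
    return tracker
```

With the defaults, 203.0.113.7 is blocked after its fifth failure at t=40 and its later correct password at t=50 is refused, while 198.51.100.2's two spread-out failures never reach the threshold.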
6. Login One!
Developed by Innato BV and last updated on Oct 05 2017, Login One! is an ingenious little extension that prevents duplicate or multiple log-ins with the same user credentials, which is why it is immensely popular for both front-end and back-end use. In practice this means that a user must either sign off the first session or wait until it has expired, protecting potentially sensitive information or data shared or exchanged amongst registered users. Login One! is compatible with Joomla! 3.8.1 and PHP 5.3 or later.
Based on LazyBackup by Stefan Granholm, the purpose of this extension is to back up your Joomla! database (MySQL only) and send the backup files by e-mail, so that they can be kept in a dedicated folder and downloaded by FTP when needed. The extension was internationalised (for Joomla! 1.5 and 1.6) and modified to run with Joomla! 1.6 and now Joomla! 2.5 (Joomla! 3.4.6 too).
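The single-session rule described for Login One!, as an added example (not the extension's own code): a second login with the same account is refused until the first session signs off or its inactivity timeout passes. The timeout value and the session-id format are assumptions for this example.

```python
class SingleSessionGuard:
    """Allow at most one live session per account, keyed by username."""

    def __init__(self, ttl_seconds=900):          # assumed inactivity timeout
        self.ttl = ttl_seconds
        self.active = {}                           # user -> (session_id, last_seen)

    def login(self, user, session_id, now):
        """Returns (accepted, reason)."""
        current = self.active.get(user)
        if current and now - current[1] < self.ttl:
            return False, f"already logged in from session {current[0]}"
        # No session, or the old one timed out: this login takes over.
        self.active[user] = (session_id, now)
        return True, "ok"

    def touch(self, user, session_id, now):
        """Record activity; only the live session for the user may extend itself."""
        current = self.active.get(user)
        if not current or current[0] != session_id:
            return False
        self.active[user] = (session_id, now)
        return True

    def logout(self, user, session_id):
        """Explicit sign-off frees the account for a new login immediately."""
        current = self.active.get(user)
        if current and current[0] == session_id:
            del self.active[user]
            return True
        return False
```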
8. jSecure Authentication
A paid download extension, jSecure Authentication is a security component that provides multi-layered security protection for a Joomla! website. Whilst Joomla! is easy to install and extra layers of security can be added to any website, one drawback is how easily an attacker can get into the site once the admin ID and password have been worked out, because anyone can type the URL of the administration area and see that the website is built with Joomla!. To prevent this, jSecure Authentication prohibits access to the administration (back-end) login page without an appropriate access key.
Some of the features include:
• The jSecure Google reCAPTCHA feature protects your Joomla! administrator access from spam attacks by providing secure authentication.
• Adding an extra layer of security, the Secure Image Authentication function matches the MD5 hash value of an uploaded image with that of the stored image.
• Using a spam protection API, Spam IP Protection is a very useful online security feature that blocks spammers from your Joomla! administrator system by identifying spam IPs and blocking them.
• Website owners can block the countries from which their website’s Joomla! administrator section is attacked most using the Country Block feature.
• Change Database Prefix – prevents attackers from damaging the database by changing its prefix.
• Website administrators can find out a domain’s name server (DNS) information using the WHOIS Lookup tool.
• Email Scan – this feature allows website owners to blacklist spam email addresses in the Joomla! administrator.
• An important user authentication feature, Multiple User Keys lets you set multiple secret keys for the different groups you wish to grant access to your Joomla! back end without sharing the master passkey.
• Form Based Authentication – the first layer of security, form-based authentication allows a user to enter a secret key in a form instead of in the URL.
• Another important website security feature that helps protect your website from spammer attacks is Auto Ban IP, which blocks specific IP addresses altogether.
• Restrict access to other components installed on your site by setting passwords for them using Component Security.
• The Access Graph feature allows you to see all successful and unsuccessful login attempts on your site administration.
• Master Password Protection allows you to block other users’ access to the jSecure component by selecting “Yes” in the jSecure configuration settings in the Joomla! administration area.
• The Login Control feature restricts multiple users from logging into the site using the same username and password.
• Added Password Protection adds more layers of security over the administrator folder using htaccess and htpasswd.
• Assigning Black Listed IPs and White Listed IPs bans an IP automatically from accessing the admin area for a particular time period after a specific number of attempts.
9. Marco’s SQL Injection
A free download extension, simple in nature yet powerful, it provides protection against SQL injection and LFI (local file inclusion) attacks by checking the data sent to Joomla! and intercepting common exploits, whilst notifying you by e-mail when an alert is generated.
10. OSE Secure™