I have written a post earlier about why you should keep your Joomla sites updated for safety reasons.
Phil Taylor published this Tweet today:
A lot of people getting old versions of #joomla 1.5 hacked today - been fixing sites all day for customers...
UPGRADE NOW to #Joomla (latest version)
I couldn't say it better myself. It's crucial that you upgrade to the latest version of Joomla.
When you've done that, there are several other actions you can and should take to avoid being hacked:
- Follow the Joomla Administrator's Security Checklist
The guys at joomla.org have put together a Joomla Administrator's Security Checklist - use it and secure your Joomla site as much as possible using the guidelines.
- Install the jSecure Authentication plugin
Every Joomla back-end has the same URL. If you install a security plugin, you can add a suffix to your back-end URL to make it look like this: http://www.yoursite.com/administrator?helloworld
If the URL is not entered with a correct suffix, the site will redirect to a 404 (not found) page. Change the suffix regularly. The plug-in is $4.99 and it's worth it!
Buy and download the jSecure Authentication plugin here
- Don't use the jos_ prefix
The standard prefix for Joomla tables are jos_. However, many security exploits rely on your database tables being called jos_XXXXXX.
By simply using your own prefix you would have been protected from these exploits.
It should also be unique for every site.
Read more about this over atthe blog of Brian Teeman.
- Change your admin user
The default ID for the admin user in Joomla is always 62, and this may be used by a hacker. To avoid this, do the following:
- Create a new super-administrator with another user name and a strong password
- Log out and in again as this new user
- Change the original admin user to a manager and save (you are not allowed to delete a super-administrator).
- Now, delete the original admin user (user ID 62).
Thanks to Brian Teeman for this tip!
- Use a unique and strong password
Create a unique passwords from a combination of upper- and lowercase letters, numbers and symbols. For instance WsHc3_#7
Use an Online Password Generator to make the process easier.
- Change your username and password often
At least every 3 months.
- Don't use the root user in mySQL as the user of your database
You should always create a new database user when installing a new site, and give rights to the new database only. This way, the user will only have access to the specific site. If not, you can have one site hacked and the rest are wide open as well...
- Always update to the latest Joomla version
Can not be said too often ;)
Have any other tips? Let me hear them in the comments field!