Secure Joomla from hackers
To help secure your Joomla website from hackers, follow some of the tips below.
Block access via IP
Here are a few simple tricks to protect your website in view of the recent massive brute-force global attack:
Limit the access to the administrator directory by IP address:
If you are the only person who needs to log into your admin area, you can deny access to the administrator folder to everyone but yourself via an .htaccess file.
Create a file called .htaccess using a plain text editor or simply edit the existing one (if any) and add:
# Block access to administrator.
# Apache 2.2 syntax; on Apache 2.4 these directives need mod_access_compat.
Order deny,allow
deny from all
allow from x.x.x.x
Where x.x.x.x is your IP address. To whitelist multiple IP addresses, add one "allow from x.x.x.x" line for each IP.
Place the newly created .htaccess file inside the administrator folder. To find your public IP, just Google "my ip".
Change database prefix
Change the default jos_ prefix on your database to something else, e.g. 7ht53_. If you do this post installation, you can export your MySQL database, open it with Notepad if you do not have another editor, and find and replace jos_ with your new prefix. Then do a MySQL query: paste the Notepad contents into the query, then go. Once you are confident all is working, you will need to remove the jos_ database entries. Remember that your config.php file must also be updated to the new prefix.
The latest versions of Joomla! already incorporate this method.
Configure PHP settings
Our Hosting enables the configuration of PHP settings and the choice to use PHP4, 5.2, 5.3, 5.4, 5.6, 7 and 7.1 although the latter are still in experimental stages.
Below is an example of the configurability of PHP settings in our hosting control panel.
Note: this is just an example, and your requirements may be different to what is displayed.
Use .htaccess. Joomla! ships with a preconfigured .htaccess file, but YOU need to choose to use it. The file is called htaccess.txt. To use it, rename it to .htaccess and place it in the root of the Joomla site. Once you have renamed htaccess.txt to .htaccess you may start receiving "error 500" messages. This could be because of the "Options +FollowSymLinks" directive in the .htaccess file; just comment out the directive by placing a "#" in front of it, e.g. "#Options +FollowSymLinks".
Configure Apache mod_security and mod_rewrite filters to block PHP attacks (mod_rewrite in global config settings)
Disable PHP allow_url_fopen if not required
allow_url_fopen = 0
Disable PHP safe mode
safe_mode = 0
Set magic_quotes_gpc to Off. Joomla! 1.5 ignores this setting and works fine either way
magic_quotes_gpc = 0
register_globals should always be off
register_globals = 0
Consider using PHP open_basedir. More information can be found here: http://us3.php.net/manual/en/ini.core.php#ini.open-basedir
Make sure permissions are correct. Chmod DocumentRoot directory (e.g. public_html):
Chmod files: to 644
Chmod Directories: to 755
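One way to check a php.ini file against the four PHP directives set to 0 above, as an added example that is not part of the original page. The function names audit_php_ini and sample_ini, the report format and the sample input are assumptions of this example; the script reads only the text it is given, so a value overridden elsewhere on the server is not seen.

```shell
#!/bin/sh
# Added example: check php.ini text against the four values recommended above.
# Function names and the report format are assumptions of this example.

audit_php_ini() {
  # Reads php.ini from the named file, or from stdin if none is given.
  # Prints one line per finding; exit status is 1 if there are findings.
  awk '
    BEGIN {
      # Directives this page sets to 0.
      want["allow_url_fopen"] = 1; want["safe_mode"] = 1
      want["magic_quotes_gpc"] = 1; want["register_globals"] = 1
    }
    /^[ \t]*;/ { next }                    # whole-line comment
    {
      line = $0
      sub(/;.*/, "", line)                 # trailing comment
      n = index(line, "=")
      if (n == 0) next                     # section header or blank line
      key = tolower(substr(line, 1, n - 1))
      val = tolower(substr(line, n + 1))
      gsub(/[ \t]/, "", key)
      gsub(/[ \t\r"]/, "", val)
      if (!(key in want)) next
      seen[key] = 1
      # Spellings PHP reads as boolean true; the last assignment seen is kept.
      enabled[key] = (val == "1" || val == "on" || val == "true" || val == "yes")
    }
    END {
      bad = 0
      for (k in want) {
        if (!(k in seen)) { print "UNSET " k " (built-in default applies)"; bad = 1 }
        else if (enabled[k]) { print "FAIL " k " is enabled, expected 0"; bad = 1 }
      }
      exit bad
    }
  ' "$@"
}

# Constructed sample input, not taken from a real server.
sample_ini() {
  cat <<'EOF'
[PHP]
; allow_url_fopen = 0
allow_url_fopen = On
register_globals = Off
magic_quotes_gpc = 0 ; legacy setting
EOF
}

sample_ini | audit_php_ini || true
```

The commented-out line in the sample does not count as a setting, so the sample is reported as having allow_url_fopen enabled and safe_mode unset.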
Password protect the Joomla Administrator folder
RFI (Remote File Inclusion) is the latest method hackers are using to hack Joomla websites. The hackers make POST requests to com_installer or com_templates, and then a shell PHP file is posted to the server, by which they can then manipulate files and folders.
Password protecting the administrator folder can help to prevent this, as can adding RFI protection code to the .htaccess file.
Password protecting a folder is an easy task with our hosting control panel
Backup! JoomlaHosting.uk.com provide free daily backups
Most importantly, make sure you make regular backups of your site, so if your site is compromised you can just restore via the backup.
JoomlaHosting.uk.com perform daily backups of your site automatically, giving you peace of mind at no extra cost.
Install the latest patches from Joomla for the core (http://www.joomla.org/announcements/release-news/) and ensure plugins and extensions are updated.
There are many hackers who have nothing better to do than cause misery to hard working and honest people, just for fun and to boost their egos.
One of the most popular methods of hacking is MySQL injection; just do a Google search and get informed.