
Securing Joomla - Post-Installation


What you do immediately after installation is very important. Fortunately, upon completing installation, Joomla offers to perform the very first necessary task for you: when offered, delete the "installation" folder! Left in place, this folder may give an attacker the ability to completely reconfigure your site. Because that step is part of the installation process itself, it is listed in this introduction, separately from the items below.

Rename htaccess.txt to .htaccess

Many security configurations can be made in the .htaccess file. Some of these security configurations will be covered later in this article.

Optional
Although optional, this is highly recommended.
Benefits
The list is long, but here are a few benefits of renaming the htaccess file:
  • Enables the next step in this list: hiding URL variables from attackers by using URL rewriting, which makes their task of infiltration more difficult.
  • Additional protection from a few known attack vectors is built into the default htaccess file.
  • With additional configuration (below), discourages fingerprinting (identifying that your site runs Joomla).
Procedure
Browse to your Joomla root directory and locate the file named htaccess.txt. Rename that file to .htaccess using whatever method you have available. In an SSH session, it is as simple as typing mv htaccess.txt .htaccess.
Considerations
Please pay close attention to these possible pitfalls:
  • If you choose to copy htaccess.txt to .htaccess - be sure to move or rename this backup copy of htaccess.txt. One of the fingerprinting techniques used is to look for the htaccess.txt file and compare it to known versions of that file in order to determine that the site is running Joomla, and determine which version of Joomla is running.
  • The htaccess.txt file may reappear when you receive a Joomla update (if there was an update to the file). So each time you update Joomla - look for a new htaccess.txt file. It may benefit you to learn what changes were made and replace your .htaccess file with this new version - or incorporate the changes to your modified .htaccess file.
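The rename from the procedure above, with both pitfalls from the considerations handled, as an added example that is not part of the original article: a POSIX shell function that moves (never copies) htaccess.txt into place, removes a re-shipped htaccess.txt after an update when it is identical to the live .htaccess, and otherwise stashes the new file outside the web root for you to diff and merge. The function name, the stash directory argument and the exit codes are this example's own conventions.

```sh
#!/bin/sh
# Added example (not from the original article): install Joomla's shipped
# htaccess.txt as .htaccess without leaving a fingerprintable copy behind.
#
#   install_htaccess JOOMLA_ROOT [STASH_DIR]
#
# Exit status: 0 = nothing left to do, 1 = a changed htaccess.txt was shipped
# and needs a manual merge (it was moved to STASH_DIR), 2 = no htaccess at all.
install_htaccess() {
    root="$1"
    stash="${2:-$root/../htaccess-stash}"   # assumption: a path outside the web root
    src="$root/htaccess.txt"
    dst="$root/.htaccess"

    if [ ! -f "$src" ]; then
        if [ -f "$dst" ]; then
            echo "ok: $dst in place and no htaccess.txt left to fingerprint"
            return 0
        fi
        echo "error: neither htaccess.txt nor .htaccess found in $root" >&2
        return 2
    fi

    # First install: mv, not cp, so htaccess.txt does not remain web-readable.
    if [ ! -f "$dst" ]; then
        mv "$src" "$dst"
        echo "installed: htaccess.txt moved to .htaccess"
        return 0
    fi

    # Both exist: a Joomla update re-shipped htaccess.txt.
    if cmp -s "$src" "$dst"; then
        rm -f "$src"
        echo "ok: re-shipped htaccess.txt is identical to .htaccess; removed"
        return 0
    fi

    # Changed upstream file: keep it for merging, but not where a browser can fetch it.
    mkdir -p "$stash"
    kept="$stash/htaccess.txt.$(date +%Y%m%d%H%M%S)"
    mv "$src" "$kept"
    echo "review: new htaccess.txt differs from .htaccess; stashed at $kept" >&2
    diff -u "$dst" "$kept" >&2 || true
    return 1
}

# Run directly:  sh install_htaccess.sh /var/www/joomla
if [ -n "${1:-}" ]; then install_htaccess "$@"; fi
```

Run it once after installation and again after every Joomla update; a non-zero exit with a stashed file is the signal to read the upstream diff and carry the changes into your customised .htaccess.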

Enable "Search Engine Friendly URLs" and "Use URL Rewriting"

Using SEF URLs in your site not only helps with the search engine visibility, it also hides information present in non-SEF URLs which may help attackers to craft attacks that are tailored to your configuration or installed components.

Optional
Although optional, this is highly recommended. This depends on your decision above. If you did not rename htaccess.txt to .htaccess - do not enable "Use URL Rewriting".
Benefits
Enabling this feature benefits you in two ways:
  1. Decreases the ability to fingerprint the site by removing the URL variables that help an attacker identify that it runs Joomla.
  2. Boosts your search engine visibility by replacing URL variables that the search engines ignore with words that are (potentially) related to your content.
Procedure
Follow these steps:
  1. In the Joomla /administrator backend, click the "System" menu and choose "Global Configuration".
  2. Click the "Site" tab if it is not already active.
  3. In the right column (at the top), locate the "Search Engine Friendly URLs" option and set it to "Yes"
  4. In the right column (at the top), locate the "Use URL Rewriting" option and set it to "Yes"
Considerations
To fully benefit from SEF URLs, take the time to learn about how search engines treat keywords in the URL.
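Joomla writes both switches from the procedure above into configuration.php as `public $sef = '1';` and `public $sef_rewrite = '1';`. The following added example (mine, not from the article or from Joomla) checks a site directory for the mismatch the "Optional" note warns about: URL rewriting switched on while no .htaccess is present, which leaves every SEF link returning 404 on Apache. It also flags a leftover htaccess.txt, since that undoes the fingerprinting benefit. The function name and exit-status convention are this example's own; it assumes Apache with .htaccess, as the article does.

```sh
#!/bin/sh
# Added example (not from the original article): sanity-check the two SEF
# switches in configuration.php against the presence of .htaccess.
#
#   check_sef JOOMLA_ROOT
#
# Prints one line per finding; exit status is the number of findings (0 = clean).
check_sef() {
    root="$1"
    cfg="$root/configuration.php"
    n=0

    if [ ! -f "$cfg" ]; then
        echo "error: $cfg not found" >&2
        return 99
    fi

    # Joomla stores Global Configuration values as PHP class properties.
    # grep -F matches the literal line, so the $ is not treated as a regex anchor.
    if grep -qF "public \$sef = '1';" "$cfg"; then
        sef=1
    else
        sef=0
        echo "finding: Search Engine Friendly URLs is off; index.php?option=com_... URLs expose installed components"
        n=$((n + 1))
    fi

    if grep -qF "public \$sef_rewrite = '1';" "$cfg"; then
        if [ ! -f "$root/.htaccess" ]; then
            echo "finding: Use URL Rewriting is on but $root/.htaccess is missing; SEF links will 404 on Apache"
            n=$((n + 1))
        fi
    elif [ "$sef" -eq 1 ]; then
        echo "finding: Use URL Rewriting is off; every SEF URL still carries /index.php/"
        n=$((n + 1))
    fi

    # A leftover htaccess.txt is a fingerprint on its own, whatever the SEF setting.
    if [ -f "$root/htaccess.txt" ]; then
        echo "finding: $root/htaccess.txt is still web-readable; it is compared against known Joomla releases"
        n=$((n + 1))
    fi

    return $n
}

# Run directly:  sh check_sef.sh /var/www/joomla
if [ -n "${1:-}" ]; then check_sef "$1"; fi
```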

Turn off "Show Joomla Version"

This default setting is absolutely unnecessary, and should never be left on. A website that identifies its software and version is an attacker's dream.

Necessary
Although this is not an attack vector or specific vulnerability, it discloses important information that should not be revealed. Do not overlook this setting!
Benefits
Information disclosure is reduced in one case, and removed in another:
  1. The Joomla version number is removed from the meta generator tag.
  2. When GZip compression is also enabled, the "X-Content-Encoded-By: Joomla!" HTTP header is not sent.
    • This was once very difficult to remove, and required the administrator to either hack the Joomla core files (not recommended), or use the RicheyWeb "Clean Response" plugin.
Procedure
Follow these steps:
  1. In the Joomla /administrator backend, click the "System" menu and choose "Global Configuration".
  2. Click the "Site" tab if it is not already active.
  3. In the left column (at the bottom), locate the "Show Joomla Version" option and set it to "No"
Considerations
This is just one of several steps necessary to fully remove this disclosure. Others will be detailed later in the "Fingerprinting Countermeasures" section.
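A check for the two disclosures listed under "Benefits", as an added example that is not part of the original article: it inspects a saved HTTP response (headers followed by body) for the X-Content-Encoded-By header and for a version string in the generator meta tag. The response is captured with `curl -sS -i --compressed https://example.com/ > home.txt` (-i keeps the headers in front of the body; --compressed asks for gzip, so the header is sent if the site would send it). The function name, exit-status convention and the sample responses in the usage note are this example's own.

```sh
#!/bin/sh
# Added example (not from the original article): inspect a saved HTTP response
# for the two disclosures controlled by "Show Joomla Version".
#
#   check_version_disclosure RESPONSE_FILE
#
# Exit status = number of findings (0 = neither disclosure present).
check_version_disclosure() {
    f="$1"
    n=0

    # 1. Response header sent when GZip compression is on and the version is shown.
    hdr=$(tr -d '\r' < "$f" | grep -i '^X-Content-Encoded-By:' | head -n 1)
    if [ -n "$hdr" ]; then
        echo "finding: header discloses the CMS: $hdr"
        n=$((n + 1))
    fi

    # 2. <meta name="generator"> in the body. Joomla writes
    #    "Joomla! - Open Source Content Management" and, while "Show Joomla
    #    Version" is Yes, appends " - Version x.y.z".
    gen=$(tr -d '\r' < "$f" | grep -io '<meta name="generator" content="[^"]*"' | head -n 1)
    case "$gen" in
        "") ;;
        *[Vv]ersion*[0-9].[0-9]*)
            echo "finding: generator tag discloses the version: $gen"
            n=$((n + 1)) ;;
        *)
            # Still names the CMS; that is what the later "Fingerprinting
            # Countermeasures" section deals with, so it is a note, not a finding.
            echo "note: generator tag still names the CMS: $gen" ;;
    esac

    return $n
}

# Run directly:  sh check_version_disclosure.sh home.txt
if [ -n "${1:-}" ]; then check_version_disclosure "$1"; fi
```

A site with the setting on and GZip enabled produces two findings; after switching "Show Joomla Version" to "No" the same request should produce none, with the generator tag reduced to the bare product name.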

Disable Unnecessary Extensions

Joomla ships with many components, modules and plugins that you may not need. Most are enabled by default. For example, I rarely use the Banners component, yet it is enabled by default. Likewise, if you don't plan on using the Joomla Contacts component, there is no reason for it to be enabled.

Do some research into the extensions Joomla ships with, and make a list of the features you plan to use. If it isn't something you need - disable it.

Necessary
Fewer active extensions means fewer attack vectors.
Benefits
Here are a few:
  • Reduces the number of attack vectors to your site.
  • Reduces clutter in the /administrator component menu, module, and plugin management screens.
  • Makes you more familiar with what's on your site, which can't be a bad thing.
Procedure
Follow these steps:
  1. In the Joomla /administrator backend, click the "Extensions" menu, hover over "Manage" and click "Manage" in the submenu.
  2. Browse, search, or filter your way to the extensions you wish to disable.
  3. Clicking the green checkmark or selecting the checkbox and clicking the "Disable" menu option will disable the extension.
Considerations
This can be a dangerous process for those not familiar with the necessary extensions.
  • If you don't know what it is or does, don't disable it.
  • Disabling the wrong thing can make your site unusable.
  • If an extension appears with a lock instead of a green checkmark - it cannot be disabled.

Hide /administrator

This isn't as hard as it sounds. You have several options, but some of them are just as bad as leaving it visible.

There are several popular methods, one of which is a RicheyWeb extension called AdminExile and another is a very new RicheyWeb extension called Clipper. Without naming extensions or developers, I'll describe the methods and associated pitfalls.

.htaccess/.htpasswd/HTTP Authentication

This method, while secure, fails to address the fingerprinting aspect of securing the site. Upon arrival, an authentication popup appears - indicating that something exists at /administrator. Additionally, HTTP authentication is vulnerable to brute force attack - as it isn't CSRF token secured like Joomla forms (generally) are. An attacker can hammer away knowing that the only way he's getting caught is if an administrator sees it in the log files.

URL Tokens

This is a method used by Clipper and AdminExile as well as several other security extensions. One key difference is that Clipper and AdminExile prevent the Joomla session cookie from being sent. Other URL token extensions block access to /administrator - but allow the session cookie to be sent. If the cookie is received by an attacker, he immediately knows that something exists at that URL and can continue to probe for a means of entry.

IP Whitelist

This is a method used by Clipper and AdminExile and others. Again, this method is secure if the session cookie is blocked. As with URL tokens, AdminExile and Clipper block the session cookie where others do not.

Necessary
You can't hack a form that is inaccessible.
Benefits
The list is long, here are two:
  • Prevent fingerprinting
  • Stop brute force attacks
Procedure
Choose your method and follow the instructions included with it. There are so many options, it is not practical to list them all.
Considerations
Whatever method you choose, make sure you know how to get past it yourself (a lost key, a changed IP address, a forgotten password) before you need to. My number 1 support request for AdminExile is how to recover from forgotten keys.
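The test that separates the three methods above is whether a visitor can tell /administrator apart from a path that does not exist. The following added example (mine, not from the article or from any of the extensions it names) compares a saved response for /administrator/ against a saved response for a random nonexistent path and reports every difference an attacker could use: a different status code, a session cookie handed out only by the blocked path, an HTTP authentication challenge, or a redirect the control path does not get. The two files are captured with `curl -sS -i https://example.com/administrator/ > admin.txt` and `curl -sS -i https://example.com/no-such-path-12345/ > control.txt`; the function names, exit-status convention and the sample responses in the test are this example's own, and the cookie name in them is made up.

```sh
#!/bin/sh
# Added example (not from the original article): differential probe of
# /administrator against a control path that certainly does not exist.
#
#   probe_admin ADMIN_RESPONSE CONTROL_RESPONSE
#
# Exit status = number of findings (0 = indistinguishable from a missing path).

# "HTTP/1.1 404 Not Found" -> "404"
status_of() {
    head -n 1 "$1" | tr -d '\r' | cut -d ' ' -f 2
}

# header_of NAME FILE -> first "NAME: value" line, empty if the header is absent
header_of() {
    tr -d '\r' < "$2" | grep -i "^$1:" | head -n 1
}

probe_admin() {
    admin="$1"
    control="$2"
    n=0

    a=$(status_of "$admin")
    c=$(status_of "$control")
    if [ "$a" != "$c" ]; then
        echo "finding: /administrator answers $a while a nonexistent path answers $c"
        n=$((n + 1))
    fi

    # The point made about URL-token and IP-whitelist plugins: a blocked request
    # must not hand out the Joomla session cookie, or the block itself confirms
    # that something is there.
    if [ -n "$(header_of Set-Cookie "$admin")" ] && [ -z "$(header_of Set-Cookie "$control")" ]; then
        echo "finding: /administrator sets a cookie the control path does not: $(header_of Set-Cookie "$admin")"
        n=$((n + 1))
    fi

    # HTTP authentication in front of /administrator: the challenge announces the
    # target, and nothing in the exchange slows down password guessing.
    if [ -n "$(header_of WWW-Authenticate "$admin")" ]; then
        echo "finding: HTTP authentication challenge: $(header_of WWW-Authenticate "$admin")"
        n=$((n + 1))
    fi

    # A redirect is only harmless if the control path is redirected the same way.
    la=$(header_of Location "$admin")
    lc=$(header_of Location "$control")
    if [ -n "$la" ] && [ "$la" != "$lc" ]; then
        echo "finding: /administrator redirects ($la) differently from the control path"
        n=$((n + 1))
    fi

    return $n
}

# Run directly:  sh probe_admin.sh admin.txt control.txt
if [ -n "${2:-}" ]; then probe_admin "$1" "$2"; fi
```

Repeat the probe from an address that is not on your whitelist and without your URL token; a zero exit is the result the article is asking for, and any finding shows exactly which of the three pitfalls your chosen method still has.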

Thomas Mann had the right idea:

Order and simplification are the first steps toward the mastery of a subject.

Thomas Mann