
Securing Joomla - Updates and Backups


Stay Up-to-Date

Software updates are issued far more often to fix a bug or a security flaw than to ship a new version or feature. It is important to check often, because a vulnerability report spreads like wildfire through the hacking and cyber-crime communities, and once a single technique can exploit a large number of websites, attackers take notice. Joomla doesn't have the largest market share, but it is number two, and that is an appealing target.

Joomla is the product of a very active community. Vulnerabilities don't go unnoticed for long, and as a result Joomla receives frequent updates. Because of those frequent updates, Joomla has gained a built-in update notification for both the CMS and extensions. When properly configured, your site can notify you when updates are available. That notification relies on the site being visited and on outgoing mail working, so confirm that a notification actually reaches you before you depend on it.

Plan to check for both Joomla and extension updates on a regular basis. Put it on your calendar, or set a recurring reminder on your phone.

Yes, it's that important!
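The built-in notification only helps if it reaches you. As an added example (not the article's code and not part of Joomla), here is a small POSIX shell script meant for cron: it reads the installed core version from Joomla's own version file and compares it with a "latest" version you pass in, for instance one taken from Joomla's core update server at https://update.joomla.org/core/list.xml, and exits non-zero when an update is due so that cron mails you. The file locations and constant names it looks for are the ones used by Joomla 3 and Joomla 4/5 version files; older property-style files (`public $RELEASE`) are an assumed edge case it does not handle. The sample version files used to exercise it are constructed, not taken from a real install.

```shell
#!/bin/sh
# Out-of-band Joomla core version check for cron (added example, not Joomla's
# own tooling). Usage: joomla-update-check.sh SITE_ROOT LATEST_VERSION

# php_const NAME FILE: prints the value of "const NAME = value;" (or
# "public const ...") from FILE, with surrounding quotes stripped.
php_const() {
    sed -n "s/^[[:space:]]*\(public \)*const $1 *= *'\{0,1\}\([0-9.]*\)'\{0,1\};.*/\2/p" "$2"
}

# joomla_version SITE_ROOT: prints the installed core version as x.y.z.
# Prefers the MAJOR/MINOR/PATCH constants (Joomla 3.8 and later, 4, 5) and
# falls back to the RELEASE/DEV_LEVEL constants of older Joomla 3 files.
joomla_version() {
    f="$1/libraries/src/Version.php"                          # Joomla 3.8 and later
    [ -f "$f" ] || f="$1/libraries/cms/version/version.php"   # Joomla 3.0 to 3.7
    if [ ! -f "$f" ]; then
        echo "no Joomla version file under $1" >&2
        return 1
    fi
    major="$(php_const MAJOR_VERSION "$f")"
    if [ -n "$major" ]; then
        echo "$major.$(php_const MINOR_VERSION "$f").$(php_const PATCH_VERSION "$f")"
    else
        release="$(php_const RELEASE "$f")"
        if [ -z "$release" ]; then
            echo "unrecognised version file: $f" >&2
            return 1
        fi
        echo "$release.$(php_const DEV_LEVEL "$f")"
    fi
}

# version_lt A B: true when dotted version A is older than B. Components are
# compared numerically, so 4.2.3 is older than 4.10.0 (string order gets
# that wrong); missing components count as 0.
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    done
    return 1
}

# check_joomla_update SITE_ROOT LATEST: exit 0 when current, 1 when an
# update is due, 2 when the installed version cannot be read.
check_joomla_update() {
    installed="$(joomla_version "$1")" || return 2
    if version_lt "$installed" "$2"; then
        echo "$1: Joomla $installed installed, $2 available"
        return 1
    fi
    echo "$1: Joomla $installed is current"
    return 0
}

# Run only when both arguments are given, so the functions can also be sourced.
if [ $# -eq 2 ]; then
    check_joomla_update "$1" "$2"
fi
```

Run it nightly from cron with the current release number as the second argument; because cron mails any output and the script prints a line only when it has something to say, a quiet mailbox means the site is current.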

Backups are your Lifeline

Murphy's Law: Anything that can go wrong, will.

Richey's Law: Anything worth backing up, is worth backing up twice.

No Cookie Cutter Solutions

Whatever backup method you choose, don't just assume that it works. Know how it works and prove that it does: make a backup, take it to another server, and restore it there. Understand the process so that when you need to restore from a backup, you aren't spending that time reading a manual or trying to figure out what comes next.

Do you need it? Yes you do!

My standard backup for my websites consists of everything on that server, for that website.

  1. Nightly backups of:
    • The site file system
    • The database
    • The server config for the site
    • The SSL certificates
    • The site access and error logs

Do you really need the log files? Mine rotate every seven days, and combined with my backup rotation that gives me 14 days of logs to review in case of a security breach. I won't know whether I need them until I do, so I keep a copy, and that is my suggestion to you.

How long to keep them

That depends on your application. I have a customer that requires one year of logs. My standard, however, is seven days of nightly backups for all server files, plus the last backup of every month kept for six months. Maybe it's overkill, but I'd rather err on the side of caution, and storage space is cheap. Whatever you keep, keep at least one copy off the web server: an attacker who has compromised the server has also compromised any backups stored on it, and a failed disk takes them with it.
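The nightly list above and the retention rules just described fit in one short cron script, and the same script can do the cheap nightly version of the "restore it and make sure it works" check from the No Cookie Cutter Solutions section. What follows is an added example, not the author's own backup script: it snapshots the five items from the list, verifies that the archive unpacks and contains the site's configuration.php, then keeps seven nightly archives and month-end archives for about six months. Every path, the database name and the backup location are assumptions for a typical Apache host with Let's Encrypt certificates; override them through the environment.

```shell
#!/bin/sh
# Nightly Joomla site backup with 7-day daily and ~6-month month-end retention.
# Added example, not the article author's script. All paths are assumptions.
SITE_ROOT="${SITE_ROOT:-/var/www/example.com}"                          # document root
DB_NAME="${DB_NAME:-joomla}"                                             # MySQL database
SITE_CONF="${SITE_CONF:-/etc/apache2/sites-available/example.com.conf}" # vhost config
CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live/example.com}"               # TLS certificates
LOG_DIR="${LOG_DIR:-/var/log/apache2}"                                  # access/error logs
BACKUP_ROOT="${BACKUP_ROOT:-/srv/backups/example.com}"
DAILY_KEEP=7       # nightly archives kept, in days
MONTHLY_KEEP=183   # month-end archives kept, in days (about six months)

# backup_site YYYYMMDD: builds daily/site-YYYYMMDD.tar.gz holding the site
# files, a database dump, the vhost config, the certificates and the logs,
# and prints the archive path.
backup_site() {
    tag="$1"
    work="$(mktemp -d)"
    mkdir -p "$BACKUP_ROOT/daily" "$BACKUP_ROOT/monthly"
    tar -C "$(dirname "$SITE_ROOT")" -czf "$work/files.tar.gz" "$(basename "$SITE_ROOT")"
    # Credentials come from root's ~/.my.cnf, never from the command line.
    if command -v mysqldump >/dev/null 2>&1; then
        mysqldump --single-transaction "$DB_NAME" | gzip >"$work/db.sql.gz"
    else
        echo "WARNING: mysqldump not found, database not backed up" >&2
    fi
    for item in "$SITE_CONF" "$CERT_DIR" "$LOG_DIR"; do
        # -L follows the symlinks Let's Encrypt keeps in its live/ directory
        if [ -e "$item" ]; then cp -RpL "$item" "$work/"; fi
    done
    out="$BACKUP_ROOT/daily/site-$tag.tar.gz"
    tar -C "$work" -czf "$out" .
    rm -rf "$work"
    echo "$out"
}

# verify_backup ARCHIVE: unpacks it into scratch space and checks that the
# site tree inside contains configuration.php. A cheap nightly sanity check;
# the real test is still the restore to another server.
verify_backup() {
    scratch="$(mktemp -d)"
    if tar -C "$scratch" -xzf "$1" &&
       tar -tzf "$scratch/files.tar.gz" | grep -q '/configuration\.php$'; then
        ok=0
    else
        ok=1
    fi
    rm -rf "$scratch"
    return $ok
}

# days_in_month YYYY MM, with Gregorian leap-year handling.
days_in_month() {
    y=$1
    m=${2#0}
    case $m in
        1|3|5|7|8|10|12) echo 31 ;;
        4|6|9|11) echo 30 ;;
        2) if [ $((y % 4)) -eq 0 ] && { [ $((y % 100)) -ne 0 ] || [ $((y % 400)) -eq 0 ]; }
           then echo 29; else echo 28; fi ;;
    esac
}

# is_month_end YYYYMMDD: true when the date is the last day of its month.
is_month_end() {
    y=${1%????}; md=${1#????}; m=${md%??}; d=${md#??}
    [ "${d#0}" -eq "$(days_in_month "$y" "$m")" ]
}

# rotate_backups YYYYMMDD: copies a month-end archive to monthly/, then prunes
# daily archives older than DAILY_KEEP days and month-end archives older than
# MONTHLY_KEEP days.
rotate_backups() {
    tag="$1"
    if is_month_end "$tag"; then
        cp -p "$BACKUP_ROOT/daily/site-$tag.tar.gz" "$BACKUP_ROOT/monthly/"
    fi
    find "$BACKUP_ROOT/daily" -name 'site-*.tar.gz' -mtime +$((DAILY_KEEP - 1)) -exec rm -f {} +
    find "$BACKUP_ROOT/monthly" -name 'site-*.tar.gz' -mtime +"$MONTHLY_KEEP" -exec rm -f {} +
}

# Nightly entry point (cron, as root): snapshot, verify, then rotate.
main() {
    today="$(date +%Y%m%d)"
    archive="$(backup_site "$today")"
    if ! verify_backup "$archive"; then
        echo "backup verification FAILED: $archive" >&2
        exit 1
    fi
    rotate_backups "$today"
}
if [ "${1:-}" = run ]; then main; fi
```

Install it as root, add a line such as `0 2 * * * /usr/local/sbin/joomla-backup.sh run` to root's crontab, and then copy the backup directory to another machine each night; a backup that lives only on the web server disappears with the server.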

I suspect that Mr Hill learned this lesson the hard way.

The majority of men meet with failure because of their lack of persistence in creating new plans to take the place of those which fail.

Napoleon Hill