Protect the /administrator URL
Although listed above, this change is important enough to mention again.
One telltale signature of Joomla is the presence of an /administrator URL: simply visiting a domain and adding /administrator can disclose that the site runs Joomla. Early versions even printed the Joomla version on the /administrator login page. Since those early days the Joomla core developers and many third-party developers have learned a great deal about avoiding such disclosure.
Years ago, an attempt to make the /administrator URL a dynamic configuration failed due to technical reasons. It was possible, and many did it successfully, but it required constant maintenance and was frequently broken after Joomla updates.
Today many extensions exist to protect the /administrator area, but which is the "best" solution for securing /administrator while also preventing detection? Two that do both:
- AdminExile system plugin
- Clipper system plugin, with the Admin Protect plugin installed and enabled
Remove the Joomla generator meta tag
The generator meta tag is a fingerprinting item attackers use to determine that your site runs Joomla, and depending on configuration it may also contain the Joomla version. Many options exist to remove this meta tag.
- ByeByeGenerator system plugin
- Clipper system plugin, with the Remove Generator plugin installed and enabled
- Several others exist, but few are as efficient as the two RicheyWeb options above.
- Feel free to browse them yourself here: https://extensions.joomla.org/category/site-management/seo-a-metadata
Clean references to com_ajax and other component options
- Using something like ReReplacer from Regular Labs, create a new entry that searches the output for "index.php?option=com_ajax&" and replaces it with "component/ajax?". Links emitted by Joomla's router are XHTML-escaped by default, so also cover the "index.php?option=com_ajax&amp;" form, either with a second entry or with a regular expression.
- Look through your output for any other URL containing "index.php?option=" and use a similar replacement technique to avoid disclosing that your site runs Joomla.
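To see what these two output changes actually remove from a page, here is an added Python example (not code from this page, nor from ByeByeGenerator, Clipper or ReReplacer) that scans a constructed sample of Joomla output for the generator tag, index.php?option= links and /administrator links, then applies the two rewrites: dropping the generator tag and rewriting component links to the /component/<name> form. It generalizes the com_ajax entry to every index.php?option=com_* URL, which assumes SEF URLs are enabled so that /component/<name> still routes; the regexes, function names and sample HTML are mine.

```python
"""Fingerprint check and output rewrite for rendered Joomla pages.
Added example; the sample HTML below is constructed, not captured from a live site."""
import re

# Constructed sample of what an unhardened Joomla page can emit.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="Joomla! - Open Source Content Management - Version 4.4.0" />
<title>Home</title>
</head><body>
<form action="/index.php?option=com_users&amp;view=login" method="post"></form>
<a href="/index.php?option=com_ajax&amp;plugin=search&amp;format=json">search</a>
<a href="/index.php?option=com_ajax&plugin=tags&format=raw">tags</a>
<a href="/index.php?option=com_contact">contact</a>
<a href="/administrator/">Site administrator</a>
</body></html>"""

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']*)["\'][^>]*>',
    re.IGNORECASE)
OPTION_URL_RE = re.compile(r'index\.php\?option=(com_[a-z0-9_]+)', re.IGNORECASE)
ADMIN_URL_RE = re.compile(r'["\'](/administrator(?:/[^"\']*)?)["\']', re.IGNORECASE)
# The optional trailing group accepts a raw "&" or the "&amp;" that Joomla's
# router emits by default; it is absent when option= is the last parameter.
COMPONENT_RE = re.compile(
    r'index\.php\?option=com_([a-z0-9_]+)(&(?:amp;)?)?', re.IGNORECASE)


def find_fingerprints(html):
    """Return what an attacker could read from this output."""
    m = GENERATOR_RE.search(html)
    return {
        "generator": m.group(1) if m else None,
        "components": sorted({c.lower() for c in OPTION_URL_RE.findall(html)}),
        "admin_links": ADMIN_URL_RE.findall(html),
    }


def strip_generator(html):
    """Remove the meta generator tag entirely (what the generator plugins do)."""
    return GENERATOR_RE.sub("", html)


def _component_repl(m):
    name, sep = m.group(1), m.group(2)
    # Keep a "?" only when further parameters follow, e.g. plugin=search.
    return "component/%s%s" % (name, "?" if sep else "")


def rewrite_component_urls(html):
    """Generalized ReReplacer entry: index.php?option=com_X& -> component/X?
    (for com_ajax this is exactly the replacement given on the page)."""
    return COMPONENT_RE.sub(_component_repl, html)


def harden_output(html):
    """Both rewrites together, as a system plugin would apply them on output."""
    return rewrite_component_urls(strip_generator(html))


if __name__ == "__main__":
    print("before:", find_fingerprints(SAMPLE_HTML))
    print("after: ", find_fingerprints(harden_output(SAMPLE_HTML)))
```

Two details are worth noticing in the result. The ampersand handling matters: links built through Joomla's router are XHTML-escaped by default, so a search for the literal "index.php?option=com_ajax&" would miss the "&amp;" form in most output. And the /administrator link survives hardening: output filtering does not hide the admin URL, which is what the plugins listed under the previous heading are for.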
Hiding SQL, XML and INI files
.htaccess to the rescue!
With just 3 rules it is possible to make SQL, XML and INI files completely inaccessible from the web while leaving them available to the Joomla processes that need them, since PHP reads them from disk rather than over HTTP. The rules need mod_rewrite; Joomla's shipped htaccess.txt already contains the "RewriteEngine On" line, so add them after it. They have no effect on nginx or IIS, which need equivalent rules in their own configuration.
RewriteRule .*\.xml$ - [F,L,NC]
RewriteRule .*\.ini$ - [F,L,NC]
RewriteRule .*\.sql$ - [F,L,NC]
These 3 rules return 403 Forbidden (the F flag) for any request whose path ends with .xml, .ini or .sql, matched case-insensitively (NC), and stop further rewriting for that request (L). Only the request path is matched, so a query string cannot bypass them, but a file with a further extension such as backup.xml.bak is not covered, and anything you legitimately serve with one of these extensions, such as a static sitemap.xml, is blocked as well and needs an exception.
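To check what the rules will and will not block before deploying them, here is an added Python example (not from this page) that reads every "RewriteRule <pattern> - [F...]" line from an .htaccess fragment and emulates mod_rewrite's per-directory matching: the pattern is applied unanchored to the request path without its leading slash and without the query string, case-insensitively when NC is set. The sample paths are constructed (the first is where Joomla keeps its version manifest), the helper names are mine, and the emulation is a simplification rather than a substitute for testing with curl against the real server.

```python
"""Emulate the page's three RewriteRule lines against sample request paths.
Added example; a simplified model of mod_rewrite, with constructed sample URLs."""
import re
from urllib.parse import urlsplit

# The rules exactly as given on the page, plus the RewriteEngine line they rely on.
HTACCESS = r"""
RewriteEngine On
RewriteRule .*\.xml$ - [F,L,NC]
RewriteRule .*\.ini$ - [F,L,NC]
RewriteRule .*\.sql$ - [F,L,NC]
"""

# Constructed request URLs; comments give the expected verdict.
SAMPLE_URLS = [
    "/administrator/manifests/files/joomla.xml",          # Joomla version manifest: blocked
    "/language/en-GB/en-GB.ini",                          # language file: blocked
    "/administrator/components/com_example/sql/install.sql",  # hypothetical: blocked
    "/templates/example/templateDetails.XML",             # NC: blocked despite case
    "/sitemap.xml?lang=en",                               # collateral: still blocked
    "/media/example/data.xml.bak",                        # not blocked: extension is .bak
    "/index.php?option=com_ajax&file=x.xml",              # not blocked: query string not matched
    "/images/logo.png",                                   # not blocked
]

RULE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+-\s+\[([^\]]*)\]\s*$', re.MULTILINE)


def load_forbid_rules(htaccess):
    """Compile the pattern of each RewriteRule whose flags include F."""
    rules = []
    for pattern, flags in RULE_RE.findall(htaccess):
        flagset = {f.strip().upper() for f in flags.split(",")}
        if "F" not in flagset:
            continue
        rules.append(re.compile(pattern, re.IGNORECASE if "NC" in flagset else 0))
    return rules


def is_forbidden(url, rules):
    """True if mod_rewrite would answer 403 for this request.
    In a per-directory .htaccess the pattern sees the path relative to the
    directory (no leading slash) and never the query string; matching is
    unanchored, like Apache's, so re.search is the right primitive."""
    path = urlsplit(url).path.lstrip("/")
    return any(r.search(path) for r in rules)


def audit(urls, rules):
    """Map each sample URL to its verdict."""
    return {u: is_forbidden(u, rules) for u in urls}


if __name__ == "__main__":
    for url, blocked in audit(SAMPLE_URLS, load_forbid_rules(HTACCESS)).items():
        print("%-55s %s" % (url, "403" if blocked else "pass"))
```

Two results deserve attention: sitemap.xml is blocked too, so a site that serves a static sitemap needs an exception such as a "RewriteCond %{REQUEST_URI} !^/sitemap\.xml$" line placed immediately before the .xml rule; and data.xml.bak passes, so stray backup copies need a rule of their own.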