
August 2008

2008-08 Joomla! Community Magazine


Site Integrator: Improve the security of your Joomla! Administrator

Help protect your Web site using 5 easy-to-implement ideas

Written by Sam Moffatt

Secure your Web site

By default, Joomla! allows access to your site using the built-in username and password systems. For the most part this is fine. But if you aren't using this feature, it's good to disable it and remove any possibility of brute force attacks on your site. In addition, it is good to protect your site from others getting into the Administrator. Depending on the site you're trying to run you might have disabled the front end Login Module and links, but you can't disable access to your Administrator Login Form. Bummer! So we'll work through this and give some options on how you can secure your Administrator to make it a little bit harder for the bad people to get in, but to begin with we are going to fully disable front end logins.

Before we get started, I advise using a testing or development environment, maybe only on your own desktop, to test some of this out. As with everything, do not experiment with your production site.

1. Fully disable front end Logins

You might have disabled the Login module and removed all links to the Login Form but if you don't want anyone to log into your front end you can take one more step to ensure that no one can login to the front end with the default install.

In the Administrator, navigate to Extensions -> Install/Uninstall, then select Components and disable the User Component. In my system, this option is towards the bottom of the list and it is also protected so that you can't uninstall it. However, you can disable this Component which will prevent users from logging into the front end of the site and it will completely disable Registration. If you decide to use front end Logins later, simply re-enable this Component.

Following this process prevents users from getting directly to the front end Login Form via a link similar to index.php?option=com_user&view=login or index.php?option=com_login, if Legacy Mode is enabled.

2. Utilize Web Server Access Control

A great way to help secure your site is to implement another layer of security clearance before anyone can get to the Joomla! Login Form. This doesn't need to be anything fancy or special, it's just a simple level of protection. It is aimed at slowing down people who don't know the password, and it is a simple protection against direct file attacks in your Administrator.

What I'll be covering is securing your site with Apache using .htaccess files primarily, so you must enable .htaccess for your site or set things up in the main Apache configuration. For flexibility, it is easier to enable .htaccess files for your Joomla! directory.

To secure your Administrator site you will need to create a password file. You can do this on most Linux or Mac OS X machines with the htpasswd command, and if you don't have access to this then there are many generators online. Since this is a password file, you don't want to place it anywhere under your Web-accessible directory; put it in a directory that the Web server does not serve.

You may also wish to apply access restrictions to the following front end directories as well: cache, tmp, modules, libraries, languages, and logs. You can do this simply by putting a .htaccess file in each of these directories (or symlinked back to a common file, such as htaccess-deny in your site directory) containing:

Deny From All

This will prevent any access from the Web server to these directories. Some of these folders and files should not be accessed directly anyway, so this extra bit of protection ensures that the folders and files are not accessed by anything other than Joomla!. Unlike the earlier setting, there is no username or password to get access to them either.

You may also wish to apply this to your plugins and includes directories as well, however this will cause issues with JavaScript and WYSIWYG editors. But even this challenge can be resolved by individually unprotecting specific directories, such as the editors directory in plugins and the js folder in includes. The following line in a .htaccess file, or symlinked from a common file such as htaccess-allow, will allow access to those directories:

Allow From All

The Allow From and Deny From directives also accept IP addresses, hostnames and wildcards, which you can use to allow or deny access to specific clients. For more information on how to use these features, check out the Apache manual. So, if you've got Apache, you can do IP-based access control as well.

For more information, see Apache Access Control Restrictions.
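The following POSIX shell script is an added example, not code from the article or from any Joomla! project, that lays out the files this section describes under a site root: a Basic-auth .htaccess for the administrator directory, the shared htaccess-deny and htaccess-allow files symlinked into the listed directories with plugins/editors and includes/js re-opened, and an IP-restricted variant for the administrator directory. The site root and password file paths, the function names, and the 192.0.2.0/24 range are assumptions for illustration; the directives use the Apache 2.2 syntax the article relies on.

```sh
#!/bin/sh
# Added example, not code from the article or from Joomla!: creates the .htaccess
# layout described in section 2 under a Joomla! 1.5 site root.
# Assumptions: $1 is the site root, $2 is the absolute path of the htpasswd file,
# which must live outside the Web-accessible tree (e.g. /etc/joomla/.htpasswd).
set -e

# Basic authentication in front of the Administrator Login Form.
# Create the password file first with:  htpasswd -c "$2" adminname
write_admin_htaccess() {
    site="$1"; pwfile="$2"
    mkdir -p "$site/administrator"
    cat > "$site/administrator/.htaccess" <<EOF
AuthType Basic
AuthName "Joomla! Administrator"
AuthUserFile $pwfile
Require valid-user
EOF
}

# Same directory, but restricted to one network instead of a password.
# 192.0.2.0/24 is a constructed documentation range; Apache 2.2 syntax.
write_admin_ip_htaccess() {
    site="$1"; range="$2"
    mkdir -p "$site/administrator"
    cat > "$site/administrator/.htaccess" <<EOF
Order Deny,Allow
Deny from all
Allow from $range
EOF
}

# Shared deny/allow files in the site root, symlinked into the directories the
# article lists; plugins/editors and includes/js are re-opened so WYSIWYG
# editors and JavaScript keep working.
protect_directories() {
    site="$1"
    printf 'Deny From All\n'  > "$site/htaccess-deny"
    printf 'Allow From All\n' > "$site/htaccess-allow"
    for d in cache tmp modules libraries languages logs plugins includes; do
        mkdir -p "$site/$d"
        ln -sf ../htaccess-deny "$site/$d/.htaccess"
    done
    for d in plugins/editors includes/js; do
        mkdir -p "$site/$d"
        ln -sf ../../htaccess-allow "$site/$d/.htaccess"
    done
}

# Print the first directive keyword in a directory's .htaccess
# (Deny, Allow, AuthType, Order, ...) or "none" when the directory is unprotected.
effective_rule() {
    f="$1/.htaccess"
    if [ -f "$f" ]; then
        read -r first rest < "$f"
        echo "$first"
    else
        echo none
    fi
}

# Stand-alone use: sh setup-htaccess.sh /path/to/site /etc/joomla/.htpasswd
if [ $# -ge 2 ]; then
    write_admin_htaccess "$1" "$2"
    protect_directories "$1"
    for d in administrator cache plugins plugins/editors includes/js images; do
        printf '%-18s %s\n' "$d" "$(effective_rule "$1/$d")"
    done
fi
```

Because Apache merges .htaccess files down the directory tree, the Allow From All in plugins/editors overrides the Deny From All inherited from plugins. On Apache 2.4 and later the Order, Deny and Allow directives belong to the compatibility module mod_access_compat; the native equivalents are Require all denied, Require all granted and Require ip 192.0.2.0/24.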

3. Ban IP Address or Range

But, what if you can't enable .htaccess or aren't using Apache? In response to a posting on the Joomla! forum, a while back I wrote a plugin called Ban IP Address/Range for 1.5 that allows you to do the above, except from the Joomla! interface. The plugin doesn't accept hostnames, however it does accept IP addresses and optionally ranges.

This System Plugin can be configured to whitelist certain IP addresses (other addresses are blocked) or blacklist certain IP addresses or ranges from visiting your Administrator or your site. If you are deploying your site in an environment where access is restricted to a certain range of IP addresses, then you can use this method to limit access to your Administrator to only those IP addresses that fall within that range. You may also use this approach to limit access to your front end, if required.

4. Implement jSecure

This is another approach one can use if Apache or .htaccess is not available, or to simply add another layer of security protecting the Administrator. jSecure is an interesting project that requires a user to enter a key before the Administrator Login Form appears. If the value is not entered, then a 404 page appears, instead.

jSecure is available for 1.0 or for 1.5 and is configured with a key to enable logins. This may be used as an alternative protection if you cannot enable .htaccess files. The extension supports 1.0 via an Administrator module with a slight alteration to your Administrator template (if you are using the default, I suggest you make a copy of it, change the copy and then use the copy as the default template) or as a System Plugin for 1.5 installations.

5. Follow the recommendations on the Joomla! Administrator Security Checklist

The simplest is last, which is to work through the Joomla! Administrator Security Checklist to ensure that you've got your site running on the most secure settings available. The list might look long but it is well worth working through and trying to get things to work.

Also, remember that your site is only as secure as the Extensions that you install. Keep in mind that your hosting environment contributes to your security, as well. So whilst a lot of this can help your site, there are a lot of things that Joomla! can't control that can cause your site to be vulnerable. Simply using good hosting will go a long way towards protecting your Web site.