Joomla – Eight tips to secure your site from brute force attacks

If you’re running a Joomla website you may be just like me, naively assuming the CMS is secure from attack. Unfortunately that is far from the truth.

In fact, when I took a closer look I could see my Joomla website was under attack hundreds of times a day. When I installed a Joomla plugin called Login Failed Log what I found appeared to be either multiple people trying to gain access to my admin page or some sort of DOS attack.

The tips below are provided to help you secure your Joomla install. Of course brute force attacks are only one of many ways your website may come under attack, nevertheless these should help manage that risk.

1. Ensure your Joomla install and any third-party plug-ins are up to date

Sounds simple enough, but an alarming number of websites continue to use outdated versions of Joomla – leaving themselves open to known vulnerabilities.

And of course – don’t forget your third-party plug-ins. Not all developers use the update service, so make a habit of checking for updates on the Joomla Extensions directory when you perform Joomla updates.

2. Disable any unused or unnecessary plug-ins

Each plug-in you install allows a third-party to run code on your website. Whilst the code itself may not be malicious, it may have holes which an attacker could take advantage of. By keeping third-party plug-ins to a minimum you are not only reducing this risk but also improving server load.

3. Use strong passwords

 A good password is an asset – I’m certain that this has saved my website many times.

Use a password generator to create strong passwords for at least the administrator and super user accounts – these accounts have the power to control or bring down your website.

Do not share your passwords or use these passwords elsewhere.

Store these strong passwords somewhere safe – such as a printed document stored in a safe place.

4. Keep user permissions to the minimum required

If you have multiple users ensure each user has the minimum level of access required.

Does the receptionist who updates content require super user access? – Probably not.

5. Change the default ‘admin’ account name

The first thing a brute force attack will do is assume you have an account named ‘admin’.

By changing this name you’re making the attack much harder.

Joomla 2.5 introduced the option to select your own admin account name, however a lot of people stuck to ‘admin’ – leaving another hole in their security.

See this article to change the default admin user name in Joomla 2.5.

6. Don’t post from administrator accounts

When you post articles on Joomla, most templates will display the user name that made the post.

If you’ve posted using an administrator or super-user account you’ve just given away half the information to an attacker to allow them access to your website.

7. Use .htaccess to restrict access

If you’re unfamiliar with .htaccess – it is a control file used on apache hosted websites (which is very common). The file can tell the server what to do with the content, such as who can access the ‘administrator’ directory.

See this article for more detail on how to restrict access using .htaccess. (or this article for WordPress wp-admin)

8. Monitor logon attemps

Finally, you need to monitor your website for successful and unsuccessful logon attempts.

This will allow you to act if the website is under attack or unorthorised access occours.

I use Login Failed Log to receive emails for unsuccessful logons

and Login Protector to receive emails for successful logons.