The Most Commonly Known Joomla Security Issues
Your Joomla Allows Uploads Without Any Restrictions
The worst hack we've ever seen came from a site that allowed users, once registered, to upload whatever they wanted. This is absolute madness: their dedicated server 'got owned' and the clean-up was a long and expensive process. If you have a forum or allow uploads for any other reason, please set restrictions on file types and file sizes, and in your '.htaccess' file use clever coding to detect common exploit terms.
Badly Coded Third Party Joomla Extensions
We're going to publish a list of badly coded add-ons / extensions that we've come across. We've seen some that access the database with a URL query, which means someone could type a piece of code into the URL bar of a browser and access your database. These badly coded add-ons get reported to the Joomla Extensions Directory (JED) and removed from its listings; unfortunately, people will already have downloaded them and started using them. There are websites that list extensions with known issues; if you are serious about your website's security and that of your users, you should check all of your third party extensions.
Old Unused Joomla Extensions In Your Site
This is obvious: if you are no longer using extensions, or you've installed something and never used it, delete it. It can only cause you trouble and offers nothing positive in return. Removing unused extensions greatly improves the security of your website!
Joomla Website Re-hacked - Missed Hacker Files
Oh dear - time and time again.
About 20% of our de-hacking jobs come from other developers or site owners who have cleaned out a hacking incident and very quickly been re-hacked. De-hacking a Joomla website is a skill: you can overlay a clean set of files onto your current files, but what about new files that have been added?
We've created our own script that we add to a client's site. We then search for anything that is not a part of the core Joomla files and investigate what these files are; some will be legit and others might be hacker files. Our scans are set up to find anything that shouldn't be there and report it to us, and we take the necessary action against the found issue.
One thing is for sure, our clients never get re-hacked from the same incident.
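The re-hack problem above comes down to finding files that a clean overlay never touches. The script below is an added example, not the company's own scanner: it hashes a clean reference copy of the same Joomla version and a live webroot, then reports extra, changed and missing files, plus PHP scripts sitting in content directories where only uploads belong. The directory names and suffixes are assumptions to adjust for your layout.

```python
# Added example (not the page's own script): compare a live Joomla webroot against
# a clean reference copy of the same version and report what differs.
import hashlib
import os
from pathlib import Path

# Assumed directories holding legitimate site content (uploads, cache, logs). Files
# here are expected to differ from the clean copy, but PHP inside them is suspicious.
CONTENT_DIRS = ("images", "cache", "logs", "tmp")
SCRIPT_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def in_content_dir(rel: str) -> bool:
    return rel.split("/", 1)[0] in CONTENT_DIRS

def compare(clean_root: Path, live_root: Path) -> dict:
    """Return added, modified and missing files, and scripts hidden in content dirs."""
    clean, live = manifest(clean_root), manifest(live_root)
    result = {"added": [], "modified": [], "missing": [], "script_in_content": []}
    for rel, digest in sorted(live.items()):
        if rel not in clean:
            if in_content_dir(rel):
                # Uploads are expected here; only executable scripts are flagged.
                if Path(rel).suffix.lower() in SCRIPT_SUFFIXES:
                    result["script_in_content"].append(rel)
            else:
                result["added"].append(rel)
        elif digest != clean[rel]:
            result["modified"].append(rel)
    result["missing"] = sorted(set(clean) - set(live))
    return result

if __name__ == "__main__":
    import sys
    findings = compare(Path(sys.argv[1]), Path(sys.argv[2]))
    for kind, paths in findings.items():
        for rel in paths:
            print(f"{kind:18} {rel}")
```

Run it as `python scan.py /path/to/clean-joomla /path/to/live-webroot`; every reported path needs a human decision, since legitimate extensions and configuration.php will show up as added or modified too.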
No Security Measures For A Joomla Website
Database prefix, super admin id, upload limits, hot linking, blocking terms in URLs, blocking all SQL injections, etc.
Some of these are basic, some are complicated and should be done by Joomla professionals. From our point of view, if you are a serious business and you've not implemented these and other Joomla security measures, you are begging to be hacked and made a fool of. Your website is your online shop window: defacement, spam emails in your name, outbound links to porn sites, and user information taken and used can ruin your reputation and lose you potential customers. We see it a number of times every month, and funnily enough it's never ourselves.
Keeping on top of your website will save you money should something go wrong: a recent large hacking incident set someone back over £2,600 for the de-hack and a further £480 to correct other weaknesses. They needed to retrieve their users' information no matter what, and keep an online presence throughout. With some expert Joomla Security measures none of this would have happened; a £350 Joomla Security Audit would have shown all of the potential issues and pointed out how to fix them and 'seal the cracks'. A further £360 would have paid for us, true Joomla Security Experts, to do the necessary work; this would have stopped the hack and also fixed other weaknesses that the site audit would have highlighted.
Joomla And Server Login Details Taken From Infected Computers
Malware, spyware and other computer infections once accounted for the vast majority of website hacks. People's awareness of viruses and better quality antivirus has reduced this form of hacking; however, it does still happen and we've seen an incident of this in the last two months (May).
Run regular full system checks against all machines that are used to access your website, and be careful and vigilant when browsing the Internet and opening emails. Don't risk your business's reputation: keep your computers clean and free from infections, with the added benefit of helping to keep your website clean.
If you are concerned about your website's security or believe you might have already fallen foul to hackers, do not hesitate to get in touch.