Joomla Security in 3 Easy (ish) Steps

Of course, life isn’t so simple. The reality of Joomla security is much more complex, as these are very generalized tasks. Here are other things to think about as you secure your website.

  • If you have a website – someone needs to be keeping it safe.
    If it’s not you, make sure you know who it is (btw, it’s not your hosting company unless it’s a managed one like Simplweb). Unless you live in Vermont, you probably lock your house and car; do the same for your site!
  • You are being hacked all the time.
    All sites are – check your logs! Hacker bots are continually scouring the web trying to find server weaknesses. The troubles start when they find one.
  • Just like insurance – Joomla security is only thought of *after* you have a problem.
    You need to consider security a cost of goods. Would you drive with no car insurance? Time and resources for securing your site are an ongoing cost of running your website.
  • It’s not Joomla security – it’s web security.
    Your CMS is only the front-facing part of your website. There are lots of ways to hack into your site… FTP, Apache, or simply poor password management. Make sure you are looking at the big picture.
  • Yes, keep extensions up to date!
    Joomla has probably the biggest universe of 3rd party plugins for any open source CMS. With that many, quality assurance is difficult. Use only trusted sources and make sure you have the latest version.
  • Keep Joomla up to date (duh)
  • Have a backup of your site.
    You should be able to get back online from a dead server in 1 day or less. You might be backing up everything with tools provided by your host, using a Joomla-only backup tool like Akeeba, or maybe you are paying for managed hosting for them to do it.
  • As your site grows, it paints a bigger target on itself for hackers.
    If your site is doing well, then you need to make sure you are taking extra steps with security. These are most often non-Joomla steps like hardening the server, turning off FTP, and installing Apache firewalls and security.

Joomla Security Resources

I have tried to gather a range of resources, from official news to useful 3rd party guides. Everything here is based on personal interaction rather than a quick untrusted search through Google.

Joomla Security Strike Team
http://developer.joomla.org/security.html

RSS Feed of Security issues (these appear to be the same feed)
Security RSS Feed – http://feeds.joomla.org/JoomlaSecurityNews
Vulnerability News – http://developer.joomla.org/security/news.html

Official Documentation on Joomla Security
http://docs.joomla.org/Category:Security_Checklist

Official Vulnerable Extensions List
http://docs.joomla.org/Vulnerable_Extensions_List

Useful 3rd Party Security Tutorials
http://www.howtojoomla.net/how-tos/security/joomla-security-primer
http://www.compassdesigns.net/joomla-blog/review-of-securelive-joomla-security-extension
http://www.joomlashack.com/university/intermediate-course/199-21-techniques-to-secure-a-joomla-website (requires subscription)

Security Consultants
Tom Canavan – http://www.joomlarescue.com
Phil Taylor – http://www.phil-taylor.com

Security Extensions
Secure Live – http://www.securelive.net

Fully Managed Joomla Hosting (all patches, backups and security monitored)
Simplweb – http://www.simplweb.com