Tuesday 10 February 2009

Tips to keep your Joomla website secure from hackers

* Use the latest Joomla security update

* Use only secure third party plugins and keep them updated

* Use secure username and password for administrators

* Use an SEF component that makes your Joomla more secure

* Use a secure web host / secure server configuration

* Don’t tell everyone about your configuration

* Write-protect your Joomla configuration file (make unwritable)

* Delete Joomla templates and extensions that you do not use

I have explained most of the above tips in my previous article - Top Ten Joomla Security problems and how to avoid them.
I will go through tips that I have not explained before.

Use an SEF component that makes your Joomla more secure

An SEF component is used to make the URLs of your Joomla website more Search Engine Friendly, but a good SEF component also gives security benefits. A default Joomla URL tells the visitor a lot about the page being viewed: that it is a Joomla page and which components were used to produce it. An SEF component masks that information and makes it harder for a hacker to find any security vulnerabilities.

The SEF component sh404SEF also includes a security component that stops various attacks on your website and sends you a warning whenever your site has been exposed to an attack. It also gives you the option to remove the generator tag from your site. The generator tag tells the world that your site is generated by Joomla. Of course it is a nice thing to give credit to Joomla, but there are other ways to pay back to the Joomla community that do not help hackers. If you do not tell the hacker that your website is built with Joomla, you make it a lot harder for him to know where to start hacking.

Don’t tell everyone about your configuration

* Make sure that no outsider can view PHP information (server configuration) through phpinfo().
* Hide the generator tag that shows that you use Joomla CMS. Note that we are not suggesting that Joomla would be insecure. This suggestion is just to make it harder for Joomla-specialized hackers to recognize that your website is Joomla-powered.
* Use an SEF component that masks what components are used on your website.


Write-protect your Joomla configuration file (make unwritable)

You should definitely write-protect your Joomla configuration file. The file is called "configuration.php" and is located in the root folder of your domain. Joomla 1.5 write-protects configuration.php by default, but in Joomla 1.0 you must actively choose to write-protect the file. You do that by checking the option "Make unwriteable after saving" in the Joomla Global Configuration. You can also manually chmod the file to 444.

Use the correct CHMOD for each folder and file

Setting files or folders to a CHMOD of 777 or 707 is only necessary when a script needs to write to that file or directory. All other files and folders should have the following modes:

* PHP files: 644
* Config files: 666
* Other folders: 755
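As an added example that is not part of the original post, the shell function below audits a Joomla root against the modes above: configuration.php locked to 444 (as in the previous section), nothing world-writable (777, 707, and note that 666 is world-writable too, so it gets reported), PHP files at 644 and directories at 755. It assumes a Linux host with GNU find and stat; the site path is whatever you pass as the first argument.

```shell
#!/bin/sh
# audit_joomla_perms ROOT
# Prints one finding per line (nothing printed means nothing to fix).
# Assumes GNU find/stat (Linux). Added example, not a Joomla tool.
audit_joomla_perms() {
    root="$1"
    cfg="$root/configuration.php"

    # configuration.php should exist and be read-only (0444)
    if [ ! -f "$cfg" ]; then
        echo "MISSING $cfg"
    elif [ "$(stat -c %a "$cfg")" != "444" ]; then
        echo "CONFIG-WRITABLE $cfg mode $(stat -c %a "$cfg") (expected 444)"
    fi

    # anything world-writable (777, 707, 666, ...) is reported first;
    # symlinks are skipped because their mode bits are meaningless
    find "$root" ! -type l -perm -002 \
        -printf 'WORLD-WRITABLE %p mode %m\n'

    # PHP files that are not 644 (world-writable ones already reported,
    # configuration.php handled above)
    find "$root" -type f -name '*.php' ! -name configuration.php \
        ! -perm 644 ! -perm -002 \
        -printf 'PHP-MODE %p mode %m (expected 644)\n'

    # directories that are not 755 (world-writable ones already reported)
    find "$root" -type d ! -perm 755 ! -perm -002 \
        -printf 'DIR-MODE %p mode %m (expected 755)\n'
}

# Convenience wrapper: number of findings, for use in a cron job or CI check.
count_joomla_findings() {
    audit_joomla_perms "$1" | grep -c .
}
```

Run it as `audit_joomla_perms /var/www/yoursite` and act on each line; a directory such as a cache or upload folder that a script must write to will show up as WORLD-WRITABLE, which is the point, so you can confirm each one is deliberate.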

Check your site for vulnerabilities

There are a number of tools that test your Joomla site for corrupt and vulnerable files. Among these, tools such as Joomla Diagnostics and GuardXT let you easily scan for vulnerable files. Joomla Diagnostics will also tell you which files are missing that should be there, and it advises you of any security issues in your site. You simply upload the two files in the package to your server, open http://www.yourdomain.com/diagnostics.php, and you get a list of warnings and security issues for your site. Please remember to delete this file after you have used it! Otherwise you will be advertising your issues to hackers!

1 comment:

Jis Thomas said...

Great. From where are you getting all this information...