Having your website hacked is one of the most frustrating things that can happen to you as a site owner. It's like having a stranger go through your underwear drawer (OK, maybe not that bad) but close enough.
This week I had the 'joy' of cleaning up a few websites that got hacked. The culprit was a Joomla extension that had a code vulnerability in it that allowed a hacker to get access to your server and do very bad things on it.
While I was cleaning up the mess, it got me thinking about best practices for keeping a website secure, especially with Joomla since that's my preferred choice for building websites. Now don't go thinking Joomla is to blame for the hack, because any site can get hacked. Look at the NY Times. This week they published an article stating that they had been hacked persistently over the last four months. The hackers were able to get into their computer systems and obtain passwords for their reporters and other employees. If any company can afford to keep its computer systems secure, it would be the NY Times.
While we can't be 100% safe from getting our website hacked, there are precautions and best practices you can put in place to reduce the chances of being hacked and to recover quickly if your website is hacked. If you're maintaining your own Joomla website, here are some best practices to have in place to keep your website secure (these apply even if you're not running a Joomla website).
1. Create a full backup of your entire website.
Create an initial backup of your entire website. Save this backup either on your personal computer or on a site like Dropbox, Google Drive or some other online storage service. Having a full backup of your website is essential to the recovery process. The worst case scenario is one where all your website files have been deleted. You can recover from this type of hack fairly quickly if you have a full backup of your website.
You don't need to create a full backup often. Joomla stores all the content you create in a database so you really only need to do a full backup when you've installed or updated extensions and plugins on your website.
2. Backup your Joomla database often.
As I mentioned, your content is stored in a database, so you'll want to back up your Joomla database more often. If you're adding new content to your website weekly, I suggest a weekly backup of your database. If you have a lot of daily activity on your website, such as event registrations, online shopping or donations, then I would suggest a daily backup of your database.
My favorite backup tool for Joomla is Akeeba Backup. There's a free version and a paid version. The free version allows you to manually back up your website. The pro version allows you to automatically back up your website and store the backup offsite, and it offers many more options. I like and use the pro version.
3. Have a restore process in place.
If your website is hacked, having a restore process in place makes the recovery go smoothly. Whatever backup tool you're using, find out how to restore that backup before you need to. If you're using Akeeba Backup, the free or pro version, you have access to Akeeba Kickstart, a free tool that easily restores your Akeeba backups. When you create your backup, it's always good to do a test restore to make sure the backup was done correctly. Without testing your backup you'll have a false sense of security.
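The test restore described above, as an added example that is not part of the original post and not Akeeba's code: it packs the web root plus a database dump into one archive, then extracts the archive to scratch space and compares file hashes against the live copy. It assumes the site files sit in one directory and the database was already dumped to a .sql file (for example with mysqldump); all paths are placeholders, and the sample site in `demo()` is constructed.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_digests(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup_site(site_dir: Path, db_dump: Path, archive: Path) -> Path:
    """Pack the web root and the database dump into one gzip'd tar archive."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="htdocs")        # web root, recursively
        tar.add(db_dump, arcname="database.sql")   # pre-made dump (assumption)
    return archive


def verify_backup(archive: Path, site_dir: Path, db_dump: Path) -> list:
    """Test restore: extract to scratch space and diff hashes with the live copy.
    Returns the relative paths that differ or are missing; [] means an exact restore."""
    expected = file_digests(site_dir)
    expected["database.sql"] = hashlib.sha256(db_dump.read_bytes()).hexdigest()
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Use the hardened extraction filter where this Python version has it.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **opts)
        restored = file_digests(Path(scratch) / "htdocs")
        restored["database.sql"] = hashlib.sha256(
            (Path(scratch) / "database.sql").read_bytes()).hexdigest()
    return sorted(p for p in expected if restored.get(p) != expected[p])


def demo() -> tuple:
    """Constructed sample site: back it up, verify, then alter a file and re-verify."""
    root = Path(tempfile.mkdtemp())
    site = root / "site"
    (site / "administrator").mkdir(parents=True)
    (site / "index.php").write_text("<?php echo 'home';\n")
    (site / "administrator" / "index.php").write_text("<?php echo 'admin';\n")
    dump = root / "joomla.sql"
    dump.write_text("CREATE TABLE jos_content (id INT);\n")
    archive = backup_site(site, dump, root / "site-backup.tar.gz")
    clean = verify_backup(archive, site, dump)          # [] : archive matches
    (site / "index.php").write_text("<?php echo 'changed';\n")
    return clean, verify_backup(archive, site, dump)    # ['index.php'] now differs
```

Run `verify_backup` right after every backup; a non-empty list means the archive would not bring the site back as it was.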
4. Keep Joomla and all third-party plugins and extensions updated.
Stay on top of the new releases for Joomla and any third-party extensions you may be running on your Joomla website. If you don't have a trusted Joomla expert that you can turn to then take inventory of all the third-party extensions that you have on your website and join the mailing list of these companies so you can be aware when new releases come out.
Here are two Joomla mailing lists you should be on:
Joomla Security Updates:
Joomla Vulnerable Extensions:
5. Audit Your Joomla Website Often
It's hard to know whether your website has been compromised if you're not monitoring the files on your site. Sometimes hackers add compromising files to your website but don't act on them immediately. The fact that those files are there puts you at the mercy of the hacker, who can act whenever they decide to. A good Joomla audit tool lets you see whether there are any suspicious or malicious files on your website. An audit tool can also tell you if the core files of Joomla have been changed.
The Joomla auditing tool I use (and love) is MyJoomla. I recommend this tool because it provides the most extensive website audit you can find for Joomla. Some of the features I like and find extremely helpful are:
- Identify hacked files and suspect content in files
- Locate modified core Joomla! files, and identify changes
- Revert core files back to their distributed state
- Identify issues with your site you never knew you had!
- Highlight areas of concern and fix them quickly and easily
If you're managing your own Joomla website this is definitely a resource to consider. Your first audit is free so give it a try: http://myjoomla.com/
Two other website auditing tools to consider are Watchful and Sucuri. Although these tools are not as extensive as MyJoomla, they do provide some auditing capabilities for your website. Sucuri provides audits for most websites, even if they're not Joomla sites.
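An added example (not MyJoomla's, Watchful's, Sucuri's or Joomla's own code) of the core-file check the audit tools above perform: hash a known-clean install into a manifest, then compare the live tree to find modified, missing and unknown files, plus PHP files sitting in folders that should only hold data. The manifest format, the data-only folder list and the sample trees in `demo()` are assumptions constructed for this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Joomla folders that hold data, not code; a .php file there deserves a look.
DATA_ONLY_DIRS = {"images", "tmp", "cache", "logs"}


def build_manifest(clean_root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every file of a known-clean install."""
    return {p.relative_to(clean_root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in clean_root.rglob("*") if p.is_file()}


def audit(site_root: Path, manifest: dict) -> dict:
    """Compare the live tree with the manifest and sort findings into buckets:
    modified core files, missing core files, files not in the manifest at all,
    and PHP files sitting in data-only folders."""
    report = {"modified": [], "missing": [], "unknown": [], "php_in_data_dir": []}
    live = {p.relative_to(site_root).as_posix(): p
            for p in site_root.rglob("*") if p.is_file()}
    for rel, digest in manifest.items():
        if rel not in live:
            report["missing"].append(rel)
        elif hashlib.sha256(live[rel].read_bytes()).hexdigest() != digest:
            report["modified"].append(rel)
    for rel, path in live.items():
        if rel not in manifest:
            report["unknown"].append(rel)
        if path.suffix == ".php" and Path(rel).parts[0] in DATA_ONLY_DIRS:
            report["php_in_data_dir"].append(rel)
    return {bucket: sorted(paths) for bucket, paths in report.items()}


def demo() -> dict:
    """Constructed sample: a clean copy to build the manifest, then a live copy
    with one altered core file, one deleted core file and one stray PHP file."""
    root = Path(tempfile.mkdtemp())
    clean, live = root / "clean", root / "live"
    for base in (clean, live):
        (base / "images").mkdir(parents=True)
        (base / "administrator").mkdir()
        (base / "index.php").write_text("<?php // core front controller\n")
        (base / "administrator" / "index.php").write_text("<?php // core admin\n")
    manifest = build_manifest(clean)
    (live / "index.php").write_text("<?php // core file, now altered\n")
    (live / "administrator" / "index.php").unlink()
    (live / "images" / "logo.php").write_text("<?php // not a core file\n")
    return audit(live, manifest)
```

Files that are "unknown" are not automatically bad (your configuration.php and extensions land there too), so build the manifest from your own clean install rather than the bare Joomla release to keep that list short.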
6. Use a good hosting company.
Not all hosting companies are created equal. Although some boast really low prices, you don't want to choose your hosting based on price alone. Here are some key things you need to know about your hosting company:
- Backup Policy. Some hosting companies do backups but with restrictions. You need to know what those restrictions are if you're with a company like that. Most hosting companies will say you are responsible for your own backups, which means you're pretty much on your own if your site is hacked and you have no backup.
- Server Update Frequency. Some hosting companies do not update their server software in a timely manner. This can be a problem if the technical requirements that Joomla needs to run properly are not met by your hosting company. Find out how quickly your hosting company updates their software when new releases are made available.
- Availability of Technical Support. Not all hosting companies have 24/7 support or even live support. With some hosting companies you can only communicate by email, even in an emergency. Live support can be very helpful, especially when your website is down or hacked.
7. Partner with a Joomla Expert.
Even if you maintain your own website, it's still good to have a Joomla expert you can contact when you need help. Someone who specializes in Joomla can give you advice and offer suggestions that are specific to your Joomla website. Having a trusted resource for your questions can make a big difference in your experience with your Joomla website.
So there you have it. If you haven't already, get your full website backup in place and set up your daily or weekly database backups. If you don't have a good hosting company, consider making the switch to one that will best meet your website's needs. It's not as complicated as you may think to switch to a new company. If you need a Joomla expert to consult with, give me a call. I'll be happy to advise and assist.