Attacking and breaking into websites

Since the start of the year, Alltraders has been flat-stick with work from new and existing clients alike. What has stood out during this period is the number of Content Management System websites (Joomla and WordPress) that had been compromised by groups or individuals looking to unleash mischief on any target they can access. The annoying part of these attacks is that many could have been prevented through simple maintenance and updates.

Like a car requiring regular servicing, a website requires updates to its software so that publicly known exploits and other nasties are patched, and unused components are removed.

The five areas below are essential in making a website as hard as possible for malicious users to access. If you do not know how to do these, I would recommend giving us a call to ensure they have been deployed to your Joomla! website.

  1. Joomla! & Extension Updates
    Over time, as with an operating system, the software used to run your website needs its code updated to a more recent and secure version. Joomla and WordPress are Open Source solutions, meaning that while there is a large and deep community out there to support them and find/solve issues, malicious users are also made aware of issues as they occur. It is very important to keep Joomla and WordPress up-to-date as a minimum and, for the same reasons, to update the extensions regularly as well.

    This is the number one cause of the hijacks or hacks we have seen over the years. We recommend that our clients set up a monthly calendar alert to check for updates, or sign up to our mailing list to learn when important Joomla updates are released. If you need help, we can assist you or your business with updating.

  2. Folder and File Permissions
    This is overlooked by most website owners and new developers, not out of negligence but simply because they are unaware of the issue. File permissions say who can access which files, and from where; if they are not set correctly, all the best security software or updates will not stop an intruder. Think of it like a house with the latest alarm and security doors that you forget to turn on when you leave. Here at Alltraders, we set these up for all our clients when we launch a website. Over time, with modifications, these can change.

    File permissions are easy to allocate to files and folders through FTP access. Folders should be set to 755 and files to 644. If you need help with this, please get in contact with us.
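    The following is an added example, not Alltraders' own tooling: a small POSIX shell audit that lists every folder in a web root that is not 755 and every file that is not 644, counts the deviations, and can bulk-fix them. The web-root path is a placeholder, and the sample site tree used to exercise it is constructed.

```sh
#!/bin/sh
# Added example (not from the original article): audit a Joomla/WordPress web root
# against the baseline above (folders 755 = rwxr-xr-x, files 644 = rw-r--r--).
# Assumes a POSIX find(1) with -perm; the web-root path is supplied by the caller.

# Print a count of folders not exactly 755 plus files not exactly 644.
# "-perm 755" without a leading - or / is an exact match, "!" negates it.
count_cms_perm_violations() {
    root="$1"
    {
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -perm 644
    } | wc -l | tr -d ' '
}

# List each offending path with a label; returns 0 when the tree is clean,
# 1 when anything deviates (usable as a check in a monthly maintenance job).
audit_cms_perms() {
    root="$1"
    find "$root" -type d ! -perm 755 | sed 's/^/folder not 755: /'
    find "$root" -type f ! -perm 644 | sed 's/^/file not 644: /'
    [ "$(count_cms_perm_violations "$root")" -eq 0 ]
}

# Reset every deviating folder/file to the baseline. Review the audit output first:
# a folder the CMS itself writes to (cache, tmp, logs) may need a different owner
# or group on some hosts, so do not chmod blindly on a live site.
fix_cms_perms() {
    root="$1"
    find "$root" -type d ! -perm 755 -exec chmod 755 {} +
    find "$root" -type f ! -perm 644 -exec chmod 644 {} +
}

# Usage (placeholder path): audit_cms_perms /path/to/your/webroot
```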

  3. Different Usernames & Passwords
    Using the same username and password for everything may seem like a really good way to save time and hassle. The issue is that an intruder/hacker loves the setup for the exact same reason. The worst part is that when a single account is compromised, it can open the door to a compromised email, Facebook and even a bank account.

    Ensure, as a minimum, that your hosting account, Joomla or WordPress login, database and FTP access all use different credentials. This way, if something along the way gets compromised, the attacker(s) will not have access to everything. Also keep a different email password to be really safe.

    Also, "password", "abc123" or combinations of publicly available information about yourself are not good choices for passwords. Use a combination of letters, numbers and symbols to create a secure password, e.g. "A^s7bc". If multiple staff manage the website, educate them about online security and the need for secure passwords.

  4. Removal of all non-required Joomla! Files
    When a CMS is first installed, it installs a large amount of sample data (even when asked politely not to) which uniquely identifies that a website is running that CMS. Using scripts, hackers can determine the version of Joomla or WordPress simply by looking at which files exist.

    Removing these files makes the process significantly harder for unskilled intruders (such as those using pre-built scripts made by other, more skilled individuals), as without the version they are unsure how to attack or which flaws exist in the website. In many cases, they will get bored and simply move on.

    If you have a website built by us in the past two years, this should have already been done for you.

  5. Avoid Cheap Hosting
    Whilst using cheap hosting to get started is sometimes the only option, using it purely to save money puts you at risk and can cost you up to 15x the annual cost of hosting in a single hacking incident. So why risk it?

    So what makes a cheaper hosting environment a bad idea? Primarily, the number of websites hosted within a single environment. Think of it like living in a bad neighbourhood: you are more likely to attract attention, especially if a neighbouring website is "broken into" at some point. In some cases, it's quite easy for the attacker to simply jump the fence into your website.

    Finally, these types of environments are normally chock-full of websites that have been promised big usage limits, creating a crippling fight for resources on the server, which in turn leads to performance issues for all involved. Crashing a site simply by causing it to "over-think" or to send/receive too much data will cause it to cease functioning. Business and professional class servers are equipped to handle these types of strain. If you feel you require such a service, please see our hosting page here.


In conclusion, whilst these five areas are not definitive, they are a great way to ensure you heavily mitigate the risk of an intrusion by those with malicious intent. There are still many other ways to lock a website down. For those out there who are keen to learn, please use this as a starting guide, and for our clients who need help, please let us know by contacting us - we're keen to assist to keep you safe.

Next week we are launching a new set of Maintenance Packages for our Joomla clients - please keep an eye out, as it covers the above and much more.

Book a free consultation by calling 08 7324 7100.

© 2006 - 2024 Alltraders Pty Ltd