The two most common reasons websites get hacked are:

  1. Out of date software.
  2. Easy to crack passwords.

Addressing these areas is a top priority for maintaining a high level of Joomla security and protecting your Joomla site from hackers.

Protecting Against Out Of Date Software

Google calendar reminder to check for updates

Websites exist to achieve a purpose, and after the initial build they cost relatively little to keep achieving it. Because of this, it's easy to just let them sit, but they require regular maintenance and updates. Open source software like Joomla (or WordPress or Drupal) benefits from a community constantly reviewing its code for security flaws. When a flaw is discovered, an update is released. If you install the update, you increase your site's security. If you ignore it or are unaware of it, you lower your site's security. There is no staying put: with every security update you either become more secure or less secure. If you want to keep from being hacked, keep your site software up-to-date.

Because of this environment, you have to be proactive about keeping things up-to-date and secure. I recommend that you assign a specific person in your organization to be responsible for checking for updates to your site extensions and the Joomla core, and for applying patches as they are released. If this falls on your shoulders, the best way to make sure it gets done is to set an appointment on your calendar to set aside a few hours for it every month. You don't want to stretch beyond a month, and really it would be better if you checked every two weeks. If you don't have someone you can delegate this responsibility to and you know you can't keep up, we offer a support and maintenance service that includes this (if you want more details, just contact us).

Get Notified When There Are Changes in Joomla Security

Beyond updating regularly, the community provides two notification services that send an email when Joomla vulnerabilities are discovered in the core or in extensions. You can subscribe to these emails here:

If you monitor these emails, you need to know which extensions are installed on your site so you can tell when an advisory applies to you and an update is needed.

Protecting Against Weak Passwords

25 easiest passwords for hackers to guess.

One of the most common attacks is password guessing. People are lazy and busy and generally choose poor passwords. Their passwords are easy to remember and easy to crack. Use this tool to analyze the strength of your password:

How Secure is My Password 

If the time it takes to guess it is measured in days, it's time for a stronger password.

I suggest using a short nonsensical word grouping, e.g., "broadcloud8catspine". Easy to remember and secure.
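To make the "measured in days" rule concrete, here is a small password-strength estimator. It is an added example, not the tool linked above and not code from the original post. It checks a candidate against a constructed sample of common passwords, then estimates how long an exhaustive search of the password's character set would take at an assumed guess rate (the rate and the one-year threshold are illustrative assumptions, not figures from the post).

```python
import math
from dataclasses import dataclass

# Constructed sample of entries of the kind found on "most common passwords" lists.
COMMON_PASSWORDS = {
    "123456", "password", "password1", "qwerty", "letmein",
    "abc123", "admin", "welcome", "iloveyou", "monkey",
}

# Assumed offline guess rate (hypothetical figure used only for illustration).
GUESSES_PER_SECOND = 10_000_000_000

# Assumed threshold: anything that falls to brute force in under a year is "days", not "years".
WEAK_IF_UNDER_DAYS = 365


@dataclass
class Estimate:
    alphabet_size: int      # size of the character set the password draws from
    entropy_bits: float     # log2 of the keyspace, a rough upper bound on strength
    seconds_to_exhaust: float
    common: bool            # found on the common-password list

    @property
    def days(self) -> float:
        return self.seconds_to_exhaust / 86_400

    def verdict(self) -> str:
        if self.common:
            return "weak: appears on a common-password list"
        if self.days < WEAK_IF_UNDER_DAYS:
            return "weak: brute force measured in days"
        return "ok"


def alphabet_size(pw: str) -> int:
    """Count the character classes present; a guesser must cover each class used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation
    return size


def estimate(pw: str) -> Estimate:
    """Estimate strength of `pw`; a listed password counts as cracked instantly."""
    common = pw.lower() in COMMON_PASSWORDS
    n = alphabet_size(pw)
    bits = len(pw) * math.log2(n) if n else 0.0
    seconds = 0.0 if common else n ** len(pw) / GUESSES_PER_SECOND
    return Estimate(n, bits, seconds, common)


if __name__ == "__main__":
    for candidate in ("password1", "Summer19", "broadcloud8catspine"):
        e = estimate(candidate)
        print(f"{candidate!r}: {e.entropy_bits:.1f} bits, {e.days:.2g} days -> {e.verdict()}")
```

Note that the estimate is an upper bound: a real attacker tries dictionary words and common patterns before exhaustive search, which is why the common-password check comes first and why unrelated words, as in the example above, beat a single word with a digit appended.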

In particular, for web design and marketing firms I advise against storing passwords in your FTP clients unless you know for certain that those passwords are encrypted when stored. A friend of mine knew someone at his work whose computer was compromised by malware, and all 16 of their company sites were hacked because they had saved passwords in FileZilla (not encrypted).

To get around the constant need for secure passwords and our inability to remember them, I recommend using LastPass. It is cross-browser, cross-device and cross-operating-system compatible, and you only have to remember one tough password. It makes logging into sites and filling in passwords a breeze. Additionally, if you regularly have to share passwords with clients, employees, or subcontractors, it has a secure mechanism for doing so. This is important because keeping your passwords in your email is one of the most insecure ways to store passwords. All it takes is one recipient or sender to be hacked and every password ever transmitted by email is available to the attacker.

LastPass

(I also recommend using LastPass for storing all your passwords, not just web application passwords. This makes life simpler for you and the people you work with, without lowering security.)

Being hacked can be extremely expensive, not only in the cost of re-securing your site, but also in the damage it can cause to your business and to your visitors. Keeping your site up-to-date and ensuring your administrators have strong passwords will go a long way towards maintaining strong Joomla security.

Protecting Against Hacker Changes With Version Control

Finally, another good tool to prevent damage from being hacked is version control. Having your website under Git or another popular tool will enable you to identify file changes quickly and easily with 100% accuracy. This can change recovering from an attack from a multi-day process to a 15 minute process. Additionally, version control, along with backups, can help you to undo any accidental damage to your site done by a sloppy update.
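The reason version control speeds up recovery is that it gives you a trusted baseline of every file, so a comparison tells you exactly which files were added, modified or deleted. As an added example (not code from the post, and a stand-in for `git status` rather than Git itself), the snippet below records a SHA-256 baseline of a site tree and diffs it against the current state; the site tree, the "tampering" and the file names are all constructed inside a temporary directory for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each file under `root` (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def save_baseline(digests: dict, out: Path) -> None:
    """Persist the baseline; keep this copy off the web server so an attacker can't edit it."""
    out.write_text(json.dumps(digests, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report added, modified and deleted paths, the same three classes git status shows."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "deleted": deleted}


def demo() -> dict:
    """Build a constructed mini site, snapshot it, simulate tampering, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "images").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (site / "configuration.php").write_text("<?php class JConfig {} ?>\n")
        (site / "images" / "logo.txt").write_text("logo\n")

        baseline_file = Path(tmp) / "baseline.json"   # would live outside the web root
        save_baseline(hash_tree(site), baseline_file)

        # Constructed changes of the kind a compromise leaves behind:
        (site / "index.php").write_text("<?php echo 'tampered'; ?>\n")        # modified
        (site / "images" / "unexpected.php").write_text("<?php /* new */ ?>\n")  # added
        (site / "images" / "logo.txt").unlink()                                # deleted

        return compare(load_baseline(baseline_file), hash_tree(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With Git the same information comes from `git status` and `git diff` against the last known-good commit, and restoring a clean file is a `git checkout` away; the hash approach above only tells you what changed, which is why the post pairs version control with backups.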

Git Version Control

Final Thoughts

Due to the constantly changing nature of attacks, there is no tool which can magically fix your site, but I hope this information gives you a big leg up in identifying and fixing successful attacks. As importantly, I hope that it gives you the tools and techniques to stay secure in the future.

Being hacked is an enormous challenge, but staying secure requires minimal effort and many people don't make that effort until disaster has struck.

Questions, comments, and feedback can be directed to me at Contact Us.

John Hooley
President, Steward

John is a graduate of 10,000 Small Businesses, a certified Customer Acquisition Specialist, and a Zend Certified Engineer. He speaks and writes on connecting digital strategy to association goals. Outside of work he's an avid traveler, climber, diver, and a burgeoning sailor. He also volunteers with Rotary and Big Brothers Big Sisters.