Step 1 - Use HTPASSWD protection
HTPASSWD is a common utility in Unix- and linux-based web servers that adds basic user authentication to a set of files and folders. Blocking HTTP requests to the Joomla Administrator folder is widely regarded as one of the easiest and most effective deterrents to intruders.
There are 3 ways to add HTPASSWD protection to your Joomla administrator folder. All these methods effectively do the same thing, which is to add the .HTPASSWD protection through an encrypted password. For the hacker this makes the Administrator completely invisible, since there is no need for anyone in the public to be able to see it why not protect it completely?
A. Manually creating a .HTPASSWD file
A .HTPASSWD file is simply a file that includes usernames and encrypted passwords, a .HTACCESS file can include directives to ensure the username and password need to be enter to access the folder. This method can be used without adding any extensions to your Joomla installation and relies on your server instead. It is recommended that the .HTPASSWD file is saved outside the public_html folder.
1. Create the .HTPASSWD file
The .HTPASSWD file contains the usernames and password and should NOT be found in the folder that needs to be protected. In order to ensure it is most secure it should be found outside the public_html folder.
The above creates a username "mysecretusername" with an ancrypted password "mysecretpassword"
- Using your FTP client or cPanel file management utility, navigate to the folder in which public_html is found, the path is likely something like /home/myaccount
- Create a simple text file name .HTPASSWD
- Generate usernames and encrypted passwords on http://tools.dynamicdrive.com/password/
- Copy the usernames with password into the .HTPASSWD file
2. Create the .HTACCESS file
- Navigate to the Administrator folder, the path is likely something like /home/myaccount/public_html/administrator
- Create a simple text file name .HTACCESS (or open the one that already exist here)
- Copy the appropriate directives at the top of the HTACCESS file
AuthName "Secured Area"
B. Using the CPanel password protection tool
Most hosting control panels provide some method to easily add password protection to your directories.
- Log into your hosting Control Panel
- Click Password Protect Directories
- Navigate until you see the /home/myaccount/public_html/administrator folder listed (Note that in many case clicking the folder icon opens the folder, while clicking on the folder name selects it to be protected)
- Select the Adminsitrator folder
- Fill in the Folder Name (It will display as part of the password Prompt), username and password
C. Use a Joomla Security Extension
There are extensions that help secure the Joomla Adminsitrator folder, one popular such extension is Admin Tools.
Admin Tools (the Pro and free editions) includes a tool to password protect the Joomla Adminsitrator folder. The tools creates the .HTPASSWD and appropriate .HTACCESS file in the easiest way
- Log into Joomla Administrator
- Select Components - Admin Tool - Password-Protect Administrator
- Enter a Username and Password
Step 2 - Change the admin Super User
Especially in Joomla 1.5 and older, the default username for the Super Administrator is admin. Newer versions of Joomla make it easy to change this, but many people still use admin when creating their first user account.
Intruders rely on this during a brute force attack since knowing the username means the difficulty of intruding is at least 50% less than on a site with a custom username. In fact, as the Sucuri blog described, the most recent brute force attacks are using this method.
Simply changing the name of the super user will provide protection from attacks that guess usernames and passwords. There are other attacks that may use other defaults such as the user ID in order to break the Super user account to gain access to the site.
The easiest way fix this is to recreate the Super User. Admin Tools has a simple utility for this (see image below). However, you could also simply create a new Super User account with a unique username and strong password. Afterwards, log into your Joomla backend as this new user, rename and remove the Super Administrator/Super User privileges for the admin account, and then disable the account entirely.
Step 3 - Update core and add-ons to improve Joomla security
Since the most common successful attacks are due to known vulnerabilities in outdated Joomla versions and add-ons, one of the most important tasks for anyone responsible for Joomla security is to ensure that all the software remains up to date.
Thus, one of the most important features that has been added to Joomla is the new Joomla Update Manager which can be used to easily update many extensions, as well as the Joomla Update component to update Joomla itself.
A. Update Joomla!
- Log into Joomla Administrator
- Select Components - Joomla! Update
- Click to Update
A special note for Joomla 1.5 users - A few weeks ago a critical vulnerability was discovered affecting all Joomla versions including Joomla 1.5. Patched files were posted for Joomla 1.5 but had to be installed manually via FTP.
Here at Anything Digital, we thought it would be alot easier if we created a simple installer for this specific purpose. Please read our previous post Joomla Security Patch Made Easy to Install to learn how to patch Joomla 1.5 for this very serious security issue.
B. Update Extensions
- Select Extensions - Extension Manager
- Select the Update tab
- Select Purge Cache, the Find Updates (ensure latest available supported updates are found)
- Select the Extensions (and languages) to update and click Update
Before updating Joomla or any extensions make sure to back up your site, a backup extension such as Akeeba Backup.
C. Monitor all your site updates in one location
Watchful will notify you if updates are available for extensions and allow you to apply many of them all from one convenient Dashboard.