Once you install Joomla on your server, the first thing you should do is take a few minutes to lock down your site to keep spammers and hackers at bay. While nothing is foolproof, a few simple changes to your site will keep most hackers and spammers away from your website.
Step 1 - Secure the Administrator Directory
The best way to secure the admin section is through a combination of SSL and htaccess, but not everyone wants to fork over money for an SSL certificate. So at the very least you need to drop an .htaccess file in the administrator directory that restricts access to your IP address or addresses.
Create an .htaccess file with the following:
order deny,allow
deny from all
allow from xx.xxx.x.xxx
allow from yy.yyy.y.yyy
Substitute your IP addresses for the x’s and y’s. Just remember, if you need to access your site from another location you need to make sure you have FTP access so you can update the IP list.
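To see exactly what that rule set does before you rely on it, here is an added example (not part of the original post) that models the Apache 2.2 Order/Deny/Allow evaluation rules in Python and runs them against a constructed .htaccess, with the x/y placeholders replaced by documentation-range addresses. It also shows why "order allow,deny" with the same two lines would lock everyone out, including you.

```python
import ipaddress

# Constructed .htaccess, mirroring the rule set from the post above with
# RFC 5737 documentation addresses standing in for the xx/yy placeholders.
HTACCESS = """\
order deny,allow
deny from all
allow from 203.0.113.10
allow from 198.51.100.0/24
"""


def parse_htaccess(text):
    """Return (order, rules); rules is a list of (verb, pattern) tuples."""
    order = ("deny", "allow")  # Apache's default when no Order line is present
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        keyword = parts[0].lower()
        if keyword == "order" and len(parts) == 2:
            order = tuple(parts[1].lower().split(","))
        elif keyword in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            rules.extend((keyword, pattern.lower()) for pattern in parts[2:])
    return order, rules


def matches(pattern, client_ip):
    """True if the client address matches 'all', a single IP, or a CIDR block."""
    if pattern == "all":
        return True
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # hostname and partial-octet patterns are outside this model


def is_allowed(text, client_ip):
    """Apache 2.2 mod_authz_host semantics for Order deny,allow / allow,deny."""
    order, rules = parse_htaccess(text)
    allow_hit = any(matches(p, client_ip) for v, p in rules if v == "allow")
    deny_hit = any(matches(p, client_ip) for v, p in rules if v == "deny")
    if order == ("deny", "allow"):
        # Deny lines are checked first, a matching Allow overrides them,
        # and a request matching neither is permitted.
        return allow_hit or not deny_hit
    if order == ("allow", "deny"):
        # An Allow must match AND no Deny may match; unmatched requests are rejected.
        return allow_hit and not deny_hit
    raise ValueError("unsupported Order directive: %r" % (order,))
```

On Apache 2.4 these directives only work if mod_access_compat is loaded; the native 2.4 form of the same allowlist is "Require ip" with your addresses.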
Step 2 - Move your configuration file
Take your current configuration.php file and move it outside of your public_html folder (or whatever the name of your root folder is). Once you relocate the file, rename it “joomla.conf”.
Now create a new configuration.php file with the following code:
<?php
// Load the real settings from joomla.conf, which now lives one level above the web root.
require( dirname( __FILE__ ) . '/../joomla.conf' );
?>
Make sure that your new configuration.php is not writable. Remember, this means that you will not be able to make configuration.php changes through the Joomla admin interface. You will need to edit the file directly in your secure folder. Here’s the official documentation on this subject.
Step 3 - Install the Bad Behavior Bot Extension
Adding captcha and other tools to your Joomla site will help prevent some spam, but I have found that the Bad Behavior Bot plugin does a great job of keeping spam bots away from web sites.
There may be times when you need to give a client or someone else access to the Admin section of your site but you find that the Manager / Administrator / Super Administrator groups don’t provide the level of detail that you need. I have read that Joomla 1.6 will address this issue, but in the meantime there are some things you can do to address admin access levels in Joomla 1.5. I’ll detail those in my next post.
Tags: joomla security