How to secure your Joomla website

No CMS is 100% secure or hacker-proof; how secure a site ends up is largely in the hands of its administrator. The simple steps below will, however, raise the security of a Joomla website significantly.
 
Important Step 01:
Add the following to the .htaccess file in public_html. It denies direct requests to every PHP file under the web root except index.php, so a malicious .php file that an attacker manages to upload (for example into images/ or tmp/) cannot be executed by requesting it. Joomla's front end and administrator back end are both served through a file named index.php, and <Files> matches on the file name, so administrator/index.php stays reachable too. If an extension needs direct access to some other PHP file, add a matching <Files> block that allows it. The Order/Deny/Allow syntax below is Apache 2.2 syntax; on Apache 2.4 the equivalents are "Require all denied" and "Require all granted".
    <Files *.php>
         Order Deny,Allow
         Deny from all
    </Files>

    <Files index.php>
         Order Allow,Deny
         Allow from all
    </Files>
 
Important Step 02:
Protect the administrator directory with HTTP Basic authentication (.htaccess plus an .htpasswd file), so that the Joomla login form can only be reached after a second, web-server-level credential check. Keep the .htpasswd file outside the web root so it can never be served to a visitor.
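The following script is an added example, not part of the original article or of Joomla itself: it writes the root .htaccess from Important Step 01 (in both Apache 2.4 and 2.2 syntax, selected by IfModule) and the administrator .htaccess from Important Step 02, and creates the .htpasswd file. The docroot layout, the user name "siteadmin", the password and the htpasswd location are all assumptions for the demonstration; it assumes Apache with AllowOverride enabled for the site, and either the htpasswd utility or openssl on the server.

```shell
#!/bin/sh
# Added example: generate the .htaccess files from Important Steps 01/02.
# Assumes Apache (2.2 with mod_access_compat or 2.4 with mod_authz_core),
# AllowOverride enabled for the docroot, and an .htpasswd file stored
# OUTSIDE the web root. Paths and credentials below are made up.

# write_root_htaccess DOCROOT
# Deny direct requests to every *.php under DOCROOT, then re-allow the one
# entry point. <Files> matches by basename, so administrator/index.php is
# still reachable; any extension file that needs direct access must be
# added with its own <Files> block.
write_root_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
<Files "*.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</Files>
<Files "index.php">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
</Files>
EOF
}

# write_admin_htaccess DOCROOT HTPASSWD_FILE
# Basic auth in front of /administrator; HTPASSWD_FILE must be an absolute
# path outside DOCROOT.
write_admin_htaccess() {
    cat > "$1/administrator/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $2
Require valid-user
EOF
}

# make_htpasswd FILE USER PASSWORD
# Prefer Apache's htpasswd with bcrypt (-B); fall back to openssl's apr1
# MD5, which every Apache understands. Returns 1 if neither tool exists.
make_htpasswd() {
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -cbB "$1" "$2" "$3" || return 1
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s:%s\n' "$2" "$(openssl passwd -apr1 "$3")" > "$1" || return 1
    else
        echo "neither htpasswd nor openssl is available" >&2
        return 1
    fi
    chmod 640 "$1"   # readable by the web server's group only
}

# demo: run the three steps against a constructed, empty site layout
# (a temporary directory, not a real Joomla install) and print its path.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/public_html/administrator"
    write_root_htaccess "$d/public_html"
    write_admin_htaccess "$d/public_html" "$d/.htpasswd"   # outside docroot
    make_htpasswd "$d/.htpasswd" siteadmin 'Correct-Horse-9!' || true
    echo "$d"
}
```

Run `demo` and inspect the generated files; on a real server call the three functions with the account's actual public_html and an .htpasswd path such as /home/ACCOUNT/.htpasswd.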

Step 1: Always run the latest Joomla release; security fixes are only published for supported versions. Follow the URL below to upgrade an existing website:
http://docs.joomla.org/Upgrade_Instructions

Step 2: Avoid vulnerable third-party extensions. Check any non-core (third-party) extension against the Vulnerable Extensions List before installing it:
http://docs.joomla.org/Vulnerable_Extensions_List

Step 3: Change the default 'admin' username to something unique and choose a strong password: at least 8 characters mixing letters, numbers and special characters (longer is better). A predictable username halves the work of a brute-force attack, because the attacker then only has to guess the password.
a) Go to Users -> User Manager in the Joomla administrator back end and filter on the Super Users group, as shown in the image below.
[Image: changeadmin1.jpg]
 
b) Open the super administrator account by clicking its user name, change the username from admin to the new name, and click the Save icon as shown in the image below.

[Image: changeadmin2.jpg]
 
Step 4: Use secure hosting settings: turn Joomla's Register Globals Emulation off (Joomla 1.0.x only) and run a current, supported PHP release (PHP 5 rather than PHP 4 at the time of writing). safe_mode can be turned on for PHP 5.3 and earlier, but it is deprecated in 5.3 and removed in 5.4; on those versions rely on open_basedir and the disable_functions list in Step 5 instead.
 
Step 5: Write-protect the Joomla configuration file by setting configuration.php to mode 444 (read-only for owner, group and others). Do not use 044: that removes the owner's read permission, and since PHP usually runs as the owner the site would no longer be able to read its own database settings.
Also make the following changes in php.ini (these are php.ini directives and have no effect in .htaccess). show_source is an alias of highlight_file, so both must be listed, and allow_url_fopen is an ini setting rather than a function, so it belongs on its own line rather than in disable_functions:
disable_functions = show_source, highlight_file, system, shell_exec, passthru, exec, popen, proc_open
allow_url_fopen = Off
file_uploads = Off (only if the site does not need uploads at all; the media manager and the extension installer's package upload require it to be On)
safe_mode = On (PHP 5.3 and earlier only; the directive no longer exists in PHP 5.4)
 
Step 6: Delete unused templates and any unwanted files or folders from the web root, including the installation directory, which Joomla requires you to remove once the install has finished.
 
Step 7: It is common practice to give the folders of a Joomla install 777 permissions, which is a security threat: any other account on the server, or any compromised process, can then write files into them. The correct permissions on Linux are 755 for directories and 644 for files. The following commands reset everything that is currently 777 (run them as the account owner; $i holds the account's username, as in a loop over the accounts under /home):
find /home/$i/public_html -perm 777 -type f -exec chmod 644 {} \;
find /home/$i/public_html -perm 777 -type d -exec chmod 755 {} \;
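The script below is an added example rather than code from the article: it packages Step 5 (configuration.php to 444) and Step 7 into one function, and goes a little further than the two commands above by catching any world-writable entry (mode bits -002), not only entries that are exactly 777. It assumes the files are owned by the account that PHP runs as, so 644/755 is enough for Joomla to work; the demo directory tree it builds is constructed for the demonstration and is not a real site.

```shell
#!/bin/sh
# Added example: reset world-writable permissions under a Joomla docroot and
# write-protect configuration.php (Steps 5 and 7). Assumes files are owned
# by the account PHP runs as, so 644/755 (and 444 on configuration.php) is
# sufficient. The sample tree built in demo() is made up.

# fix_joomla_perms DOCROOT
fix_joomla_perms() {
    docroot=$1
    [ -d "$docroot" ] || { echo "no such directory: $docroot" >&2; return 1; }
    # Anything with the other-write bit set (-perm -002) is a problem, not
    # only exactly 777; normalise files to 644 and directories to 755.
    find "$docroot" -type f -perm -002 -exec chmod 644 {} \;
    find "$docroot" -type d -perm -002 -exec chmod 755 {} \;
    # configuration.php holds the database credentials: read-only for all.
    if [ -f "$docroot/configuration.php" ]; then
        chmod 444 "$docroot/configuration.php"
    fi
    return 0
}

# count_world_writable DOCROOT -> number of world-writable entries left
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# demo: build a constructed docroot with the classic bad permissions,
# fix it, and print its path so the result can be inspected.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/images/stories" "$d/cache"
    printf '<?php\nclass JConfig { public $dbprefix = "jos_"; }\n' > "$d/configuration.php"
    : > "$d/images/stories/photo.jpg"
    chmod 777 "$d/images" "$d/images/stories" "$d/cache" \
              "$d/images/stories/photo.jpg" "$d/configuration.php"
    fix_joomla_perms "$d"
    echo "$d"
}
```

Before running this on a live site, check whether any extension writes to a directory as a different system user than the file owner (that is the usual reason 777 was set in the first place); the correct fix for that case is to make the directory group-writable for the web server's group, not world-writable.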
 
Step 8: Change the default database prefix from jos_ to a random string, so that canned SQL injection payloads that hard-code jos_ table names miss. Joomla 1.6 and later already pick a random prefix at install time; on older sites the prefix is changed by renaming every table and updating $dbprefix in configuration.php, with the site offline and a fresh database backup taken first.
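As an added example (not from the article, and not a Joomla tool), the script below generates the RENAME TABLE statements for a prefix change from a list of table names and rewrites $dbprefix in configuration.php. It assumes MySQL, a table list supplied one name per line (for instance the output of `mysql -N -e "SHOW TABLES" dbname`), a prefix made of letters, digits and underscores, and a configuration.php that sets the prefix as `public $dbprefix = 'jos_';` (Joomla 1.6+) or `var $dbprefix = 'jos_';` (1.5); the sample table list and the new prefix k7x_ are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: generate the SQL for a database prefix change (Step 8) and
# update configuration.php to match. Assumes MySQL, prefixes made of
# [A-Za-z0-9_], and the `$dbprefix = '...';` line used by Joomla 1.5/1.6+.
# Sample data below is made up.

# rename_sql OLD NEW  (table names on stdin, one per line)
# Emits one RENAME TABLE statement per table that carries the old prefix;
# tables without it are reported on stderr and left alone.
rename_sql() {
    old=$1; new=$2
    while IFS= read -r t; do
        case $t in
            "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$t" "$new" "${t#"$old"}" ;;
            *)       echo "skip (no $old prefix): $t" >&2 ;;
        esac
    done
}

# set_config_prefix CONFIG_FILE NEW
# Rewrites the $dbprefix value in place; written without sed -i so it works
# with both GNU and BSD sed. [$] is a literal dollar in the sed regex.
set_config_prefix() {
    cfg=$1; new=$2
    tmp="$cfg.tmp.$$"
    sed "s/\([\$]dbprefix *= *'\)[^']*'/\1$new'/" "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Constructed table list: three Joomla tables plus one unrelated table.
TABLES='jos_users
jos_session
jos_content
wp_posts'

# demo: write a minimal configuration.php, switch it and the sample tables
# from jos_ to k7x_, and print the working directory.
demo() {
    d=$(mktemp -d)
    printf "<?php\nclass JConfig {\n\tpublic \$dbprefix = 'jos_';\n}\n" > "$d/configuration.php"
    set_config_prefix "$d/configuration.php" 'k7x_'
    printf '%s\n' "$TABLES" | rename_sql jos_ k7x_ 2>/dev/null > "$d/rename.sql"
    echo "$d"
}
```

Feed the generated rename.sql to the database while the site is offline (Global Configuration -> Site Offline, or the root .htaccess from Important Step 01 pointed at a maintenance page), then upload the rewritten configuration.php; if either half is done without the other, every page will fail with a "table doesn't exist" error.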
 
Step 9: Make sure the local machine you use to maintain the live website is free of malware. This is very important: a keylogger or trojan on the workstation leaks FTP and administrator credentials no matter how well the server is hardened. Scan the computer with an up-to-date antivirus product.
 
Step 10: Use a SEF component. The SEF component referred to here includes a security feature that warns you whenever the site has been exposed to an attack, and it can also remove the generator meta tag, which advertises the Joomla version, from the site's pages.
 
Step 11: Remove the version numbers of installed extensions by editing their config files, so that an attacker cannot match them against published vulnerability lists.
 
Step 12: Install the jSecure authentication plugin, which adds a secret suffix to the admin URL so that it looks like this: http://www.yoursite.com/administrator?gunsnroses
If the URL is requested without the correct suffix, the site redirects to a 404 (not found) page. Change the suffix regularly. The plugin is not free, but it is worth it. Keep in mind that the suffix only hides the login page from casual scanning; it is no substitute for strong passwords and the .htpasswd protection of the administrator directory described earlier.
If you need any assistance in this regard, you can contact us at http://www.hostingraja.in/support/