1. Overview
2. Methods and Techniques
A. Implement Strong Access Control Measures
1. Secure the administrator’s login with a strong password
2. Maintain a proper Access Control System
Handling User Accounts
Handling User Groups
Handling User Access Levels
Handling Permissions
3. Enable Two Factor Authentication
4. Limit the login attempts
5. Enable CAPTCHA for the website.
6. Restrict access to administrator’s login only from whitelisted URLs
Overview
There will always be a risk of attack on websites, security will always remain a continuous process which requires a frequent assessment of possible attack vectors. This documentation is a completely comprehensive guide on techniques and steps that joomla users can undertake, in order to better secure their website from frequent attacks.
Methods and Techniques
A. IMPLEMENT STRONG ACCESS CONTROL MEASURES
1. Secure the administrator’s login with a strong password
Do not leave the administrator’s login password as the default password (‘admin’). This makes the site more vulnerable to attacks.
Change the admin password frequently. And set up a strong password which includes at least 1 uppercase character , 1 lowercase character , 1 digit , 1 special character.
The password should be at least 10 characters long, with no more than two identical characters.
Method 1: Changing the Administrator’s Password
Step 1 : Login using the administrator’s login.
Figure 1: Joomla Admin Login PageStep 2 : Click on the user tab and select the first option >> Manage Users
Step 3 : Select the User’s profile Figure 3: Manage Users Page
Step 4 : Type and Retype the password and then click the button >> Save & Close
Figure 4: Edit Profile Page - User
The password to the intended account will be changed. Sign out of the administrator’s login and Sign
in using the new password.
Method 2: Changing administrator's password
Step 1: Navigate to PhpMyAdmin tool of your server Login and select your Joomla database.
Figure 5: PHP My Admin backend
Step 2 : Browse and find the table with “_user” phrase after the table's prefix, for example,
prefixtable_user.
Figure 6: Tables of Joomla Database
Step 3 : Find the user whose password you want to change, in the prefixtable_user table and click
the Edit button or the yellow pen.
Figure 7: User table - Joomla Database
Step 4 : The Joomla password is MD5 encrypted before being stored in the database. Therefore type
your password and remember to select the field type from varchar to MD5 before saving changes.
Then press “Go” to save settings.
Figure 8: Edit user data - Joomla Database: User table
Password lists are often used by attackers to brute force Joomla websites. This is why you should
always use strong, unique passwords for all of your accounts.
2. Maintain a proper Access Control System
In order to maintain a strong secured website, the website should have a strong access
control system. Weak Access Control Systems would provide an easy opportunity for
attackers to crash the website using loopholes.
Handling User Accounts
Create new user accounts with the lowest level of permission.
Grant temporary permissions and revoke access when they are no longer needed.
Delete accounts that are no longer being used.
Ensure that the default user role is set to Public.
If you have existing usernames, make sure the least privilege applies to all non-admins.
Accessing User Accounts :
Step 1 : Login to the back end of Joomla
Step 2 : Navigate to User >> Manage
Step 3 : Click on the user tab at the left side of the page
Figure 9: Users page : Joomla Admin Backend
User permissions can be edited and new users can be added here.
Delete unnecessary user groups in the system.
Create new user groups with a minimum access level.
Select the appropriate parent group, since the permissions of a parent is inherited by the child
Accessing User Groups :
Step 1 : Login to the back end of Joomla
Step 2 : Navigate to User >> Manage
Step 3 : Click on the User Groups tab at the left side of the page
User groups can be created and deleted here
Figure 13: Create a new user group
Handling User Access Levels :
Keep track of the access levels a user has access to
Keep track of the permissions allowed, inherited, and denied by an access level defined
Assign appropriate access level to a user group
Accessing User Access levels :
Step 1 : Login to the back end of Joomla
Step 2 : Navigate to User >> Manage
Step 3 : Click on the Viewing Access Levels tab at the left side of the page
Figure 14: Joomla Access levels defined
These access levels can be manipulated to decide the groups having viewing access to a
particular resource handling
Figure 15: Modify user groups of an access level
Permissions :
Part 1 : Changing the default permissions for each action and group :
Step 1 : Navigate to the System >> Global Configuration
Step 2 : Configure the Global Configuration in the Permission Tab
Figure 16: Global Configuration: Permission tab
Part 2 : Changing the Component Options Permissions :
Step 1 : Navigate to the System >> Global Configuration
Step 2 : Configure the Components Permission in the Permission Tab
Component Permission can override the default permissions for this component(for example,
Articles, Menus, Users, Banners, and so on).
Figure 17: Components Permission
Part 3: Changing the Category Permissions :
Step 1 : Navigate to the Content >> Categories
Step 2 : Select the category you need to be changed and click the edit button
Step 3 : Navigate to the Permissions tab and configure the permission
Category Permission can override the default permissions for objects in one or more categories. This
applies to all components with categories, including Articles, Banners, Contacts, Newsfeeds, and
Weblinks.
Figure 18: Category Permission
Part 4 : Changing Article Permissions :
Step 1 : Navigate to the Content >> Articles
Step 2 : Select the article to be changed and click the edit button
Step 3 : Navigate to the Permissions tab and configure the permission
Article permission can override the permissions for a specific article. This level only applies to
articles. Other components only allow the first three levels.
Figure 19: Article Permission Tab
3. Enable Two Factor Authentication
Two factor authentication adds an extra level of security to your site. This procedure adds a singleuse
code, received on your smartphone or a Yubikey, to your existing passwords. Usually when you want to log in to a website, you have to provide your username and your password. The biggest problem with this approach is that the username and password can be stolen, intercepted or guessed by attackers. If the username and password is compromised, the site can be hacked.
Two-Factor Authentication system secures your site login with a secondary, single use secret code
along with the username and password. This is called Two-Factor Authentication or shortened to
2FA. Method : Enabling Two-Factor Authentication
Step 1 : Login to the administrators login
Step 2 : Click on the Extension tab >> Plugins
Step 3 : Search for the plugin “two factor” in the plugin search box
Step 4 : In the results generated select the type of two factor authentication you want :
Yubikey or Google Authenticator
Figure 22: Two factor authentication plugins
Step 5 : Now navigate to the user’s profile (shown in changing password technique).
Step 6 : Click on the Two Factor Authentication tab
Figure 23: Edit profile page : Manage Users
Step 7 : Select your authentication method from the drop down box
Figure 24: Two factor authentication tab : Edit Profile page
Step 8 : Now follow the detailed instructions given in the administrator's page, in configuring the
two factor authentication method you selected. : Yubikey or Google Authentication
Google Authentication Setup Instructions :
Figure 25: Google Authenticator setup instructions
Yubikey Setup Instructions:
Figure 26: Yubikey Setup Instructions
Step 9 : After completing the configuration save and close the user profile.
The Two Factor Authentication will be activated. Sign out of the administrator’s login and Sign in
using the Username, Password, and the Secret Key.
Figure 27: Joomla Admin Backend with Secret Key
4. Limit the login attempts
Unlimited login attempts is a default setting in Joomla. This leaves your site vulnerable to brute force
attacks as hackers try different password combinations to enumerate the actual password.
We recommend adding an extra layer of protection by limiting the number of login attempts against
an account through an extension, installed from Joomla's extension directory, or by using a Web
Application Firewall (WAF).
Some popular plugins that provide you with this feature are AdminExile, and Brute Force Stop
5. Enable CAPTCHA for the website.
Native CAPTCHA or RECAPTCHA can be used for this purpose. RECAPTCHA, introduced by
Google, is a plugin, which protects your contact and registration forms against spam. This feature is
extremely useful for stopping automated bots from accessing your Joomla dashboard, as well as a
precaution from users or attackers submitting unwanted spam through front-end forms.
Method :
Step 1 : Log in to your administrator back-end
Step 2 : Click on the Extension tab >> Plugins
Step 3 : Search for the “ReCaptcha” plugin in the search box
Figure 28: Recaptcha plugin : Plugin page
Step 4 : Edit the Plugin Captcha - ReCaptcha, Set Status to Enabled, and Copy and paste the
Public and Private keys in their appropriate fields.
You can get the Public and Private keys by signing in with your Google account (create it if you
don't have one). Once you have registered your website domain, Google will provide your
ReCAPTCHA keys.
Figure 29: Recaptcha configuration page
Link to create reCAPTCHA key with google: Create a reCAPTCHA key
Step 5 : Click Save & Close
Enabling ReCaptcha for the Contact and Registration Forms
Step 1 : Go to System >> Global Configuration in the menu.
Figure 30: Joomla Admin Backend : System tab
Step 2 : Select the Site tab and Choose Captcha - ReCaptcha in the Default Captcha field.
Figure 31: Site Settings : Global Configuration
Step 3 : Click Save & Close.
Native CAPTCHA can also be used to protect the Joomla website. This feature can be added to the site,
in the form of an extension. Popular extensions that add a CAPTCHA to your Joomla login page are
SecurImages Captcha Plugin, Antispam by CleanTank, Custom reCaptcha, or OSOLCaptcha.
6. Restrict access to administrator’s login only from whitelisted URLs
Limiting the access to your login page from authorized IP’s will only prevent unauthorized entries.
This can be done by two ways :
Modifying the .htaccess file is done through the FTP or file manager.
Method :
Step 1 : Connect to your server using FTP credentials to where your site files are, using FTP
client of your choice. [Credentials can be obtained from the hosting provider]
Step 2 : Navigate to your admin folder
Step 3 : Create a new file there with the name .htaccess. If such file exists already, simply open it
for edit.
Step 4 : Add the following code to this .htaccess file, by replacing 123.123.123.123
from the code below with your IP address [The IP address from which the Joomla
back end will be accessed].
You can allow multiple IP addresses by adding a new Allow from lines keyword followed by the other IPs.
Order Deny,Allow
Deny from all
Allow from 123.123.123.123
Step 5 : Then save, and upload the file.
2. Through third party security extensions
Here the .htaccess file need not be modified. The same functionality can be achieved with
a more user-friendly interface from the Joomla admin back end by using third party extensions.
Eg : RSFirewall, AdminTools, Joomsecure
We will discuss more secure hardening steps in future posts.
0 Comments