Joomla is the second most widely used open source Content Management System based on PHP and MySQL. It was originally forked from Mambo and its version 3 is currently powering 70.6% of the websites available on the world wide web. Joomla offers advantageous features such as better user management, flexibility in displaying non-standard content and built-in multilingual support. However, being popular on the web also means increased security risks. Certainly enough, Joomla also faces threats and risks. Hence in this article, we shall discuss in detail about the multiple Joomla security mistakes that Joomla CMS may face.
After reading this article, you shall be benefited as you shall get a comprehensive overview of dealing with Joomla security mistakes. For more articles on Joomla CMS click here.

1. Weak Administrator Password

 
A new Joomla CMS website comes with default usernames and passwords. Now, it should be the duty of the administrator to take password security seriously. Some of the default username and password combinations are:
  • admin – admin
  • admin – nimda
  • admin – password
  • nimda – drowssap
Yes I know, it is very cumbersome for an individual to remember difficult passwords. But password based attacks are the most common attacks and one of the greatest Joomla security mistakes. If an attacker gains access to the admin console of your company’s Joomla website, then it would be a nightmarish experience for you, your team and your customers.

What you should do?

Hence, the administrator username should be changed to something unusual yet memorable. It should not be short as it would be vulnerable to brute-force attacks. Recommended is passwords of longer length with an alpha-numeric and symbolic combination. This would definitely give a tough time for a software which can run millions of guesses in a second. Apart from this, the servers can be configured in a manner to block ‘brute-force attempts’ on passwords associated with accounts holding administrative or other important privileges.

2. Re-infection Due to Missed Hacker Files

This Joomla security mistake creeps in when another developer or a website owner cleans out a hacking incident but it gets re-infected. One must understand the hacking removal of a Joomla website ain’t a child’s play. The steps need to be trodden very carefully. The files that you are removing may be legitimate or hacker’s files. In case, you are thinking that overlaying infected files of your Joomla website with clean files would help you resurrect, you’re mistaken.

What you should do?

You must also give a thorough check to the new files that you’re adding to your website. This also includes an investigation of files and directory which look different from the core Joomla files.

3. Out of date Joomla Core Files

While you may believe the fact that “Old is Gold”, but on the web old means known vulnerabilities. And since your weaknesses are known to the hacker, it wouldn’t take much time for them to hack you & your business. Joomla is constructed using a database and certain PHP files. There are multiple software and tricks which can make a Joomla website running on PHP files crash. One of them being PHP SQL injection.

What you should do?

These files receive updates as security vulnerabilities are discovered. On average, one release is done every two months only for security reasons. Hence keeping the core files updated can help prevent these Joomla security mistakes. There are now add-ons available which inform about an update in the administrator area which can help you update your Joomla website.

4. Allowing Unrestricted Uploads

 
A hacker often looks out for an upload section in any website. Now, if a careless Joomla website administrator doesn’t put in proper file authentication measures in that upload section, then the hacker can upload a PHP reverse shell and gain access to your Joomla website. The reverse shell can be uploaded with an extension specified and then by intercepting the request on the browser, change the file extension and then gain access to your Joomla website directory. The hacker can then get full access to all the information and resources available on your website. The servers can be compromised in this manner.

What you should do?

There have been multiple cases of these Joomla security mistakes and the recovery was a long and extensive process. Thus, if you have a forum or allow uploads for some reason, then you must ensure that restrictions on file types are set. You should also do mindful coding in your .htaccess file for detection of common exploit terms.

5. No Joomla Backup and Security Audit Routine

There have been times when we have received complaints on a security breach of a Joomla website. When asked whether they had a backup of their website or not, they answer “my host does that for me, don’t they?” Well, it is an additional paid service. Until then, it is your responsibility to take backups. If backups are not taken then Joomla security mistakes may infect your website and then you may be required to start over with a fresh new website.

What you should do?

Also, most of the companies undermine a security audit of their Joomla website citing its unnecessity and budgeting issues. This is something dangerous as it makes their Joomla website vulnerable to the Joomla security mistakes lurking in the vast world wide web. One best solution that they can do is have a real-time web monitoring system such as the Astra’s firewall. It protects your website from malicious traffic.

6. Poorly Coded Third Party Extension

 
Sometimes, in order to get a competitive edge over other businesses, companies start using poorly coded third-party extensions and templates. The website owner requires functionality and has a tough time finding extensions. They also look for something which is economical and resourceful. When they stumble upon something that fits fairly well with their requirements, they install those extensions and trust that everything will work out. What they don’t understand is that these ‘not-so-good-looking’ extensions may expose their Joomla website to multiple Joomla security mistakes.
These third-party extensions are often found querying the database with parameters being passed straight from the URL. This would let an adversary perform Cross-Site Request Forgery (CSRF) and SQL injection attacks on your Joomla website. Thus, your website database is accessible to the adversary. Apart from these attacks, there can be Black Hat SEO being done inside these extension codes which may cause blacklisting of your Joomla website by search engines. Such poorly coded extensions get reported to Joomla Extensions Directory (JED) and are then removed. However, website developers, due to lack of knowledge, may download them and use them.

What you should do?

If you’re serious about your Joomla website’s security and your users’ security, first get adequate knowledge about the extension that you’re going to add in your Joomla website. Try gathering as much information as you can about that third party extension through exploit databases and making yourself aware about the various Joomla security mistakes that your Joomla website may be exposed to after installation of that third-party extension.

7. Old unused extensions in your Joomla Site

Apart from old Joomla core files, even old extensions in your Joomla website can be parasitic. If an extension is not being used, it won’t be updated. If it isn’t being updated then it is old and vulnerable. If it is vulnerable and inside your filespace and the hackers will find it and exploit it.

What you should do?

Hence, it is best that you delete whatever is unwanted in your Joomla website. Keeping old and unused extensions would be troublesome for you as there’s no positive in return. The fact that you haven’t used a certain component to publish a page won’t stop a hacker to craft a malicious request for it. Thus, you must remove it from your Joomla website and prevent other Joomla security mistakes.

8. No Security Measures for Joomla website

 
It has often been found that some of the basic security measures are not implemented by Joomla website admins. Some of them being:
  • Database prefix
  • Super admin’s credentials
  • Limit to the upload
  • Hotlinking
  • Blocking terms in URLs
  • Blocking attempts on SQL injection
If you are not taking your website’s security seriously, then I’m afraid very soon the organic traffic that your Joomla website is generating will be lost as hacker’s will infect your website in and out. Falling prey to hackers damages your business reputation. The recovery is also cumbersome and may cost a lot than prevention.
What you should do?
With Astra’s Web Application Firewall, you can take care of the majority of Joomla security issues. It blocks cyber attacks like SQLi, XSS, CSRF, bad bots, OWASP top 10 and other 100+ attacks. With its continuous monitoring system, it keeps an eye on your Joomla website and protects it from any coming threats without any hiccups to your website’s performance.

9. Joomla and Server Login Details from Infected Computers

Sometimes, a potentially unwanted program i.e. virus, trojan, spyware, etc. accounts for a compromised Joomla website. Do not risk your organization’s business by not following the best practices on the security of information, system, and website.

What you should do?

Hence it is important that full system scans are done on a regular basis against all the machines that access your organization’s Joomla website. The developer team, the officials using the Joomla website and the administrator themselves must be wary about opening any malicious hyperlinks. You can take the assistance of Astra’s malware scanner, which helps scan your Joomla website and get rid of any malware residing in your website.

10. Cheap Joomla Hosting

Sometimes, in order to save costs, businesses often choose shared servers for hosting. This may help in cutting operating costs on your Joomla website. But it exposes your Joomla website to various Joomla security issues. The malware residing on another client website hosted in the shared server can spread out to your website. The shared server’s security may get compromised thus compromising the websites hosted on it. The shared servers may be offering premium services of security and backup at a higher cost. Shared hosting has several other security risks.

What you should do?

Having an exclusive server will remove the hosting risks to the maximum level. However, if you must engage in shared hosting verify the hosting service provider well in before. In addition, review the security measures they are taking before hsoting your business with them.

Summing It Up

Thus these were some of the Joomla security mistakes that a Joomla website owner must be aware of in order to keep their website safe. The website, as well as the computers accessing the Joomla website, must be scanned on a regular basis to get rid of any malware. There must be a thorough security auditing of the website done. Scrutiny must be done on any third-party extensions which are being installed or added to your Joomla website. The security updates must be installed so that your website remains secure. Remove anything which you have received as a legacy. Update your credentials to something more strong. Invest in a premium & reliable security solution like Astra’s to fortify your Joomla website from various Joomla security issues without affecting your website’s smoothness. Click here to get an Astra demo now!

Waiting to Get Hacked?

Get security tips & latest vulnerability fixes right in your inbox:

About The Author

Sourish Das

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close