Nobody wants to be hacked. Nevertheless, many people still ignore the necessary security measures. This article will poor light on the most common mistakes web admins make that threaten the security of their Joomla sites. In this article, you’ll see the top mistakes to make to get your Joomla site hacked.
Security measures are only necessary for large sites
My website is fairly small and has a small number of visitors. This is not an online store that processes card transactions. Therefore, it is not interesting to hackers.
Unfortunately, you are wrong. Any website and any web server is of interest to hackers. To penetrate the site, automatic scripts are used that do not see the difference between a large and a small website.
Hackers break into a website for several reasons:
- Data theft – obtaining confidential data – logins and passwords, as well as users’ credit card numbers.
- Spam – sending spam.
- Spreading viruses, adware, and other malware.
- Incorporation of a site into a botnet (a network of compromised computers\devices administered remotely) usually for DDoS attacks.
Conclusion: every site is attractive to hackers. So does not be open to mistake to get Joomla site hacked.
Update or not update
I am not regularly updating my website because:
- It is unnecessary due to the reasons stated in the first misconception.
- I cannot do it myself.
- I made some changes to the site code and therefore cannot update it.
All software contains bugs and vulnerabilities. It does not matter where it operates – on a computer or a server, and what it is: a CMS like Joomla or a tiny extension. Software developers release updates regularly. Security updates should be in as soon as possible. It is desirable to configure all updates to run automatically. In addition, it has become much easier to install Joomla updates recently.
In conlusion: it is important to update Joomla and its expansions regularly.
I downloaded this software from the Internet
I downloaded this Joomla extension or template from a useful website. Or I liked a paid extension, and I wanted to test it first, so I downloaded the free version from some 3rd party website. If the test is going to be successful, then I will definitely buy the original version.
- Always download programs only from developer sites. This is the only way to minimize the risk of downloading fake or hacked products.
- Paid templates and extensions downloaded from a torrent or file hosting site almost always contain hidden components. For example, some unwanted spam links that Google dislikes or scripts that can help hack your site. Do not use commercial software downloaded from a free resource for testing.
Conclusion: Download software directly from the developer’s website.
My hosting provider always makes backups
My hosting company makes backups regularly, so why would I bother doing backups myself?
- A good backup is a well-tested backup. Have you ever tested a backup from your hosting provider?
- What will you do if your hosting goes bankrupt? Or will all hardware be by law enforcement agencies for the prohibited content of one of the sites?
Conclusion: create your own backups regardless of the hosting provider.
A cheap and reliable hosting: Mistakes to get Joomla site hacked
It is not hard to find a hosting provider that provides its customers with many resources for one dollar per month.
- When choosing a hosting provider, pay attention not only to the price but also to quality, especially with regard to security. It is very important. Consult with other web admins and developers on forums and online communities.
- Choose a hosting that pays attention to security.
- Make sure you can update Joomla and its extensions from the admin panel.
Conclusion: Do you remember the expression: “Penny-wise, pound foolish”? So, it is better to make sure your hosting provides quality services.
I will be using this extension soon
It is easy to add extensions to Joomla sites. Why not install as many extensions as possible, especially since they will be useful to me very soon, maybe next month.
- Installing plenty of extensions harms the security of your site since all these extensions should be up to date.
- Install only those extensions without which your site will not work. Remove unnecessary extensions (of course, only after creating a backup.)
Conclusion: install only those extensions that you need in your work.
This seems to be the right extension: Mistakes to get Joomla site hacked
But I can only find out about it after installation and testing.
- Firstly, do not turn your site into a testing environment.
- Secondly, test the extension first on a copy of the site on a local webserver.
Conclusion: test new functions on a specially prepared environment, not on a live site.
Installation is possible only with permission 777
Installing extensions or uploading images is only possible with permissions 777. I know that this is unsafe, but I will change the permissions to 755 right after the installation.
- Firstly, permission 777 is very insecure, even if done temporarily. You will not be the first or the last person to forget to change it.
- Secondly, reread the fifth point of this article and look for a better hosting provider.
Conclusion: unsafe permissions are always unsafe, even if used temporarily.
Oh, no, too many passwords… Mistakes to get Joomla site hacked
OK, I understand the need to use different passwords for different sites. I follow this principle diligently, and I store my passwords in my browser or FTP client.
Modern viruses search for passwords stored in the software and send this info to cybercriminals so that they can then successfully hack your site.
Conclusion: do not store passwords in plain text.
I take care of everything that is present here
I have already followed everything mentioned here but somehow was not thinking about HTTP, FTP, and email traffic. This traffic is open, which means that logins and passwords are in plain text.
- Do not use public Wi-Fi in your work, despite the fact that it is very convenient. Remember that everything you do can be tracked by other users on this network.
- Even if you connect to a secure network, some of your traffic is unencrypted and therefore vulnerable.
- Use secure protocols HTTPS (for browsers), SFTP (for FTP) and TLS (for email), and SSH. It is also advised to check the best VPN services and use them for all connections.
Conclusion: keep your logins and passwords from being intercepted by interested parties.
Alex Vakulov is a cybersecurity researcher with over 20 years of experience in virus analysis. Alex has strong malware removal skills. He is writing for numerous security-related publications sharing his security experience.