Now that we better understand the need for taking every possible precaution to protect our websites, we will provide a brief overview of the first ten essential steps for protecting our website. These steps are presented in the order that they are done – not the order of importance. All of the steps are important. Skipping any one of them will leave your website more open to attack. The NSA motto is “Collect Everything.” If we are going to have a secure website, our motto must be to “Protect Everything.”


Here is an overview of our first ten steps:

#1 Use a Secure Linux Computer to Build Your Website

#2 Use XNView to Batch Clean All of Your Images

#3 Use a Secure ProtonMail Email Address to Set Up your Hosting Account

#4 Use a Secure Canadian Linux Hosting Account such as Fullhost

#5 Use Strong Passwords for your Email Account, your Web Host account and your Joomla Login page.

#6 Change your PHP version from PHP 5.6 to PHP 7.1

#7 Encrypt your domain name even before installing Joomla

#8 Use your secure ProtonMail Email Address when you install Joomla

#9 Activate the HT Access File in Cpanel

#10 Log into your Joomla Control Panel and change your user name and password.

Let’s take a closer look at each of these ten steps:


#1 Use a Secure Linux Computer to Build Your Website
Let’s be very clear. It is not possible to build a secure website with a Windows or Apple computer. Both are NSA Prism partners and both allow the NSA access to all of your data. The same back doors used by the NSA can also be used by any knowledgeable hacker to access your Windows or Apple computer any time your computer is hooked up to the Internet. The only way to have a secure website is to use a secure Linux computer to create and load your website documents.

This is why Learn Linux and LibreOffice is our first course at College in the Clouds: it is an essential first step in building a secure interactive website. With the help of our Learn Linux website, you can create and learn how to use a Linux computer in a matter of days. Best of all, buying an Acer C910 15 inch high resolution Chromebook and modifying it to be a fully functioning Linux computer costs less than $400 – about one quarter of the price of a less secure Windows or Apple computer.

After you have a Linux computer, you want to have a document with a table of all of your websites and all of the access information and passwords to all of your websites. Also keep a copy of this information on a thumb drive in a safe place in case you lose your Linux computer.

While the file and folder structure will eventually be transferred to your Cpanel File Manager using the Joomla Interface, the initial structure of your website should be built on your own secure Linux computer. We will provide more information on this file structure later. But your website structure begins by using your Linux File Manager to create a “root” folder for your website, such as MySite.com. In this folder, create folders for your articles, images, extensions and web articles. Here is what your website root folder will look like:

[Screenshot: the website root folder in the Linux file manager]

The web articles are simply copies of your articles with the images replaced by placeholder text and the images themselves moved to folders in your images folder. The articles themselves should be written in a free open source document creation tool called LibreWriter, which comes with nearly all Linux distributions by default. For more information on how to set up a Linux computer and use LibreWriter, see our website:
https://learnlinuxandlibreoffice.org/


#2 Use XNView to Batch Clean All of Your Images
It is important to compress every one of your images in your Libre Writer documents. This is done by right clicking on each image, selecting Compress then selecting OK. This should result in reducing the file size of the image to something less than 100KB. Failing to compress even a single image will greatly reduce the loading speed of your website. It is equally important to “clean” all of your images before posting them to the back end of your Joomla website as a common hacking trick is to hide malicious code in the properties section of images – which are then uploaded by you to your site if they are not cleaned. There is a free program called XNView which can batch clean hundreds of images in a matter of seconds. Simply open XNView. Then select the folder that has all of your website images. Then create an output folder for the clean images. Then Add the Action “Clean Metadata.” Then click Convert.
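As an added example (not code from the original tutorial or from XNView), here is a small Python program that does for JPEG files what XNView's Clean Metadata action does: it walks the file's marker segments, drops the APPn and COM segments where EXIF, XMP, IPTC and comment data live, and discards any bytes appended after the End Of Image marker, which is another place where unwanted data can ride along inside an image. The sample image bytes are constructed by hand for the demonstration and are not a real photograph; the function names are my own.

```python
"""Strip metadata-bearing segments from a JPEG without a third-party imaging
library: APPn segments (EXIF, XMP, IPTC, vendor blobs), COM comment segments,
and any bytes appended after the End Of Image marker.
The sample image below is constructed by hand and is not a decodable photo."""

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
STANDALONE = {0x01} | set(range(0xD0, 0xD8))   # TEM, RST0..RST7: no length field


def parse_header(data: bytes):
    """Walk the length-prefixed segments between SOI and SOS.
    Returns ([(marker, payload), ...], offset_of_sos_length_field)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are legal padding
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated before the marker code")
        marker = data[pos]
        pos += 1
        if marker == SOS:
            return segments, pos
        if marker in STANDALONE:       # not expected before SOS; nothing to copy
            continue
        length = int.from_bytes(data[pos:pos + 2], "big")
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        segments.append((marker, data[pos + 2:pos + length]))
        pos += length
    raise ValueError("no Start Of Scan marker found")


def is_metadata(marker: int, payload: bytes) -> bool:
    """Decide which header segments carry metadata rather than image structure."""
    if marker == COM:                       # free-form comment: anything can be stored here
        return True
    if marker == 0xE0:                      # APP0: keep only the JFIF header itself
        return not payload.startswith(b"JFIF\x00")
    return 0xE1 <= marker <= 0xEF           # APP1..APP15: EXIF, XMP, IPTC, ICC, vendor data


def strip_jpeg_metadata(data: bytes):
    """Return (cleaned_bytes, removed_segments, trailing_byte_count)."""
    segments, sos = parse_header(data)
    out, removed = bytearray(b"\xff\xd8"), []
    for marker, payload in segments:
        if is_metadata(marker, payload):
            removed.append((marker, len(payload)))
            continue
        out += b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload
    # Inside entropy-coded data a 0xFF byte is always stuffed (FF 00) or followed by
    # an RSTn marker, so the first FF D9 after SOS is the real End Of Image.
    end = data.find(b"\xff\xd9", sos)
    if end == -1:
        raise ValueError("no End Of Image marker found")
    out += b"\xff\xda" + data[sos:end + 2]
    return bytes(out), removed, len(data) - (end + 2)


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


TRAILING_JUNK = b"CONSTRUCTED-DATA-APPENDED-AFTER-EOI"
# Constructed sample: a JPEG-shaped byte string with a JFIF header, an EXIF block,
# a comment, fake DQT/SOF0/SOS headers and a few bytes of "scan" data.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00" + b"CONSTRUCTED-EXIF-PAYLOAD")
    + _segment(COM, b"CONSTRUCTED-COMMENT-TEXT")
    + _segment(0xDB, b"\x00" + bytes(range(64)))
    + _segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
    + TRAILING_JUNK
)


if __name__ == "__main__":
    cleaned, removed, trailing = strip_jpeg_metadata(SAMPLE_JPEG)
    for marker, size in removed:
        print(f"removed segment 0x{marker:02X} ({size} bytes)")
    print(f"dropped {trailing} trailing bytes; {len(SAMPLE_JPEG)} -> {len(cleaned)} bytes")
```

Run it as a script to see the report, or call strip_jpeg_metadata() on bytes read from a file and write the cleaned bytes back out. It keeps the JFIF APP0 header because some decoders expect it, and it drops the ICC profile in APP2 along with everything else; if colour accuracy matters for a site's photos, treat APP2 as an exception. PNG and GIF store metadata in different chunk structures, so this routine is JPEG-only; for batches of mixed formats XNView remains the practical tool.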



#3 Use a Secure ProtonMail Email Address to Set Up your Hosting Account
Major email providers like Google and Yahoo are also NSA Prism Partners. As sensitive security information will be sent to your email address, even before we set up our hosting account, we should get a secure ProtonMail email address and use this secure email address to set up a secure hosting account. We will use this same ProtonMail account when we install Joomla on our website. Here is the link to get your free account: https://protonmail.com/



#4 Use a Secure Canadian Linux Hosting Account such as Fullhost
As we explained in a previous chapter, it is no longer safe to put either your domain name or your website on any server located in the US. It is also not safe to put your website on any Windows server regardless of where that server is located. We recommend a web host in Canada, Fullhost, that uses only Linux computers and takes several additional precautions (including giving us a free Let’s Encrypt tool) to protect our website. Here is the link to Fullhost: https://www.fullhost.com/


Fullhost has a basic shared hosting option that is only $7 Canadian per month (about $5 US dollars per month). This allows you to set up several websites on a single Cpanel account. However, if a hacker manages to break into any one of your websites, they can destroy any other websites that are on the same Cpanel account.

Therefore, if you have more than three websites, a much more secure option is to get a Reseller Hosting account at Fullhost for $20 Canadian per month (about $15 US dollars per month). The reseller account will allow you to have up to 15 separate Cpanel accounts each with their own file manager. This will prevent hackers from bringing down more than one or two of your websites at a time. I currently have about 30 websites on 15 different cPanel accounts. The cost per website per month is about $1 US for the domain name and 50 cents US for the hosting for a total cost of $1.50 per month or $18 US per year per website.

#5 Use Strong Passwords for your Email Account, your Web Host account and your Joomla Login page.
First, avoid using default user names like "admin" or "administrator". Those are first in the list of words a potential attacker will try. Next, use a strong password. Many attackers try to brute-force your login details. This means that they use a list of commonly used passwords to guess yours.

As for the password itself, do not use common words like pass123 or admin123. Do not use your name in your password. Do not use a password generator because these can also be compromised. Instead use a strong password that is at least 9 characters long and includes a combination of upper case and lower case letters, numbers and special characters such as # and $. The following is an example of a very strong password with 3 capital letters, 3 lower case letters, 3 numbers and 4 special characters: $Ea!275(Fv)Zx

Do not use this same password for any other account. This means that your website administrator password should be different from your hosting account password and different from your email service password. Each password should be unique. Keep a record of all of these passwords in a file on your hopefully secure computer.
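Here, as an added example that is not part of the original tutorial, is a Python checker that turns the rules above into something you can run against a candidate password before saving it: the 9-character minimum, the mix of upper case, lower case, digits and specials, no common words, no part of your own name, no default user names, and no reuse across the email, hosting and Joomla accounts. The common-password list is a short constructed sample standing in for a real published list, and the function names are my own.

```python
"""Check a user name and password against the rules in step #5: no default
account names, at least 9 characters mixing upper case, lower case, digits and
special characters, no common words, no personal name, and no reuse across
accounts. COMMON_PASSWORDS is a short constructed sample; a real deployment
would load a large published list instead."""

import string

DEFAULT_USERNAMES = {"admin", "administrator", "root", "user", "test"}
COMMON_PASSWORDS = {"password", "pass123", "admin123", "123456", "qwerty", "letmein", "welcome"}
SPECIALS = set(string.punctuation)          # includes # and $ from the text
MIN_LENGTH = 9


def check_username(username: str) -> list:
    """Return the list of problems with an administrator user name."""
    problems = []
    if username.strip().lower() in DEFAULT_USERNAMES:
        problems.append("default account name (first thing a brute-force tool tries)")
    if len(username.strip()) < 4:
        problems.append("user name shorter than 4 characters")
    return problems


def check_password(password: str, username: str = "", real_name: str = "",
                   other_passwords=()) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character such as # or $")
    lowered = password.lower()
    if any(common in lowered for common in COMMON_PASSWORDS):
        problems.append("built on a common password")
    if len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the user name")
    for part in real_name.split():           # "Jane Doe" -> checks "jane" and "doe"
        if len(part) >= 3 and part.lower() in lowered:
            problems.append(f"contains part of your name ({part})")
    if password in other_passwords:          # the email / hosting / Joomla passwords must differ
        problems.append("reused from another account")
    return problems


def character_mix(password: str) -> dict:
    """Count upper, lower, digit and special characters, as the text does for its example."""
    return {
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "special": sum(c in SPECIALS for c in password),
    }


if __name__ == "__main__":
    # The example password from the text plus a few constructed weak ones.
    for pwd in ["$Ea!275(Fv)Zx", "pass123", "JaneDoe#2017", "Admin123!"]:
        verdict = check_password(pwd, username="jdoe", real_name="Jane Doe") or ["ok"]
        print(f"{pwd:16} {character_mix(pwd)} -> {', '.join(verdict)}")
```

The reuse check is the one most often skipped in practice: pass the passwords already chosen for the other accounts in `other_passwords` so the Joomla password cannot silently duplicate the hosting or email one.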


#6 Change your PHP version from PHP 5.6 to PHP 7.1
PHP is the language your Joomla website uses to control the information in your website database. Nearly all Joomla and WordPress websites currently use PHP version 5. This is no longer a very secure version of PHP. A new version of PHP, PHP 7, was introduced in 2016; it is twice as fast as PHP 5 and much more secure. After getting your Fullhost Shared Hosting Account, log in to your Fullhost account using your ProtonMail email address and a secure password. Then click on the red Services button. Then click on the green Active button. Then click on Log into Cpanel. Scroll down to SOFTWARE. Then click on Select PHP version. Then select the latest version of PHP. Then click Set as Current.


Then click on Cpanel to return to the Home screen. Note that the latest version of PHP may cause excessive warnings to appear on our website. If this turns out to be the case, return to this screen and change the version from PHP 7.1 to PHP 7.0. As 98% of all Joomla and Wordpress websites still use PHP 5, taking this single step will make our website faster and more secure than 98% of all websites.

#7 Encrypt your domain name even before installing Joomla
Cpanel now comes with a free way to encrypt your domain name even before you add an application to it. Go to your Fullhost account, then click on My Services. Then click on the green Active button. Then click on Log into cPanel. Then scroll down to the SECURITY section. Then click on SSL/TLS. Here is what the screen will look like:

[Screenshot: the cPanel SSL/TLS screen]
If you click on Generate Private Keys, you will see that a set of private keys has been generated automatically for you.


If you do not see any keys in the table, wait 24 hours for these keys to appear. Once the private keys are shown, click on the Browser back arrow. Next click on Generate, view, upload or delete SSL certificates. You should see that a free Let’s Encrypt Certificate has been automatically generated for your website domain name.

You can click on the Edit button and then click on Update Description to see the default information and add more information to it. But this is technically not needed. Instead, click on the back arrow. Then click Manage SSL sites. This is where you can add sub-domains, Add On Domains and Parked Domains. The certificate will be set to expire in about 90 days. Do not worry. The certificate will automatically renew itself. You do not need to take any further action after activating SSL on your Joomla site.

What is SSL and Why Do We Need It?
SSL (Secure Sockets Layer) is the standard encryption technology which establishes a secure connection between a web browser and the server. This ensures that all the data passed during the connection remains private and encrypted. SSL is used by millions of websites to protect the sensitive information entered by visitors. Most people can spot a secure SSL site from a non-secure site by the presence of a green bar or lock in the URL box and by the URL beginning with HTTPS rather than HTTP.

As a website owner, you have a big responsibility to keep the privacy of your visitors intact. Installing SSL encryption on your website is a good start and prevents the interception of submitted information by hackers. SSL hides your vital information and your readers’ vital information from hackers. Failing to use SSL not only might cause your customers to be harmed, but it also increases the chances of your website being hacked using a customer’s log in credentials followed by a program that elevates their privileges. Using SSL not only increases the security of your website and the trust of your readers, it also increases your Google page ranking because Google gives priority to sites using SSL.

What is Let’s Encrypt?
Let’s Encrypt is a free, automated, open source SSL certificate authority created to benefit the public. It allows you to get browser-trusted certificates for your domains at no cost that renew automatically every 90 days. There are no difficult configurations, no validation emails and you can install multiple certificates on your hosting accounts, for each domain and subdomain you choose with Let's Encrypt Free SSL. All popular browsers support Let’s Encrypt Free SSL. Thanks in part to Let’s Encrypt Free SSL Certificates, 80% of all visited sites now use encryption.
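As an added example that is not part of the original tutorial, the Python script below inspects the certificate a site actually serves, so you can confirm that the Let’s Encrypt certificate is live and see how close it is to its 90-day expiry. (Modern browsers negotiate TLS, the successor to SSL; the cPanel screen keeps the older name.) fetch_peer_cert() needs network access and is not exercised here; summarise_cert() is pure and is run on a constructed dictionary shaped like the output of Python’s SSLSocket.getpeercert(). The host name example.org, the dates and the function names are sample values and my own assumptions, not data from the page.

```python
"""Inspect the certificate a site serves: issuer, names covered, lifetime and
days left. fetch_peer_cert() needs the network; summarise_cert() is pure and is
exercised on SAMPLE_CERT, a constructed dict shaped like SSLSocket.getpeercert()
output. example.org and the dates are sample values, not a real certificate."""

import socket
import ssl
from datetime import datetime, timezone

RENEW_WITHIN_DAYS = 30   # Let's Encrypt's own clients renew once 30 days or fewer remain


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection and return the leaf certificate as a dict.
    Raises ssl.SSLCertVerificationError if the chain does not validate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def _name(rdns) -> dict:
    """Flatten getpeercert()'s nested ((('key', 'value'),), ...) name tuples."""
    return {key: value for rdn in rdns for key, value in rdn}


def _utc(cert_time: str) -> datetime:
    """Parse the 'Jan  8 12:00:00 2018 GMT' form used by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def summarise_cert(cert: dict, now: datetime) -> dict:
    """Reduce a getpeercert() dict to the facts a site owner cares about."""
    issuer, subject = _name(cert.get("issuer", ())), _name(cert.get("subject", ()))
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    days_left = (not_after - now).days
    return {
        "common_name": subject.get("commonName"),
        "dns_names": [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"],
        "issuer": issuer.get("organizationName"),
        "lets_encrypt": issuer.get("organizationName") == "Let's Encrypt",
        "lifetime_days": (not_after - not_before).days,
        "days_left": days_left,
        "expired": days_left < 0,
        "renew_now": days_left <= RENEW_WITHIN_DAYS,
    }


def covers(summary: dict, hostname: str) -> bool:
    """True if the certificate names this host exactly (no wildcard handling)."""
    return hostname in summary["dns_names"] or summary["common_name"] == hostname


# Constructed sample shaped like getpeercert() output for a 90-day certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.org"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X3"),)),
    "notBefore": "Oct 10 12:00:00 2017 GMT",
    "notAfter": "Jan  8 12:00:00 2018 GMT",
    "subjectAltName": (("DNS", "example.org"), ("DNS", "www.example.org")),
}
SAMPLE_NOW = datetime(2017, 12, 20, 12, 0, tzinfo=timezone.utc)   # constructed "today"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                 # python check_cert.py yourdomain.example
        cert, now = fetch_peer_cert(sys.argv[1]), datetime.now(timezone.utc)
    else:
        cert, now = SAMPLE_CERT, SAMPLE_NOW
    for key, value in summarise_cert(cert, now).items():
        print(f"{key:14} {value}")
```

Run it with your domain name as the argument after the certificate has been issued; `lets_encrypt` confirms the issuer, `dns_names` shows whether the www sub-domain is included, and `renew_now` or `expired` flags a certificate that the automatic renewal has not picked up.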

Once we verify that our Let’s Encrypt certificate is installed in Cpanel, we are ready to install Joomla on our domain name.


#8 Use your secure ProtonMail Email Address when you install Joomla
While we are in Cpanel, after verifying that our domain name has a Let’s Encrypt certificate, we will next install Joomla. Scroll down to the Softaculous Apps Installer section. Then click on the Joomla icon. Then click on Install.

Delete the Joomla30 from the directory box in order to install Joomla in the root directory of our domain. Then type in your domain name and slogan.


Leave Import Sample Data set to None. Type in your initial User Name and password (we will change these later).

Then click Install. This will provide a link to our Joomla Administrator login page. However, before we click on this link, we should activate our HT Access file with the Cpanel file manager.

#9 Activate the HT Access File in Cpanel
The HT Access file can help to protect your website against a set of common exploits. But we need to enable it to get this protection. We enable it by renaming it. From the Softaculous Installer page, click on CP at the top of the page to go back to the Cpanel control panel. Then click on the file manager. Then click on the public_html folder to open it. Below a bunch of folders, you will see a file called htaccess.txt. Click on it to select it. Then right click and select Rename.


Delete the .txt and put a dot before htaccess:



Then click Rename File. Sadly, this will hide the file. To see it, click on Settings in the upper right corner of the screen. Then click on Show Hidden Files. Then click Save.

Now we can see the file. Now click on the .htaccess file to select it. Then right click and click Edit to open this file. Then click Edit again. Then click Use Code Editor so we can see the line numbers.

At about line 62, you will see

# RewriteBase /

Delete the hash tag so the line looks like this:
RewriteBase /


This will allow us to use Search Engine Friendly URLs for our site which in turn will make our site harder for hackers to attack with automated programs by hiding typical Joomla URLs.

Next, copy and paste this code just after “RewriteEngine On” on about line 29:

RewriteCond %{REQUEST_URI} ^/images/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/media/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/logs/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/tmp/
RewriteRule .*\.(phps?|sh|pl|cgi|py)$ - [F]

This code will block all attempts to run scripts outside the Joomla control. This tip is from the following URL:

https://www.gavick.com/documentation/joomla/how-to-secure-your-joomla-3-1-site-against-hacker-attacks
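As an added example (not code from the original tutorial or from Gavick), the Python script below emulates the four RewriteCond lines and the RewriteRule quoted above and runs them over sample access-log lines, so you can check which requests the rule would answer with 403 Forbidden before relying on it. The log lines are constructed for this example. One caveat the emulation makes visible: the RewriteCond lines carry [NC] but the RewriteRule does not, so an upper-case extension such as .PHP is not matched; the `rule_case_insensitive` switch, my own addition, shows the effect of adding [NC] to the RewriteRule as well.

```python
"""Emulate the .htaccess snippet quoted above and audit sample access-log lines
against it. SAMPLE_LOG is constructed for this example (RFC 5737 addresses)."""

import re

# Directories named in the four RewriteCond lines (all matched with [NC]).
UPLOAD_DIRS = ("/images/", "/media/", "/logs/", "/tmp/")
# RewriteRule pattern exactly as quoted; Apache uses PCRE, which Python's re mirrors here.
SCRIPT_PATTERN = r".*\.(phps?|sh|pl|cgi|py)$"
SCRIPT_RULE = re.compile(SCRIPT_PATTERN)                   # as written: case-sensitive
SCRIPT_RULE_NC = re.compile(SCRIPT_PATTERN, re.IGNORECASE)  # what adding [NC] would do

# Apache combined log format: client, identd, user, [time], "request", status, size, ...
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_forbidden(request_target: str, rule_case_insensitive: bool = False) -> bool:
    """True if the snippet would answer this request with 403 ([F])."""
    path = request_target.split("?", 1)[0]                 # %{REQUEST_URI} has no query string
    in_upload_dir = path.lower().startswith(UPLOAD_DIRS)   # RewriteCond ... [NC,OR] chain
    rule = SCRIPT_RULE_NC if rule_case_insensitive else SCRIPT_RULE
    # In .htaccess context the per-directory prefix "/" is stripped before matching.
    return in_upload_dir and rule.search(path.lstrip("/")) is not None


def audit_log(lines, rule_case_insensitive: bool = False) -> list:
    """Return [(client, target, status, forbidden)] for every parsable log line."""
    results = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        results.append((m["client"], m["target"], int(m["status"]),
                        is_forbidden(m["target"], rule_case_insensitive)))
    return results


# Constructed sample access log: a script dropped under /images and /tmp being
# requested, next to ordinary requests for an image, a JS file and a Joomla page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2017:13:55:36 +0000] "GET /images/banners/x.php HTTP/1.1" 200 512 "-" "curl/7.55"
203.0.113.5 - - [10/Oct/2017:13:55:37 +0000] "GET /images/banners/x.PHP HTTP/1.1" 200 512 "-" "curl/7.55"
203.0.113.5 - - [10/Oct/2017:13:55:38 +0000] "GET /tmp/upload.sh?run=1 HTTP/1.1" 200 88 "-" "curl/7.55"
198.51.100.7 - - [10/Oct/2017:13:56:01 +0000] "GET /images/joomla_black.png HTTP/1.1" 200 9023 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2017:13:56:02 +0000] "GET /media/system/js/core.js HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2017:13:56:03 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 20311 "-" "Mozilla/5.0"
""".splitlines()


if __name__ == "__main__":
    for client, target, status, forbidden in audit_log(SAMPLE_LOG):
        print(f"{client:14} {status} {'BLOCK' if forbidden else 'allow':5} {target}")
```

Whether a server actually executes a file named x.PHP depends on how its handlers are configured, but adding [NC] to the RewriteRule as well costs nothing and closes the gap. The other thing the audit shows is that requests for such files that returned 200 in an existing log are worth a closer look, since the rule only stops future requests and does not remove a file that is already there.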

Then click Save Changes. Then click Close. Also while we have the file manager open, click on the images folder to open it.



Even though we did not want the sample data, Joomla loaded the sample images anyway. We could delete these later with the Joomla Media Manager. But it is quicker to delete them with the Cpanel File Manager. Click on the Banners folder to select it. Then right click and select Delete. Check Skip the Trash and click Confirm. Repeat for the headers folder and the sample data folder and the joomla black file and the powered by file – leaving only the index.html file. Now close the file manager browser tab to close the file manager. This brings us back to the Cpanel control panel.

#10 Log into your Joomla Control Panel and change your user name and password.
In Cpanel, scroll down and click on the Joomla Icon. This will bring up our current installations. Click on the Admin icon to reach our Joomla Administrator log in page.



If you go to your Joomla admin page and it says "This webpage is not available." it is likely that the domain has not yet been directed to the Fullhost servers. Log into your Fullhost account, click on Domains, then Manage NameServers and direct this domain to the Fullhost servers. They should be ns2.fullhost.com, ns3.fullhost.com and ns1.fullhost.com.

Then log into your new website admin page. The good news is that our Administrator page is fully encrypted as we can see from the green bar to the left of our URL at the top of the screen. Log in with your Initial User Name and Password.


Joomla wants to collect information. Click Never. Then click Read Messages and Hide all three messages. Our next task is to change our user name and password. When you create a new Joomla site with the Cpanel one click install, an email may be sent to your email account with your installation User Name and Password plus sensitive information about the name and password of your website database. If you have a ProtonMail account, this email may be encrypted. But if your email account has been compromised, this User Name and Password will also be compromised. To change your user name and password, click on Users, Manage. Then click on your name. Change your log in name and your password. This is especially important if you did not set up a ProtonMail account, as there may be a record of your initial user name and password in an insecure email file. Then click Save and Close. Now view the front end of our site by clicking on the link in the upper right corner of our screen.


The front end of our site is also encrypted. But we will soon have problems with spammers and hackers if we continue to display the log in form on our Home page. In the next section, we will take ten more steps to secure our website – beginning with hiding the Front End Log In Form.