In this section, we will describe ten more important steps for creating a secure Joomla website. Here is a list of these ten steps:

#1 Hide the Front End Log In Form

#2 Change Joomla Global Configurations

#3 Download and Install Free Joomla Encryption Tool (if not using Let’s Encrypt)

#4 Download and Install Brute Force Stop

#5 Download and Install Marco SQL Injection Monitor

#6 Download and Install Spam Protect Factory

#7 Download and Install Eyesite File Monitoring Tool

#8 Replace the Default Joomla Templates with the Sparky Template Framework

#9 Delete the Joomla Generator tag

#10 Create and Download a Site Backup in Cpanel

Below is a brief description of each of these steps.

#1 Hide the Front End Log In Form
We ended Section 3.2 by displaying the front end of our website with the Log In form in the right side position. We will now hide this login box so that every page stops advertising a login target to spammers and password-guessing bots. Log into the backend of the website by adding /administrator to the front end URL: https://ourinteractivewebsite.org/administrator

Then click Extensions, Modules in the top menu. Then select the Log In Form and click Unpublish. A red X will appear to the left of the Login Form.


Then view the front end of the site again to verify that the login module is now hidden. Keep in mind that unpublishing the module only removes the form from the page layout; the front end login view itself is still reachable at index.php?option=com_users&view=login, so this step reduces exposure rather than eliminating it. Here is what our site now looks like:



#2 Change Joomla Global Configurations
Our next task is to change the Global Configuration settings. In the Admin Panel, click on System, Global Configuration in the Top Menu. There are several changes we need to make here. First, on the Site tab, change URL Rewriting from No to Yes. This enables search engine friendly URLs, but only do this if you have already renamed htaccess.txt to .htaccess in your site root (on an Apache host); otherwise every page except the home page will return an error. You can also add site meta keywords here, though these have no bearing on security. Next click on the System tab and increase the Session Lifetime from 15 minutes to 99 minutes. This is a convenience setting: a longer lifetime means a stolen or unattended administrator session stays valid for longer, so shorten it again if the site will be managed from shared computers. Then click on the Server tab and change Force HTTPS from None to Entire Site. Do this only after a valid certificate is installed and the site already loads correctly over https; forcing HTTPS without one locks you out of the administrator login. Then click Save and Close.



We are now ready to download and install several important free Joomla security tools.

#3 Download and Install Free Joomla Encryption Tool (if not using Let’s Encrypt)
If your site does not have Let’s Encrypt (perhaps because you are using a web host that does not offer it), then the administrator login page is a huge security risk because the username and password travel to the server unencrypted. No Joomla extension can fix that: traffic is only encrypted in transit when the web server has a TLS certificate, so if your host does not offer Let’s Encrypt, obtain a certificate another way or change hosts. What the extension installed in this step does, as its name indicates, is protect the values stored in configuration.php (such as the database password), which limits what an attacker learns if that file is ever read. It is a useful addition, not a substitute for HTTPS. To install it, click on Help, Joomla Extensions in the top menu. This will take us to the Joomla Extensions page.
https://extensions.joomla.org

Type encrypt configuration in the Search box. Then press Enter.


Then click on the Encrypt Configuration box.


Here is the direct link.
https://extensions.joomla.org/extensions/extension/access-a-security/site-security/encrypt-configuration


Click Download to go to the Download page. Then download the latest version which is currently Joomla 3. Transfer this extension from your Downloads folder to your website Extensions folder. Then in the Joomla Admin panel, click on Extensions, Manage, Install.

Click Choose File. Then navigate to your website extensions folder and click on Encrypt configuration (com_encrypt) to select it. Then click Upload and Install. This free tool comes already configured, so we do not need to change any settings.

#4 Download and Install Brute Force Stop
From the Joomla Admin panel, click on Help, Joomla Extensions again. This time enter Brute Force Stop in the Search Box. Then click on the Brute Force Stop box.

Here is the direct link to this free extension.
https://extensions.joomla.org/extensions/extension/access-a-security/site-security/brute-force-stop


Click on Download. This will download this free tool to your Downloads folder. Transfer it to your website extensions folder. Then install it by going to Extensions, Manage, Install. Click on Choose File. Then select bfstop. Then click Upload and Install.

Brute Force means attacking a website by systematically bombarding the login page with username and password combinations over and over again until a login succeeds. It is very simple and extremely common. Even if you have a really good password, there is still the extra traffic and bandwidth these attacks consume.

The Brute Force Stop (bfstop) tool monitors each failed login attempt and logs it to the database. If the number of failed login attempts from one IP address exceeds the amount given in the configuration, the tool will prevent any further access to Joomla! from that IP address. The assumed attacker cannot try to log in anymore; they are blocked from accessing your whole Joomla! installation and only see a (configurable) message that they have exceeded the number of allowed login attempts and are therefore banned. The ban can be configured to be either permanent or to last a specified time. In addition, BF Stop will notify you by email whenever there is a brute force attack on your website and provide the IP address of the attacker so you can research who is attacking you and where the attacks are coming from. Note that the block is keyed on the client IP address as the web server sees it. If your site sits behind a reverse proxy or CDN, every visitor may appear to come from the proxy's address; make sure the real client address is passed through before relying on the plugin, or one attacker can get all of your legitimate visitors banned.

To configure Brute Force Stop, go to Extensions, Plugins and scroll down to "System - Brute Force Stop" in the list. You might have to scroll down in the list or go to one of the next pages to reach that entry. Most of the options can be left at their default value. The only thing that you must do to enable the plugin is to set its status to Enabled. We will lower the threshold from 10 attempts to 5 attempts and shorten the duration from 1 day to 30 minutes.


Then click on the Notification tab. Type in your secure Proton Mail email address and/or select yourself in the Select a User box.


Click on the Advanced tab and raise Permanent After from 3 to 5. Then click Save and Close. To see a log of these failed attempts, click Components, Brute Force Stop:


Click Settings to send yourself a Test Notification to make sure this system is working.
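To make the blocking rules concrete, here is an added Python example written for this page (it is not the bfstop plugin's code) that models the decision the plugin makes with the settings chosen above: five failures from one address trigger a 30-minute block, and the fifth block becomes permanent. The reset-on-success rule, the constructed login attempts and the client_ip helper for proxied sites are assumptions for the example, not documented bfstop behaviour.

```python
import ipaddress
from datetime import datetime, timedelta


class BruteForceStop:
    """Per-IP failed-login counter with temporary and then permanent bans.

    Added example modelled on the settings used in this tutorial; it is not
    the bfstop plugin's code. Assumption: a successful login clears the
    failure counter for that address.
    """

    def __init__(self, threshold=5, block_minutes=30, permanent_after=5):
        self.threshold = threshold
        self.block_duration = timedelta(minutes=block_minutes)
        self.permanent_after = permanent_after
        self._failures = {}       # ip -> failures since the last success or ban
        self._blocked_until = {}  # ip -> expiry datetime, or None for a permanent ban
        self._ban_count = {}      # ip -> number of bans issued so far

    def is_blocked(self, ip, now):
        if ip not in self._blocked_until:
            return False
        until = self._blocked_until[ip]
        if until is None or now < until:
            return True
        del self._blocked_until[ip]   # temporary ban has expired
        return False

    def record(self, ip, now, success):
        """Process one login attempt and return 'blocked', 'ok' or 'failed'."""
        if self.is_blocked(ip, now):
            return "blocked"          # even a correct password is refused
        if success:
            self._failures.pop(ip, None)
            return "ok"
        count = self._failures.get(ip, 0) + 1
        self._failures[ip] = count
        if count < self.threshold:
            return "failed"
        # Threshold reached: issue a ban and restart the counter.
        self._failures.pop(ip, None)
        bans = self._ban_count.get(ip, 0) + 1
        self._ban_count[ip] = bans
        self._blocked_until[ip] = None if bans >= self.permanent_after else now + self.block_duration
        return "blocked"


def client_ip(remote_addr, forwarded_for=None, trusted_proxies=()):
    """Pick the address to count against.

    X-Forwarded-For is honoured only when the TCP peer is a proxy we trust;
    otherwise an attacker can set the header to dodge bans or to get
    arbitrary addresses banned. (Assumed helper, not part of bfstop.)
    """
    peer = ipaddress.ip_address(remote_addr)
    if forwarded_for and any(peer in ipaddress.ip_network(p) for p in trusted_proxies):
        return forwarded_for.split(",")[0].strip()
    return remote_addr


T0 = datetime(2024, 1, 1, 12, 0, 0)

# Constructed login attempts: (seconds after T0, client address, password correct?)
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.7", False),
    (5, "203.0.113.7", False),
    (10, "203.0.113.7", False),
    (15, "203.0.113.7", False),
    (20, "203.0.113.7", False),   # fifth failure: 30-minute block starts
    (25, "203.0.113.7", True),    # right password, but the address is blocked
    (30, "198.51.100.9", False),  # a different visitor is unaffected
    (35, "198.51.100.9", True),
    (1900, "203.0.113.7", True),  # 31 minutes later the block has expired
]


def simulate(attempts=SAMPLE_ATTEMPTS, **settings):
    """Run the constructed attempts through the counter and return each outcome."""
    bfs = BruteForceStop(**settings)
    return [bfs.record(ip, T0 + timedelta(seconds=s), ok) for s, ip, ok in attempts]


if __name__ == "__main__":
    for attempt, outcome in zip(SAMPLE_ATTEMPTS, simulate()):
        print(attempt, "->", outcome)
```

Running simulate() with the tutorial's settings gives four "failed" results, then "blocked" for the fifth failure and for the correct password that follows it, while the second visitor logs in normally and the first address is accepted again once the 30 minutes are up; with permanent_after=1 the last attempt stays "blocked".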


#5 Download and Install Marco SQL Injection Monitor
Another common type of attack is SQL injection: an attacker puts SQL fragments into form fields or URL parameters in the hope that a poorly written extension passes them straight into a database query. To detect this kind of attack and email you when it occurs, we will install another free Joomla tool called Marco's SQL Injection. To download this free tool, click on Help, Joomla Extensions. Then enter Marco SQL Injection in the search box. Then click on the box to open it. Here is a direct link to this free tool.
https://extensions.joomla.org/extensions/extension/access-a-security/site-security/marco-s-sql-injection

Click Download. Then scroll down the page and click on the latest version to download it. Transfer this tool from your Downloads folder to your website extensions folder. Then install it by going to Extensions, Manage, Install and selecting this tool. Then click Upload and Install. To configure this tool, go to Extensions, Plugins and scroll down to System - Marco's SQL Injection. Click on it to open it. Click Enable. Leave it set for Front End Only (or you may get locked out of your own site backend)! Change Send Alert Email from No to Yes and enter your secure email address in the next box. Also change Enable Temporary IP block from No to Yes. Then click Save and Close. Keep in mind that a request filter like this works by recognising SQL keywords and characters in incoming parameters. It is a useful tripwire and alarm, but it can block legitimate input that happens to contain those words and can be bypassed by an attacker who avoids its patterns. The real defence is keeping Joomla and every installed extension up to date so that the code behind your forms uses properly parameterised queries.
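As an added illustration in Python with sqlite3 (written for this page; it is neither Joomla's nor the plugin's code), the following shows what the plugin is watching for and why a request filter is only a partial defence: the same user-supplied value is run through a query built by string interpolation and through a parameterised query, and a naive keyword filter of the kind such plugins use is run over a few constructed inputs. The users table, the inputs and the filter pattern are all assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for a Joomla extension's table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return con


def lookup_vulnerable(con, username):
    """The mistake: the user's text is pasted into the SQL, so it can change the query."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in con.execute(query)]


def lookup_safe(con, username):
    """The fix: the value is bound as a parameter and can only ever be data."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in con.execute(query, (username,))]


# A deliberately simple signature set, in the spirit of a request-scanning plugin.
# Assumption for the example; not Marco's SQL Injection's actual pattern list.
SQLI_SIGNATURES = re.compile(
    r"\bunion\b|\bselect\b|\bor\b\s*'?\d+'?\s*=|--|;", re.IGNORECASE
)


def request_filter_flags(value):
    """True when a request parameter looks like an injection attempt to the filter."""
    return bool(SQLI_SIGNATURES.search(value))


def demo():
    """Run one classic payload through both queries and the filter over three inputs."""
    con = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(con, payload),   # every user comes back
        "safe": lookup_safe(con, payload),               # no user has that name
        "filter_catches_payload": request_filter_flags(payload),
        "filter_false_positive": request_filter_flags("Union Street bakery"),  # legitimate text blocked
        "filter_bypassed": request_filter_flags("' OR 'a'='a"),               # same attack, no digits
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The interpolated query returns every user for the payload while the parameterised one returns none; the filter catches the textbook payload, but it also flags an innocent search phrase and misses a trivially rewritten version of the same attack, which is why the plugin belongs in the alarm category rather than the fix category.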

#6 Download and Install Spam Protect Factory
Blocking individual IP addresses used to work but does not any more: attackers now have access to hundreds of IP addresses through botnets and rented proxies. One coarse response is to block whole countries that your site has no reason to serve. This is a blunt instrument: it also blocks legitimate visitors from that country and is bypassed by anyone using a VPN or a proxy located elsewhere, so treat it as noise reduction rather than protection. We will next add a free tool and, as an example, use it to block the entire country of Ukraine. Click Help, Joomla Extensions. Then enter Spam Protect Factory in the search box. Then click on the box to open it.

Here is the direct link: https://extensions.joomla.org/extensions/extension/access-a-security/site-security/spam-protect-factory

Then click Download. Register. Then Log in. Click on Products. Scroll down to Spam Protect Factory. Then click Free Download. Transfer this tool to your website extensions folder. Then install it with Extensions, Manage, Install. This tool is configured as a component rather than a plug in. So to set the configuration, go to Components, Spam Protect Factory. Then click on the Dashboard.


Click on the link in the blue box to enable the plugin. Then return to the dashboard and click on Options in the upper right corner. Then click on the Filters tab. Change IP Filter to Yes and Country Filter to Yes. Each country has a two-letter code (its ISO 3166-1 alpha-2 code, the same as its country top level domain) that you can look up at the following link:
http://www.webopedia.com/quick_ref/topleveldomains/countrycodeA-E.asp


The extension for Ukraine is UA.


Use the two-letter country codes, not full country names. So for Ukraine type in UA.



Then click Save and Close.


#7 Download and Install Eyesite File Monitoring Tool
We will next install a file monitoring tool that will alert us by email if any files for our website are added, changed or deleted and tell us exactly which files were touched. Unexpected file changes are one of the most reliable signs that a site has been compromised, since an attacker who gets in almost always leaves or modifies files. To download this free security tool, click on Help, Joomla Extensions. Then type Eyesite in the search box. Click on the box to open it.



Here is a direct link to this tool.
https://extensions.joomla.org/extensions/extension/access-a-security/site-security/eyesite


Click Download. Then scroll down the page and download the User Guide and the Component. There is also a plugin which costs $8, but we do not need it if we are willing to run the scans manually.


Then transfer these folders from your Downloads folder to your website extensions folder. Install the component with Extensions, Manage, Install. Then go to Components, Eyesite.



Click Configure and enter your secure email address to send notices to. Then click on Status and click on Scan Now.


Then click Accept All to record the current state of the files as the known-good baseline. Do this only on a site you trust to be clean, because anything accepted here (including a file an attacker has already planted) becomes part of the baseline and will not be reported later. You can scan your site manually from the Joomla admin interface, or buy the plugin to scan your site automatically at regular intervals.
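To show what a file monitor of this kind actually does, here is an added Python example written for this page (it is not Eyesite's code): it hashes every file under a site root, keeps that as the baseline, and reports files that were added, changed or deleted on a later scan. The Joomla-like directory tree, the tampering and the list of cache directories to skip are all constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large media files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root, skip_dirs=("cache", "tmp", "logs")):
    """Map relative path -> SHA-256 for every regular file under root.

    Directories that Joomla rewrites on its own (assumed list) are skipped so
    routine cache churn does not bury real changes in noise.
    """
    root = Path(root)
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = Path(dirpath) / name
            hashes[path.relative_to(root).as_posix()] = hash_file(path)
    return hashes


def compare(baseline, current):
    """Report added, changed and deleted files relative to the accepted baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "changed": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
        "deleted": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed Joomla-like tree: take a baseline, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php require 'includes/framework.php';\n")
        (root / "configuration.php").write_text("<?php class JConfig { public $password = 'x'; }\n")
        (root / "images").mkdir()
        (root / "cache").mkdir()
        (root / "cache" / "page.cache").write_text("cached output\n")
        baseline = snapshot(root)          # what Accept All records

        # Three changes an attacker might make, plus harmless cache churn.
        (root / "index.php").write_text("<?php /* injected */ require 'includes/framework.php';\n")
        (root / "images" / "unexpected.php").write_text("<?php /* dropped file */\n")
        (root / "configuration.php").unlink()
        (root / "cache" / "page.cache").write_text("regenerated output\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

The scan reports images/unexpected.php as added, index.php as changed and configuration.php as deleted, while the rewritten cache file is ignored. Whatever tool you use, store the baseline outside the web root and ideally off the server: if an attacker can overwrite your files they can also overwrite a baseline that sits next to them.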




#8 Replace the Default Joomla Templates with the Sparky Template Framework
Joomla uses templates to control the appearance of our Joomla website the same way that WordPress uses themes to control the appearance of WordPress websites. We will discuss templates in greater detail in the next chapter. For now, it is important to know that the default templates for Joomla (and the default theme for WordPress) are often described as a security risk because attackers are very familiar with their file structure. Be realistic about that benefit: a popular framework such as Sparky is just as recognisable as Protostar, and Joomla's own media and component paths identify the platform whatever template is in use, so treat this step mainly as a layout improvement. The default templates are also very limiting in terms of how content is displayed. Thankfully, there is a very simple and flexible free Joomla template framework called Sparky. We will review it in greater detail in the next chapter. For now, click on the following link to learn about and download Sparky:
https://www.hotjoomlatemplates.com/sparky-joomla

Transfer Sparky from your downloads folder to your website extensions folder. Then install it with Extensions, Manage, Install.

We will eventually create several different versions of Sparky. To do this, we will make a copy of Sparky. Go to Extensions, Templates, Templates. Then click on Sparky Framework Details and Files. Then click Copy Template. We will name our copy Sparky2.


Click Copy Template. Repeat this process to make a copy called Sparky3. Then click Close. Then click Styles in the upper left corner.



We now have five templates with the Protostar set as the default or active template. Click on the Sparky2 template to open it. Then click on the Layout tab. Change the template width from 960 pixels to 96%. Then click Add Row three times. Drag the gray header1 box to the first row. Drag the gray top1 box to the second row and the red Joomla Content to the third row. Drag the right edge of all three to the right to make them full width.


Click Save and Close. Then set Sparky2 as our default template. To see what this template looks like in the front end of our site, we will need to create a Welcome article for the Home page. Go to Content, Articles and click New. Call the article, Welcome to our Interactive Website! Type in a one sentence description and change Featured to Yes.



Then click Save and Close and view site.



To hide the author, category, published date and hits, go to Content, Articles, Options. In the next chapter, we will review how to add a header and menu as well as change the background colors of our Home page. We will eventually delete the two default Joomla templates. For now, we will keep them for educational purposes.


#9 Delete the Joomla Generator tag
Right click on our Home page. Then click View Page Source. You will see the following line:

<meta name="generator" content="Joomla! - Open Source Content Management" />

This Joomla generator tag is a security problem because it announces to every visitor and every automated scanner that the site runs Joomla, which makes it an easy pick when a mass attack against Joomla sites is under way. Thankfully, there is a free tool we can use to change this. The TJ Set Generator Tag plugin allows you to change the default Joomla! generator meta tag to anything you like, without modifying either the template's or Joomla!'s core files. Go to Help, Joomla Extensions and type in Set Generator Tag. Then click on the box to open it.


Here is a direct link to this free Joomla tool:
https://extensions.joomla.org/extensions/extension/site-management/seo-a-metadata/set-generator-tag


Click Download, then click Download again on the page that opens. Then transfer the folder to your website extensions folder. Then install it with Extensions, Manage, Install. To configure this tool, go to Extensions, Plugins, and scroll down to the system plugins. Click on the TJ Set Generator plugin to open it. Enable the plugin and change the tag name to the name of your website.



Then click Save and Close and view site. Right click on the Home page and view the source code to confirm that the generator line now shows your own text. Remember that this is obscurity, not protection: other signs such as the /administrator path, the /media/system/ and /media/jui/ assets and option=com_ query strings still identify a Joomla site, so keep the core and all extensions updated as well. Hopefully, this will help us avoid being caught in a mass attack against Joomla websites.
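To see how much the generator tag change actually hides, here is an added Python example written for this page (not code from the plugin or from Joomla) that checks a page's HTML for several common Joomla fingerprints, before and after the generator tag is replaced. The marker list and the two HTML snippets are constructed for the example; the generator line itself is the one quoted above.

```python
import re

# Signals that commonly reveal a Joomla 3 site in page source. This list is an
# assumption made for the example, not taken from the page or any extension.
JOOMLA_MARKERS = {
    "generator meta tag": re.compile(r'<meta\s+name="generator"\s+content="Joomla!', re.I),
    "/media/system/ or /media/jui/ asset": re.compile(r'/media/(system|jui)/', re.I),
    "default template path": re.compile(r'/templates/(protostar|beez3)/', re.I),
    "option=com_ query string": re.compile(r'[?&]option=com_\w+', re.I),
    "/administrator link": re.compile(r'href="[^"]*/administrator', re.I),
}


def joomla_markers(html):
    """Names of the fingerprint signals present in an HTML document, in list order."""
    return [name for name, pattern in JOOMLA_MARKERS.items() if pattern.search(html)]


# Constructed page source before the plugin is enabled...
BEFORE = """<!DOCTYPE html><html><head>
<meta name="generator" content="Joomla! - Open Source Content Management" />
<link href="/templates/protostar/css/template.css" rel="stylesheet" />
<script src="/media/jui/js/jquery.min.js"></script>
</head><body><a href="/index.php?option=com_users&view=login">Log in</a></body></html>"""

# ...and after the generator tag has been changed to the site name.
AFTER = BEFORE.replace(
    'content="Joomla! - Open Source Content Management"',
    'content="Our Interactive Website"',
)


if __name__ == "__main__":
    print("before:", joomla_markers(BEFORE))
    print("after: ", joomla_markers(AFTER))
```

Before the change four markers are found; afterwards the generator tag is gone but the template path, the /media/jui/ asset and the option=com_ link still give the platform away, which is the point of the caveat above.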


#10 Create and Download a Site Backup in Cpanel
The final step in protecting our site is taking a backup of our site and downloading the file to our home computer. This way, if our site is hacked, we can roll it back to how it was today. We will do this now, though normally it is done after completely building the website (and then repeated regularly). To make a site backup with cPanel, log out of the Joomla administrator panel. Then log into your Fullhost account. Then click on Services, Active. Then log into cPanel. Scroll down to Softaculous Apps Installer and click on it. Then click on Joomla Overview.

Then click on the Backups icon to open the backups page. Use the default settings and click Backup Installation. This will back up both the database and the file folders.

Then click on the backups link.


We want to download this file in case our cPanel account is corrupted. Click on the blue arrow to download the backup. Then move it to a backups folder inside the website folder on your home computer (the same local folder that holds your downloaded extensions). Never leave a backup archive inside the web server's document root: it contains configuration.php with your database credentials, and anything under the document root can be downloaded by anyone who guesses the file name.



Then log out of cPanel and log out of your Fullhost account. This completes our initial security steps. In the next section, we will review steps you should take to keep your website secure over time.