In our final section on website security, we will review several important steps to take to protect our website from hackers on an ongoing basis. These steps include the following:

1. Keep your Joomla version up to date.

2. Keep your Joomla extensions up to date.

3. Review Joomla Error logs periodically.

4. Review hacking attempt logs periodically.

5. Scan your website(s) periodically with simple free scanning tools.

6. Set up a backup and recovery process.

7. Limit the email accounts associated with your website.

8. Keep learning about Joomla Website Security.

9. Join or create a Joomla User Group in your community.


We will briefly review each of these steps.

1. Keep your Joomla version up to date
Joomla releases a new version every few months. Some releases add features, but many are security releases that close a newly reported vulnerability. If you are subscribed to Joomla's security announcements you will receive an email describing the problem and advising you to update as quickly as possible. Updating is easy. Log into your administrator panel and wait a few seconds; a notice will appear with a link to the Joomla Update page.

Take a backup first (see step 6) so that an update that goes wrong can be rolled back. Then click Update Now and Install Update. If there is any problem with the update, search for the exact error message you were shown. Often update problems can be solved simply by clearing your browser cache and the Joomla caches (System, Clear Cache). These issues are typically discussed on the Joomla Community Forums. To reach the official forum from your Joomla admin panel, click Help, Official Support Forum. Here is the direct link:
https://forum.joomla.org/


Why doesn’t Joomla update automatically?
Joomla does not update itself because an update can break a site: a template or third-party extension may not yet be compatible with the new release, and fixing that needs a person to notice the breakage, restore the backup and wait for the extension developer. An unattended update run from a cron job in cPanel also happens with nobody watching; if the job is written wrongly or the update stops half-way (for example during a database schema change), you can be left with a broken site or an inconsistent database and find out only when visitors complain. Joomla therefore expects updates to be applied by a real person who has taken a backup first and checks the site afterwards.

2. Keep your Joomla extensions up to date
Joomla also offers a system for updating extensions. When you log into your Joomla backend, you may see the following notice.


Click on View Updates and then Install Updates. Then clear the caches and view the front end of your website to make sure everything still works after performing all of your updates. Also uninstall extensions you no longer use: a disabled extension's files stay on the server and reachable from the web, so it still needs patching. Check the Joomla Vulnerable Extensions List (https://vel.joomla.org/) for any extension that has been reported but not fixed. For this system to work well, plan on visiting the backend of your website at least once a week. The remaining tasks should be done about once a month.

3. Review Joomla Error logs periodically
Modern websites are extremely complex. A Joomla site has more than 4000 files and folders, and with two dozen extensions installed, errors and conflicts are common. These errors are normally not displayed on the front end of the website, but they are written to the error log together with the file and line of code where each one occurred. The same log also records the date, time and script involved in many common attack attempts, because a probe that feeds the site hostile input usually triggers a PHP warning.

To reach your Joomla error logs, you could log into your cPanel account and open its File Manager. A quicker way is to install a file manager in the Joomla backend so you can reach the logs without logging into cPanel. We will add a free tool called Profiles. Click on Help, Joomla Extensions. Then enter Profiles in the search box.

Here is a direct link to this extension:
https://extensions.joomla.org/extensions/extension/core-enhancements/file-management/profiles

Click Download. Then click Download again. Transfer this folder to your website extensions folder and install it with Extensions, Manage, Install. Then open it by going to Components, Profiles. Click on the File Manager tab. Then scroll down past the Joomla folders to the Joomla files. One of them will be called error_log. Click on it to select it. Then click Download to download it to your computer. Open it and read it. Here is an example of an error log.

[17-Dec-2016 12:10:42 America/Vancouver] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; plgSystembfstop has a deprecated constructor in /home/createnews/public_html/plugins/system/bfstop/bfstop.php on line 18


This is not a critical error: it is a PHP deprecation notice about the way the BF Stop plugin declares its constructor, and it will hopefully be fixed in a future version of BF Stop. Once you have read all of the errors and determined that none of them point to a hack, archive the log rather than simply discarding it: move the downloaded copy into a dated folder off the server, then delete the file from your Joomla file manager. If the site is compromised later, old logs are the evidence you will need to work out when and how it happened. The next time there is an error, the log file will be recreated. Keep in mind that a file manager in the backend lets anyone holding an administrator session edit PHP files on the server, so keep that extension updated and consider disabling it between uses.

Also look at the Joomla administrator error log while you are here. Click on the administrator folder, select its error_log file, click Download and read it. Then archive the copy and delete the file from the backend with your file manager, as above.
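Reading a long error_log by eye is tedious, and the interesting lines (hostile input that made PHP complain) are buried among deprecation notices. The following script is an added example, not part of the article or of any Joomla extension: it parses PHP's default error_log line format and sorts entries into "benign", "bug" and "probe". The first sample line is the one quoted above; the other two lines, the plugin paths in them and the marker list used to spot probes are constructed for illustration.

```python
"""Parse and triage a PHP error_log left in a Joomla web root (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# PHP's default error_log line: "[date tz] PHP Level:  message in /file on line N".
# Stack-trace continuation lines do not match and are counted as unparsed.
ENTRY_RE = re.compile(
    r"^\[(?P<date>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) (?P<tz>\S+)\] "
    r"PHP (?P<level>Deprecated|Notice|Warning|Strict Standards|Fatal error|Parse error):\s+"
    r"(?P<msg>.*?)(?: in (?P<file>/\S+) on line (?P<line>\d+))?$"
)

# Strings that only turn up in an error message when someone is feeding the
# site hostile input: path traversal, PHP stream wrappers, other CMSs' config files.
PROBE_MARKERS = ("../", "..\\", "/etc/passwd", "wp-config.php", "php://", "data://", "expect://")

# Line 1 is the article's own example; lines 2 and 3 are constructed.
SAMPLE_LOG = """\
[17-Dec-2016 12:10:42 America/Vancouver] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; plgSystembfstop has a deprecated constructor in /home/createnews/public_html/plugins/system/bfstop/bfstop.php on line 18
[17-Dec-2016 13:02:11 America/Vancouver] PHP Warning:  include(../../../../etc/passwd): failed to open stream: No such file or directory in /home/createnews/public_html/plugins/content/example/example.php on line 40
[17-Dec-2016 13:05:00 America/Vancouver] PHP Fatal error:  Call to undefined function mb_strlen() in /home/createnews/public_html/administrator/components/com_example/helper.php on line 55
"""


@dataclass
class Entry:
    when: datetime          # naive local time; the zone name is kept separately
    tz: str
    level: str
    message: str
    file: Optional[str]
    line: Optional[int]


def parse_entry(raw: str) -> Optional[Entry]:
    """Return an Entry, or None for lines in another format (stack traces etc.)."""
    m = ENTRY_RE.match(raw.rstrip("\n"))
    if not m:
        return None
    return Entry(
        when=datetime.strptime(m["date"], "%d-%b-%Y %H:%M:%S"),
        tz=m["tz"],
        level=m["level"],
        message=m["msg"],
        file=m["file"],
        line=int(m["line"]) if m["line"] else None,
    )


def triage(entry: Entry) -> str:
    """Heuristic bucket: 'probe' (hostile input), 'bug' (site broken), 'benign'."""
    low = entry.message.lower()
    if any(marker in low for marker in PROBE_MARKERS):
        return "probe"
    if entry.level in ("Fatal error", "Parse error"):
        return "bug"
    return "benign"


def summarize(log_text: str):
    """Count entries per bucket and return the probe entries for closer reading."""
    counts = {"benign": 0, "bug": 0, "probe": 0, "unparsed": 0}
    probes = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_entry(raw)
        if entry is None:
            counts["unparsed"] += 1
            continue
        bucket = triage(entry)
        counts[bucket] += 1
        if bucket == "probe":
            probes.append(entry)
    return counts, probes


if __name__ == "__main__":
    counts, probes = summarize(SAMPLE_LOG)
    print(counts)
    for p in probes:
        print(f"{p.when} {p.tz} {p.level}: {p.message} ({p.file}:{p.line})")
```

Run it against a downloaded error_log with `summarize(open("error_log").read())`; the probe list tells you which script was fed the traversal string, which is the file to check for a vulnerability. The marker list is deliberately narrow so that ordinary deprecation noise stays out of it; widen it as you see new patterns in your own logs.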

4. Review hacking attempt logs periodically
If you have installed the logging and blocking plugins, hacking attempts will be reported to your secure email address on nearly a daily basis. You will be surprised at how often someone is trying to get into your website. Review these emails periodically. Here is one example caught by Marco Interceptor:

Local File Inclusion $_GET['files'] => ../../../../wp-config.php
* Local File Inclusion $_REQUEST['files'] => ../../../../wp-config.php
** PAGE / SERVER INFO
*REMOTE_ADDR : 62.210.111.127
*REQUEST_METHOD : GET
*QUERY_STRING : files=../../../../wp-config.php
** SUPERGLOBALS DUMP (sanitized)
*$_GET DUMP:


This is an automated scanner assuming the site runs WordPress and trying to read wp-config.php, the WordPress settings file that holds the database credentials, through a path-traversal (local file inclusion) request. The Joomla equivalent is configuration.php, so the same probe aimed at that name is the one to watch for. Here is an email from BF Stop:


Blocked IP Address 5.254.97.99 because there were too many unsuccessful login attempts in a short time on http://. These are all the attempts from that address that were recorded:
Username                  IP-Address      Date and time        Origin
-------------------------------------------------------------------------------------------------
admin                     5.254.97.99     2016-12-06 18:28:44  Backend
admin                     5.254.97.99     2016-12-06 18:28:50  Backend
admin                     5.254.97.99     2016-12-06 18:28:54  Backend
admin                     5.254.97.99     2016-12-06 18:28:57  Backend
admin                     5.254.97.99     2016-12-06 18:29:00  Backend



This is a brute-force attack that assumes the administrator user name is admin. We could add the IP address to our blocklist, but these attempts come from so many addresses that blocking them one by one is a losing game. Two defences matter more: rename the administrator account so that it is not called admin (the attacker then has to guess the user name as well as the password), and turn on Joomla's built-in two-factor authentication for every backend user (it is set per user under Users, Manage). Beyond that, you can block whole countries. To determine which country an address belongs to, go to the following site.
http://whatismyipaddress.com/ip-lookup

Then copy and paste the IP address from your email into the Lookup box.


This one is registered in Romania, but the address is a proxy server fronting some other location, which is the weakness of country blocking: the real attacker may be anywhere. Click on Blacklist check and you will see that this address is not yet on the public blacklists. Each country has a two-letter country code (the same codes used for country top-level domains), which you can look up here:
http://www.webopedia.com/quick_ref/topleveldomains/countrycodeA-E.asp

The code for Romania is RO. We will add it to our list of blocked countries in Spam Protect Factory. Be aware that country blocking is a coarse tool: it turns away legitimate visitors from that country, and an attacker who routes through a proxy or VPN in an unblocked country walks straight past it. It cuts the noise in your logs; it does not replace the account hardening described above.
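The two emails above are worth more than a glance if you can sort them automatically. The script below is an added example, not part of the article, of Marco Interceptor or of BF Stop: it recognises a traversal probe in a query string even when the attacker percent-encodes it twice, flags any source address that makes too many login attempts inside a short window, and expresses the resulting block as a CIDR range rather than a single address. The query string and the five admin attempts are the ones quoted above; the two editor logins, the threshold and window (BF Stop's real settings are not known here), and the /24 block are assumptions.

```python
"""Triage LFI probes and login brute force from alert emails (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, unquote

# Files a traversal probe is usually after. configuration.php is Joomla's own
# settings file (database credentials); wp-config.php is WordPress's.
TARGET_FILES = ("wp-config.php", "configuration.php", "/etc/passwd", ".env", ".htpasswd")
WRAPPERS = ("php://", "data://", "expect://", "file://")


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (probes are often double-encoded) and fold
    backslashes so that '..\\' is treated like '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def lfi_indicators(query_string: str):
    """Return [(parameter, decoded value)] for parameters that look like a
    file-inclusion or traversal attempt."""
    hits = []
    for key, raw in parse_qsl(query_string, keep_blank_values=True):
        value = normalize(raw)
        if ("../" in value
                or any(value.endswith(t) for t in TARGET_FILES)
                or value.startswith(WRAPPERS)):
            hits.append((key, value))
    return hits


def brute_force_sources(attempts, threshold=5, window=timedelta(seconds=60)):
    """attempts: iterable of (username, ip, datetime, origin) as in the BF Stop
    table. Return {ip: most attempts seen inside any `window`} for every IP
    that reached `threshold` (sliding window over sorted timestamps)."""
    times_by_ip = defaultdict(list)
    for _user, ip, when, _origin in attempts:
        times_by_ip[ip].append(when)
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


class BlockList:
    """IP/CIDR blocklist. Blocking the /24 around a flagged host also catches
    the neighbours it shares a hosting range with, at the cost of collateral."""

    def __init__(self, entries):
        self.networks = [ipaddress.ip_network(e, strict=False) for e in entries]

    def is_blocked(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# The five admin attempts are from the BF Stop email above; the two editor
# logins (a mistyped password, then success) are constructed.
LOGIN_ATTEMPTS = [
    ("admin", "5.254.97.99", ts("2016-12-06 18:28:44"), "Backend"),
    ("admin", "5.254.97.99", ts("2016-12-06 18:28:50"), "Backend"),
    ("admin", "5.254.97.99", ts("2016-12-06 18:28:54"), "Backend"),
    ("admin", "5.254.97.99", ts("2016-12-06 18:28:57"), "Backend"),
    ("admin", "5.254.97.99", ts("2016-12-06 18:29:00"), "Backend"),
    ("editor", "203.0.113.5", ts("2016-12-06 18:31:10"), "Backend"),
    ("editor", "203.0.113.5", ts("2016-12-06 18:41:30"), "Backend"),
]

if __name__ == "__main__":
    print(lfi_indicators("files=../../../../wp-config.php"))            # the probe above
    print(lfi_indicators("files=..%252f..%252fconfiguration.php"))      # double-encoded, constructed
    print(lfi_indicators("option=com_content&view=article&id=42"))     # ordinary Joomla request
    flagged = brute_force_sources(LOGIN_ATTEMPTS)
    print(flagged)
    blocklist = BlockList(f"{ip}/24" for ip in flagged)
    print(blocklist.is_blocked("5.254.97.17"), blocklist.is_blocked("203.0.113.5"))
```

The decode loop is the part that matters for the interceptor log: a single `unquote` misses `%252e%252e%252f`, which is what a scanner sends when it expects a naive filter. The blocklist check is the same test you would apply in a firewall rule; feeding it a /24 instead of the single address is a judgement call, and the example keeps the two legitimate editor logins out of it.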



5. Scan your website(s) periodically with simple free scanning tools.
There are several free website scanning tools that do not require you to register your site with them. The most popular is Sucuri SiteCheck: enter your website URL and it checks for known malware, website blacklisting, injected spam and defacements.
https://sitecheck.sucuri.net/?clickid=xsmTwgzAGyG-VNbxd83A2zfCUkkVSr0kExWZxk0


You can also scan your site at two other websites. However, be aware that these scans are not perfect. They are remote scanners: they fetch your pages as an anonymous visitor and look for known bad patterns, so a backdoor file that no page links to, a modified administrator script, or malware that only triggers for certain visitors will not be seen. Your site can be hacked and still get a clean bill of health at these scanning sites. Treat a clean result as "nothing obvious", not as proof, and complement it with a check on the server itself: compare the files in your web root against a known-good copy.
https://quttera.com/
https://app.webinspector.com/
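A file-integrity check is the local complement to the remote scanners: it catches exactly what they miss, a PHP file dropped into an upload directory or a core file with a line appended. The script below is an added example, not part of the article or of any scanner it names. It hashes the executable files under a web root, diffs the result against a manifest saved after the last clean update, and ranks changed files by a few webshell markers. The two sample trees, the directory list and the marker list are constructed; the marker list in particular produces false positives on Joomla core, which is why the diff against a baseline, not the markers, is the real signal.

```python
"""Local file-integrity check for a Joomla web root (added example)."""
import hashlib
import json
from pathlib import Path

# Directories that should hold uploads, cache or logs, never PHP; a .php file
# here is suspicious whatever it contains.
NO_PHP_DIRS = ("images/", "tmp/", "cache/", "logs/", "administrator/cache/", "media/")

# Functions webshells lean on. Joomla core uses some of them legitimately, so a
# hit is a reason to read the file first, not proof of compromise.
SHELL_MARKERS = ("eval(", "base64_decode(", "gzinflate(", "str_rot13(",
                 "shell_exec(", "system(", "passthru(", "assert(")


def hash_tree(files: dict) -> dict:
    """{relative path: bytes} -> {relative path: sha256 hex}."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}


def read_tree(root) -> dict:
    """Read every file under root that the web server would execute or honour."""
    root = Path(root)
    out = {}
    for path in root.rglob("*"):
        if path.is_file() and (path.suffix in (".php", ".phtml", ".js") or path.name == ".htaccess"):
            out[path.relative_to(root).as_posix()] = path.read_bytes()
    return out


def compare(baseline: dict, current: dict) -> dict:
    """Diff two hash manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def suspicious(relpath: str, content: bytes) -> list:
    """Reasons to look at this file before the others."""
    reasons = []
    if relpath.endswith((".php", ".phtml")) and relpath.startswith(NO_PHP_DIRS):
        reasons.append("php-in-upload-dir")
    text = content.decode("utf-8", "replace")
    reasons.extend(m for m in SHELL_MARKERS if m in text)
    return reasons


def audit(baseline_hashes: dict, current_files: dict) -> dict:
    """Diff the live tree against the baseline and rank what changed."""
    report = compare(baseline_hashes, hash_tree(current_files))
    report["flags"] = {p: suspicious(p, current_files[p]) for p in report["added"] + report["modified"]}
    return report


# Constructed: the tree as saved right after a clean install or update...
BASELINE_FILES = {
    "index.php": b"<?php\ndefine('_JEXEC', 1);\nrequire_once __DIR__ . '/includes/app.php';\n",
    "configuration.php": b"<?php\nclass JConfig {\n    public $db = 'site';\n}\n",
    ".htaccess": b"RewriteEngine On\n",
}
# ...and the same tree after a compromise: a dropped shell plus a modified core file.
CURRENT_FILES = dict(BASELINE_FILES)
CURRENT_FILES["images/cache.php"] = b"<?php eval(base64_decode($_POST['x'])); ?>"
CURRENT_FILES["index.php"] = BASELINE_FILES["index.php"] + b"<?php include 'images/cache.php'; ?>\n"

if __name__ == "__main__":
    baseline = hash_tree(BASELINE_FILES)   # in practice: json.dump() this after every update
    print(json.dumps(audit(baseline, CURRENT_FILES), indent=2))
```

In use, save `hash_tree(read_tree("/home/createnews/public_html"))` to a JSON file off the server after each update and run `audit` against it monthly. The modified index.php carries none of the markers, which is the point: only the baseline diff shows that a core file changed, and a remote scanner would have seen the page render normally.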


6. Set up a backup and recovery process
As we have previously described, our preferred method of making backups is the Softaculous backup in cPanel. It makes a backup quickly, we can download it to our computer and, just as important, we can restore the backup file and roll the website back to an earlier date. Take a backup before every update, not only after it, so that an update that breaks the site can be undone. Keep at least one copy somewhere other than the hosting server: an attacker who gets into the server can delete or alter the backups stored there, and so can a hosting failure. And test a restore once in a while; a backup you have never restored is a hope, not a process. Beyond that, how often you back up depends on how much content you add and how quickly the site changes: weekly for a busy site, after each change for one that rarely changes.
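If you want the backup to run from a script rather than by clicking through Softaculous, the following is an added example, not part of the article and not Softaculous's method. It reads the database credentials from Joomla's configuration.php (Joomla stores them as public properties of class JConfig), hands them to mysqldump through a mode-0600 option file so the password never appears on the command line where `ps` would show it, tars the web root without its cache directories, and writes a SHA-256 sidecar in `sha256sum -c` format so the off-server copy can be verified. The sample configuration.php, the paths and the excluded directories are assumptions.

```python
"""Scripted Joomla backup: database dump + web root tarball + checksums (added example)."""
import hashlib
import os
import re
import subprocess
import tarfile
import tempfile
from datetime import datetime
from pathlib import Path

# Joomla keeps its settings as public properties of class JConfig, e.g.
#     public $user = 'createnews_jml';
# The value is a PHP single-quoted string, so \' and \\ are the only escapes.
CONFIG_RE = re.compile(r"public \$(?P<name>\w+)\s*=\s*'(?P<value>(?:[^'\\]|\\.)*)';")

# Constructed sample; the password is chosen to exercise the escaping.
SAMPLE_CONFIG = r"""<?php
class JConfig {
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'createnews_jml';
    public $password = 'p\'ss#w"rd';
    public $db = 'createnews_site';
    public $dbprefix = 'jos_';
    public $log_path = '/home/createnews/public_html/administrator/logs';
}
"""

# Regenerated by Joomla; no need to back them up, and cache can be huge.
EXCLUDE_PREFIXES = ("cache/", "administrator/cache/", "tmp/")


def parse_joomla_config(text: str) -> dict:
    """Return JConfig's string properties with PHP escapes removed."""
    return {m["name"]: re.sub(r"\\(.)", r"\1", m["value"]) for m in CONFIG_RE.finditer(text)}


def defaults_file_content(cfg: dict) -> str:
    """A MySQL option file for --defaults-extra-file. Values are double-quoted
    so that '#' in a password is not read as a comment; \\ and " are escaped."""
    def q(v: str) -> str:
        return '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return f"[client]\nhost={q(cfg['host'])}\nuser={q(cfg['user'])}\npassword={q(cfg['password'])}\n"


def mysqldump_command(cfg: dict, defaults_path: str) -> list:
    """--defaults-extra-file must be the first option; no password on the command line."""
    return ["mysqldump", f"--defaults-extra-file={defaults_path}",
            "--single-transaction", "--quick", cfg["db"]]


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _skip_cache(member: tarfile.TarInfo):
    rel = member.name.split("/", 1)[1] if "/" in member.name else ""
    return None if (rel + "/").startswith(EXCLUDE_PREFIXES) else member


def backup(webroot: str, dest_dir: str) -> dict:
    """Dump the database and archive the web root; return {file name: sha256}."""
    webroot, dest_dir = Path(webroot), Path(dest_dir)
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    cfg = parse_joomla_config((webroot / "configuration.php").read_text())
    sql_path = dest_dir / f"{webroot.name}-{stamp}.sql"
    fd, cnf_path = tempfile.mkstemp(suffix=".cnf")
    try:
        os.fchmod(fd, 0o600)                       # credentials readable by us only
        with os.fdopen(fd, "w") as f:
            f.write(defaults_file_content(cfg))
        with open(sql_path, "wb") as out:
            subprocess.run(mysqldump_command(cfg, cnf_path), stdout=out, check=True)
    finally:
        os.unlink(cnf_path)                        # never leave the option file behind
    tar_path = dest_dir / f"{webroot.name}-{stamp}.tar.gz"
    with tarfile.open(tar_path, "w:gz") as tar:
        tar.add(webroot, arcname=webroot.name, filter=_skip_cache)
    manifest = {}
    for p in (sql_path, tar_path):
        digest = sha256_file(p)
        p.with_name(p.name + ".sha256").write_text(f"{digest}  {p.name}\n")
        manifest[p.name] = digest
    return manifest


if __name__ == "__main__":
    import sys
    print(backup(sys.argv[1], sys.argv[2]))   # e.g. public_html and a backups directory
```

Copy the `.sql`, `.tar.gz` and `.sha256` files off the server together and run `sha256sum -c site-*.sha256` on the destination; a mismatch means the copy is not the backup you made. `--single-transaction` gives a consistent InnoDB snapshot without locking the site's tables while the dump runs.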

7. Limit the email accounts associated with your website
On shared hosting, the mailboxes for your domain usually run on the same cPanel server as the website, so every email account is another set of credentials that can be phished, guessed or leaked, and a compromised mailbox can be the first step into the server. The 2016 US election gave two well-known illustrations. Hillary Clinton's State Department email ran on a private server at her home. Whether or not that server was ever broken into (the FBI said it found no direct evidence that it was), running an organization's mail on a privately administered server is a risk in itself: it is patched and watched by one person rather than a team.

Then, during the campaign, John Podesta, chairman of the Clinton campaign, fell for a spear-phishing email that imitated a Google password alert and typed his Gmail password into the attacker's page; his mailbox was downloaded and published on WikiLeaks. The Democratic National Committee's network was compromised separately that year, and the DNC emails published on WikiLeaks came from there. Hundreds of people had email accounts on the DNC's systems, and hundreds of mailboxes, each of which can be phished, is a large attack surface. Whoever was behind those intrusions, the lesson for a website owner is the same. It does not take a government hacker to run a phishing campaign; the technique is well documented and anyone can learn it in a day.

As we explained earlier, servers, websites and anything else connected to the Internet are attacked all the time. The DNC server was very likely receiving hundreds of automated attacks a day, like every other server. The defence is basic precautions, not attribution.

A much better option for any organization with more than a handful of members is to host its mailboxes with an encrypted email provider such as ProtonMail rather than on the web server. You can still use addresses at your own domain. The messages themselves are stored on ProtonMail's servers, encrypted so that ProtonMail cannot read stored mail, and a compromise of your website no longer exposes your mail, or the reverse. The cost is a few dollars a month. Two caveats: mail arriving from ordinary senders is encrypted only once it reaches the provider, so this protects what is stored, not what is in transit from a non-ProtonMail sender; and no provider protects against a user who types their password into a phishing page, so turn on two-factor authentication and teach people what a password-reset lure looks like.

The big free providers are not a safe default either. Yahoo disclosed in 2016 that more than one billion accounts had been exposed in a 2013 breach, and at the time of writing Google scanned Gmail content to target advertising; both companies were named in the PRISM disclosures. What every organization should take from this is to keep the number of mailboxes on its own servers small, separate mail from the web server, and keep accounts isolated from one another so that one phished user does not expose everyone. A fully encrypted provider such as ProtonMail is the safest of the practical options.

8. Keep learning about Joomla Website Security
One of the best ways to keep up with Joomla security issues is to read the Joomla Community Forum periodically, and to subscribe to the Joomla Security Centre (https://developer.joomla.org/security-centre.html), which publishes every core security fix with its severity and the affected versions.
https://forum.joomla.org/

Scroll down to the section called Security in Joomla! 3.x.



There are a series of articles pinned to the top of this forum. Read all of them before posting.

9. Join or create a Joomla User Group in your community
This final point is the most important. Real website security is not a set of tools or even a process. It comes from building a community of people interested in website security. Joomla has what it calls Joomla User Groups all over the world. To find out whether there is a group near you, go to

https://community.joomla.org/user-groups.html


As you can see, Joomla is very popular in Europe, where it is widely used for multi-language websites. Click on North America to see a more detailed map of the Joomla User Groups there:


Clicking on one of these local buttons will allow you to contact the leader of your local group. If there is not a group near you, consider starting one! This completes our article on real Joomla Security. In the next article, we will describe some revolutionary new tools for customizing the appearance of your Joomla website.