Joomla hardening - configuration adaptations
Joomla coreThis is quite an easy one: make sure you always use the latest Joomla version. Joomla 3.x upgrades can be done quite easily by looking in your configuration screen and following the guidelines about what you need to update both for the core and for the extensions.
Joomla files in root directory after installationA couple of files which are part of the Java distribution stay in the root directory of your Joomla site. Although they don't hurt your site, it's best to remove them as they don't add any value to it either. So you can remove the following files:
PLEASE MAKE SURE you don't remove these files as they are the heart of your Joomla site:
Other files may be present in your root directory, it's up to you to know if you have to keep them or if you can delete them.
Joomla configuration file
As this is the core configuration file of your site, it is of utmost importance to protect this file as much as possible. There seems to be some discussion about the usefullness of this trick, but nevertheless I add it to my overview to make it complete. As it is otherwise almost impossible to protect your files in an incrackable way, there is a real efficient trick to protect your configuration.php file: move the original file outside your public site part, rename it to joomla.conf and then replace the original file by a file which contains a rerouting to the joomla.conf file.
E.g. copy the configuration.php file to ../www.private/conf/joomla.conf, and create the new configuration.php file containing only the following code:
require( dirname( __FILE__ ) . '/../www.private/conf/joomla.conf' );
Please not that this trick is only useful if your configuration is ready and frozen, because every time you change your configuration using the administrator interface, the configuration.php file is overwritten and so your original redirect is gone.
Remove the generator tag from all of your website pages
Joomla automatically adds the metatag
<meta name="generator" content="Joomla Open Source Content Management" />
to each of your pages. This is of course a very simple way to check what system a site is running on. Now, to remove this tedious tag from all of your pages, you can just add 1 simple line of code to the index.php file from the template you use for your website. Right at the start from that file (but after the first line that normally is something like <?php defined('_JEXEC') or die;), add this command:
Rename your Joomla Super User
By renaming the default "admin" user to another name, you already double the first efforts a hacker can do on your site: (s)he has to guess the password but now (s)he also has to guess the username as well. So this is real no-brainer as it is very easy to do and it increases the security level of your site dramatically.
Joomla log files
You should move the log files to a directory where they cannot be viewed easily by everyone who would like to as these log files can contain a lot of very useful information for possible attackers of your site. All the server responses and especially error messages are stored in the log files, which is a real pletora of information for everybody trying to figure out how your site is configured. If they cannot access the contents of the logfiles, it will be far more difficult to find out the configuration of your site, hence the effort to hack your site will grow exponentially and maybe a hacker doesn't find it feasible anymore to go on trying to get your site hacked for his or her purposes.
Unused templates and extensions
For unused templates and extensions in Joomla - and also in all possible other systems - there is one simple rule to apply: REMOVE THEM. It will help you in both hardening your system as you will close possible backdoors, as well as in speed of your site as these templates and extensions will not be loaded anymore when somebody accesses your site.
A couple of extensions and templates are loaded when they are present on your site, even if they are not used or even activated. To avoid having problems with this, simply remove them as they don't have any function to stay on your server.