Protect your Joomla! CMS from Malware
Malware is any software that is intended to damage or disable a computer or computer system, web server or website.
If your website is infected by malware, then it is likely that your computer has also been infected.
Assume the worst and fix both.
What are the first signs of compromise by malware?
A classic indicator is when you can no longer log into your website as administrator.
Reason: malware infection resulting in password change without your consent.
However, malware will often leave administrator credentials unchanged to avoid you reaching for the bleach!
Another indicator might be that a new Super User account, a new template or some other website content has been added.
How well do you know your website?
If you treat it almost like a pet which you would groom on a regular basis then you will spot when things don't look right.
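One practical way to "know your website" is to keep a baseline of the things most likely to be added without your consent and diff a fresh snapshot against it. The following Python script is an added example, not code from the original article; the two snapshots it compares are constructed, and on a real site you would fill them from the Joomla database and the web root and keep the baseline somewhere the web server cannot write.

```python
"""Keep a baseline of the things most likely to appear on a compromised Joomla
site (Super User accounts, templates, PHP files) and diff a fresh snapshot
against it.

Added example, not code from the original article. The two snapshots below are
constructed; on a real site you would fill them from the Joomla database and
the web root, and keep the baseline somewhere the web server cannot write."""

import hashlib
import json


def file_digests(files):
    """files: {relative path: bytes content}. Returns {path: SHA-256 hex digest}."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def make_snapshot(super_users, templates, files):
    """Normalise a snapshot so it can be saved as JSON and compared later."""
    return {
        "super_users": sorted(super_users),
        "templates": sorted(templates),
        "files": file_digests(files),
    }


def detect_changes(baseline, current):
    """Return what is new, altered or gone in `current` relative to `baseline`."""
    old_files, new_files = baseline["files"], current["files"]
    return {
        "new_super_users": sorted(set(current["super_users"]) - set(baseline["super_users"])),
        "new_templates": sorted(set(current["templates"]) - set(baseline["templates"])),
        "new_files": sorted(set(new_files) - set(old_files)),
        "modified_files": sorted(p for p in old_files if p in new_files and new_files[p] != old_files[p]),
        "deleted_files": sorted(set(old_files) - set(new_files)),
    }


def needs_attention(report):
    """True if anything was added or modified; deletions are reported but not flagged."""
    return any(report[key] for key in ("new_super_users", "new_templates", "new_files", "modified_files"))


# Constructed baseline taken when the site was known to be clean.
BASELINE = make_snapshot(
    super_users=["admin"],
    templates=["cassiopeia"],
    files={
        "configuration.php": b"<?php class JConfig { public $sitename = 'Example'; }",
        "index.php": b"<?php // Joomla entry point (constructed stand-in)",
    },
)

# Constructed later snapshot: an extra Super User, an extra template, a modified
# entry point and a PHP file that has appeared inside the images folder.
CURRENT = make_snapshot(
    super_users=["admin", "support2"],
    templates=["cassiopeia", "newtheme"],
    files={
        "configuration.php": b"<?php class JConfig { public $sitename = 'Example'; }",
        "index.php": b"<?php // Joomla entry point (constructed stand-in)\n// extra line",
        "images/extra.php": b"<?php // should not exist here",
    },
)

if __name__ == "__main__":
    # The baseline would normally live on disk; round-trip through JSON to show it survives.
    stored = json.loads(json.dumps(BASELINE))
    report = detect_changes(stored, CURRENT)
    print(json.dumps(report, indent=2))
    print("needs attention:", needs_attention(report))
```

Run it after every legitimate change you make yourself and refresh the baseline; anything that shows up in the report that you did not do is the "things don't look right" moment the paragraph above describes.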
How to reduce the risk of compromise
- Keep your Joomla! CMS and 3rd party extensions up to date.
- Use only the latest release of Joomla! CMS and 3rd party extensions.
- Change Joomla! CMS and hosting control panel passwords frequently.
- Use complex passwords to reduce the risk of brute force attack.
- Never visit your hosting control panel except by secure connection (https).
- Avoid using FTP unless absolutely necessary.
- Never let your browser or FTP client remember your user credentials.
- Install, configure and maintain a Web Application Firewall.
- Follow the Joomla! Project's advice regarding your website's Global Configuration.
Back up your website frequently
Backing up your website will not prevent malware infection.
It will however make recovering from an infection easier and less problematic.
Periodically scan your website for malware?
By all means subscribe to a malware scanning service.
These do not however come cheap.
It is preferable to keep the hackers out by locking the stable door before the horse bolts.
And, depending upon circumstances, might be cheaper to get a new horse rather than try and mend the old one!
So if you are going to scan you would do well to start with a scan of your website's Security Headers.
Scan your website for missing Security Headers
You will want to add these to your website to improve security.
This can be achieved by customising your website's HTACCESS file.
Not for the faint-hearted but tools exist that will perform this task for you. Read on.
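As an added example (not code from the original article or from any tool it mentions), the following Python script checks a set of response headers against a list of commonly recommended security headers and renders the Apache mod_headers directives that would add the missing ones to your HTACCESS file. The header list, the default values and the sample response are assumptions for illustration; review each value against what your site actually needs, and expect the Content-Security-Policy in particular to need tuning before it goes live.

```python
"""Check a web response for missing security headers and render the Apache
mod_headers directives that would add them via .htaccess.

Added example, not code from the original article or from any tool it names.
The header list and default values are assumptions to start from, and
SAMPLE_RESPONSE is a constructed response, not one captured from a real site."""

from urllib.request import Request, urlopen

# Commonly recommended response headers with conservative starting values
# (assumed defaults; tune the CSP especially before deploying it on a live site).
RECOMMENDED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}


def missing_security_headers(response_headers):
    """Return the recommended headers absent from a response.

    HTTP header names are case-insensitive, so both sides are lower-cased."""
    present = {name.lower() for name in response_headers}
    return [name for name in RECOMMENDED_HEADERS if name.lower() not in present]


def htaccess_lines(missing):
    """Render .htaccess directives for the missing headers.

    'Header always set' also covers error responses, and the <IfModule> guard
    keeps the site serving if mod_headers is not loaded on the host."""
    if not missing:
        return ""
    body = "\n".join(
        f'    Header always set {name} "{RECOMMENDED_HEADERS[name]}"' for name in missing
    )
    return f"<IfModule mod_headers.c>\n{body}\n</IfModule>"


def fetch_headers(url):
    """Fetch live response headers with a HEAD request (not used in the offline demo)."""
    with urlopen(Request(url, method="HEAD")) as response:
        return dict(response.headers.items())


# Constructed sample: a typical response that sets only X-Frame-Options.
SAMPLE_RESPONSE = {
    "Date": "Mon, 01 Jan 2024 00:00:00 GMT",
    "Server": "Apache",
    "Content-Type": "text/html; charset=utf-8",
    "x-frame-options": "SAMEORIGIN",
}

if __name__ == "__main__":
    missing = missing_security_headers(SAMPLE_RESPONSE)
    print("Missing headers:", ", ".join(missing) or "none")
    print(htaccess_lines(missing))
```

To check a live site, replace SAMPLE_RESPONSE with `fetch_headers("https://your-site.example/")`; the generated block goes at the top of the HTACCESS file, and a quick re-run confirms the headers are now served.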
Install, configure & maintain a Web Application Firewall
We recommend that you actively use the Web Application Firewall (or WAF) to:
- customise your website's HTACCESS file to improve website security.
- monitor for and temporarily or permanently block IP addresses which trigger persistent security exceptions.
We recommend Akeeba Admin Tools.
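To make the second bullet concrete, here is an added Python example (not the article's code and not how Akeeba Admin Tools is implemented) that replays security-exception log lines and decides when a client IP address should be blocked temporarily and when permanently. The log format, the addresses (documentation ranges) and the thresholds are all constructed for the demonstration; tune the equivalent thresholds in your own WAF rather than copying these.

```python
"""Replay security-exception log lines and decide which client IPs to block,
the way a WAF's auto-ban feature does: a temporary block once an IP trips a few
exceptions inside a short window, a permanent block once it has been
temporarily blocked repeatedly.

Added example, not code from the original article and not Akeeba Admin Tools'
logic or log format. SAMPLE_LOG is constructed (documentation IP ranges) and
the thresholds are assumptions to tune."""

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy.
TEMP_THRESHOLD = 3                    # exceptions inside WINDOW -> temporary block
WINDOW = timedelta(minutes=5)
TEMP_BLOCK_DURATION = timedelta(hours=1)
PERM_THRESHOLD = 2                    # temporary blocks -> permanent block

# Constructed log format: "<ISO timestamp> <client ip> <exception type> <path>".
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.5 sqlishield /index.php
2024-03-01T10:00:20 203.0.113.5 sqlishield /index.php
2024-03-01T10:00:40 203.0.113.5 adminpw /administrator/index.php
2024-03-01T10:01:00 198.51.100.7 404shield /wp-login.php
2024-03-01T11:30:00 203.0.113.5 sqlishield /index.php
2024-03-01T11:30:10 203.0.113.5 sqlishield /index.php
2024-03-01T11:30:20 203.0.113.5 sqlishield /index.php
"""


def parse_line(line):
    """Split one log line into (datetime, ip, exception type, path)."""
    timestamp, ip, kind, path = line.split(maxsplit=3)
    return datetime.fromisoformat(timestamp), ip, kind, path


def evaluate(log_text):
    """Replay the log in order; return {ip: [(action, when), ...]} for blocked IPs."""
    recent = defaultdict(deque)      # ip -> timestamps of exceptions inside WINDOW
    temp_blocks = defaultdict(int)   # ip -> temporary blocks issued so far
    temp_until = {}                  # ip -> expiry of the current temporary block
    decisions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, ip, _kind, _path = parse_line(line)
        # Requests from an IP that is already blocked never reach the site,
        # so they neither count again nor escalate the block.
        if any(action == "perm" for action, _ in decisions.get(ip, [])):
            continue
        if ip in temp_until and when < temp_until[ip]:
            continue
        window = recent[ip]
        window.append(when)
        while window and when - window[0] > WINDOW:
            window.popleft()
        if len(window) >= TEMP_THRESHOLD:
            window.clear()
            temp_blocks[ip] += 1
            if temp_blocks[ip] >= PERM_THRESHOLD:
                decisions[ip].append(("perm", when))
            else:
                decisions[ip].append(("temp", when))
                temp_until[ip] = when + TEMP_BLOCK_DURATION
    return dict(decisions)


def is_blocked(decisions, ip, at):
    """Is `ip` blocked at time `at` (datetime or ISO string) under these decisions?"""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    for action, when in decisions.get(ip, []):
        if action == "perm" and at >= when:
            return True
        if action == "temp" and when <= at < when + TEMP_BLOCK_DURATION:
            return True
    return False


if __name__ == "__main__":
    for ip, actions in evaluate(SAMPLE_LOG).items():
        for action, when in actions:
            label = "permanent" if action == "perm" else "temporary"
            print(f"{when.isoformat()}  {ip:15}  {label} block")
```

In the sample, 203.0.113.5 earns a one-hour block after three exceptions in under a minute, comes back after the block expires and is then blocked permanently; 198.51.100.7 triggers a single exception and is left alone, which is the behaviour you want so that one mistyped URL from a legitimate visitor does not lock them out.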
Keep your computer's OS up to date
OS = Operating System.
We recommend using Linux.
But if you use Windows, Apple or another proprietary operating system, pay close attention to:
- User Account Control (UAC) - Turn it ON and set it to ALWAYS notify you when system changes requiring administrator level permission are about to be made.
- Ensure that Automatic Updates are set to notify you OR automatically download and install updates.
Some tips when using your computer
NEVER trust email:
- NEVER click on links from sources you neither know nor trust.
- NEVER assume a known source is the person you think it is!
- ALWAYS use caution when clicking on email links, especially shortened URLs. Hover before you click. Use a link expander, for example: http://wheredoesthislinkgo.com/.
- NEVER open attached files without scanning for viruses and malware.
ALWAYS turn ON Browser Security Features.
ALWAYS use the latest available release of any application (for example, web browsers, FTP clients, Adobe Reader, etc.).
REGULARLY SCAN your computer for malware. We recommend Malwarebytes to users of the Windows operating system.
COACH & MONITOR your colleagues (employees, organisation members etc) to ensure they follow security protocols.