ecurity of Joomla Website by Htaccess
Htaccess is a configuration file from web servers that run Apache as their server software. It is a very powerful configuration file which can control the server. Htaccess is a hidden file which should be already present in the root directory of your server. If it’s not, then you can create it, but make sure that the right name of the file is “.htaccess” (yes, it starts with a dot). Since we can do so many things with the help of .htaccess, in this section I will discuss the security aspect of an .htaccess file for Joomla.
You can protect the administrative area using different techniques. For example, you can restrict it based on the IP address (in this case you’d need to create an .htaccess file on the administrator directory):
Remember, if your ISP is using the dynamic IP technique, then it is not a good idea to use this technique since your IP address might change at any given time. To prevent use of the directory listing (because an attacker may read important files off the server and a directory listening always help a hacker learn about the security practices of a website), you can write the code below into the .htaccess file which is present in your root:
Another best practice is to disable the server signature because it gives an idea about the web server software and the version of the software. To do this, add this line in the .htaccess file to disable the server signature:
Another important step is to secure the .htaccess file itself so that nobody can read it on the browser. To do this, you need to add these lines on the .htaccess file:
Configuration.php is a very important file because it contains information about the database of the website and other relevant information. So you need to secure the configuration.php file by utilizing the .htaccess file:
Since there are various security risks associated with the configuration.php file, it is not enough to simply make the adjustments above. For maximum security, you need to move configuration.php outside the public_html. But how to do this? If you simply move the configuration.php file then your website might crash.
How to Move the Configuration.php Outside the public_html Joomla
Below is a tutorial that has been tested on Joomla 1.5 to move the configuration.php file outside the public_html.
In the first step, you need to create a directory home (outside the public_html). Suppose the directory name is irfan:
Download and make a backup of configuration.php.
Delete the current configuration.php from the Joomla folder (from public_html). Remember, when you delete it your website might crash and the error will read:
Go on the folder that has been created in the first step.
Upload the configuration.php in that file.
Go the Joomla file (includes/defines.php) and replace the line:
define(‘JPATH_CONFIGURATION’,JPATH_ROOT); with: define(‘JPATH_CONFIGURATION’,JPATH_ROOT.DS.’../rootfoldername’);. If
Joomla is in subdirectory, then replace it with: define(‘JPATH_CONFIGURATION’,JPATH_ROOT.DS.’../../’.DS.’rootfoldername’); (it is a case sensitive so be sure to use proper caps).
Remember, the rootfoldername is the name of the folder that we have created in the first step (which is irfan in this case study).
Repeat the same step for: administrator/includes/defines.php.
Now the website is ready and secure.
Conclusion
Since the Internet is not a very safe place, you need to take a personal interest in the security of your website. So if you’re using the Joomla platform, be sure to implement the best security practices available, if you want to remain secure.
Htaccess is a configuration file from web servers that run Apache as their server software. It is a very powerful configuration file which can control the server. Htaccess is a hidden file which should be already present in the root directory of your server. If it’s not, then you can create it, but make sure that the right name of the file is “.htaccess” (yes, it starts with a dot). Since we can do so many things with the help of .htaccess, in this section I will discuss the security aspect of an .htaccess file for Joomla.
You can protect the administrative area using different techniques. For example, you can restrict it based on the IP address (in this case you’d need to create an .htaccess file on the administrator directory):
order deny,allow
allow from 116.71.18.189
deny from all
Remember, if your ISP is using the dynamic IP technique, then it is not a good idea to use this technique since your IP address might change at any given time. To prevent use of the directory listing (because an attacker may read important files off the server and a directory listening always help a hacker learn about the security practices of a website), you can write the code below into the .htaccess file which is present in your root:
IndexIgnore *
Options -Indexes
Another best practice is to disable the server signature because it gives an idea about the web server software and the version of the software. To do this, add this line in the .htaccess file to disable the server signature:
ServerSignature Off
Another important step is to secure the .htaccess file itself so that nobody can read it on the browser. To do this, you need to add these lines on the .htaccess file:
<Files .htaccess>
order allow,deny
deny from all
</Files>
Configuration.php is a very important file because it contains information about the database of the website and other relevant information. So you need to secure the configuration.php file by utilizing the .htaccess file:
<FilesMatch "configuration.php">
Order allow,deny
Deny from all
</FilesMatch>
Since there are various security risks associated with the configuration.php file, it is not enough to simply make the adjustments above. For maximum security, you need to move configuration.php outside the public_html. But how to do this? If you simply move the configuration.php file then your website might crash.
How to Move the Configuration.php Outside the public_html Joomla
Below is a tutorial that has been tested on Joomla 1.5 to move the configuration.php file outside the public_html.
In the first step, you need to create a directory home (outside the public_html). Suppose the directory name is irfan:
Download and make a backup of configuration.php.
Delete the current configuration.php from the Joomla folder (from public_html). Remember, when you delete it your website might crash and the error will read:
Go on the folder that has been created in the first step.
Upload the configuration.php in that file.
Go the Joomla file (includes/defines.php) and replace the line:
define(‘JPATH_CONFIGURATION’,JPATH_ROOT); with: define(‘JPATH_CONFIGURATION’,JPATH_ROOT.DS.’../rootfoldername’);. If
Joomla is in subdirectory, then replace it with: define(‘JPATH_CONFIGURATION’,JPATH_ROOT.DS.’../../’.DS.’rootfoldername’); (it is a case sensitive so be sure to use proper caps).
Remember, the rootfoldername is the name of the folder that we have created in the first step (which is irfan in this case study).
Repeat the same step for: administrator/includes/defines.php.
Now the website is ready and secure.
Conclusion
Since the Internet is not a very safe place, you need to take a personal interest in the security of your website. So if you’re using the Joomla platform, be sure to implement the best security practices available, if you want to remain secure.
