How to secure Joomla and prevent being hacked?

Question

I know securing any website is a very tough and broad topic to be discussed upon but i want to relate this question to my specific website which i've been working on. It was coded in php by some other programmer around 2007 and i am responsible for it's management. My problem is it's being hacked time and again. Please help me

Joomla version 1.5.18(With Virtuemart)

Answer 1

In the long term, you should probably migrate to the latest version of Joomla e.g. Joomla 3.x.

A short term fix would probably involve most or all of the following:

1. Clean up the current website. An efficient and effective way to do this is to use the tool from Phil Taylor at http://myjoomla.com. Your first audit is free.
2. Change Joomla administrative user accounts, cPanel and database passwords to new and strong passwords.
3. Update the website to Joomla 1.5.26.
4. Apply security hotfixes for Joomla EOL versions where applicable.
5. Update all third party extensions to the latest versions and keep them up to date.
6. Check for and remove any vulnerable extensions: http://vel.joomla.org
7. Subscribe to the Joomla Vulnerable Extensions list so new vulnerabilities can be quickly attended to.
8. Remove any unused third party extensions.
9. Disable or remove unused user accounts.
10. Where possible, minimise the number of third party extensions.
11. Where possible, use the most popular and best supported extensions.
12. Use a good quality web host that are serious about server security.
13. Don't rely solely on your web hosting provider for a backup.
14. Perform regular backups of the website and copy them off-site.
15. Consider security enhancements as per the answers already provided here although the above is usually sufficient to keep a Joomla website secure.

Run through the same procedure for any other websites that share the same web hosting space.

You might also review security on your own computer and any other administrator computers as it's possible hackers may have intercepted an FTP password (or similar) from the FTP client on your computer etc.

Answer 2

I would recommend to use OWASP Joomla! Vulnerability Scanner. You will be able to identify known security vulnerabilities and exploitable plug-ins. See how to use at : http://m4extensions.com/tutorials/6-how-to-secure-my-joomla-website-from-hack

Answer 3

From this guide:

8 Ways to secure Joomla and prevent being hacked!

1. Change the default database prefix (jos_)
2. Use a SEF component
3. Use the correct CHMOD for each folder and file.
4. Password protect your administrative area.
5. Keep your website up-to-date.
6. Use a .htaccess file to secure your Joomla.
7. Passwords - Use a unique and strong password.
8. Install the jSecure Authentication plugin.

Answer 4

Well for starters, you're using Joomla 1.5 which is old and less secure. Upgrade your site to Joomla 2.5 or 3.1 and then read the following, which is a question I answered a while back regarding what could be done to help prevent a Joomla attack:

Joomla! 2.5.4 Hacked: Having trouble with diagnosis