A Joomla! website's security is one of the most important issues for a webmaster. Indeed, it is not enough just to work hard on a project, sometimes on a local server, to run various tests, to set everything up, then to put it online and congratulate yourself.
As a matter of fact, the security of a Joomla! site (or of any other website) is more or less daily work that needs to be taken very seriously.
A properly secured website ensures the durability of your projects, reassures your users and, most significantly, spares you the many hours of work needed if your site gets hacked. Spending some time on your site's security every now and then is much preferable to sleepless nights when a security issue hits.
Basic security precautions for Joomla!
You probably already know this, but I'll say it anyway: to keep your Joomla! website as secure as possible, you have to:
- Keep your website updated. You should always use the latest stable version (LTS or STS) of Joomla! available. The Joomla! development team works hard to offer you corrective patches. For your part, you just have to apply those patches, which is usually done with only a few clicks. It's simple, so make the most of it.
- Keep all installed extensions updated. The (good) developers work hard to offer you corrective patches. For your part, you just have to apply those patches, which is usually done with only a few clicks. It's simple, so make the most of it.
NOTE: As always, back your website up before updating (Joomla! or third-party extensions). You can do so in just a few clicks thanks to a great extension: Akeeba Backup.
As you can see, the security (regarding updates) and the backup of your website are all about clicks... So you have no excuse if your site and its extensions are not updated, or if you don't have a recent backup to restore from should a problem occur.
But that's not all...
Thanks to various extensions, it is possible to add extra layers of protection to better secure your site (and therefore your work, your users, your hours of sleep...). These extensions allow you, for example, to hide the login page of your site's backend (a hacker will have trouble finding the key to a door he or she doesn't see), to hide some Joomla! files (from which it is possible to tell which version of Joomla! you're using) and to add other security measures.
Today, we are going to focus on the extension called aeSecure.
First of all, let's highlight the fact that, in addition to better securing your website, aeSecure will also improve its performance, for example by speeding up your page load times, which is appreciable.
How does aeSecure work?
aeSecure intercepts every access to your website before the request even reaches your PHP pages. Therefore, Joomla! will never see a dangerous URL, because aeSecure has already blocked it.
Once a request is blocked, a "denied access" context screen appears. "Context" because the information it contains indicates the reason for the blocking and, as the site manager, you can decide whether you want to be notified by email. If you do, you will be informed of every attempt in an email gathering a lot of information, such as a Google map showing you where the illegal access comes from (based on the visitor's IP address).
To download aeSecure, go to the site aeSecure.com, then click the download tab. On this page you can find many different offers with various functionalities and also some (very responsive) support.
In this tutorial, we will see how to use the free version of aeSecure and we'll have a look at its different features.
Installing aeSecure on your website is simple. Please note that aeSecure is not a Joomla! extension, so you don't install it via the extension manager; it can be installed on any website running on an Apache server. aeSecure can therefore also be used for Drupal or WordPress websites, for example.
Once the download is complete, you get an "aesecure.php" file. Take this file and put it in the root of your site (via an FTP client for a site on a live server).
When this is done, go to the address: www.yoursite.com/aesecure.php.
You will see the following page:
1 – Say hi to Nono, he is the one who will secure your website...
2 – Take time to read the important information, then check the two boxes.
3 – Important! In order to secure access to the configuration screen, aeSecure has created a key. You should write it down, as you will not be able to access this configuration screen without it. Write it down twice. For those who forgot their key, you can read this page.
Note: You can add this URL to your bookmarks for quicker access later.
4 – Click the complete installation button.
You will be taken to this page :
1 – A menu allowing you to navigate the different parts of aeSecure.
2 – A menu enabling you to go to the author's website, to navigate through aeSecure's different sections (same as 1), to reach different tools such as your .htaccess or php.ini files and your logs, and finally links to the documentation and to the author's forum.
3 – A button to make sure you are using the latest version of aeSecure.
4 – The different sections of aeSecure.
If you navigate through the different parts (using the menu or scrolling the page down), you can see that each element has a little flag showing its level of importance:
Must: The parameters that must be configured as a priority. They will increase both your site's security and optimization. Options 1 and 2 are mandatory; the protection can only be activated once these two options are implemented.
Good: Not essential, but interesting parameters to better secure your website.
Need?: Protections that you may not need, or that you may need only occasionally, such as disabling access to your site for all users but you (maintenance mode).
Extrem: Very advanced and restrictive parameters; they might cause malfunctions or errors.
Before you activate them, take time to analyze and to test your website.
For each parameter, there are several tabs:
1 – Introduction: introduces the parameter.
2 – More info: gives you additional information about the parameter.
3 – Test: allows you to test the parameter.
4 – Protect!: allows you to install the parameter.
Note: Some parameters don't have the Test tab.
Note: Before you activate a parameter, make sure you know what you're doing. Gather information about your installation and from your host, as, for example, some hosts don't support php.ini files.
A screen centralizing all features
One of aeSecure's most significant advantages is that all the functionalities are gathered on the very same page. Therefore, you don't have to open a section to configure a parameter, save, and then open another section, and so on.
With the Pro offer, you can gather all your websites secured with aeSecure on one central page. There you have access to the installed version numbers, you can see whether everything is up to date, and you can perform many other actions, such as installing a more recent version on the remote site, practically without leaving the administration interface.
Ease of use
All the parameters have an on/off button. So you can enable/disable them with one click.
You can easily enable or disable only the functionalities (one or more) that you need. This is very useful, especially because the security needs may vary from one site to another.
Clear and detailed information
There are several tabs for each parameter including the tabs Introduction and More info, thus giving users (regardless of their level) access to a lot of information about the action they're about to undertake.
An interface which uses Bootstrap
Using Bootstrap, which is also used in Joomla 3.x, ensures comfortable use whatever the platform or device (office computers, laptops, tablets, smartphones).
Security and Optimization
Even though this article mainly deals with security, it's important to highlight the fact that aeSecure is also an optimization tool. In just a few clicks, it is possible to implement .htaccess rules to cache static files, to enable server compression and to enable Google mod_pagespeed, with only 3 on/off buttons.
Help for hacked sites
Your site's been hacked? Install aeSecure and you will find (in the Tools menu) many different tools to search for recently edited files and for malicious code such as Trojan horses.
Management of folders/files permissions
With the premium version of aeSecure, you will be able to manage your website's files and folders, and you'll get information about the best chmod for a given file, the chmod not to exceed for another file, etc.
Your website in a zip file
You can easily export your entire website (or only a specific file) to a zip file so that, for example, you can scan these files locally.
The Different parts
Basic security / Required
In this part, you'll be able to significantly improve your website's security. Here are some examples:
- Addition of a .htaccess file containing various rules to improve your site's security and optimization. This file will replace the one you're using, so don't forget to back up your .htaccess file before enabling this parameter, especially if it contains rules of your own such as redirects.
- Folder protection by adding separate .htaccess files to limit access to some key locations (such as the /tmp directory).
- Hiding Apache errors to avoid giving information to potential hackers.
- Checking that no folders/files are set to chmod 777, to prevent anyone from editing/running files.
In this section, you'll be able to add further rules to increase the security of your site or of some parts of it. Here are a few examples:
- Limiting access to a location by IP address, which allows you to restrict access to /administrator (for Joomla! users) to only computers using predefined IP addresses.
- Password protection, so you can secure access to the page yoursite.com/administrator with an additional password.
- Restricting access to your site to keep out robots, such as the ones that suck whole sites up (site-copying bots).
- Preventing search engines from indexing and offering links to any .zip files on the site.
- Blocking access to hidden files (starting with "."), such as .backup files for example.
- Setting your website's file and folder permissions (chmod).
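To make the rules listed in this section and in the "Basic security" section concrete, here is an added example of the kind of .htaccess configuration they translate to; it is not aeSecure's generated output. It assumes Apache 2.4 syntax (Apache 2.2 uses Order/Deny directives instead), and the IP address 203.0.113.10 and the .htpasswd path are placeholders.

```apache
# Added example, not aeSecure's generated rules. Apache 2.4 syntax assumed.
# Three .htaccess files are shown, one per folder. Placeholders: the IP
# address 203.0.113.10 and the .htpasswd path.

# ---------- /.htaccess (site root) ----------
# Do not advertise the Apache version and OS on error pages.
ServerSignature Off

# Block hidden files and folders (.htaccess, .git, a .backup file ...)
# but keep /.well-known/ reachable, e.g. for certificate validation.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/
    RewriteRule "(^|/)\." - [F]
</IfModule>

# Tell search engines not to index or link archives left in the web root.
<IfModule mod_headers.c>
    <FilesMatch "\.(zip|tar|gz|sql|bak)$">
        Header set X-Robots-Tag "noindex, nofollow"
    </FilesMatch>
</IfModule>

# ---------- /tmp/.htaccess (Joomla! temporary folder) ----------
# Nothing uploaded or unpacked in /tmp should ever be served over HTTP.
Require all denied

# ---------- /administrator/.htaccess ----------
# The backend is reachable only from one known address AND behind an
# extra password; RequireAll makes both conditions mandatory.
AuthType Basic
AuthName "Restricted area"
# Keep the password file outside the web root.
AuthUserFile /home/site/.htpasswd
<RequireAll>
    Require ip 203.0.113.10
    Require valid-user
</RequireAll>
```

Test each file in turn with a browser from an allowed and a non-allowed address before relying on it, since a typo in a .htaccess file makes Apache return a 500 error for the whole folder.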
In this section, you'll be able to focus on the security of your Joomla! websites. Here are some examples:
- Hiding the version of Joomla!, so as not to give away your version number, especially if your website isn't updated...
- Blocking Joomla!'s native user registration, so that no one can register by calling the registration URL directly. First, make sure that your users don't need to register on your site.
- Protecting your admin files; once again, this aims to hide key information from potential hackers.
- Limiting access to some components.
SEO (Search Engine Optimization)
In this part, you will be able to slightly enhance your search ranking:
- URL rewriting, so URLs are more readable and memorable for both search engines and your visitors.
- Using either the www or the non-www version of your domain, to avoid duplicate content, which search engines don't appreciate.
This section will allow you to boost your website's performance, for example by speeding up your page load times. Some may say that it's good for search ranking, but above all, it's much appreciated by your visitors:
- Server compression.
- Static file lifetime.
- Preventing hotlinking.
- Clearing the temporary folder /tmp, which needs to be done every now and then.
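For the SEO items (www redirect) and the performance items (compression, static file lifetime, hotlinking) described in the two sections above, here is an added example of equivalent .htaccess rules for the site root; it is not aeSecure's output. It assumes Apache 2.4 with mod_rewrite, mod_deflate and mod_expires available, and example.com is a placeholder domain.

```apache
# Added example, not aeSecure's generated rules. Apache 2.4 assumed;
# example.com is a placeholder domain. Goes in the site root .htaccess.

<IfModule mod_rewrite.c>
    RewriteEngine On

    # SEO: redirect the bare domain to the www host (301, permanent) so
    # search engines see a single copy of every page. %{REQUEST_SCHEME}
    # keeps http or https as requested.
    RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
    RewriteRule ^(.*)$ %{REQUEST_SCHEME}://www.example.com/$1 [R=301,L]

    # Hotlink prevention: images are served only when the referer is one
    # of our own pages. An empty referer stays allowed so that direct
    # visits, bookmarks and privacy-minded browsers still get the image.
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
    RewriteRule \.(jpe?g|png|gif|webp)$ - [F,NC]
</IfModule>

# Server compression: compress text-based responses (never images or
# archives, which are already compressed).
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml
    AddOutputFilterByType DEFLATE application/javascript application/json
    AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>

# Static file lifetime: browsers may reuse cached assets for the given
# period instead of re-downloading them on every page view. Keep HTML
# short-lived so content changes are picked up quickly.
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access plus 1 day"
    ExpiresByType text/html "access plus 0 seconds"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType text/css "access plus 1 week"
    ExpiresByType application/javascript "access plus 1 week"
</IfModule>
```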
As is the case for updates and backups, securing and optimizing your website with aeSecure can be done in just a few clicks. The installation and configuration only take a few minutes and add extra security layers that make your website much more secure.
As you would do for any other extension, if you're using aeSecure and you're satisfied with it, don't forget to reward the author with a financial contribution or to buy the premium version, to thank him and support his project!
Note: Currently, aeSecure is available in French, English and Portuguese, and partially in Spanish. The developer (Christophe Avonture) may offer a Premium+ lifetime subscription to anybody willing to translate it into a language that is not yet supported. If you are interested, you can contact him via his website.