If you are a webdeveloper or if you have a webdesign company that is in business for a while you will undoubtedly encounter this problem. You have an old Joomla 1.0 site which is custom made for your client and you don’t want to upgrade to joomla 1.5 or joomla 1.7. Because this would mean to make the site all over again and that is just too much work.
So you want to keep this website online even if it’s not the safest version of joomla. It might even have some vulnerable 3rd Party extensions installed which you don’t know about. The consequences of this decision can be quite frustrating. You will find that your website is hacked over and over again and you have to repair the damage each time. Sometimes hackers can even gain access to other sites on the same webserver and the damage is even bigger.
That why it’s important to keep an eye on those old joomla 1.0 websites. That’s why I made Ghanja Interceptor. This plugin is build to protect old joomla 1.0 sites from SQL injections and local file inclusions. This plugin intercepts and checks data which is sent to joomla making it more difficult for hackers to hack your joomla 1.0 website. It filters POST, GET, REQUEST data and blocks a lot of hidden attacks. It can also temporary block IP addresses from the attackers and there is an optional email notification on attack.
This plugin can prevent a lot of common exploits and can even fix leaks in lots of old and vulnerable 3rd Party extensions. This is good for the safety on your webserver and also saves you a lot of work. Installing and configuring this plugin is done in a minute and will instantly increase the security of your website.
You can download this plugin here:
What can i do more?
It’s a little more complicated but just as important to configure your webserver properly to use it with joomla 1.0.
First off all always keep those old Joomla 1.0 sites in a separate account on your webserver to make sure that if the site is hacked the hackers don’t have access to other sites on the same server.
Secondly follow the security guidelines described under here:
1. Proper Hosting Environment
A properly configured server is highly recommended for your joomla website. Host your site on a server that runs PHP in CGI mode with su_php. This means that PHP runs under your own account user instead of the global Apache user and you don’t need to set insecure global permissions like CHMOD of 777.
a. Set register_globals OFF
b. Disable allow_url_fopen
c. Adjust the magic_quotes_gpc directive as needed for your site. The recommended setting for Joomla! 1.0.x is ON to protect against poorly-written extensions. Joomla! 1.5 ignores this setting and works fine either way.
d. Don’t use PHP safe_mode
2. Change the Default Database Prefix (jos_)
While installing, change the default database prefix to something random. This will prevent most of the SQL injection attacks as hackers try to retrieve superadmin details from jos_users table.
3. Disable FTP Layer
While installing, don’t enable the FTP layer as it opens up a potential security hole since your FTP details are stored in plain text under a Joomla! configuration file. FTP layer is not required if your hosting is secured and configured properly for Joomla.
4. Change super administrator username
After installation, change the username for the super-administrator. By default, its admin. So change it something else so that the username/password combination becomes difficult to guess or crack.
5. Strong password
Always use strong password for the administrator accounts. An example of strong password is d@^B!$<9@G. A good addition is to password protect the administrator folder. In apache web server, you can do this htaccess file or in cpanel, you can use Password Protected Directory option to setup a password. This will add another layer of username/password before someone reaches your Joomla admin details. Needless to say, have this password different from Joomla admin password.
6. Enable SEF URLs
Most hackers use the Google inurl: command to search for a vulnerable exploit. So enable SEF urls from site configuration if you are using Joomla 1.5. You can also use extensions like SH404SEF for both Joomla 1.0 and Joomla 1.5. This will prevent hackers from finding the exploits as well as benefit you in SEO perspective.
7. Upgrade to latest release of Joomla
Always upgrade to the latest release of Joomla as soon as possible. The latest Joomla 1.0 release is version 1.0.15.
8. Third party extensions
There are more than 4000 extensions available for Joomla many of which are non-commercial. But don’t take this as an opportunity to install unnecessary extensions on your website. Remember that most hacking attempts occur due to vulnerability in these extensions. So, always use extensions which are popular, has strong community backing and development process.
9. Proper file/folder permissions
The proper file/folder permissions for your joomla website are:
* PHP files: 644
* Config files: 666
* Other folders: 755
You can CHMOD the files and folders using your FTP client.
10. Setup a backup and recovery process
Always rely on a strong backup and recovery protocol for your live website. It’s not just hacking that may compromise your website but other factors like a faulty upgrade or extension install, hardware failure, hosting provider issues.
If you want to know more about how to do this you can visit: