How safe is the Joomla front end?

Hi Guys,

Of late I have been working on a few Joomla websites for family and friends. Usually I do all the back-end work, and if my clients need to edit anything they log in via the front end. I'm just wondering how safe the Joomla front end is from hacking, sniffing, etc. I do know it all goes over HTTP, and this is what makes me worried.
If someone could explain to me whether there is a way to set up a secure Joomla front-end login, or could convince me that the front-end login is already secure, it would be great.

PS: I am only a BEGINNER-level Joomla programmer, so please explain in detail.
manav08Asked:
nfariaCommented:
There is a whole bunch of security advice in the Joomla documentation here:
http://docs.joomla.org/Category:Security_Checklist

But if you are very concerned about data going in plain text over HTTP, you can consider running Joomla Administration over HTTPS.
http://forum.joomla.org/viewtopic.php?f=432&t=264967

Usually the main security gap is your users giving away their passwords or having malicious bots installed. So if you don't control your back-end users, it's a hard task to keep it 100% safe.

If you trust your servers (hosting) and your sites don't hold any confidential info, you should be fine having a good set of backups to make a quick restore if ever needed.
0

rashgangCommented:
Hi manav08,


There are a lot of security extensions available.

Please check this link:

http://extensions.joomla.org/extensions/access-a-security/site-security

0
JoomstrupCommented:
Hi,

When you look at YouTube videos on how to hack Joomla, you will see almost all of them rely on the standard Joomla install, which will have jos_ as the database prefix and user ID 62 as the super administrator.

Those would be the first two things to change if you want to tighten security.

The database prefix can be set to anything during a manual install of Joomla, or you can change it by running an SQL query or using the tool:
http://sn.im/vvied   [extensions_joomla_org] Just be aware some extensions might not run if the database prefix has been changed. I haven't come across any yet, and I'd consider it bad programming practice to "hardcode" the database prefix.

You can set up other super admin accounts and then delete the ID 62 account; however, just setting up a new user would create ID 63, which any "smart" hacker would try.
There is also a tool made for this specific issue, from the same developer:
http://sn.im/vviiw   [extensions_joomla_org]

This developer also has a script that will check your site for permissions:
http://sn.im/vvikk   [extensions_joomla_org]

There are several security/firewall extensions for Joomla; I'd recommend taking a look at RSFirewall.

This component has an excellent user interface; it will scan your site for permissions AND change them for you if needed. You'll get extra access security for the admin site. You can put your site in lockdown mode to prevent any unapproved installs, and it will monitor your site, and you can set alerts if your site is being tampered with. It can be money well spent.

I would also recommend adding some code to your template to change or remove the
<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />
tag.
Some SEO components will change that for you, or you can do it by adding the code

<?php $this->setGenerator(null); ?>

to your template in the header section. You can add it right after the
<jdoc:include type="head" />
This will potentially help, as many hackers are Googling for the meta generator tag.

These are just some suggestions from a list of things to do. Check the links suggested in the comments above; they are all great.
0
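The points raised in the two answers above (login traffic in clear text over HTTP, the default jos_ table prefix, and the generator meta tag that advertises the Joomla version) can all be checked without touching the live site. The script below is an added example, not code from Joomla or from anyone in this thread. It reads a constructed copy of configuration.php and a constructed copy of the front-end login page as a browser would receive it over HTTP, reports each weak setting, and rewrites the one setting Joomla itself provides for the HTTPS question: force_ssl, which in Joomla 1.5 takes 0 (none), 1 (administrator only) or 2 (entire site). The key names and sample values are assumptions based on a stock 1.5 install.

```python
"""Offline audit of the Joomla hardening points discussed in this thread.

Added example, not code from Joomla or from any poster. It inspects two
constructed inputs: the text of a site's configuration.php and the HTML of
its front-end login page. Nothing is fetched from the network.
"""
import re
from typing import List, Optional

# Constructed sample: the relevant lines of a default Joomla 1.5
# configuration.php (a real file has many more settings).
SAMPLE_CONFIG = """<?php
class JConfig {
\tvar $offline = '0';
\tvar $dbprefix = 'jos_';
\tvar $force_ssl = '0';
\tvar $live_site = '';
}
?>"""

# Constructed sample: a stripped-down front-end login page served over HTTP.
SAMPLE_LOGIN_HTML = """<html><head>
<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />
</head><body>
<form action="http://example.invalid/index.php?option=com_user" method="post" name="login">
<input type="text" name="username" /><input type="password" name="passwd" />
</form></body></html>"""


def read_config_value(config_text: str, key: str) -> Optional[str]:
    """Return the quoted value of `var $key = '...'` (1.5) or `public $key = '...'` (1.6+)."""
    pattern = rf"(?:var|public)\s+\${key}\s*=\s*'([^']*)'\s*;"
    match = re.search(pattern, config_text)
    return match.group(1) if match else None


def audit_config(config_text: str) -> List[str]:
    """List weak settings found in configuration.php; empty list means none found."""
    findings: List[str] = []
    prefix = read_config_value(config_text, "dbprefix")
    if prefix is None:
        findings.append("dbprefix: not found (cannot assess)")
    elif prefix == "jos_":
        findings.append("dbprefix: default 'jos_' (what canned attack tooling assumes)")
    force_ssl = read_config_value(config_text, "force_ssl")
    if force_ssl in (None, "0"):
        findings.append("force_ssl: 0 (admin and front-end logins sent in clear text)")
    elif force_ssl == "1":
        findings.append("force_ssl: 1 (administrator only; front-end login still over HTTP)")
    return findings


def harden_config(config_text: str) -> str:
    """Return configuration.php text with force_ssl set to '2' (entire site).

    Only apply this once the host actually serves the site over HTTPS;
    otherwise Joomla redirects every request to a URL that does not answer.
    """
    pattern = r"((?:var|public)\s+\$force_ssl\s*=\s*)'[^']*'"
    new_text, count = re.subn(pattern, r"\g<1>'2'", config_text)
    if count == 0:
        raise ValueError("force_ssl not found in configuration.php")
    return new_text


GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]*)"', re.I)
FORM_ACTION_RE = re.compile(r'<form[^>]*\saction="([^"]*)"', re.I)


def audit_login_page(html: str) -> List[str]:
    """Report a version-revealing generator tag and any form posting over plain HTTP."""
    findings: List[str] = []
    generator = GENERATOR_RE.search(html)
    if generator:
        findings.append(f"generator tag present: {generator.group(1)!r}")
    for action in FORM_ACTION_RE.findall(html):
        if action.lower().startswith("http://"):
            findings.append(f"login form posts over plain HTTP: {action}")
    return findings


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG) + audit_login_page(SAMPLE_LOGIN_HTML):
        print("WEAK:", line)
    print("--- after harden_config ---")
    for line in audit_config(harden_config(SAMPLE_CONFIG)):
        print("STILL WEAK:", line)
```

The prefix finding is left for the reader to act on because renaming the tables is a database change, not a configuration edit: after harden_config only the jos_ prefix remains reported. Note that force_ssl alone does not remove the generator tag; that still needs the setGenerator(null) call from the template, as described above.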

manav08Author Commented:
Thanks for your comments guys. I will do a bit of research on this tonight and get back to you.
0
lenamtlCommented:
Because of too many security issues, I have switched to ExpressionEngine, which is secure and solid code.
http://expressionengine.com/
0
M. Rashel AhmedCommented:
Since Joomla has security issues, you need to keep it up to date all the time. As long as you are up to date, it's OK. I like Joomla. Here is the correct procedure to upgrade your site: http://docs.joomla.org/Upgrade_Instructions .

**remember!! if you don't do it properly, you will break your site.**

0
manav08Author Commented:
Hi Guys,

Thanks for the input.
I never actually got to try these solutions, as I got busy with other things. Web development is just my hobby, so one day I will definitely look into these solutions. Awarding points for your effort.
0