- When installing, make sure you don't use the default jos_ table prefix for your Joomla database; rename it via phpMyAdmin if necessary.
- Never use the default Super Admin username of "admin"; always change this to something less predictable.
- Never use the user ID 42: either change the user ID via phpMyAdmin, or demote this user to Registered and then select "block this user" in the Joomla User Manager.
- Redirect the admin URL to something other than /administrator/. You can do this via a .htaccess redirect, although there are plenty of great extensions out there that will help secure the URL of your admin panel from potential hack attempts. jSecure Authentication is one I highly recommend; this component will allow you to choose the new admin panel address,
  - i.e. /administrator/?whateveryouwant!
- Check and change your chmod settings to:
  - directories should be 755
  - files should be 644
  - the configuration.php file should be 444
  - use an FTP client like FileZilla or your hosting panel's file manager to change the settings
  - I prefer to install and use Akeeba Admin Tools (lots of other great security features, including a WAF)
- Avoid using FTP in Global Configuration via the Joomla admin panel.
- Set "Show Joomla Version" to "No" in Global Configuration via the Joomla admin panel.
- Ensure that all sensitive files are outside the web root.
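As an added example (not part of the original post), a small shell script that checks a Joomla web root against the permission and table-prefix points above and can apply the recommended modes; the function names and the /var/www/joomla path are assumptions, and it relies on the standard configuration.php layout (`public $dbprefix = '...'`).

```shell
#!/bin/sh
# Audit a Joomla web root against the recommendations above:
#   directories 755, files 644, configuration.php 444, no default jos_ prefix.
# Usage (path is an assumption): . ./joomla_audit.sh; joomla_perm_audit /var/www/joomla

# Print one "kind path" line per object whose mode differs from the target.
# Empty output means every directory and file already matches.
joomla_perm_audit() {
    root="${1%/}"                      # drop a trailing slash so -path matches
    config="$root/configuration.php"
    {
        # A bare "-perm MODE" is an exact match, so "! -perm 755" lists every
        # directory that is not exactly rwxr-xr-x (777 from a careless unpack, 700, ...)
        find "$root" -type d ! -perm 755 -print | sed 's/^/dir  /'
        # Regular files other than configuration.php must be exactly 644
        find "$root" -type f ! -path "$config" ! -perm 644 -print | sed 's/^/file /'
        # configuration.php holds the DB credentials; it should be read-only (444)
        find "$root" -type f -path "$config" ! -perm 444 -print | sed 's/^/conf /'
    } | sort
}

# Apply the recommended modes in place (run as the file owner).
joomla_perm_fix() {
    root="${1%/}"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/configuration.php" ]; then
        chmod 444 "$root/configuration.php"
    fi
}

# Exit 0 when configuration.php still carries the default jos_ prefix; matches
# both the old "var $dbprefix" and the newer "public $dbprefix" form.
joomla_default_prefix() {
    grep -Eq "^[[:space:]]*(public|var)[[:space:]]+\\\$dbprefix[[:space:]]*=[[:space:]]*'jos_'" \
        "${1%/}/configuration.php"
}
```

Run the audit before and after changing modes through FileZilla or the hosting file manager to confirm nothing was missed.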
I will add to this list as I think of others; most of them are second nature to me. Please feel free to make comments or add suggestions to this list!