The template is one of the most important aspects of your Joomla website.
It is used on every pageload and affects the look, feel, layout, pageload time and nearly every other aspect of the website experience.
Not surprisingly then, the template is also a prime target for intruders who look to gain access to your webserver or deface your site with spam or graffiti.
To help prevent this, use the following tips to improve your Joomla security policies specifically for your website template.
1. Fix file permissions on your web server
Like any computer system, the files on your web server all have permissions that control who can access them.
For web servers, these permissions are broken down into three categories:
- Read privileges — who can read a file
- Write privileges — who can edit a file
- Execute privileges — who can execute system commands
The safest permissions for the files on your web server — including the files in your template — is for the public to have read-only access. Changes to these files should only be possible by the owner (i.e. the apache root user) of the file.
While a system administrator can easily modify permissions, we recommend that you use the excellent Admin Tools extension to properly set file permissions right from the Joomla backend.
Full details can be found in our blog post on Admin Tools.
2. Lock down the main template file
Since this file is heavily targeted by intruders, it can be helpful to strictly control the permissions such that even the owner (again, the Apache root user, for example) of the file can not make changes.
In fact, if you use the template editor in the Joomla backend, the index.php file is made read-only for everyone once the file is saved.
Again, we think using Admin Tools to do this makes the most sense.
You’ll need to make a change in the configuration of Admin Tools such that the index.php files has the permissions set to 0444. Once the change is made, simply use the Fix Permissions tool as described on our blog.
Full details on customizing the permissions set by Admin Tools can be found on the developer’s website.
3. Prevent file listing (HTACCESS)
Letting visitors know what files you have in your Joomla template folder is never a good idea.
You can check if your template currently displays these files by typing the name of your template folder into your browser (eg. domain.com/templates/) and seeing if you get a Forbidden warning.
If you see a list of your installed template folders, your site is not as safe as it could be.
To solve the problem, you’ll need to use FTP to edit the HTACCESS file in the root of your website so that is contains the following line:
This blog post has more details on using HTACCESS to control file listing.
4. Restrict template edit permissions
Joomla has a powerful template editor that allows users to modify all the components of the template, including the main index.php file.
Thus, anyone who gets backend access to your site can hack your template with ease.
In addition to having unique usernames and strong passwords, you can limit the impact of these types of intrusions by limiting which user groups are allowed to edit templates.
For example, we recommend that users in the Manager usergroup not be able to edit the template.
To configure this in the Joomla backend, select Templates from the Extensions menu.
In the Options at the top-right, locate the Permissions tab and disable the following items for Managers and other groups with backend access who do not need to edit the template:
- Edit State
- Configure ACL & Options
- Configure Options Only
5. Review users regularly for Super User access
Between your website developers, temporary contractors, and the staff/clients who regularly access the backend of a Joomla site, it’s easy to collect unnecessary Super Users.
Regularly monitor the Super Users and Administrators in the backend User Manager to ensure that every user is needed.
Is you are unsure of someone’s status, check the Last Visit Date in the User Manager to see when the user last logged in.
6. Keep template up to date
Like most popular content management systems, there are thousands of templates available for Joomla. And it’s very likely that most Joomla websites use one one of these templates either directly or as a modified version.
However, the vast majority of Joomla templates do not use the Joomla update system to help alert you when template updates are released.
Thus, we recommend that template users subscribe to any notification system provided by the template vendor.
An alternative and more comprehensive solution is to monitor the relevant changelog page on the vendor’s website for each of the templates installed on your Joomla website(s).
RocketTheme also maintains an RSS feed of updates for their templates if an RSS reader is still part of your daily routine.
7. Only use templates from trusted vendors (never from Warez sites).
Like most popular software, Joomla templates can often be found on Warez sites.
Often, these templates are modified to contain malware and other dangerous scripts.
If you are serious about security, it is critical to always download templates from the vendor’s official website.
Joomla security must include your template
The template is the one required extension for every Joomla website, and keeping it secure is critical to the security of your Joomla site.
By applying the techniques above, you can reduce the risk of intrusion and attacks targeting the Joomla template.
If you have additional techniques for protecting your template, please post them below.