Security Best Practices for Joomla Web Design Agencies
The Joomlashack Conference was a three day online event that took place in early November.
This was a free conference featuring the best speakers from around the Joomla world. Plus, somehow, Vic Drover, the CEO of Watchful, was invited too 🙂
As one of the bigger companies in Joomla, Watchful is committed to playing a helpful and constructive role in the Joomla community.
We recorded Vic’s presentation and it’s now on YouTube with the other conference talks.
Vic talked about website security. Joomla users tend to know a lot about securing their sites with regular updates and good passwords. But true website security is much more complex, particularly if you’re a web design agency with responsibility for multiple sites.
Watch the video of Vic’s talk here …
The Three Levels of Security
The takeaway from Vic’s talk is that there’s a pyramid of website security. Keeping your Joomla site safe is not just about applying regular updates. True security is more complex and if you run an agency, you need to pay attention to three security levels:
- Sites & Software
- Servers & Services
- Agency Workflows & Policies
All three levels are the responsibility of you – the web design agency. Your client trusts you with the security at every level. They trust you with the whole stack from the usernames and passwords to the servers and maintenance. Because of this, your agency processes are the most important security feature. It’s vital to make security part of your agency culture.
Level #1. Agency Workflows & Policies
This section starts at the 7.20 mark. A modern web stack consists of many elements from the website and the server, to email service and the social media accounts. To protect your client, you need to secure many different login details, and that’s especially true if you’re working with contractors.
After you’ve chosen a password storage tool, you can focus on password strength policies. For example:
- How often should passwords be changed?
- How complex should passwords be?
It’s also important to think about how you share passwords. What happens when a client stops working with your agency? Do you remove their password from your storage?
And what about your own team members? Do you stop them from accessing your services when they leave the company?
One approach that Vic recommends (at the 13.00 mark) is to make sure everyone logs in with company credentials. Here at Watchful, all our files are stored in the company’s Google Drive account and all emails are run through the company’s Gmail. By default, our files cannot be easily shared outside of Watchful.
Giving everyone their own account makes it easy to close someone’s access when they leave your company. It also allows you to have an audit trail to record who did what. Joomla now has the “User Activity Logs” feature so you can track all the activity on your sites.
The best agencies have a response plan for several different scenarios. These situations might include Denial-of-Service attacks, server outages, natural disasters, or staff illness. It’s not good enough to tell your clients, “Sorry, we weren’t prepared.” These are details you should have easily available:
- Contact information for all your clients.
- Emergency contact information for all your staff members.
- A backup restoration plan.
- Single-use passwords if you’re using 2-Factor Authentication.
It’s important to keep your agency team up-to-date with regular training at conferences or online. You can also keep them on their toes with services such as PhishingBox, which will test how well people respond to a phishing attempt.
Having a good security policy doesn’t just help you keep existing clients. You can also build these policies into sales pitches to new customers. These policies will give people the confidence to choose you as a vendor.
Level #2. Servers & Services
This part of the talk starts at 19.40. If you’re building sites in Joomla, you’ll probably be dealing with the LAMP stack: Linux, Apache, MySQL and PHP. There may be some small changes such as Nginx instead of Apache, or MariaDB instead of MySQL, but almost all your stacks will be similar.
Many developers outsource this layer of the pyramid to their hosting company. However, that’s a bad idea. Hosting companies often run old and insecure server technology. Plus, server security is more complex than just your LAMP stack, because your server also requires extra features such as an SSL certificate.
You need to use tools to monitor your servers and those extra features. For example, Watchful can track server’s uptime and also help monitor your SSL certificate. You can also use external tools. For example, you can test the quality of your certificate by visiting SSLLabs.com.
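As an added example (not Watchful’s code or anything from Vic’s talk), here is a small Python script that does the certificate-expiry part of that monitoring: it connects to a host, lets the standard library verify the chain and hostname, and reports how many days remain before the certificate expires. The 14-day warning threshold is an assumption; adjust it to your own policy.

```python
import socket
import ssl
import time
from typing import Optional, Tuple

# Assumed policy: warn when fewer than this many days of validity remain.
WARN_DAYS = 14


def days_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """Days between `now` and the certificate's notAfter date.

    `not_after` is in the format ssl.getpeercert() returns, e.g.
    'Jun  1 12:00:00 2025 GMT'. A negative result means the cert has expired.
    """
    if now is None:
        now = time.time()
    expiry = ssl.cert_time_to_seconds(not_after)
    return (expiry - now) / 86400


def classify(days_left: float, warn_days: int = WARN_DAYS) -> str:
    """Map remaining validity to a monitoring state."""
    if days_left < 0:
        return "EXPIRED"
    if days_left < warn_days:
        return "WARNING"
    return "OK"


def check_host(host: str, port: int = 443, warn_days: int = WARN_DAYS) -> Tuple[str, float]:
    """Connect to host:port over TLS and report the expiry state of its certificate.

    create_default_context() verifies the chain and the hostname, so an
    untrusted or mismatched certificate raises ssl.SSLCertVerificationError;
    treat that exception as a finding in its own right.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    days_left = days_until_expiry(cert["notAfter"])
    return classify(days_left, warn_days), days_left


if __name__ == "__main__":
    import sys
    # Usage: python cert_check.py example.org client-site.example
    for host in sys.argv[1:]:
        state, days = check_host(host)
        print(f"{host}: {state} ({days:.1f} days left)")
```

Run it from cron against the list of client domains and alert on anything that is not OK; it complements, rather than replaces, a full SSL Labs scan of the configuration.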
Here are some of the things you need to check on your servers:
Watchful’s Early Warning Audits can track many of these items and warn you if they’re not configured correctly.
And here are some recommendations for key services that are not hosted on your server:
- Email delivery: We recommend services such as SendGrid or Mandrill. In 2019, it’s just too difficult to run your own mail server without having most of your email end up in people’s “Spam” folder.
- DNS management: We use Cloudflare to manage our DNS servers. It is possible to do this with your domain registrar, but we’ve found Cloudflare to be much more flexible.
- Reverse proxy: Whenever your site is under attack, you’ll appreciate having a real-time firewall for your site. Cloudflare is our choice for a firewall.
Level #3. Sites & Software
Vic introduces the final part of the pyramid at the 28.35 mark. Here he reviews several settings that are “best practices” for Joomla sites. Watchful is one of several services that can automatically scan for these best practices:
Watchful’s Early Warning Audits can automatically track all of these important best practices:
Did you know that Joomla has really good password security options? You’ll find these by going to Users > Manage > Options and clicking the “Password Options” tab. You can improve this even further with extensions such as User Password Policy.
We also protect the admin area with a token. This means that you can’t access the Joomla admin using the /administrator/ URL. You need to add a secret token so that the URL looks more like this: /administrator/?secrettoken
Joomla has that very helpful “User Activity Logs” feature. If you’re using separate accounts for each user, you’ll be able to keep a detailed record of who changes what on your site:
Updating your Joomla sites early and often is also vitally important. Here at Watchful we’ve just released a new auto-update feature so you can move even more quickly to keep your sites updated.
Vic wraps up at 35.00 and then answers questions from users.
The Slides from Vic’s Presentation
More from the Conference
If you missed the event, don’t worry. The presentations are being posted on YouTube.
In particular, I recommend watching “Joomla 4 – A New Improved Joomla for Content Creators“. This talk is from George Wilson, one of Joomla’s lead developers. If you haven’t been keeping up with development on Joomla 4, take 30 minutes of your day and watch this video.