3.4 Real Website Security Tips

If there is ever going to be a free and independent Internet in the future, we as website owners and builders need to radically change the way we think about website security. Gone are the days when hackers were just a few young kids getting their kicks by defacing and destroying a few websites. Today, hacking has become a multi-billion dollar business. Attackers use automated tools to take over thousands of websites in a single campaign. They then either demand a “ransom” of thousands of dollars to restore your website (which you can never really trust again even if you do pay up and get it back), or they use the computing power and data of the hacked websites to attack and bring down even more websites.


The purpose of this article is to explain why we need to change and provide a series of steps to make the needed changes.


What is Real Website Security?
Imagine you have spent several years building a successful business website with hundreds of thousands and even millions of visitors. Your entire business and family income depends on this website working correctly. Now imagine that site being taken down by hackers. The only thing displayed on the front end of your website and the back end of your website is the white screen of death and perhaps a “500 error.” No way to log into the Joomla administrator panel. No way for you or your customers to view any page that you have created.

Even worse, you go to your VPS account to try to fix this mess with your File Manager and Database Manager, only to discover that your VPS hosting account has also been hacked and all of the backups you have made for your websites have been deleted. There may still be ways to repair your website, which we will discuss towards the end of this article. But an ounce of prevention is worth a pound of cure. We will therefore review what website security really means.

This course, book and website, Create a Secure Website, explains how to create a secure Joomla website that you can use for any purpose. Our following courses explain how to add to this foundational website to create an independent news website (Create Your Own News Website), your own online network (Create Your Own Community Network), your own online business (Create Your Own Online Store) and your own online course (Create Your Own Online Course). What all of these courses have in common is that they increase your power to communicate and organize with others. However, those who currently control our economic and political systems do not want us to communicate with each other.

Why New Interactive Websites are a Threat to the Status Quo
New online stores are a threat to the corporate monopoly of Amazon. Courses that teach folks how to build their own Linux computers are a threat to the corporate monopoly of Microsoft. Independent news websites are a threat to the corporate controlled media. Bottom up community based social networks are a threat to the top down control of corrupt corporate funded political leaders.

It is therefore natural that monopolies such as Microsoft, Facebook, Google and Amazon along with Wall Street bankers and even our own government have worked to create a system to keep the Internet in check and take down any websites that present a threat to the establishment. This is the real purpose of the US Patriot Act.

Even if you do not plan to build a controversial website, your website will certainly be caught in the crossfire of the billionaires’ war on the people. I have about 50 Joomla websites on various courses I teach. I have hacker monitoring tools attached to each of them. I therefore am able to say with confidence that each of them is attacked on a daily basis. So if you build either a Wordpress or Joomla website, you will certainly be attacked. It is not a question of if, but of when. The attacks will likely start in the first 24 hours after you go online. Thus, it is essential to know what steps to take in the first few hours after starting your website.

In 2013, Edward Snowden revealed that the NSA has teams of tens of thousands of website hackers (about 30,000 working directly for the NSA and another 70,000 working for corporations and contractors). Some of the documents he revealed confirm that the NSA spends more than two dollars hiring outside corporate hackers for every dollar they spend in house (for example Edward Snowden worked for an NSA contractor called Booz Allen). This brings the hacker total to 100,000. Tens of thousands of young kids in the US military are also being trained as hackers by the NSA in what it calls its Cyber Warfare training program. This brings the total number of hackers being trained by our own government to more than 200,000. While our corporate media likes to blame Russia or China for Cyber Warfare, the truth is that the hacker training budget of the US government is ten times larger than the Cyber Warfare budget of the rest of the world combined. When your website is attacked, the odds are ten to one that it was attacked by someone trained by the NSA.

There is a 26 minute video called Cyber Defense - Military Training for Cyber Warfare, Full Length Documentary published on April 30, 2013 at this link: https://www.youtube.com/watch?v=rcDizlmjNQY

The video shows the NSA “Red Cell” training other branches of the military how to hack websites. Here is an image from that video:


Don’t get me wrong. I am sure our websites could occasionally be attacked by Russians and the Chinese. But when the NSA trains tens of thousands of young Americans in the US military how to attack websites and then these young men cannot find jobs after they get out, we should expect at least some of them to form teams and use the skills they learned from the NSA to attack the easiest local targets – us. After all, a good hacker can make more than a million dollars a year just using Windows Ransomware attacks!

One way you can determine who is attacking you is by installing free Joomla tools that tell you the IP address of the server each attack is coming from. You can then look up the City and State where the server is located. Lately, the largest number of attacks on my websites have been coming from thousands of servers in Ukraine. But here is the problem. Each server is an actual computer that costs thousands of dollars. Who in Ukraine has the millions of dollars needed to buy all of these computers? Why would anyone in Ukraine want to attack massive numbers of websites in the US? It is not merely the cost of the servers, but also the cost of buildings to house the servers, staff to maintain the servers and electricity to run the servers. Then there is the cost to pay programmers to write the malicious code. Who has this kind of money to pay for hundreds of attacks on my little websites?

The one cyber warfare group with an unlimited amount of money to spend on servers is the US military cyber warfare group, US Cyber Command, which shares its director and headquarters with the NSA. Either they have an entire server farm in central Ukraine (which maybe they do), or, more likely, the servers are in the US and the NSA is bouncing signals off of satellites to fool people into thinking they are being attacked by thousands of Ukrainians. Either way, we as website owners are being attacked by the largest, best trained cyber warfare teams in the world.

A 2014 RAND Report found that 80 percent of all cyber attacks are committed by “highly organized crime rings” - not individuals. Cyber crime rings are not manned by youngsters; they employ highly experienced developers with deep knowledge that allows them to bring constant innovation into malware and attack tactics.

http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf

On February 16 2015, one of the world’s leading security firms, Kaspersky, released a 44 page report on what it called the “Death Star of the Malware Galaxy.” Here is a direct link to the PDF:

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf

The report described a group it called the Equation group which was infecting computers and websites all over the planet. The report noted that the techniques being used were linked to techniques and malware programs previously developed and used by the NSA including the Flame and Stuxnet viruses which the US used to attack Iranian computers: “All the malware we have collected so far is designed to work on Microsoft’s Windows operating system… The Equation group uses a vast infrastructure that includes more than 300 domains and more than 100 servers.”

One of the documents exposed by Snowden was a 2007 NSA job posting in which the NSA actively solicited hackers to go to work for the NSA. The trainees would be taught how to “develop an attacker’s mindset.” The link to this document is gone, but here is a screen shot of the NSA hacker training job posting:


We as single website owners have no chance - working only on our own - to fight off these well trained, highly paid teams of thousands of hackers. We therefore need to stop thinking of our goal as merely protecting our individual websites and instead start acting to protect ALL of our websites. Instead of seeing ourselves as individuals, we need to build a community that has long term SECURITY FOR ALL as a higher goal than short term corporate profit. It is significant that the term “Joomla” means “All Together.” We need a community not just to create our websites but also to protect them.

We are in an information war today – but the weapons are much more complex and therefore harder to see. I will use the Linux Debian community and the Joomla community to illustrate how safety comes from working together and building a community.

Linux Debian versus Microsoft Windows
In my website, Learn Linux and Libre Office, I explain that any computer running the Windows operating system is not secure and can never be made secure. To make sure that the computer can “call home” whenever Microsoft wants, they place the web browser inside of the core of the operating system. This is a deliberate open back door into every Windows computer. The NSA knows it – and so do many hackers. All of this is done in the name of corporate control to maintain hundreds of billions of dollars in Microsoft profits.

By contrast, Linux Debian is not a for profit corporation but a community of computer users who want safe dependable computers. Because there is no need to maintain control, there is no need to place the web browser inside of the operating system. The bottom line is that when you build a website, you should do it with a Linux computer. Using Windows will leave your website open to attack. Even using an Apple computer will leave your website open to attack because they are also a corporate partner of the NSA Prism program as confirmed by the following slide leaked by Edward Snowden.


These nine corporate Prism Partners are paid billions of dollars to assist the NSA (along with hundreds of other corporations). Note that Linux is not on this list. The NSA did try to recruit the leaders of Linux. But the bottom up community driven structure of Linux protected it and protects all of us who use Linux computers.

Sadly, billions of people still use Windows and Apple computers. They do this because it is more convenient than taking the time to learn how to build and use a Linux computer. They are placing short term convenience above long term freedom and mutual security. The good news is that using Linux is now much easier than it was in the past – in many ways much easier than using Windows or Apple. As more people discover this, we will someday reach a tipping point where everyone will insist on using Linux – not just for building websites – but for everything they need to do on their computer.

Joomla versus Wordpress
Joomla powers millions of active websites, but Wordpress powers many times more. As with Microsoft computers, people use Wordpress because it is “easier.” This is despite the fact that Joomla has many benefits over Wordpress. The biggest benefit of Joomla over Wordpress is that it is much more secure. In 2021, Wordpress and Windows both had many more reported security problems than Joomla and Debian, although a large share of the Wordpress total lies in third party plugins rather than in the core.


Top Down Corporate Structure versus Bottom Up Communities
The biggest security advantage of Joomla over Wordpress is that Joomla is a bottom up community, while Wordpress is in practice steered by a billion dollar, top down, for profit corporation called Automattic, which is run and controlled by a small group of people. Automattic has been given more than $300 million by various investors. This puts Wordpress in the same league as Microsoft, Google, Facebook and Amazon, who also received hundreds of millions in financing. https://en.wikipedia.org/wiki/Automattic

By contrast, Joomla is a true bottom up community that is led by a non-profit elected group called Open Source Matters. Their key values are freedom, equality, trust, community, collaboration and usability. While the Joomla community has millions of members and thousands of developers, the Open Source Matters leadership team has an annual budget of less than $500,000. This team is elected by community members and consists of community members. https://www.opensourcematters.org/organisation.html

Linux Debian is also an open source community. https://www.debian.org/

The Linux Debian and Joomla communities have proven that they are more likely to catch and correct coding errors than top down profit driven corporations.

But as bad as the website security problem is now, things are about to get much worse. Here’s why: In 2013, Snowden documents revealed a US intelligence “black budget” of $52.6 billion per year, of which the NSA’s share was about $10.8 billion.

On December 1 2016, Federal Rule 41 was revised without a vote of Congress to make it much easier for the FBI to hack into computers and take down websites in the US. In the past, the FBI had to go to a local federal judge before taking down a website. Under the new Rule 41, the FBI does not have to go to a local judge. They can go to any one of 500 federal judges to hack into any computer and/or take down any website in the US. As the digital rights group Electronic Frontier Foundation (EFF) warned: “These changes to Rule 41 will result in a dramatic increase in government hacking… A single judge will be able to grant a warrant to hack a million or more computers.” The term “computers” does not merely refer to private or personal computers but also to servers that host websites. A single server can host more than 1000 websites. So hacking one million computers can mean hacking one billion websites.

In short, we were already being subjected to hacking on a massive scale by the NSA and their friends. Now the NSA/FBI have been given a blank check to expand these attacks.

This is why we need to take every possible precaution to protect our websites. These security measures must go well beyond merely moving our website to Canadian servers (as we described in a previous article). They even go well beyond using Linux computers to post to our websites. The NSA motto is “Collect Everything.” If we are going to have a secure website, our motto must be to “Protect Everything.” Here is an overview of the steps we should take to protect our websites. All of the steps are important. Skipping any one of them will leave your website more open to attack.


Here is an overview of some security steps we have already covered:

#1 Use a Secure Linux Computer to Build Your Website

#2 Use a Secure ProtonMail Email Address to Set Up your VPS Hosting Account

#3 Use a Secure Canadian Linux Hosting Account such as Canhost

#4 Use Strong Passwords for your Email Account, your VPS Host account and your Joomla Login page.

#5 Learn how to create proper A and CAA records to get an SSL certificate for your server and your domain names.

#6 Get an SSL certificate for your VPS and domain name before installing Joomla

#7 Use your secure Proton Mail Email Address or a custom email address when you install Joomla

#8 Activate the .htaccess File in Hestia

#9 Hide the Front End Log In Form

#10 Change Joomla Global Configurations

#11 Download and Install six free Joomla security tools.

Let’s take a closer look at each of these steps:

#1 Use a Secure Linux Computer to Build Your Website
Let’s be very clear. It is not possible to build a secure website with a Windows or Apple computer. Both are NSA Prism partners and both allow the NSA access to all of your data. The same back doors used by the NSA can also be used by any knowledgeable hacker to access your Windows or Apple computer any time your computer is connected to the Internet. The only way to have a secure website is to use a secure Linux computer to create and upload your website documents. For more information on how to set up a Linux computer and use Libre Writer, see our website: https://learnlinuxandlibreoffice.org/

#2 Use a Secure Proton Mail Email Address to Set Up your VPS Hosting Account
Major email providers like Google and Yahoo are also NSA Prism Partners. Because password resets and other sensitive security information will be sent to your email address, get a secure Proton Mail email address and use it to set up your VPS hosting account. Whoever controls that mailbox can reset your hosting password, so protect it with a unique password and turn on two-factor authentication for both the email and the hosting account. Here is the link to get your free account. https://protonmail.com/

#3 Use a Secure Canadian Linux Hosting Account such as Canhost
As we explained in a previous chapter, it is no longer safe to put either your domain name or your website on any server located in the US. It is also not safe to put your website on any Windows server, regardless of where that server is located.

#4 Use Strong Passwords for your Email Account, your VPS Host account and your Joomla Login page.
First, avoid default user names like "admin" or "administrator". Those are the first names an attacker will try, and the brute force log later in this article shows exactly that. Next, use a strong password. Many attackers try to brute force your login details, which means they run through a list of commonly used passwords (and every word in a dictionary) to guess yours. So do not use common words or patterns like pass123 or admin123, and do not use your name in your password. Do not trust a password generator on a web page you do not control; a generator that runs on your own computer, such as the one built into an offline password manager, is fine. Use a password that is at least 9 characters long (longer is better, and 16 or more is a safer floor today) and include a combination of upper case and lower case letters, numbers and special characters such as # and $. The following is an example of a strong password with 3 capital letters, 3 lower case letters, 3 numbers and 4 special characters: $Ea!275(Fv)Zx. Do not use this published example, and never reuse a password across accounts: your website administrator password should be different from your hosting account password, which should be different from your email service password. Each password should be unique. Keep a record of all of these passwords in an encrypted password manager on your hopefully secure computer rather than in a plain text file.
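The rules above can be turned into a check you run on your own Linux computer. The following is an added example written for this edit, not a tool from the course: it scores a candidate password against those rules, estimates the size of the search space an attacker faces, and generates a new password with Python's secrets module, which draws from the operating system's random number generator and never contacts the network. The warning about password generators above is best read as applying to generators on web pages you do not control; that reading, the 16 character default length and the particular set of special characters are my assumptions.

```python
import math
import secrets
import string

# Character classes used by the policy. The special characters are my own
# choice for the example; any printable punctuation the site accepts works.
SPECIALS = "#$!%&()*+-=?@^_~"
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(SPECIALS),
}
# A tiny stand-in for the word lists attackers really use.
COMMON = {"admin", "admin123", "pass123", "password", "123456", "qwerty"}


def check_policy(password, min_length=9, forbidden_words=()):
    """Return (ok, problems) for a password against the article's rules:
    minimum length, all four character classes, not a common password,
    and not containing the user's name or other forbidden words."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name} character")
    low = password.lower()
    if low in COMMON:
        problems.append("common password")
    for word in forbidden_words:
        if word and word.lower() in low:
            problems.append(f"contains '{word}'")
    return (not problems, problems)


def entropy_bits(password):
    """Upper bound on the brute-force search space in bits, assuming the
    attacker knows which character classes were used (pool = union of the
    classes present). A dictionary word scores far lower in practice."""
    pool = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def generate_password(length=16):
    """Generate a random password locally with the OS CSPRNG, guaranteeing
    at least one character from every class, then shuffling so the class
    positions are not predictable."""
    if length < len(CLASSES):
        raise ValueError("length too short for all character classes")
    alphabet = "".join("".join(sorted(chars)) for chars in CLASSES.values())
    chars = [secrets.choice(sorted(cls)) for cls in CLASSES.values()]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)   # shuffle on the CSPRNG as well
    return "".join(chars)


if __name__ == "__main__":
    # The article's example password and two weak ones.
    for pw in ("$Ea!275(Fv)Zx", "admin123", "Summer2024"):
        ok, problems = check_policy(pw, forbidden_words=["admin"])
        print(f"{pw!r}: {'OK' if ok else 'weak'} {problems} ~{entropy_bits(pw):.0f} bits")
    print("generated:", generate_password())
```

The entropy figure is the reason the 9 character minimum is only a floor: the example password scores roughly 82 bits, while a 9 character password from the same pool scores under 60, and any password built from a real word scores far less than either.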

#5 and #6 Create A and CAA Records and Get an SSL Certificate for your VPS and Domain Name before Installing Joomla
Canhost makes it easy to create DNS A and CAA records, and Hestia makes it even easier to get free Let’s Encrypt certificates. A CAA record tells certificate authorities which of them may issue certificates for your domain; for Let’s Encrypt the value is letsencrypt.org.

What is SSL and Why Do We Need It?
SSL (Secure Sockets Layer) is the popular name for the encryption technology that establishes a secure connection between a web browser and the server; the protocol actually in use today is its successor, TLS (Transport Layer Security), but the certificates are still called SSL certificates. It ensures that all the data passed during the connection remains private and cannot be altered in transit. It is used by millions of websites to protect the sensitive information entered by visitors. Most people can spot a site using it by the padlock in the address bar (older browsers showed a green bar) and by the address beginning with https:// rather than http://.


Installing an SSL certificate on your website is a good start and prevents the interception of submitted information by anyone sitting between the visitor and the server, on public Wi-Fi for example. Without it, your visitors’ log in credentials and session cookies cross the network in plain text, and an attacker who captures an administrator’s credentials can log in as that administrator and then try to elevate privileges further. Using SSL not only increases the security of your website and the trust of your readers, it also improves search engine ranking.

What is Let’s Encrypt?
Let’s Encrypt is a free, automated, open certificate authority run for the public benefit. It issues browser trusted certificates for your domains at no cost. Each certificate is valid for 90 days, and the client software (Hestia in our case) renews it automatically before it expires. There are no difficult configurations and no validation emails: Let’s Encrypt confirms that you control the domain by checking a file on your web server or a DNS record. You can issue certificates for each domain and subdomain on your hosting account. All current browsers trust Let’s Encrypt. Because renewal is automatic, a failure is easy to miss, so check the expiry date periodically.

#7 Use your secure Proton Mail Email Address or a custom email address when you install Joomla
The most secure option is to use Hestia to set up your custom domain related email address before you install Joomla and then use that during the install steps.

#8 Activate the .htaccess File in Hestia
Joomla ships with a file called htaccess.txt that contains Apache rules to block a set of common exploit patterns in URLs and to enable friendly URLs. Apache ignores it until it is named .htaccess, so we need to rename it to get this protection. These rules only take effect on Apache; check that your Hestia web stack includes Apache (the standard install does) or they will be silently ignored. Rename it with the Hestia File Manager before installing Joomla: select Rename, delete the .txt and put a dot before htaccess, then click Rename File. Now click on the .htaccess file to select it. Then right click and click Edit to open this file. Then click Edit again. At about line 83, you will see

# RewriteBase /

Delete the hash tag so the line looks like this:
RewriteBase /

#9 Hide the Front End Log In Form
By default, the front end of our website displays the Log In form. We will soon have problems with spammers and hackers if we continue to display the log in form on our Home page. To hide this log in box, log into your Joomla Dashboard. Then click Content, Site Modules. Then select the Log In Form and click Unpublish. Then click on the front end of the site again to verify that the log in module is now hidden.

#10 Change Joomla Global Configurations
Our next task is to change the Global Configuration settings. In the Admin Panel, click on System, Global Configuration in the Top Menu. There are several changes we need to make here. First, change URL Rewriting from No to Yes. This lets us use friendly URLs, but only do this if you have already enabled the .htaccess file, or every page except the home page will return a 404 error. You can also add any meta keywords you want here. Next click on the System tab. The session lifetime defaults to 15 minutes; the course raises it to 99 minutes so you are not logged out while editing, but remember that a longer lifetime also lengthens the time a forgotten or stolen administrator session stays valid, so log out when you finish. Then click on the Server tab. Change Force HTTPS from None to Entire Site (this is the $force_ssl setting in configuration.php). Then click Save and Close, and confirm that a plain http:// request to your site now redirects to https://.
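Both the 90 day Let’s Encrypt lifetime described under #6 and the Force HTTPS setting above deserve a check from the outside, because an auto-renewal that silently fails, or a redirect that only covers part of the site, looks fine from inside the admin panel. Here is an added example (my code, not part of the course or of Hestia) that connects to a host, verifies the certificate chain, reports the days left, and confirms that a plain http:// request is answered with a redirect to https://. The host name example.org and the 20 day warning threshold are placeholders.

```python
import datetime
import socket
import ssl
import urllib.error
import urllib.request

# Let's Encrypt certificates last 90 days; warn well before expiry so a
# broken auto-renewal is noticed while there is time to fix it (my threshold).
WARN_DAYS = 20


def parse_cert_time(cert_time):
    """Parse the 'notAfter'/'notBefore' format ssl.getpeercert() returns
    ('Jun 30 12:00:00 2025 GMT') into an aware UTC datetime."""
    return datetime.datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert_time), datetime.timezone.utc)


def days_until_expiry(not_after, now=None):
    """Whole days left on a certificate; negative once it has expired."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return (parse_cert_time(not_after) - now).days


def classify_redirect(status, location):
    """True only if a plain-HTTP request was answered with a redirect to an
    https:// URL, which is what 'Force HTTPS: Entire Site' should produce."""
    return (status in (301, 302, 307, 308) and bool(location)
            and location.lower().startswith("https://"))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Stop urllib following redirects so the first answer can be inspected.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_forces_https(host, timeout=10):
    """Request http://host/ and report whether it redirects to https."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(f"http://{host}/", timeout=timeout) as resp:
            # A 200 over plain HTTP means the site is still served unencrypted.
            return classify_redirect(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        return classify_redirect(err.code, err.headers.get("Location"))


def certificate_days_left(host, port=443, timeout=10):
    """Open a verified TLS connection and return days until the served
    certificate expires. Raises ssl.SSLError if the chain does not verify."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return days_until_expiry(cert["notAfter"])


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.org"  # placeholder
    left = certificate_days_left(host)
    print(f"{host}: certificate expires in {left} days"
          + (" - RENEW NOW" if left < WARN_DAYS else ""))
    print(f"{host}: http -> https redirect:", http_forces_https(host))
```

Run it from cron on your home computer once a week and have it mail you when the days left fall under the threshold or the redirect check returns False; both conditions are exactly the ones the admin panel will not show you.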

#11 Download and Install six free Joomla security tools

We covered this process in article 3.2. These tools should all be installed right after you create your Joomla website.

Manage Your Website Security Over Time
There are several important steps to take to protect our website from hackers on an ongoing basis that we have not previously covered. These steps include the following:

1. Use XnConvert to Batch Clean all of your images

2. Keep your Joomla version up to date.

3. Keep your Joomla extensions up to date.

4. Review Joomla Error logs periodically.

5. Review hacking attempt logs periodically.

6. Use Hestia to Set up a backup and recovery process.

7. Keep learning about Joomla Website Security.

8. Join or create a Joomla User Group in your community.

We will briefly review each of these steps.

1. Use XnConvert to Batch Clean all of your images
It is important to compress every one of your images in your Libre Writer documents. This is done by right clicking on each image, selecting Compress, then selecting OK. This should reduce the file size of the image to less than 100KB. Failing to compress even a single image will greatly reduce the loading speed of your website. It is equally important to “clean” all of your images before posting them to the back end of your Joomla website, because a common hacking trick is to hide malicious code in the metadata (EXIF, comment and similar property fields) of images, which you then upload to your own site if they are not cleaned. There is a free program called XnConvert which can batch clean hundreds of images in a matter of seconds. Here is the download link:

https://www.xnview.com/en/xnconvert/

Download the 64 bit DEB file. Then right click on the file to install it. Then open the program. The Input tab allows you to choose any image files or folders. The Actions tab allows you to choose batch conversion actions, including Image, Clean Metadata.


Simply open XNConvert. Then select the folder that has all of your website images. Then create an output folder for the clean images. Then Add the Action “Clean Metadata.” Then click Convert.
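To show what “cleaning” an image actually removes, here is an added example, not part of the course and not XnConvert’s code, that strips the metadata segments from JPEG and PNG files in plain Python. The two sample files are constructed in the code (they are not real photographs) with a marker string planted in an Exif segment, a JPEG comment and a PNG tEXt chunk, which is where such payloads are hidden.

```python
import struct
import zlib

# JPEG: keep everything except APP1..APP15 (Exif, XMP, ICC, Photoshop) and
# COM (comments). APP0 (JFIF) is left alone because some decoders expect it.
# PNG: textual and EXIF chunks carry the same risk.
JPEG_STRIP = set(range(0xE1, 0xF0)) | {0xFE}
PNG_STRIP = {b"tEXt", b"zTXt", b"iTXt", b"eXIf"}
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def clean_jpeg(data):
    """Drop metadata segments from a JPEG, copying the scan data untouched."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment marker")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI with no scan data
            out += data[pos:pos + 2]
            return bytes(out)
        if marker == 0xDA:                       # SOS: the rest is image data
            out += data[pos:]
            return bytes(out)
        if pos + 4 > len(data):
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        seg_end = pos + 2 + length               # length counts its own 2 bytes
        if marker not in JPEG_STRIP:
            out += data[pos:seg_end]
        pos = seg_end
    raise ValueError("truncated JPEG")


def clean_png(data):
    """Drop text/EXIF chunks from a PNG. Chunk CRCs cover only the chunk
    itself, so chunks we keep can be copied verbatim."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    out = bytearray(PNG_SIG)
    pos = 8
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        if ctype not in PNG_STRIP:
            out += data[pos:pos + 12 + length]
        pos += 12 + length
        if ctype == b"IEND":
            return bytes(out)
    raise ValueError("truncated PNG")


def clean_image(data):
    """Dispatch on the file signature; refuse anything unrecognised."""
    if data[:2] == b"\xff\xd8":
        return clean_jpeg(data)
    if data[:8] == PNG_SIG:
        return clean_png(data)
    raise ValueError("unsupported image type")


# ---- constructed samples (not real photos): just enough structure to show
# where metadata lives and that it is gone afterwards ----------------------
def _jpeg_segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

PLANTED = b"<?php /* planted in image metadata */ ?>"
SAMPLE_JPEG = (b"\xff\xd8"
               + _jpeg_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _jpeg_segment(0xE1, b"Exif\x00\x00" + PLANTED)
               + _jpeg_segment(0xFE, b"comment: " + PLANTED)
               + _jpeg_segment(0xDB, b"\x00" + bytes(64))        # DQT
               + _jpeg_segment(0xDA, b"\x01\x01\x00\x00")         # SOS header
               + b"\x12\x34\x56" + b"\xff\xd9")                   # scan + EOI


def _png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

SAMPLE_PNG = (PNG_SIG
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _png_chunk(b"tEXt", b"Comment\x00" + PLANTED)
              + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + _png_chunk(b"IEND", b""))

if __name__ == "__main__":
    for name, sample in (("jpeg", SAMPLE_JPEG), ("png", SAMPLE_PNG)):
        cleaned = clean_image(sample)
        print(name, len(sample), "->", len(cleaned), "bytes; payload present:",
              PLANTED in cleaned)
```

The functions copy the pixel data untouched and refuse anything they do not recognise. Keep in mind what cleaning does and does not do: text hidden in metadata only becomes dangerous when something on the server is tricked into interpreting the file as code (for example through a file inclusion flaw like the one probed in the log later in this article), so cleaning uploads is good hygiene, while the primary control remains never letting uploaded files be executed.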

2. Keep your Joomla version up to date
New Joomla versions appear every few months. Some releases add features, but many are issued in response to a newly discovered vulnerability. Joomla’s built in Update Notification plugin emails the site’s super users when a new version is available, and the Joomla Security Centre publishes an advisory for each security fix; when either arrives, update as quickly as possible. It is easy to update your website. Just log into your administrator panel and wait a few seconds. A notice will appear providing a link to the Joomla Update page. Click on Update Now. Then click Install Update.

If there is any problem with the update, you can do a search on the problem and how to fix it. Often, update problems can be solved simply by clearing your browser cache and your Joomla caches. These issues are typically addressed on the Joomla Community Forums. To reach the official Joomla forum, from your Joomla Admin panel, click on Help, Official Support Forum. Here is the direct link: https://forum.joomla.org/

3. Keep your Joomla extensions up to date
When you log into your Joomla back end, you may see an Extensions Update notice. Click on View Updates and then Install Updates. Then clear the caches and view the front end of your website to make sure everything still works after performing all of your updates.

4. Review Joomla Error logs periodically
Modern websites are extremely complex. With more than 8000 files and folders and more than a dozen extensions, it is common for errors and conflicts to occur. These errors are typically not displayed on the front end of our website, but they are recorded in error logs, which include the exact file and line where the error occurred. Error logs are also useful for determining the date, time and source IP address of many common hacker attacks. To reach your Joomla error logs (in the administrator/logs folder) and the server’s own logs, log into your Hestia account and open the File Manager. Installing a file manager extension in the Joomla back end is quicker, but it also means anyone who gets into the back end can read and write every file on the site, so weigh that convenience against the added risk.

5. Review hacking attempt logs periodically
Hacking attempts will be sent to your secure email address on nearly a daily basis. You will be surprised at how often hackers are trying to get into your website. These emails should be viewed periodically. Here is one example caught by SQL Interceptor:

Local File Inclusion $_GET['files'] => ../../../../wp-config.php
* Local File Inclusion $_REQUEST['files'] => ../../../../wp-config.php
** PAGE / SERVER INFO
*REMOTE_ADDR : 62.210.111.127
*REQUEST_METHOD : GET
*QUERY_STRING : files=../../../../wp-config.php
** SUPERGLOBALS DUMP (sanitized)
*$_GET DUMP:

This was an automated scanner assuming my website was a Wordpress site and trying to read its configuration file, which holds the database password, to begin an attack. The repeated ../ sequences are a path traversal attempt; the same probe aimed at Joomla would ask for configuration.php.

Here is an email from BF Stop:
Blocked IP Address 5.254.97.99 because there were too many unsuccessful login attempts in a short time on http://. These are all the attempts from that address that were recorded:
Username                  IP-Address      Date and time        Origin
--------------------------------------------------------------------------------------------
admin                     5.254.97.99     2016-12-06 18:28:44  Backend
admin                     5.254.97.99     2016-12-06 18:28:50  Backend
admin                     5.254.97.99     2016-12-06 18:28:54  Backend

This is a hacker trying a brute force attack, assuming my administrator user name is admin. We could add the IP address to our blacklist. But these happen so often, from so many IP addresses, that it would be easier to block entire countries. Keep in mind that the address you see is usually a proxy, a rented server or a compromised computer rather than the attacker’s own machine, so a country block cuts down the noise but does not stop a determined attacker; not using “admin” as a user name and limiting login attempts matter more. To determine which country this IP address is associated with, go to the following site.

http://whatismyipaddress.com/ip-lookup

Then copy and paste the IP address into the Lookup box.


This one comes from Romania, but it is really a proxy server for some other location.

6. Use Hestia to Set up a backup and recovery process

Hestia creates automatic backups of your website every day. But a backup that sits on the same VPS disappears with it if the VPS is compromised or the hosting account is deleted, so you should also keep copies on your home computer (Hestia can also be configured to copy backups to a remote server). Hestia makes this easy by having a Download button to download the backup. The Hestia backup includes both the website files and the database. It is also easy to restore a Hestia backup, but do not wait for an emergency to find that out: test a restore periodically, and treat any backup downloaded from a server you suspect was compromised as untrusted until you have inspected it.
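Because a backup left on the VPS is only as trustworthy as the VPS, it is worth verifying the copy on your home computer before you ever need it. The following is an added example, not Hestia’s code and not its real archive layout: it records a SHA-256 digest at download time, confirms the archive still matches it, checks that the database dump and configuration file are present, and refuses any archive containing a member path that would escape the restore directory, which is how a poisoned backup could plant files outside the site when restored. The member names and the sample archives are constructed for the example.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# What a usable site backup must contain. These member paths are my
# assumption for the example, not Hestia's real archive layout.
REQUIRED = ("db/site.sql", "web/public_html/configuration.php")


def sha256_file(path):
    """Digest of the downloaded archive; record it when you download."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def unsafe_member(name):
    """A member that would escape the restore directory: an absolute path
    or one containing a '..' component."""
    norm = name.replace("\\", "/")
    return norm.startswith("/") or ".." in norm.split("/")


def verify_backup(path, expected_sha256=None, required=REQUIRED):
    """Return (ok, problems). Checks the recorded digest, that the archive
    opens, that required members are present and non-empty, and that no
    member path could escape the restore directory."""
    problems = []
    if expected_sha256 and sha256_file(path) != expected_sha256:
        problems.append("sha256 mismatch: file changed since it was recorded")
    try:
        with tarfile.open(path) as tar:
            members = {m.name: m for m in tar.getmembers()}
    except (tarfile.TarError, OSError) as exc:
        return False, problems + [f"cannot read archive: {exc}"]
    for name in members:
        if unsafe_member(name):
            problems.append(f"unsafe member path: {name}")
    for req in required:
        m = members.get(req)
        if m is None:
            problems.append(f"missing {req}")
        elif m.isfile() and m.size == 0:
            problems.append(f"{req} is empty")
    return (not problems, problems)


def make_sample_backup(directory, poisoned=False):
    """Constructed sample archive (not a real Hestia backup). The poisoned
    variant adds a member that would be written outside the restore tree."""
    path = os.path.join(directory, "site-poisoned.tar" if poisoned else "site.tar")
    entries = [(REQUIRED[0], b"CREATE TABLE jos_users (...);\n"),
               (REQUIRED[1], b"<?php class JConfig {} ?>\n")]
    if poisoned:
        entries.append(("../../root/.ssh/authorized_keys", b"planted\n"))
    with tarfile.open(path, "w") as tar:
        for name, body in entries:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return path


def self_check():
    """Build the good and poisoned samples in a temp dir and return the
    verdicts, so the logic can be exercised without a real backup."""
    with tempfile.TemporaryDirectory() as tmp:
        good = make_sample_backup(tmp)
        digest = sha256_file(good)
        good_ok, _ = verify_backup(good, digest)
        mismatch_ok, _ = verify_backup(good, "0" * 64)
        bad_ok, bad_problems = verify_backup(make_sample_backup(tmp, poisoned=True))
    return {"good": good_ok, "digest_mismatch": mismatch_ok,
            "poisoned": bad_ok, "poisoned_problems": bad_problems}


if __name__ == "__main__":
    for key, value in self_check().items():
        print(f"{key}: {value}")
```

Store the digest somewhere other than the VPS (the same password manager that holds your account passwords works), and run the verification on the copy you actually intend to restore from, not on the file still sitting on the server.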

7. Keep learning about Joomla Website Security
One of the best ways to keep up to date with Joomla security issues is to periodically read the Joomla Community Forum.

https://forum.joomla.org/

Scroll down to the section called Security in Joomla! 4.x.


There are a series of articles pinned to the top of this forum. Read all of them before posting.

8. Join or create a Joomla User Group in your community
This final point is the most important. Real website security is not a set of tools or even a process. Instead, it comes from building a community of friends interested in website security. Joomla has what it calls Joomla User Groups all over the world. To find out if there is a group near you, go to

https://community.joomla.org/user-groups.html

Joomla is very popular in Europe as it works well for multi-language websites. Also Europeans seem to care more about website security than folks in the US. Scroll down to North America to see a list of Joomla User Groups in North America. Clicking on one of these local buttons will allow you to contact the leader of your local group. If there is not a group near you, consider starting one!

What’s Next?

This completes our article on real Joomla Security. In the next article, we will describe how to install and use the Helix Ultimate template to customize the appearance of your Joomla website.