Most of the times, the client asks for upgrade or the companies purpose for Joomla upgrade if the site is hacked very often and/or is found to be infected with malicious code.
The most common mistake the developers make is to take the backup of current website and process the upgrade steps at the same. This process does upgrade the necessary extensions or core files, however, the malicious code files saved in the Joomla core folder(s) remain as it is and hence the site is again hacked.
Possible Solutions:-
- First, scan for malicious code in the current backup
- Process upgrade on the same
- Install a fresh instance of the Joomla’s version to be upgraded to
- Install all the required extensions (compatible with Joomla version) one by one
- If the client wants to use the old template, then first clean the template code file for any malicious code
- Migrate the data from the old database to the new database
The below points are useful for both “upgraded” Joomla website as well as “new” Joomla website from security point of view:-
- The file permissions should be 0644 and folders should be 755. The “configuration.php” file permission should be 0444.
- The default “admin” user should be deleted and a new “super” admin user should be created.
- Avoid using “admin” as the username for “super administrator”.
- 4. Modify the administrator URL.
- The site FORMS should have captcha / access token for non-registered users.
- Move “configuration.php” file outside the web root folder.
- In the UPLOAD field, limit the executable file types. Server side validations should also be placed in .addition to Javascript validations.
- Place .Htaccess in an image or media folders so that any user is not able to upload the executable in these folders.
- Disable PHP “system” and “global” commands (through php.ini.)
- Removed unused/compressed code from the files/folders. Also, remove any unused extensions or testing data.
- SEF URL’s should be enabled.
- Take care of SQL injections.
- Verify that index.html file should be in folders or use indexing to avoid direct access.
- Use two step authentication. It is one of the Joomla 3.2 improvements which can and will improve security.
- Set up regular backup and recovery process.
- Update to the latest stable version of Joomla and any installed third-party extensions.
- Notify your host and work with them to clean up the site.