Protecting Your CMS-Based Site

January 4, 2016

It was recently announced that there was a major security risk in previous versions of Joomla!, and a new version was released. While it is easy to upgrade to the latest version if you are running version 3 or later, it does require a little more work if you are running a previous version, such as 2.5 or 1.5.

To upgrade your Joomla! version 3 installation:

  1. Back up the current version of your site
  2. Log into Joomla!
  3. Go to Components
  4. Go to Joomla! Update
  5. Click on the ‘Install the Update’ button
  6. Once it’s complete, refresh your browser to see the changes

To upgrade your Joomla! version 2.5 or 1.5 installation:

  1. Back up the current version of your site
  2. Find the update file you need for your installation
  3. Download and extract the file
  4. Open the folder that is created and browse into it until you see session.php
  5. Log into your website using FTP or the File Manager in your Hosting Control Panel
  6. Browse to the /libraries/joomla/session folder in your site
  7. Replace session.php with the version you have just downloaded
  8. Once it’s complete, refresh your browser to see the changes
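
If you have shell access, or a local copy of several sites, the check and the replacement in steps 6 and 7 can be scripted. The following is an added example, not part of the original post or of Joomla! itself; the function names and the layout of one folder per site under a common hosting root are assumptions.

```python
import hashlib
import shutil
import sys
import time
from pathlib import Path

# Location from step 6 above, relative to each site's root folder.
SESSION_REL = "libraries/joomla/session/session.php"

def sha256_of(path):
    """SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit_sites(hosting_root, patched_file):
    """Map every site root under hosting_root to 'patched' or 'differs'.

    'differs' means session.php is not byte-identical to patched_file: the
    site is unpatched, or it runs a Joomla! version that needs another file.
    """
    want = sha256_of(patched_file)
    report = {}
    for found in sorted(Path(hosting_root).rglob(SESSION_REL)):
        site_root = found.parents[3]  # strip libraries/joomla/session/session.php
        report[str(site_root)] = "patched" if sha256_of(found) == want else "differs"
    return report

def replace_session_file(site_root, patched_file, backup_dir):
    """Step 7: copy the patched file in and confirm the copy by hash. The old
    session.php is kept in backup_dir (not a substitute for the step 1 backup)."""
    target = Path(site_root) / SESSION_REL
    if not target.is_file():
        raise FileNotFoundError(f"{target} not found")
    Path(backup_dir).mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    backup = Path(backup_dir) / f"{Path(site_root).name}-session.php.{stamp}"
    shutil.copy2(target, backup)
    shutil.copy2(patched_file, target)
    if sha256_of(target) != sha256_of(patched_file):
        shutil.copy2(backup, target)  # put the original back
        raise RuntimeError(f"verification failed for {target}; original restored")
    return backup

if __name__ == "__main__":
    # Usage: python audit_session.py HOSTING_ROOT PATCHED_SESSION_PHP
    for site, state in audit_sites(sys.argv[1], sys.argv[2]).items():
        print(f"{state:8} {site}")
```

Run the audit first and replace only on sites whose Joomla! version matches the update file you downloaded; keep the backup folder outside the web root so old copies are not served to visitors.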

While this only affects Joomla! users, this is a problem we regularly see with all CMS packages – including WordPress, Drupal, and others. An exploit is found, website owners don’t update their software, and when their site is hacked, it’s a race against time before that server becomes another bot in the mindless horde.

There are steps you can take to prevent this from happening. They might seem obvious, but many people forget, and end up with major problems down the line.

Update your software

This is one of the most obvious ones. When WordPress, Joomla!, or any other piece of software tells you there is a new version available, update it. If your software doesn’t inform you there’s a new version out, make an effort to regularly check the software’s website, and see if new versions are released.

Software companies don’t release new versions to make minor cosmetic changes – if they’ve released an update, it’s fixing something that’s wrong, and the more things patched, the safer your system is.

Update your plug-ins

While you might remember to update the main software, you need to make sure you update your plug-ins as well.

WordPress is great for telling you what needs to be updated, from the main software to your smallest plug-ins to even the translations, but you still need to actively click that “Update” button. And if you have a bespoke plug-in, check with the developer regularly to make certain that you’re using the latest version and that any potential security holes have been patched.

If it costs money, don’t go hunting for a free version

You find an excellent theme or plug-in, but you don’t want to pay for it. You might think that you can just search for a free version, download, and install it, but many so-called “free” versions will have malicious code embedded right into the theme or plug-in. Install it, and it doesn’t matter how careful you are with your site’s security – you’re already taken.

If the designer or developer has created a free version, they will always offer it alongside the paid version. Only trust the software developer or the theme designer – any other websites offering you a download are suspect.

Always back up your site

Again, an obvious thing to say, but so important. If your site is hacked, a clean backup makes it infinitely easier to check where things went wrong and fix them, rather than trying to restore your site while fixing it at the same time.

If your site is infected and causing problems on our servers, we may disable your site. Obviously, we don’t want to do that, and we want to work with you to prevent problems, but follow this advice, and, hopefully, you’ll never have a problem.