Is your Joomla Administrator Console secure?

December 29th, 2008

Obviously the first step in securing your web site is to ensure that you are using a strong password. Ideally it should be a mixture of upper- and lower-case characters and include a few numbers for good measure, and it should not be a real word.

Those naughty hackers aren’t stupid and are well aware that people may use the number 3 to replace the letter e in a password. It’s also extremely important that you don’t use the same password on multiple sites: it only takes one of those sites to be hacked for all your sites to be vulnerable. See this blog entry for a typo3 horror story.
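The two rules above (mixed case plus digits, and not a real word even after 3-for-e style substitutions) can be checked mechanically. The following Python is an added example, not code from the original post or from the Joomla project; the tiny word list, the substitution table and the minimum length are assumptions made for the example, and a real deployment would check against a full dictionary.

```python
import re
import string

# Constructed stand-in for a real dictionary (assumption for this example).
COMMON_WORDS = {"password", "admin", "joomla", "letmein", "welcome", "secret"}

# Character-for-letter substitutions that cracking wordlists already account for,
# so they add no real strength. "1" is tried as both "i" and "l".
_BASE = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}
LEET_MAPS = [
    str.maketrans({**_BASE, "1": "i"}),
    str.maketrans({**_BASE, "1": "l"}),
]


def candidate_words(password: str) -> set[str]:
    """All lower-cased forms of the password with leet substitutions undone,
    with and without leading/trailing digits and punctuation (e.g. 'Passw0rd1')."""
    stripped = password.strip(string.digits + string.punctuation)
    forms = set()
    for variant in (password, stripped):
        for table in LEET_MAPS:
            forms.add(variant.translate(table).lower())
    return forms


def check_password(password: str, min_length: int = 10) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if candidate_words(password) & COMMON_WORDS:
        problems.append("is a dictionary word once substitutions are undone")
    return problems


if __name__ == "__main__":
    for pw in ("Passw0rd", "J00mla2008", "correcthorse", "Tq7!vLm2xP9e"):
        print(pw, "->", check_password(pw) or "OK")
```

Note that "J00mla2008" satisfies every character-class rule yet is still rejected, because stripping the trailing digits and undoing 0-for-o leaves a plain dictionary word.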

Unfortunately people are lazy and often re-use passwords or choose ones that appear strong to them but are in fact pretty weak and vulnerable to brute-force attacks, and this is where the problem currently lies in Joomla.

Every Joomla site creates a super-administrator user by default with exactly the same name – “admin”. As you can see from the screenshot there is no option to rename this super-administrator account during the installation.

[Screenshot: Joomla installer setting the admin password]

So what does this mean? For a hacker it’s a dream scenario as without doing anything you have given them 50% of the credentials they need to break into your site and do as they wish with all your precious work.
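Because the username half of the credential is fixed, the attacker's remaining work is guessing the password, and that shows up in the web server log as a burst of POSTs to the administrator login page from one address. The following Python is an added example, not code from the original post or from the Joomla project: it flags such bursts in constructed Apache combined-log lines. The login path, the threshold of five attempts and the one-minute window are assumptions; tune them to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (made up for this example; RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [29/Dec/2008:10:00:01 +0000] "POST /administrator/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Dec/2008:10:00:03 +0000] "POST /administrator/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Dec/2008:10:00:06 +0000] "POST /administrator/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Dec/2008:10:00:08 +0000] "POST /administrator/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Dec/2008:10:00:11 +0000] "POST /administrator/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Dec/2008:10:00:14 +0000] "POST /administrator/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Dec/2008:10:01:00 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.0.2.9 - - [29/Dec/2008:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Apache combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Parse one combined-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Status is kept so a caller can refine the rule (e.g. ignore successful
    # logins) if it knows how its Joomla version answers a failed login.
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def find_login_bursts(lines, login_path="/administrator/index.php",
                      threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total_attempts} for every IP that POSTed to login_path
    at least `threshold` times inside any sliding window of length `window`."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, n in find_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} login POSTs in under a minute")
```

The sliding window is what keeps a normal administrator who mistypes a password twice a day from being flagged alongside a script firing several guesses a second.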

In the long term the solution is for Joomla itself to be updated to allow you to choose the default super-administrator username as well as the password. There are however several steps you can undertake right now.

As soon as you have installed Joomla and logged in for the first time, go to the user-manager and create a brand new super-administrator with a strong password. Then log out, log back in with the newly created account, go back to the user-manager, demote the “admin” user to manager level, apply your changes and then delete the “admin” user.

(You have to do it this way as Joomla does not allow you to delete a super-administrator.)

If you’re wondering why I didn’t suggest just changing the username of the “admin” user rather than creating a new one, that’s because the “admin” user always has the same user id of “62”, which is potentially another piece of useful information for a hacker or script-kiddie.

If you are at all worried about your site’s security, or would like us to provide you with a security consultancy service, then please get in touch!

One Response to “Is your Joomla Administrator Console secure?”

  1. Here are a few more steps you can take in case you are in need of something extra. Password protecting the administrator directory can help, but IP-based authentication or network ACLs are more convenient.

    http://www.technogenics.fr/secure-joomla-administrator.html
