Demo for Core Design FAQ plugin for Joomla!
Security FAQ

"They who would give up an essential liberty for temporary security, deserve neither liberty or security." -- Benjamin Franklin

Verifying permissions

Added by: Daniel Rataj (Monday, 28 February 2011 13:06)
Last Modified: Daniel Rataj (Monday, 28 February 2011 13:51)

Recommended settings

  • Depending on the security configuration of your Web server, the recommended default permissions are:
    • 755 for directories
    • 644 for files

Note: On file permissions, in general never use 777 if you don't know what you are doing.

  • Don't use extensions that require 777 permissions!


Learning the numbers

Each digit corresponds to a group of three letters (r, w, x) and therefore to one set of permissions, as follows:

  • First digit = owner,
  • second digit = group,
  • third digit = others (everyone else),


Note: On some servers you may not see the numbers as shown above; instead you see rwxrwxrwx (777) or something similar.

Meaning of the numbers

  • 777 means EVERYONE can read, write and execute ANY file.
    • This is something you NEVER want to be allowed on your server/website.
  • 755 is rwx (owner), rw- (group) and rw- (others); in other words, everyone may read and write but only the owner (you) may execute (run) a file.
  • 644 is rw-, r--, r--; in other words, EVERYONE can read the file but only the owner may write to the file.

NOTE: these permissions can be applied to directories as well, which is why you might see drwxrwxrwx; the "d" is for directory.
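As an added example (not part of this FAQ or the plugin), a small POSIX shell audit that lists every path in a Joomla web root that deviates from the 755/644 baseline above, flags world-writable entries first, and can apply the baseline once the listing has been reviewed. The web-root path is supplied by the caller; the path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: audit a Joomla web root against the 755 (directories) /
# 644 (files) baseline recommended above. Nothing here is site-specific.

# Print every path that deviates from the baseline, tagged with the reason.
list_bad_perms() {
  root="$1"
  # 1. Anything writable by "others" (the 777 case) is the urgent finding.
  #    Symlinks are skipped: their own mode bits are not meaningful.
  find "$root" ! -type l -perm -002 -print | sed 's/^/WORLD-WRITABLE: /'
  # 2. Directories whose mode is not exactly 755 (world-writable ones already listed).
  find "$root" -type d ! -perm 755 ! -perm -002 -print | sed 's/^/DIR not 755: /'
  # 3. Regular files whose mode is not exactly 644.
  find "$root" -type f ! -perm 644 ! -perm -002 -print | sed 's/^/FILE not 644: /'
}

# Number of offending paths; 0 means the tree matches the baseline.
count_bad_perms() {
  list_bad_perms "$1" | wc -l | tr -d ' '
}

# Apply the baseline to the whole tree. Run this only after reviewing the
# listing, so you know which paths are about to change.
fix_perms() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
}

# Usage (path is a placeholder): . ./perm_audit.sh; list_bad_perms /var/www/joomla
```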


Top 10 Stupidest Administrator Tricks

Added by: Daniel Rataj (Monday, 28 February 2011 13:04)
Last Modified: Daniel Rataj (Monday, 28 February 2011 13:51)

10. Use the cheapest hosting provider you can find.

Preferably use a shared server that hosts hundreds of other sites, some of which are high-traffic porn sites. Don't check the list of recommended hosting providers.
FYI: You can use a tool such as Robtex (if you are using a shared Hosting Provider) to see who you are sharing space with and if you should be proactive to request a move to another shared space. For example: http://www.robtex.com/dns/joomla.org.html, or for REALLY cool information: Google.com: http://www.robtex.com/dns/google.com.html. This shows domain, shared, whois, blacklist, analysis, contact...


9. Don't waste time with regular backups.

Maybe the hosting provider will help you out.

8. Don't waste time adjusting PHP and Joomla! settings for increased security.

Hey, the install was brain-dead easy. How bad could the rest be? Worry about those details only if there's a problem.

7. Use the same username and password for everything.

Use the same username and password for your on-line bank account, Joomla! administrator account, Amazon account, Yahoo account, etc. Hey, who has time to keep track of so many passwords? And anyway, since you don't change passwords, it's easier to just use the same one all the time, everywhere.

6. Install your brand new beautiful Joomla!-powered site, and celebrate a job well done.

Don't worry about it again. After all, if you don't make any more changes, what can go wrong?

5. Do all upgrades on the live site right away.

Who needs a development and testing server anyway? If an installation fails, you'll just uninstall it again. That will hopefully also undo any damage the installation caused.

4. Trust third-party extensions.

Install all the cool-looking stuff you can find. Anyone smart enough to write a Joomla! extension will provide perfect code that blocks every known exploit attempt, now and forever. After all, almost all this stuff is provided for free by well-meaning, good-hearted people who know what they are doing.

3. Don't worry about updating to the latest version of Joomla!

Hey, nothing has gone wrong so far, and if it ain't broke don't fix it! Same plan for the third-party extensions. Too much work; life's a beach.

2. When your site gets cracked, panic your way into the Joomla! Forums.

Start a new post with a very familiar title: "My Site's Been Hacked! (sic)" Be sure not to leave relevant information, such as which obsolete versions of Joomla! and third party extensions you installed.

1. Once your site's been cracked, fix the defaced index.php file and assume all else is well.

Don't check raw logs, change your passwords, remove the entire directory and rebuild from clean backups, or take any other overly paranoid-seeming action. When the attackers return the next day, scream loudly that you've been "hacked again," and it's all Joomla!'s fault. Ignore the fact that removing a defaced file is not even step one in the difficult process of fully recovering a cracked site.

About this list

This list originally appeared late one night on the Joomla Forums after one developer ended a particularly long round of crack recovery. The post struck many a nerve among Joomlaists far and wide, and has been translated into several languages. Some nerves were near the funny bone, others painfully far from it. Your experience may vary.

Security - Before you go live

Added by: Daniel Rataj (Monday, 28 February 2011 12:59)
Last Modified: Daniel Rataj (Monday, 28 February 2011 13:52)

This security list has been compiled from several sources, some of which are linked at the bottom of this article, so you may find duplicate suggestions. DON'T skip anything because of this!

For the most part this list does not provide instructions; it is only a list for you to check off each item as you perform the tasks.

  • I know this list will generate MANY questions, so please post them to the Joomla.org Security forum.


During Install

  1. Change the database table prefix from "jos_" to anything else.
     • When changing this, do not use any "reserved" prefixes such as bak_.
     • You may use numbers and letters, and YES you may use more than 3 characters, so b37qm2_ is a valid prefix.
     • Don't forget the trailing underscore "_", as it makes it MUCH easier to read your table names.

Joomla Backend

  1. It does not matter if your host does backups. Do it yourself too, and store them anywhere other than the server.
  2. Back up often! You would be amazed at how many sites NEVER perform regular backups.
  3. Did I mention to BACKUP your site?


Note: The extension Akeeba is highly recommended for backups.

PHP

  1. Ask your host whether they offer PHPsuExec, php_suexec or suPHP.
  2. Use php.ini files if your server allows it. With this you can disable functions that are not needed or are dangerous.
  3. register_globals = 0 (off). Many servers default this to ON.
  4. allow_url_fopen = 0 (off)
  5. expose_php = 0 (off)
  6. safe_mode = 0 (off)
  7. Use open_basedir; it limits which files and folders can be opened.
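As an added example (not part of this FAQ), a shell function that reads a php.ini-style file and reports every directive that contradicts the checklist above: the four flags that should be Off (or are missing, so the server default applies) and the two directives that should carry a value (open_basedir and disable_functions). The file path is supplied by the caller.

```shell
#!/bin/sh
# Added example: check a php.ini-style file against the PHP checklist above.
# Prints one "WEAK:" or "UNSET:" line per finding; prints nothing when clean.
check_php_ini() {
  awk '
    # Normalise the boolean spellings php.ini accepts.
    function norm(v) {
      v = tolower(v); gsub(/^[ \t"]+|[ \t"]+$/, "", v)
      if (v == "on" || v == "1" || v == "true" || v == "yes") return "on"
      if (v == "off" || v == "0" || v == "false" || v == "no" || v == "") return "off"
      return v
    }
    BEGIN {
      off["register_globals"] = 1; off["allow_url_fopen"] = 1
      off["expose_php"] = 1;       off["safe_mode"] = 1
      need["open_basedir"] = 1;    need["disable_functions"] = 1
    }
    /^[ \t]*[;#]/ { next }                      # comment line
    /^[ \t]*[A-Za-z_.]+[ \t]*=/ {               # "directive = value"
      key = $0; sub(/[ \t]*=.*/, "", key); gsub(/^[ \t]+/, "", key); key = tolower(key)
      val = $0; sub(/^[^=]*=/, "", val); sub(/[ \t]*;.*/, "", val)
      seen[key] = norm(val)
    }
    END {
      for (k in off) {
        if (!(k in seen)) print "UNSET: " k " (server default applies; set it to Off)"
        else if (seen[k] != "off") print "WEAK: " k " = " seen[k] " (expected Off)"
      }
      for (k in need)
        if (!(k in seen) || seen[k] == "off") print "WEAK: " k " is not set (expected a value)"
    }
  ' "$1"
}

# Number of findings; 0 means every checklist item is satisfied.
count_php_ini_findings() {
  check_php_ini "$1" | wc -l | tr -d ' '
}

# Usage (path is a placeholder): . ./ini_check.sh; check_php_ini /etc/php.ini
```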

What's new in Joomla 1.6

The principal changes introduced in Joomla 1.6 are:

  • New Access Control System - Allows site administrators control over who can view and manage content.
  • Unlimited Depth Organizational Model - Gives site administrators and content creators user-defined category levels that allow for the creation of a category tree with as many or as few levels for organizing articles and other content as needed.
  • One-Click Extension Updates - Allows users to keep sites secure and controlled by simplifying the process of updating extensions.
  • Semantic XHTML Layouts - Provides a better baseline for content presentation.


The following is a more complete list of changes.

Banners

Added by: Daniel Rataj (Monday, 28 February 2011 13:28)
Last Modified: Daniel Rataj (Monday, 28 February 2011 13:28)

Banners list

  • Missing copy toolbar button
  • New archive toolbar button
  • New columns to show meta keywords, purchase type and language
  • New filtering by client and language

Edit Banner

  • New type toggle for Image or Custom (dynamically changes the available form fields)
  • New alt text field for image
  • New language field

New Options
  • Ability to set the created date
  • Ability to set start and finish publishing times
  • Ability to set the purchase type
  • Ability to track impressions
  • Ability to track clicks
  • Use own prefix ?
  • Tags renamed to meta
  • Contacts
  • Messaging
  • Newsfeeds
  • Search
  • Weblinks
  • Redirect

Articles Manager

Added by: Daniel Rataj (Monday, 28 February 2011 13:19)
Last Modified: Daniel Rataj (Monday, 28 February 2011 13:20)

Articles Manager

  • Frontpage is now referred to as Featured
  • Article manager uses a submenu to quickly skip between articles, categories and featured
  • Sections and categories are now merged.

Articles List

  • "Missing move and copy; filter by author"
  • New column to show language
  • Filtering by language available

Article Edit

  • Created by user now selected by modal popup
  • New ability to set the page title from the article
  • Define create, delete, edit and publishing permissions

Archived Articles

  • In 1.5, Archived Articles had to first be changed to Published or Unpublished before update.
  • In 1.6, an Article with an Archived Status *can* be changed without changing the State first.

Categories

Added by: Daniel Rataj (Wednesday, 30 November -0001 01:00)
Last Modified: Daniel Rataj (Monday, 28 February 2011 13:21)

Category List

  • Nested view
  • Filtering on language

Edit Category

  • New note field
  • Section replaced with ability to assign a parent category
  • Ability to assign content language

New Options (not previously available in 1.5)

  • Assign alternate layout
  • Define create, delete, edit and publishing permissions
  • Meta description
  • Meta keywords
  • Alternative page title
  • Meta author
  • Meta robots
