Securing a Joomla! installation with NinjaFirewall (Pro+).

NinjaFirewall (Pro+ edition) Access Control is a powerful set of directives that can be used to efficiently protect a website. In this article, we will see how to quickly secure a Joomla! installation.

1. Password-protect the /administrator/ folder

Adding HTTP authentication to prevent any unauthenticated access to files located in the /administrator/ folder is the very first step you should take to secure Joomla!:

2. URL Access Control: Allowed URLs

Now that the whole /administrator/ directory is password-protected, it is relatively safe to whitelist it and all its PHP files, so that the administrator will never be blocked by NinjaFirewall when working from the Joomla! administration console.

Go to “Firewall > Access Control > URL Access Control > Allow access to the following URL” and add /administrator/ to the list of allowed URLs:

3. URL Access Control: Blocked URLs

Go to “Firewall > Access Control > URL Access Control > Block access to the following URL” and add the following directories to the list of blocked URLs:

/cache/, /cli/, /components/, /images/, /includes/, /language/, /libraries/, /logs/, /media/, /modules/, /plugins/, /templates/ and /tmp/.

Any attempt to access a PHP script in one of those folders will be immediately blocked by the firewall.

If you had a PHP script in one of those directories that needed to be directly accessed (e.g., http://domain.tld/plugins/foo/bar.php), you would need to add it to your “Allowed URLs” whitelist, otherwise it would be blocked. This does not apply to a default Joomla! installation.
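To check a planned allow/block list against sample requests before deploying it, here is a small Python model of the policy from steps 2 and 3 (an added example, not NinjaFirewall's own code). It assumes the allowed list is evaluated first, that only requests targeting a .php script under a blocked prefix are refused, and that paths are decoded and dot-segments resolved before matching; the exact decoding rules of the real firewall are not described on this page.

```python
from urllib.parse import urlsplit, unquote
import posixpath

# Constructed lists mirroring steps 2 and 3 of the article: the password-
# protected admin console is whitelisted, and PHP scripts under these
# Joomla! directories are blocked.
ALLOWED_URLS = ["/administrator/"]
BLOCKED_URLS = [
    "/cache/", "/cli/", "/components/", "/images/", "/includes/",
    "/language/", "/libraries/", "/logs/", "/media/", "/modules/",
    "/plugins/", "/templates/", "/tmp/",
]


def normalize_path(url: str) -> str:
    """Decode the request path and resolve ./ and ../ segments so the policy
    is evaluated on the file actually targeted, not on the raw string."""
    path = unquote(urlsplit(url).path) or "/"
    clean = "/" + posixpath.normpath(path).lstrip("/")
    # normpath drops a trailing slash; restore it so directory requests
    # still match a "/dir/" prefix.
    if path.endswith("/") and not clean.endswith("/"):
        clean += "/"
    return clean


def targets_php(path: str) -> bool:
    """Assumption: a request targets a PHP script if any path segment ends in
    .php (this also catches path-info such as /plugins/x.php/extra)."""
    return any(seg.lower().endswith(".php") for seg in path.split("/"))


def decide(url: str, allowed=ALLOWED_URLS, blocked=BLOCKED_URLS) -> str:
    """Return "allow", "block" or "pass" for one request URL. Assumed order:
    the allowed list wins, then PHP scripts under a blocked prefix are
    refused; everything else (static files, front-end pages) passes."""
    path = normalize_path(url)
    if any(path.startswith(p) for p in allowed):
        return "allow"
    if targets_php(path) and any(path.startswith(p) for p in blocked):
        return "block"
    return "pass"


if __name__ == "__main__":
    for u in ["/administrator/index.php", "/images/logo.png",
              "/plugins/foo/bar.php", "/images/../plugins/foo/bar.php"]:
        print(f"{u:40} -> {decide(u)}")
```

Adding /plugins/foo/bar.php to the allowed list, as the last paragraph describes, turns that single script's verdict back to "allow" while the rest of /plugins/ stays blocked.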