NinjaFirewall (Pro+ edition) Access Control is a powerful set of directives that can be used to efficiently protect a website. In this article, we will see how to quickly secure a Joomla! installation.
1. Password-protect the /administrator/ folder
Adding HTTP authentication to the /administrator/ folder, so that no file in it can be reached without credentials, is the very first step you should take to secure Joomla!:
- joomla.org: How do you password protect directories using htaccess?
- cPanel users: Password Protect Directories
- apache.org: Password protect a directory using basic authentication
2. URL Access Control: Allowed URLs
Now that the whole /administrator/ directory is password-protected, it is relatively safe to whitelist it and all its PHP files, so that the administrator will never be blocked by NinjaFirewall when working from the Joomla! administration console.
Go to “Firewall > Access Control > URL Access Control > Allow access to the following URL” and add /administrator/ to the list of allowed URLs:
3. URL Access Control: Blocked URLs
Go to “Firewall > Access Control > URL Access Control > Block access to the following URL” and add the following directories to the list of blocked URLs: /cache/, /cli/, /components/, /images/, /includes/, /language/, /libraries/, /logs/, /media/, /modules/, /plugins/, /templates/ and /tmp/.
Any attempt to access a PHP script in one of those folders will be immediately blocked by the firewall.
If you had a PHP script in one of those directories that needed to be directly accessed (e.g., http://domain.tld/plugins/foo/bar.php), you would need to add it to your “Allowed URLs” whitelist, otherwise it would be blocked. This does not apply to a default Joomla! installation.
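To preview which requests the allow and block lists above would affect before enabling them, here is an added Python model of the policy run over constructed access-log lines; it is my code, not NinjaFirewall's, and it assumes that the allow list takes precedence, that matching is by decoded path prefix, and that only PHP scripts are evaluated, since static files never reach a PHP-level firewall.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Lists exactly as the article configures them.
ALLOWED_URLS = ["/administrator/"]
BLOCKED_URLS = ["/cache/", "/cli/", "/components/", "/images/", "/includes/",
                "/language/", "/libraries/", "/logs/", "/media/", "/modules/",
                "/plugins/", "/templates/", "/tmp/"]

def normalize_path(url):
    """Decode and collapse dot segments so '/tmp/../tmp/%75pload.php' is judged as '/tmp/upload.php'."""
    path = unquote(urlsplit(url).path) or "/"
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"  # normpath strips the trailing slash that directory prefixes rely on
    return norm

def decide(url, allowed=ALLOWED_URLS, blocked=BLOCKED_URLS):
    """Return 'allow' or 'block' for one request URL (assumption: allow list wins, PHP scripts only)."""
    path = normalize_path(url)
    if any(path.startswith(p) for p in allowed):
        return "allow"           # whitelisted, e.g. the password-protected back end
    if path.lower().endswith(".php") and any(path.startswith(p) for p in blocked):
        return "block"           # PHP script living in a directory that should never be hit directly
    return "allow"               # static files never reach a PHP-level firewall; other PHP is unaffected

# Constructed Apache common-log lines (not from a real server) to preview the policy's effect.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /administrator/index.php HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 2048
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /plugins/foo/bar.php HTTP/1.1" 200 128
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "POST /tmp/../tmp/%75pload.php HTTP/1.1" 200 64
"""
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def audit_log(log_text, extra_allowed=()):
    """Map every request in the log to the policy's decision; extra_allowed models adding a
    legitimately direct-access script (like /plugins/foo/bar.php) to the whitelist."""
    allowed = ALLOWED_URLS + list(extra_allowed)
    return [(m.group(1), decide(m.group(1), allowed))
            for m in map(LOG_RE.search, log_text.splitlines()) if m]

if __name__ == "__main__":
    for url, verdict in audit_log(SAMPLE_LOG):
        print(f"{verdict:5} {url}")
```

Running it over your real access log instead of SAMPLE_LOG shows which existing requests would start being blocked, which is the quickest way to spot a non-default script that needs whitelisting.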