Urdu English
English English Deutsch Deutsch Español Español Français Français Italiano Italiano Nederlands Nederlands Português Português Русский Русский Ελληνικά Ελληνικά

Welcome to Jumi! >> Security Checklist

Here comes some general and Jumi specific recommendations concerning site security.They are not exhaustive ones! It is practically impossible to make a site bulletproof against attacks from most qualified men and women.

But do not give it up! Read this article and then visit Joomla! security forum at the least.

My first rule is

Better security is better.

Protect your php files from being accessed

If somebody knows the pathname to your php file he/she can run it from outside. And possibly use it for his/her own purpose.

You can avoid it by several measures:

  • restrict direct access to your files
  • hide path to your files
  • protect directory where your files are from listing and accessing
In the following you will learn how to do that.
Restrict direct access to your php files.

At the very top of your php files write a line that does not allow anybody to run the files outside Joomla! environment.

For Joomla! 1.0.x

defined("_VALID_MOS") OR die("Restricted access");

For Joomla! 1.5.x

defined('_JEXEC') OR die("Restricted access");

Or for both Joomla! platforms:

defined("_VALID_MOS") OR defined('_JEXEC') OR die("Restricted access");
Hide path to your files by using Jumi absolute path.

If you are using Jumi plugin there is a possibility that path to your files will be revealed.

Jumi plugin code syntax written into Joomla! articles is visible in RSS feeds and pdf documents.

So users can see

(jumi [images/myscripts/myfile.php]}

It is not Jumi plugin/mambot bug but a Joomla! feature. Joomla! does not have content plugins for RSS and pdf. There is a solution: to hack Joomla! core and to make the trigger ourselves. Read kksou Hide Jumi for RSS feeds and How to have the plugins processed when generating PDF documents of content items

You can also disable articles from being feeded and you can also disable pdf variant of articles. But who can keep it in one's mind all the time?

Define Jumi Default Absolute Path in a Jumi extension parameters whenever possible. The users can see the name only and not the position within the directory structure:

(jumi [myfile.php]}

It is advisable to move directory of your scripts outside your www root. There is no chance to access the files by http calling then. Not all hosting services enable it.

Protect directory where your php files are from direct listing and accessing.

Place empty index.html in the directory. When somebody visits the directory via http he/she does not see a list of your files but empty page only.

The second measure is to apply apache capability, I mean mod_rewrite: It enables redirect http access to files in the directory into another file or place. There are more approaches how to do that. One of many possible solution is in inserting the following lines int your .htaccess file

RewriteCond %{HTTP_REFERER} !^http://www.mysite.com/.*$ [NC]
RewriteCond %{REQUEST_URI} myscripts [NC]
RewriteRule .* - [F]

It will resrict access to ALL www.mysite.com URLs containing myscript world. But as I said you can create your own htaccess rules. More on htaccess topic at corz.org here and here or Google "restrict access by htaccess".


I advice you to combine ALL the measures mentioned above

While my the very first security rule was that

Better security is better.

The very last one states:

There exists just one best security precaution: to terminate the website.