Recommended PHP settings for Joomla additional security

To improve the overall security of your Joomla application, start with the language that powers it, which is PHP. Although PHP is known to be very stable, there are certain parameters you can adjust to add security to your website.

All settings described here can be entered into a custom php.ini file residing in the very same directory where your Joomla website is hosted. For more information on how to create a custom php.ini please check out our php.ini article here:

https://www.siteground.com/kb/How_to_change_the_value_of_a_PHP_setting/

The first and most important setting you should change is the register_globals value. Add the following line to the php.ini file:

register_globals = off

If this is left on, someone attempting to break your site could use it to inject all sorts of variables into your scripts. With the setting ON, an attacker can send a variable that is otherwise unreachable. By default, register_globals is turned off on all SiteGround servers, except if you are using PHP 5.1, where it is enabled by default. Do NOT enable this feature (i.e., do not set register_globals = On).

allow_url_fopen = off

This setting makes PHP treat remote files as if they were local files on the server: it allows PHP to open any URL as if it were a file on your account. Although this is very handy, it will allow an attacker to include a file hosted on a remote server into your website and possibly execute it. In most cases, this is exactly how web shells and backdoors are installed into customers' hosting accounts. You should not enable it unless a very important extension/plugin requires it.

expose_php = off (default value = on)

One of the first steps an attacker takes is to gather as much information as possible about the platform and the software the target is using. By disabling expose_php you will greatly reduce the information that an attacker will be able to discover.
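
To confirm that the custom php.ini is actually being applied, the following script reports the effective runtime value of the three settings above. It is an added example, not SiteGround's or Joomla's own code; the function name audit_setting is hypothetical, and it assumes a PHP version that provides filter_var() and php_ini_loaded_file().

```php
<?php
// Added example: report the effective value of the settings recommended above.

// Settings from the article; false means the recommended state is "off".
$recommended = array(
    'register_globals' => false,
    'allow_url_fopen'  => false,
    'expose_php'       => false,
);

// Hypothetical helper: returns array(name, state, verdict) for one directive.
function audit_setting($name, $wantOn)
{
    $raw = ini_get($name);
    if ($raw === false) {
        // ini_get() returns false when the directive does not exist
        // in the running PHP build, so there is nothing to turn off.
        return array($name, 'n/a', 'not available in this PHP build');
    }
    // Values read from php.ini arrive as "" (off) or "1" (on), but a value
    // set elsewhere may be the literal string "Off" or "On". Normalise both.
    $isOn = filter_var($raw, FILTER_VALIDATE_BOOLEAN);
    $state = $isOn ? 'on' : 'off';
    if ($isOn === $wantOn) {
        $verdict = 'OK';
    } else {
        $verdict = 'CHANGE: add "' . $name . ' = off" to php.ini';
    }
    return array($name, $state, $verdict);
}

header('Content-Type: text/plain');
foreach ($recommended as $name => $wantOn) {
    list($n, $state, $verdict) = audit_setting($name, $wantOn);
    printf("%-18s %-4s %s\n", $n, $state, $verdict);
}

// Show which php.ini was loaded, to confirm the custom file is in effect.
$loaded = php_ini_loaded_file();
echo 'Loaded php.ini: ', ($loaded ? $loaded : 'none'), "\n";
```

Request the script through the web server rather than the command line, since the two can load different php.ini files, and delete it once you have read the output.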

Joomla is powerful software that is easy to work with once you have the right host to support you. Before you lose any more time with the wrong host, check out the SiteGround Joomla hosting offer.
