Joomla! 1.5: Beginner's Guide

By: Eric Tiggeler
Overview of this book

Joomla! is one of the most popular open-source Content Management Systems, actively developed and supported by a world-wide user community. Although it's a fun and feature-rich tool, it can be challenging to get beyond the basics and build a site that meets your needs perfectly. Using this book you can create dynamic, interactive web sites that perfectly fit your needs. This practical guide gives you a head start in using Joomla! 1.5, helping you to create professional and good-looking web sites, whether you want to create a full-featured company or club web site or build a personal blog site. The Joomla! 1.5 Beginner's Guide helps beginners to get started quickly and to get beyond the basics to take full advantage of Joomla!'s powerful features. Real-life examples and tutorials will spark your imagination and show you what kind of professional, contemporary, feature-rich web sites any developer can achieve with Joomla!. It gives you a head start and explains what's good and useful about Joomla! features and what's not. The focus is on clear instructions and easy-to-understand tutorials, with a minimum of jargon. This book provides clear definitions, thoroughly covering the concepts behind the software and creating a coherent picture of how the software works. This book is not about what Joomla! can do—it's about what you can do using Joomla!.

Tip 4: Protect files and directories


Obviously, you don't want everybody to be able to access the Joomla! files and folders on the web server. You can protect files and folders by setting access permissions using the CHMOD (Change Mode) command. Basically, CHMOD settings tell the web server who has access to a file or folder, who is allowed to read it, write it, or to execute a file (run it as a program).

Once your Joomla! site is set up and everything works OK, you can use CHMOD to change permissions. You don't use Joomla! to change CHMOD settings; these are set with FTP software (for more information on FTP programs, see Chapter 2 on installing Joomla!).

This is how it works:

  1. In your FTP program, right-click on the name of the file or directory you want to protect.

  2. In the right-click menu select Properties.

  3. You'll be presented with a pop-up screen. Here, you can check permissions and change them by selecting the appropriate options as shown in the following screenshot:

    As you can see, it's possible to set permissions for the file owner (that's you), for group members (that's likely to be only you too), and for the public (everyone else). This last one is the tricky part; you should be very careful and restrict public permissions as much as possible.

    When changing the permission settings, the file permissions number (the value in the Manual: box in the previous screenshot) will change accordingly. Every combination of settings has its particular number. In the above example, the permissions are set to 644 (the leading 0 is ignored).

  4. Click on OK to execute the CHMOD command and set file permissions.

Choosing file permissions

What files should you protect and what CHMOD settings should you choose? Here are a few pointers:

  1. By default, permissions for files are set to 644. That's a safe value:

    • When you need to change the file contents, temporarily change permissions to 775.

    • Once you're done, go back to 644. Configuration files (such as configuration.php in the Joomla! root directory) are especially vulnerable as they contain username and password details. Make sure that the CHMOD value of configuration.php is set to 644.

  2. For directories a safe setting is 750 (which doesn't allow any public access):

    • However, some extensions may need access to certain directories; the 750 setting might result in error messages. In this case, set permissions to 755.

    • Never leave permissions for a file or directory set to 777; this allows everybody to write data to it.

    Note

    You can also block direct access to critical directories using a .htaccess file. This is a special file containing instructions for the web server—among other things, it tells the web server who's allowed access to the directory contents. You can add a .htaccess file to any folder on the server using specific instructions. This is another way to instruct the web server to restrict access. See the Joomla! security documentation on www.joomla.org for instructions.
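
The permission numbers and the recommended values above can be checked across a whole site instead of one file at a time. The Python script below is an added example, not code from the book: it decodes a permission number into owner, group, and public rights, then lists every entry that is publicly writable or not set to 644 (files) or 750/755 (directories). The function names and the sample tree are constructed for illustration, and it assumes you can run Python on the server or on a local copy of the site that preserves permissions.

```python
import os
import stat
import tempfile

# Recommended values from the tips above: files 644, directories 750 or 755.
FILE_OK = {0o644}
DIR_OK = {0o750, 0o755}

def describe(mode):
    """Decode a permission number such as 0o644 into owner/group/public rights."""
    out = {}
    for i, who in enumerate(("owner", "group", "public")):
        bits = (mode >> (6 - 3 * i)) & 0o7  # one octal digit per class
        out[who] = "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))
    return out

def audit(root):
    """Return sorted (relative path, mode, reason) for entries that break the tips above."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):  # a symlink's own mode bits are not meaningful
                continue
            mode = stat.S_IMODE(st.st_mode)
            allowed = DIR_OK if stat.S_ISDIR(st.st_mode) else FILE_OK
            entry = (os.path.relpath(path, root), format(mode, "03o"))
            if mode & stat.S_IWOTH:  # public write bit set, e.g. 777
                findings.append(entry + ("public can write",))
            elif mode not in allowed:  # e.g. a file left at 775 after editing
                findings.append(entry + ("not a recommended value",))
    return sorted(findings)

def build_sample_site():
    """Constructed sample tree standing in for a Joomla! root (not real site data)."""
    root = tempfile.mkdtemp()
    for rel, mode, is_dir in (("images", 0o777, True), ("cache", 0o755, True),
                              ("configuration.php", 0o775, False), ("index.php", 0o644, False)):
        path = os.path.join(root, rel)
        if is_dir:
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    print(describe(0o644), audit(build_sample_site()))
```

To check a real site, call `audit()` with the path of the Joomla! root directory instead of the sample tree.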