Well, Dale is right on principle. If you need to start with a very secure site you need to go deep. But I'd argue that there is a softer start than going through the wizard. The wizard is geared towards security at the expense of a few false positives. The default settings, however, are geared towards minimising false positives, provided that you do not have extensions doing weird things. Therefore I have an alternative approach which would be a much "softer" introduction to securing your site without too many upfront headaches.
What I would advise is installing Admin Tools but do not go through the wizard. Leave the original options -- they do provide a modicum of baseline security.
Then go to Web Application Firewall, Configure WAF, Auto-ban and make the following changes:
- IP blocking of repeat offenders: Yes
- Email this address after an automatic IP ban: your own email address
- Block after: 5 attacks in 1 minute
- Block for this long: 5 minutes
- Add persistent offenders to the IP Disallow List: No
- Show this message to blocked IPs: something polite to display when the IP address is temporarily blocked, e.g. "Our site has temporarily limited access to it from your IP address, [IP]. Please come back in 10 minutes. We apologise for the inconvenience."
Click the Customisation tab. Make the following changes:
- Custom message: Something polite here, e.g. "Our site detected that you are doing something potentially dangerous. Your request has been blocked."
These settings are rather conservative and will not block you out of your site as fast. When you or anyone else does get blocked you will receive an email with a Rescue URL so you can restore access without having to rename the main.php file.
If you get the Custom Message while browsing your site normally you can review what happened by going to Web Application Firewall, Blocked Request Log. You will see a Target URL and a Reason. You can look up the Reason in the List of blocking reasons documentation page to understand which feature they come from. If you are puzzled as to what is going on, no problem, just file a support request and one of us will help you figure it out.
After getting this basic security up and running you can move on to the .htaccess Maker. Things are rather simple, albeit a tad laborious, here. Disable all features and use Save and Create .htaccess to create a minimal .htaccess which only has the features Joomla itself offers in its htaccess.txt (and a bit less, to be precise). Then enable one option at a time, save & create .htaccess again, check if your site still works. Rinse and repeat. That's what I'd do, too -- with the exception of five or so settings I can tell in advance if they will work at all on a server I've built or tested a site on.
It does take time but you get to better understand how your site works and where there are opportunities to improve its security. You can't reasonably implement sensible security improvements if your site and / or your security software are black boxes to you. Fixing the black box issue takes time but it does pay dividends.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
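As an added illustration, not part of the post above or of Admin Tools' own code, the following Python model replays a constructed blocked-request log against the auto-ban thresholds chosen above (5 attacks in 1 minute, blocked for 5 minutes, no persistent offender list). The sliding one-minute window, and not counting hits that arrive while an IP is already blocked, are assumptions of this model, and the reason strings are placeholders rather than real Admin Tools reason codes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the settings above (5 attacks / 1 minute / blocked 5 minutes).
# Sliding-window semantics are this model's assumption, not Admin Tools' actual code.
BLOCK_AFTER, WINDOW, BLOCK_FOR = 5, timedelta(minutes=1), timedelta(minutes=5)

class AutoBan:
    def __init__(self):
        self.hits = defaultdict(deque)  # ip -> timestamps of recent WAF-blocked requests
        self.banned_until = {}          # ip -> when its temporary block expires

    def is_banned(self, ip, now):
        now = datetime.fromisoformat(now) if isinstance(now, str) else now
        if ip in self.banned_until and now < self.banned_until[ip]:
            return True
        self.banned_until.pop(ip, None)  # expired; "persistent offenders" is off, so nothing is kept
        return False

    def blocked_request(self, ip, now):
        """Register one WAF-blocked request; return True if it trips the auto-ban."""
        if self.is_banned(ip, now):
            return False                # already blocked; nothing more to count
        q = self.hits[ip]
        q.append(now)
        while now - q[0] > WINDOW:      # drop hits that fell out of the 1-minute window
            q.popleft()
        if len(q) < BLOCK_AFTER:
            return False
        self.banned_until[ip] = now + BLOCK_FOR
        q.clear()                       # start counting afresh once the block lifts
        return True

def replay(log_lines):
    """Feed constructed 'timestamp ip reason' lines through the model; return (ban events, model)."""
    ab, events = AutoBan(), []
    for line in log_lines:
        ts, ip, _reason = line.split(" ", 2)
        now = datetime.fromisoformat(ts)
        if ab.blocked_request(ip, now):
            events.append((ip, now.isoformat(), (now + BLOCK_FOR).isoformat()))
    return events, ab

SAMPLE_LOG = [  # constructed sample; reasons are placeholders, not real Admin Tools reason codes
    "2024-01-01T10:00:00 203.0.113.5 reason-a",
    "2024-01-01T10:00:10 203.0.113.5 reason-b",
    "2024-01-01T10:01:30 203.0.113.5 reason-a",  # the first two are older than 60 s: count restarts at 1
    "2024-01-01T10:01:35 203.0.113.5 reason-a",
    "2024-01-01T10:01:40 203.0.113.5 reason-a",  # 5th hit overall, but only 3 inside the window: no ban
    "2024-01-01T10:01:45 203.0.113.5 reason-b",
    "2024-01-01T10:01:50 203.0.113.5 reason-a",  # 5 hits within 60 s: blocked until 10:06:50
    "2024-01-01T10:04:00 203.0.113.5 reason-a",  # still blocked, not counted
    "2024-01-01T10:07:00 203.0.113.5 reason-a",  # block has lifted; counted as a fresh first hit
]
```

Calling `replay(SAMPLE_LOG)` returns a single ban event for 203.0.113.5 starting at 10:01:50, and the model reports the address unblocked again from 10:06:50, which is the behaviour the conservative settings above aim for.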