As promised, in this sequel of my previous post, we’ll see some useful steps for performance and security optimization of your Nginx-powered Joomla installation on a CentOS VPS and get it ready for its production run. Please note that these are not one-time and/or persistent settings. Performance and security optimization is a constant process.
So, the first thing I do after every Joomla installation is to hide its version, since attackers commonly scan for the Joomla version so they can look up its known vulnerabilities.
To hide the Joomla version:
1. Log in to the Admin panel, go to System > Global Configuration, scroll all the way down and find the Show Joomla! Version option. Set it to No.
- Compress it! With the gzip option enabled, the webserver is told to compress the website's content before it sends it to the browser. This option can reduce the transferred size by a good margin (usually more than 70%), and with it the time needed to deliver the content to the browser, but it also shifts a greater share of the work onto the webserver itself.
On balance, this trade-off works in favor of the website and its speed, so enabling it is recommended. To do so:
2. Go to System > Global Configuration > Server tab and find the Gzip Page Compression option and set it to Yes.
- Cache it! Use this option to boost performance once the development phase is over and the website is ready to go live. The recommended cache time (as an initial number at least) is 60 minutes.
Joomla offers two caching options, conservative and progressive. Strong recommendations work in favor of conservative caching, and here is why, in short:
– if conservative caching is enabled, then for every visitor that comes to the website, Joomla will check for a cached version in its cache directory, and if one exists, Joomla will serve it to the client. If it does not exist, Joomla will create one and then serve it to the client. The cached version stays valid for the period defined by Cache Time (in minutes).
– if progressive caching is enabled, then for every visitor that comes to the website, Joomla will check for a cached version for that specific client; if it exists it will serve it, and if not, Joomla will create a cached version of the website specifically for that client in its cache directory and then serve the client. So, if another, new client visits the website (for the first time), Joomla will completely disregard the cached version made for the previous client and create a new one for the current client, which makes this caching mode even worse (performance-wise) than the Caching Disabled option, since it offers a performance boost for returning clients only. So, unless you are absolutely sure you need this option, its usage is not recommended. However, to choose your preferred setting:
3. Go to System > Global Configuration > System tab, find the Cache option in the Cache Settings section and set it to the desired value based on the previous explanations. Set the time to 60, unless you know you need another number. Use File as the Cache Handler, or whichever other handler is available on your server.
Next, you would like to adjust the Session Lifetime. This in general depends on your own (and your users’) needs. You can make this setting more paranoid by entering a lower number (the value is in minutes). The default value is 15, which means that the user will be automatically logged out after 15 minutes of inactivity. The default – and recommended – Handler is database, as setting the handler to none can break most of Joomla’s functions.
So, to edit the Session values:
4. Go to System > Global Configuration > System tab and find the Session Lifetime option in the Session Settings section and set it to the desired value based on the previous explanations. If you are not sure which number will be right for you, just leave it to its default value.
- SEF it! It is strongly recommended that you enable SEF, or Search Engine Friendly URLs. The difference between a website with and without SEF is quite obvious. If SEF is disabled, the URLs look like:
http://joomla.rosehosting.com/index.php?option=com_content&view=article&id=1:test-article&catid=8&Itemid=101
Otherwise:
http://joomla.rosehosting.com/index.php/8-test/1-test-article
The steps:
5. If you followed my previous article, you already have the necessary Nginx config line in place, so you just need to go to System > Global Configuration > Site tab > SEO Settings section and set Search Engine Friendly URLs to Yes. Also, make sure the System – SEF plugin is enabled in Extensions > Plugin Manager.
If you haven’t followed our previous article, then you need to edit your Nginx vhost file and make sure the following block is in place:
# vim /etc/nginx/sites-enabled/mydomain.tld.conf
location / {
    try_files $uri $uri/ /index.php?$args;
}
Save the file and restart Nginx:
# service nginx restart
In order to ‘decorate’ our URLs even more, we need to enable the Use URL Rewriting option, found right below the Search Engine Friendly URLs option we have just enabled. Now the URL should look like:
http://joomla.rosehosting.com/8-test/1-test-article
Another good idea is to protect your Joomla installation against some of the most common known exploit patterns by rejecting requests whose query string carries them. To do so, make sure the following lines are in place:
# vim /etc/nginx/sites-enabled/mydomain.tld.conf
location / {
    try_files $uri $uri/ /index.php?$args;

    # Reject requests whose raw query string carries well-known injection
    # patterns. "~" is case-sensitive, "~*" case-insensitive; the patterns
    # must be in straight double quotes because they contain "{" and "}".
    if ($query_string ~ "base64_encode.*(.*)") { return 403; }
    if ($query_string ~ "sbp(=|%20|%3D)") { return 403; }
    if ($query_string ~ "sb_authorname(=|%20|%3D)") { return 403; }
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { return 403; }
    if ($query_string ~* "(<|%3C).*script.*(>|%3E)") { return 403; }
    # "[" is a regex metacharacter, so it is escaped to match a literal bracket.
    if ($query_string ~ "GLOBALS(=|\[|%[0-9A-Z]{0,2})") { return 403; }
    if ($query_string ~ "_REQUEST(=|\[|%[0-9A-Z]{0,2})") { return 403; }
}
Save the file and restart Nginx:
# service nginx restart
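To see which requests these rules would reject before you restart Nginx, here is an added shell example (not from the original post) that replays the seven patterns over constructed sample query strings with grep -E; the sample query strings are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: replay the seven query-string
# rules above against sample query strings to see what would get a 403 before
# you restart Nginx. grep -E (POSIX ERE) agrees with nginx's PCRE for these
# patterns. Like $query_string, the input is the RAW, still percent-encoded
# query string, which is why the rules look for %3C/%3D and not for "<"/"=".

# joomla_qs_blocked QUERY -> prints the verdict, returns 0 if blocked, 1 if not
joomla_qs_blocked() {
    qs="$1"
    # rules the post applies with "~" (case-sensitive)
    for re in 'base64_encode.*(.*)' \
              'sbp(=|%20|%3D)' \
              'sb_authorname(=|%20|%3D)' \
              'mosConfig_[a-zA-Z_]{1,21}(=|%3D)' \
              'GLOBALS(=|\[|%[0-9A-Z]{0,2})' \
              '_REQUEST(=|\[|%[0-9A-Z]{0,2})'; do
        if printf '%s\n' "$qs" | grep -Eq -e "$re"; then
            printf '403  %-40s <= %s\n' "$re" "$qs"
            return 0
        fi
    done
    # the one rule the post applies with "~*" (case-insensitive)
    re='(<|%3C).*script.*(>|%3E)'
    if printf '%s\n' "$qs" | grep -Eiq -e "$re"; then
        printf '403  %-40s <= %s\n' "$re" "$qs"
        return 0
    fi
    printf '200  %-40s <= %s\n' '(no rule matched)' "$qs"
    return 1
}

# Constructed samples: the normal (non-SEF) article URL from the post, three
# strings the rule families should catch, and one showing that the GLOBALS
# rule is case-sensitive (lowercase "globals" in a search term passes).
for q in 'option=com_content&view=article&id=1:test-article&catid=8&Itemid=101' \
         'mosConfig_live_site=foo' \
         'GLOBALS[foo]=bar' \
         'q=%3Cscript%3Ehello%3C%2Fscript%3E' \
         'searchword=globals'; do
    joomla_qs_blocked "$q" || :
done
```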
These are some of the optimization and security measures you can take to secure and speed up your Joomla installation. Of course, there is no such thing as perfect safety, so feel free to test your Joomla installation and secure it further if this doesn’t seem enough. However, don’t forget to keep your Joomla installation and its plugins/extensions up to date by upgrading whenever a new version comes out, and uninstall (don’t just disable) unnecessary extensions.
Also, make sure you have the correct file and directory permissions. All files should have 644 permissions, while directories should have 755 (unless you are 100% sure what you are doing).
Now you have an optimized and secured Joomla installation on your CentOS 6 VPS, ready to go into production.
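An added shell example (not from the original post) that audits a document root for the 644/755 scheme and resets it; the docroot path is whatever you pass as the first argument, and the fixture it builds for the demo is a constructed stand-in, not a real Joomla tree.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a Joomla document root
# for files that are not 644 and directories that are not 755, then reset
# them. Pass the docroot as the first argument (the path is your own; the
# fixture below is a constructed stand-in, not a real Joomla install).

# joomla_perm_audit DIR -> lists offenders in ls -ld form, returns 1 if any
joomla_perm_audit() {
    bad=$(find "$1" -type f ! -perm 644 -exec ls -ld {} + ;
          find "$1" -type d ! -perm 755 -exec ls -ld {} +)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# joomla_perm_fix DIR -> applies the post's 644/755 scheme. Joomla still has
# to write to cache/, tmp/, logs/ and administrator/cache/, so the files must
# be owned by the user PHP-FPM runs as; owner-writable 644/755 then suffices.
joomla_perm_fix() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
}

# Constructed fixture: a throwaway "docroot" with one file and one directory
# that are too restrictive (600 and 700). Prints its path.
joomla_perm_fixture() {
    d=$(mktemp -d)
    mkdir "$d/cache" "$d/images"
    : > "$d/index.php"
    : > "$d/images/logo.png"
    chmod 600 "$d/index.php"
    chmod 700 "$d/cache"
    printf '%s\n' "$d"
}

# Demo run (only when invoked with --demo, so the functions can be sourced)
if [ "${1:-}" = "--demo" ]; then
    root=$(joomla_perm_fixture)
    joomla_perm_audit "$root" || echo "-- offenders found, fixing --"
    joomla_perm_fix "$root"
    joomla_perm_audit "$root" && echo "-- clean --"
    rm -rf "$root"
fi
```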
Of course, if you are one of our Linux VPS Hosting customers, you don’t have to do any of this, simply ask our admins, sit back and relax. Our admins will set this up for you immediately.
PS. If you liked this post please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.