Every hacker in this world knows that, by default, all Joomla database tables have the "jos_" prefix. This is so well known that even automated defacing scripts rely on it, and there are a lot of "tools" capable of automatically probing your site that have this presumption built into them.

The ability to use a site-wide prefix for all Joomla (and Mambo) tables, and to control this prefix from the main configuration file, was one of the key "ingredients" that Brian Teeman, one of Mambo/Joomla's "Founding Fathers", added to the core of the CMS back in 2003. This was one of the items that made it different and more versatile, but it opened a potential security gap because lazy users did not make a habit of changing it, as the original coder intended. The original intent was to allow multiple instances of Mambo to be installed on the same server/database, but over time the prefix gained a new use as a simple security tool to defend you against common exploits.

Most hackers use automated tools to discover vulnerable sites, so small things like this tip can help you avoid being successfully hacked. If you follow milw0rm or any of the other security sites, you will have noticed that many of the exploits rely on your database tables being called jos_XXXXXX.

By simply using your own prefix you would have been protected from these exploits. So, whenever you install a new Joomla instance, be sure to replace the default "jos_" prefix with something else. Be creative!

What if you have already installed Joomla using that prefix? You have at least 2 choices to correct the problem on the fly. The simple solution, meant for the average Joomla webmaster, is to grab a copy of Admin Tools and use that to change the default prefix (and to perform lots of other security and site stability related actions). For geeks there is another solution too: go to your database (probably using phpMyAdmin) and, depending on your knowledge level, rename the database tables (or even better, make copies of ALL of them) so they have the desired new prefix, then change the corresponding line in configuration.php. Locate and change

var $dbprefix = 'jos_';

to something like

var $dbprefix = 'new_';
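
The manual route above (rename the tables, then edit configuration.php), as an added Python example that is not part of the original article: it plans the renames from a table list, emits a single RENAME TABLE statement to paste into phpMyAdmin, and rewrites the $dbprefix line. The table names, the config fragment, the prefix x7kq_ and the prefix-format rule are constructed assumptions.

```python
import re

# Constructed sample input: names as SHOW TABLES might list them, and a
# Joomla 1.5-style configuration.php fragment.
SAMPLE_TABLES = ["jos_users", "jos_content", "jos_session", "stats_jos_archive", "backup_users"]
SAMPLE_CONFIG = "<?php\nclass JConfig {\n\tvar $dbtype = 'mysql';\n\tvar $dbprefix = 'jos_';\n}\n"
# Assumed conservative rule for this example (not Joomla's own validation).
PREFIX_RE = re.compile(r"^[a-z][a-z0-9]{1,14}_$")


def plan_renames(tables, old_prefix, new_prefix):
    """Return sorted (old, new) pairs for tables that start with old_prefix."""
    if not PREFIX_RE.match(new_prefix) or new_prefix == old_prefix:
        raise ValueError("new prefix must differ from the old one and look like 'abc1_'")
    existing = set(tables)
    pairs = []
    for name in sorted(tables):
        # Exact prefix match; a LIKE 'jos_%' filter would treat '_' as a wildcard.
        if not name.startswith(old_prefix):
            continue
        target = new_prefix + name[len(old_prefix):]
        if target in existing:
            raise ValueError(f"target table already exists: {target}")
        pairs.append((name, target))
    return pairs


def rename_sql(pairs):
    """Build one RENAME TABLE statement; MySQL applies a multi-table rename atomically."""
    if not pairs:
        raise ValueError("no tables to rename")
    body = ",\n  ".join(f"`{old}` TO `{new}`" for old, new in pairs)
    return f"RENAME TABLE\n  {body};"


def update_config(php_source, new_prefix):
    """Rewrite the $dbprefix value; fail if the line is not found exactly once."""
    pattern = re.compile(r"(\$dbprefix\s*=\s*')[^']*(')")
    updated, count = pattern.subn(lambda m: m.group(1) + new_prefix + m.group(2), php_source)
    if count != 1:
        raise ValueError(f"expected one $dbprefix line, found {count}")
    return updated


if __name__ == "__main__":
    pairs = plan_renames(SAMPLE_TABLES, "jos_", "x7kq_")
    print(rename_sql(pairs))
    print(update_config(SAMPLE_CONFIG, "x7kq_"))
```

Take a database backup before running the generated statement, and apply the configuration.php change immediately afterwards, since the site cannot find its tables in between.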


Of course, none of this is a replacement for good server security (permissions etc.) and good-quality, regularly maintained extensions, but it's a start.
