src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
This is a key security issue, but unfortunately many of the Joomla siteowners need guidance on this.
First, let's see what you should know:
Joomla is a tipical LAMP (Linux/Apache/MySQL/PHP) application, even if runs on many other platforms too. The entire access rights "philosophy" is relying on the native environment's settings.
There are 3 tipical user levels in this environment, the Owner - wich is the user who created the file, the Group - the usergroup he belongs and World - aka the rest of the world, and 3 tipical access modes, Read, Write and Execute.
The combination of these is the so called access matrix, and the resulting rights are represented usually by a 3 digit scheme, ranging from 000 - meaning nobody can do nothing with a given file/folder, to 777, wich means that the file/folder can be used by anyone in any of possible modes. Alternatively the access rights are represented with rwx triplets (simbolizing the Read/Write/eXecute rights), preceeded with an extra symbol, so the alternative representation of the two cases above is:
000 ----------
respectively
777 -rwxrwxrwx
Before we go deeper in detail, an important fact to know:
The site is displayed for your visitors by the Apache engine, wich have a specific user with his user-rights. This user is named in the most cases "nobody".
You, as the client have your own identity on the hosting environment, let's name this user "cpanel-user". For the easier management of your assets, generally the cpaneluser and the nobody user are members of the same group, meaning they are sharing couple, but not all the rights on given files/folders. You must be aware of this fact, when you want to tweak the rights on files, depending on the tools you use, the result can be dramatically different.
So obviously you have 2 different approaches basically: dealing with your files/folders as the cpaneluser, or as the Apache user (yeah, as "nobody").
A. Tools used as "cpaneluser"
Obviously, the tools provided in the hosting packages by your hoster. Typically the cPanel's file manager and your FTP account.
You can log in through FTP in many interesting ways, we recommend FileZilla as a great Open Source product, but you can use a plethora of alternatives, from Total Commander to CuteFTP, these all are in fact just skins over the raw FTP protocols, one of the oldest networking tools around. Using these can be rewarding, and can have security benefits if they are used properly, but in same time can ruin your efforts to secure your site if you don't know, what you do.
B. The "nobody's" toolset
These are generally Joomla installable tools, as JoomlaeXplorer, and the ability to set the default rights from the main site configuration.php, or another add-ons which are used through HTTP protocol, as for example some of available WYSIWYG editors.
An important note: if you set for example as "cpaneluser" the access right for a given file to 644 or -rw-r--r-- the file will be readable by anyone and writeable by you - aka the "cpaneluser", but will not be writeable by anyone else, even the "nobody" user. In contrast, if the same rights are set as the "nobody" user, for example from within the JoomlaeXplorer, the file will be writeable by anyone managing through HTTP protocol to take over your site... and exactly that's what the hackers are doing.
So if you want to lock down your site, do it as "cpaneluser"! Otherwise you just aquire a false sense of security, nothing more...
Add this page to your favorite Social Bookmarking websites
