Joomla! Security Best Practices: 10 Ways to Keep Joomla! Secure

More popularity your Joomla website gains, more security concern you’ll be. Hackers or bad guys are always searching one way or others to hack your website and use it for their purpose. Mostly for DDoS attack using your host/network.

Joomla! is a CMS that is very powerful and secure, but oftentimes we made it vulnerable by ourselves.

Besides the popularity, more and more individuals and businesses of all sizes start to rely on this open-source CMS and get their products and services online.

The following tips will help you increase your Joomla website security.

Use the Latest Version of Joomla & Extensions

Website owners don’t upgrade or maybe forget to upgrade to the latest version most of the time, which creates a significant risk.

Almost in every release, Joomla has fixed some security issues. So if you don’t upgrade to the latest version means you are keeping some vulnerability on your website.

Use Strong Password for Secure Administrator Login

In most cases, people leave the default administrator account as the user name to “admin” and a silly password which is easily guessable and creates the biggest risk.

If you are keeping the default “admin” and a guessable password, you subconsciously helping the hacker in their job.

Take Regular Joomla Backup

Backup is your friend and a lifesaver. When things go wrong, backup is probably one of the quickest ways to restore your online business operations.

Use the secret key to login into Joomla Admin

Hide your administrator backend from potential hackers and allows those that have a secret URL to access the administration area.

Don’t Install Too Many Extensions

Joomla is such a powerful platform because it’s so easy to extend its functionality in a few clicks. But with great power, comes great responsibility! Most Joomla hacks happen because of third party extensions that fail to follow best practices. Test new extensions in a staging or local environment first to assess their value and stability. You can test your Joomla site on your local machine using the Joomlatools Vagrant box.

Make sure to uninstall extensions that you don’t need any longer. More code on your website only increases the number of potential vulnerabilities.

Alternatively, you can build your application using the Joomlatools Platform. This is a modern Joomla stack with a slimmed-down Joomla codebase and improved directory structure. Only public assets are exposed by the webserver while the core PHP files and extensions are moved outside of your document root.

Restrict File and Directory Permissions

An all too common problem is incorrect file permissions. You should only grant write access to those directories and files that actually require it, such as upload and cache directories. Everything else should be locked down once your extensions and templates have been installed.

In a typical Joomla setup, permissions would look like this:

Directories set to 0755: only the owner of the file can write to it, the rest can read and execute them.
Files set to 0644: only the owner can write, the rest can read.
PHP set to 0444: nobody can write to the file.

And finally, never ever use 777 permissions. It allows your files to be viewed and modified by anyone! This is especially important if you are on shared hosting. Any other user will have full access to your files.

Use a Web Application Firewall

A web application firewall (WAF) acts as a filter and monitor for HTTP applications. You can either install one on your own server yourself, such as ModSecurity or use a cloud-based solution. Using a web application firewall will give you the following features:

Spambot protection
Brute-force attack protection
Backdoor protection
DDoS protection
SQL injection protection
and more.

Use Web Application Firewall

Web Application Firewall (WAF) is essential for any website to protect from top OWASP 10 security, known vulnerabilities & malware.

If you are hosting your Joomla website on VPS, then you may use ModSecurity which is free. However, if you are on shared hosting or don’t have time, then you may consider a cloud-based web application firewall. Using WAF will help you with the following.

Bot protection
Login protection
Backdoor protection
DDoS protection
SQL injection
XSS attack
Joomla specific vulnerabilities
Brute force attack
Layer 7 DDoS protection
and much more…

Use SSL Certification

Use an SSL certificate on your site and force Joomla into SSL mode.

Before enabling SSL mode to be sure that you have configured SSL certificate for your site’s domain, or you will not be able to enable this feature.

When you use an SSL certificate on your website, it will encrypt the user’s username and password before sent to your server over the internet.

Monitor Your Website

How do you know your site is still up and running? You need to monitor your website continuously to make sure it has not been hacked. If a problem occurs, you will get an email or SMS.

For more cybersecurity information contact us at

Leave a Comment

Your email address will not be published. Required fields are marked *

two + 14 =