Joomla Security - The Complete Guide

Joomla is a free open-source content management system (CMS), built on a MVC framework. It is currently the 2nd most widely used CMS with over 40million downloads. While that doesn’t sound like a lot, that is is still millions of businesses and blogs that have chosen to power their websites with Joomla.  As with any major platform, additional security concerns always present themselves. Your risk of attack is greater and vulnerabilities are constantly being discovered and  exploited by attackers. This week, we provide a complete guide below on what you can do to harden your Joomla security and help prevent yourself from getting hacked or becoming a victim of the next brute-force attack.

You will also want to read:

A Review of 4 Popular Joomla SEO Extensions

How to secure your website from attacks using the .htaccess file

How to Prevent Spam on Your Joomla Website

How to Prevent the most common Application Attacks against websites

Joomla Vulnerabilities

Let's begin with an understanding of the risks you face when it comes to using Joomla to power your website. Well, according to CVE Details, an online security vulnerability data source, there have been 321 Joomla vulnerabilities reported to date (since 2005).

That's a huge figure but when comared with other CMSs and given the market share of Joomla, this figure is less for Joomla than for other content management systems (at least in the past seven years). So just from the data it appears that Joomla is a more secure CMS.

Also read: Keep Your Website Safe From Hackers with these Easy Steps

What types of vulnerabilities are linked to Joomla

According to CVE Details,  39% of Joomla vulnerabilities are from remote code execution. SQL injection accounts for 29%, HTTP response splitting account for 9%, XSS account for 11% and 6% are from Gain information.

You can stay up to date with security incidents and vulnerabilities by subscribing to Joomla’s official security announcements RSS Feed. You can also see a full list of Joomla vulnerabilities on CVE details.

Joomla Security

Joomla is a secure CMS, Notwithstanding, its popularity means it is always going to be at risk of being attacked or hacked. You can never prevent security breaches all the time, the best thing you can do is implement the best security practices to protect yourself. The recommendations below should help you to harden your Joomla security.

  •     Keep Joomla and Extensions Up to Date
  •     Smart Usernames and Passwords
  •     Joomla Security Extensions
  •     Block Bad Bots
  •     Secure Connections
  •     File Permissions
  •     Protect Administrator Login
  •     Enable Search Engine Friendly URLs
  •     SSL Certificate
  •     Harden HTTP Security Headers

1. Keep Joomla Core and Extensions Up to Date

It is important that you will endeavour to always keep your version of Joomla up to date as well as all of your extensions. Developers patch these for a reason and if you fall too far behind you will open yourself up to a lot of vulnerabilities, as hackers generally target older versions. Vulnerabilities like the SQL-injection vulnerability that was discovered in October 2015 which affected millions of Joomla installations is a big issue with older Joomla versions. You can always download the latest version of Joomla from the  joomla official website

If there is an update for Joomla available it will show up in the administrator dashboard. You can also use a free extension like Akeeba CMS Update to auto update your Joomla installation and back it up at the same time.

  1. To check or run updates, navigate to “Components” → “Joomla! Update.”
  2. If there is an update available click on “Install the Update.” Joomla will then begin updating your installation which will take a few minutes.

    Note: Joomla will log you out after the install has completed.

It is also recommended to only use trusted Joomla extensions and templates. Get your extensions and templates from the Joomla extensions directory or from well-known develpers. This will cause less problems for you in the future.

Do not forget to always backup your Joomla website! Keep regular backups as this allows you to quickly rollback and restore your CMS in case of an attack that causes a problem. We also recommend running backups before you update your Joomla version and extensions just to be safe in case something fatal occurs. You can easily test your updates locally using software like XAMPP or MAMP before pushing the changes to your production site.

The Akeeba Bacup extension is a very popular free backup extension (with about 1,000 reviews). This extension features:

  1.     One click backup.
  2.     Site transfer wizard. Transfer your site between servers fast and easily.
  3.     AJAX powered backup
  4.     The fastest native PHP backup engine.
  5.     Exclude specific files, folders
  6.     Exclude specific database tables or their contents
  7.     Unattended backup mode (CRON job scheduling)
  8.     Restore with Akeeba Kickstart (free of charge script)

 Akeeba Backup archives can be restored on any host. Useful for transferring your site between subdomains/hosts or even to/from your local testing server (XAMPP, WAMPServer, MAMP, Zend Server, etc).

2. Use Smart Usernames and Passwords

Using the right usernames and passwords will help protect you from brute force attackks. This is fundamental for your Joomla website securit and should be taken seriously. Avoid the use of the default “admin” as your username and choose a more complex password. This is probably one of the best ways to harden your Joomla security, and ironically it is one of the easiest. Many people though use something they can easily remember such as “1234567” and end up regretting later when they are hacked. Remember there are always bots crawling the internet and as your site grows they will always be trying to spoof your login. See this guide on how to choose a strong password.

    Approximately 76 percent of attacks on corporate networks involved weak passwords.

Unlike WordPress where you can only change your administrator’s username in the database, Joomla lets you update your administrator’s username from the dashboard. Follow these quick steps to do that.

  1.     Click into “Users” → “Manage”, select your administrator’s (Super User) account and click on “Edit.”

    joomla change admin username

  1.     Then simply change the value in the “Login Name” field and click “Save.”

We also recommend using a free program like KeePass or KeePassX which allow you to generate secure passwords and store them in a database locally on your computer.

3. Use Joomla Security Extensions

There are a lots of very effective security extensions that will help rotect your website. Use these good Joomla security extensions to lock down your site and help protect installation from attacks. These plugins allow you to rate limit or block security threats, block malicious networks, scan for vulnerabilities, enforce strong passwords, see which files have changed, implement a firewall to block common security threats, and much more. Here are some popular Joomla security extensions:

    ACL Manager: Easily discover & fix issues with your Joomla assets (permissions) table / ACL.
    AdminExile: Brute force detection, blacklist and whitelist IPs.
    QuickLogout: Get rid of logout confirmation prompt to ensure people log out.
    Securitycheck Pro: A global protection suite designed to protect your website without affecting your server’s speed.
    jomDefender: CSRF prevention, remove Joomla PHP header, Admin password prompt.

There are three additional security extensions which deserve attention. The first is Akeeba Admin Tools. This developer makes great Joomla extensions. The basic version of the extension will:

  1.     Notify you about and install new Joomla! releases
  2.     Fix your files and directory permissions
  3.     Secure your administrator directory with a password
  4.     Change your database prefix
  5.     Set a secure Super Administrator ID
  6.     Migrate links pointing to your old domain on-the-fly

The professional version includes additional features such as:

  1.     Restrict administrator with a secret URL parameter
  2.     Web Application Firewall to block common exploits (SQL injection, XSS, DFI, RFI, malicious user agent, CSRF/spam-bot protection, uploads scanner)
  3.     IP Whitelisting for the administrator section
  4.     IP Blacklisting
  5.     Geographic block (deny access to specific countries/continents)
  6.     Automatic IP blocking of repeat offenders

If you are going to invest in a Joomla security plugin, that is one you want to consider.

You can also scan your Joomla site with Sucuri’s Website Malware and Security Scanner and Unmask Parasites.  If the test doesn’t show any threats, it does not guarantee your website is completely secure, it just shows that the site poses no immediate threat to visitors.

The second Joomla security extension we recommend taking a look at is jSecure.  It offers two-factor authentication to further prevent someone from getting access to your site. KeyCDN also now has two-factor authentication so you can secure Joomla on your web host as well as on your CDN account.

The third Joomla security extension we highly recommend is ECC+ – EasyCalcCheck Plus. This extension protects Joomla! core forms and 3rd party extensions through the integration of anti-spam services and adds an arithmetic problem, a question, a hidden field and a time lock. It is developed by Viktor Vogel, a Joomla! specialist. It also features the following:

  1.     Integrated external antispam services: Google ReCaptcha, Akismet, Honeypot Project, StopForumSpam, Mollom, Bot-Trap, Botscout
  2.     Protects the backend via a token.
  3.     SQL Injection and Local file Inclusion protection.

4. Block Bad Bots

Bad bots, scrapers, and crawlers are always hitting your Joomla sites and stealing your bandwidth. You can see a comprehensive list of bots at botreports. Many of the security extensions mentioned above can work great to block bad bots, but sometimes you need to do this at the server level. If you want to block multiple User-Agent strings at once, you could add the following to your .htaccess file.

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*(agent1|Wget|Catall Spider).*$ [NC]
RewriteRule .* - [F,L]

Or you can also use the BrowserMatchNoCase directive like this:

BrowserMatchNoCase "agent1" bots
BrowserMatchNoCase "Wget" bots
BrowserMatchNoCase "Catall Spider" bots

Order Allow,Deny
Allow from ALL
Deny from env=bots

And here is an example on Nginx.

if ($http_user_agent ~ (agent1|Wget|Catall Spider) ) {
    return 403;

5. Secure Connections

No matter where you are you should always ensure the connections you are using are secure when connecting to your Joomla website. You should use SFTP encryption if your web host provides it, or SSH. If you are using an FTP client the default port for SFTP is usually 22.

Some FTP clients store passwords in plain text or encoded on your computer. Even some encoded passwords can be converted back to the original. We recommend not saving FTP passwords in the client, or setting up what some webmasters now call a master password.

It is also important to make sure your firewall rules are setup properly on your home router. And remember whenever you work from a public place like an internet cafe or Starbucks these are not trusted networks.

Your web host where your website resides should also be running secured hosting. This means Joomla should always be running on up to date and supported versions of PHP, MySQL, account isolation, web application firewalls, etc. Be careful with cheap shared hosts as you can run into issues if they are overcrowding servers.

6. File Permissions

To protect your Joomla website you want to make sure and use the correct file permissions. Each directory and file has different permissions which allow people to read, write and modify them. If your permissions are too loose this could open up a door for an intruder and if they are too restrictive this could break your Joomla install as extensions and the Joomla installation need to be able to write to certain directories.

Joomla has good documentation on security permissions.

  •     How do UNIX file permissions work?
  •     How do Windows file permissions work?
  •     How do phpSuExec file permissions work?

Setting files or folders to a CHMOD of 777 or 707 is only necessary when a script needs to write to that file or directory. Joomla recommends the following configuration on default installs:

  •     PHP files: 644
  •     Config files: 644
  •     Other folders: 755

However, you can get even more restrictive than the above recommendations to really lock down your installation.

7. Protect Administrator Login

It is ossible to further harden your Joomla security by password protecting your admin login area. You can easily do this with the free Admin Tools extension we mentioned above.

  •     Click into “Components” → “Admin Tools”, and click on “Password-protect Administrator.”

    This feature will password-protect your administrator area using .htaccess files. Your server must support this type of password protection.

You can also do this manually in your .htaccess file.

8. Enable Search Engine Friendly URLs

Strangely, many do not know that the search engine friendly functionality in Joomla can also help with its security. It is always recommended to enable search engine friendly URLS and hide the file names such as index.php from appearing in your URL structure. This helps mask information and prevent hackers from finding vulnerabilities.

  • Click into “System” → “Global Configuration”, and enable both “Search Engine Friendly URLs” and “Use URL Rewriting.”

Note: Apache users only! – Rename htaccess.txt to .htaccess before activating URL rewriting..
IIS 7 users only! – Rename web.config.txt to web.config and install IIS URL Rewrite Module before activating.

9. SSL Certificate

HTTPS has almost become a compulsory requirement for every website. For eCommerce sites, the reason you need an SSL certificate is because they are processing sensitive data. For other sites the biggest reason for this is your Joomla login page. If you aren’t running over a HTTPS connection your username and password are sent in clear text over the internet. Many people will argue that blogs and informational sites don’t need to be running on HTTPS, but how important are your login credentials? Also, many sites have multiple authors logging in from all sorts of different networks, so running over a secured connection can only help harden your Joomla security.

With the SEO advantages of HTTPs and performance benefits of HTTP/2 there is no reason not to be running on HTTPS and using an SSL certificate.

We also recommend checking out Joomla’s security guide as it has a lot of useful information. It is also important to note that  Joomla started using random database prefixes for more security..

10. Harden HTTP Security Headers

HTTP security headers provide yet another layer of security for your Joomla site by helping to mitigate attacks and security vulnerabilities. They usually only require a small configuration change on your web server. These headers tell your browser how to behave when handling your site’s content. Below are six common HTTP security headers we recommend implementing and or updating.

  •     Content-Security Policy
  •     X-XSS-Protection
  •     Strict-Transport-Security
  •     X-Frame-Options
  •     Public-Key-Pins
  •     X-Content-Type


Securing your Joomla installation is extremely important and you will need to ensure that all or most of these recommendations are implemented on your installation. You can see that there are many ways you can harden your Joomla security and you can also see that there are some great extensions to rely on to do so. From keeping Joomla and extensions up to date, being smart with usernames and passwords, using security extensions, secure connections, file permissions, two-factor authentication, using an SSL certificate and more, you can be sure of running safe with your Joomla website.

Do you think we missed any good Joomla security tips? Do let us know below in the comments!

Do well to share this post if you found it useful.

Comments (0)

Leave a comment

Powered by Simple Blog