How to Prevent Spam on Your Joomla Website

Eliminating web spam and limiting attackers' ability to disrupt web operations concerns webmasters and server managers everywhere, just as dealing with cybercrime remains a major challenge for website owners and web hosting firms. Spam damages the reputation of a network and comes with a penalty. For the website owner, spamming could lead to suspension or complete deletion of the website by the web host. Keeping your website secure is therefore extremely important to avoid these troubles, stay in good standing with your web hosting company and remain in Google's good books.

Further reading:

How to Solve Email Bounce Back Issues

7 Security Tips for a WordPress Website

In this article, we will examine the case of Joomla, a very widely used Content Management System (CMS), and take you through a step-by-step process of addressing spamming on a Joomla website.


Brief Overview of Joomla

Joomla is an open source web development tool available freely on most Linux servers. On Todhost, Joomla can be installed for free from the software section of the website control panel. It is a CMS, so it can be used to accomplish very simple tasks as well as very complex ones. With Joomla, you can develop a website within minutes.


Joomla and Spamming

One drawback of most Content Management Systems, including Joomla, is the possibility of exploitation. This is common with outdated Joomla versions and outdated plugins, modules and components, collectively known as extensions. Joomla uses plugins, components and modules to add functionality and appeal to a website. The extensions are developed by an active community of developers and made available freely or for a fee.

Because Joomla periodically upgrades its core files, some extensions are not compatible with the newer versions and will also require an upgrade. This incompatibility creates a loophole which skilled spammers can exploit to send messages from a porous Joomla website. Most of the time, this is done using the Joomla contact form or the user registration form.

But there are ways to address this issue and we will take you through very simple steps that you can use to control Joomla exploitation and spamming on your website.

1. Install a Hacker Protection Plugin

The Siteground JHackguard plugin has been most effective in this regard. It is available for free and can be downloaded from the Joomla community website or directly from the Siteground website.

2. Enable Captcha-Recaptcha on your Joomla Website.

From the Global Configuration page, you can enable captcha-recaptcha. This feature is available with all recent Joomla versions. Next, you will need to access the plugin section of your Joomla website and click on "Captcha-Re-Captcha" to enable it. Enter the private and secret keys as required. You should have obtained the keys from Google. If you do not have the keys, there is a link in your Joomla website in the plugin section which leads you to the page where you can create the captcha keys with Google.

You can now save your work. Now you can be sure that your website will no longer be available to spammers. Keep in mind that the safest way to stay online is to run the recent Joomla software versions and to be sure all your extensions are up to date.

2.1 CAPTCHA is No Longer Sufficient

Forums, registration forms and other forms can usually be protected from spammers using CAPTCHA codes or other security extensions. Sophisticated spammers are now circumventing CAPTCHA codes on websites using techniques such as:

    1. low paid human workers manually entering the codes
    2. clever spam bots that use OCR to decipher the codes
    3. high traffic websites owned by the spammers that re-display the target website's CAPTCHA code on their own website, have it solved by a visitor and then use the solution on the website they wish to spam

One way to strengthen Joomla security is to use Akeeba Admin Tools. The Professional version is the recommended and preferred solution. An Admin Tools Professional subscription at €20 is excellent value for money and has many other useful features apart from IP address blocking.

2.2 Enable Protection in Akeeba Admin Tools

Register an account and apply for a key at (it's free). At Components -> Admin Tools -> Web Application Firewall -> Configure WAF -> Project Honeypot integration, set:
        Enable HTTP:BL filtering: Yes
        Project Honeypot HTTP:BL Key: [enter your own key here]
Known hackers and spammers will now be blocked from accessing your Joomla website.
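
What an HTTP:BL check does for each visitor, as an added PHP example (not Akeeba Admin Tools code): it builds a DNS name from the access key and the visitor's IPv4 address, then decodes the answer from Project Honeypot's zone. The access key, sample answers and blocking thresholds below are constructed assumptions.

```php
<?php
// Added illustration of an http:BL lookup; not Akeeba Admin Tools code.

/** DNS name to query: <access key>.<IPv4 octets reversed>.dnsbl.httpbl.org */
function httpbl_query_name(string $accessKey, string $ipv4): ?string
{
    if (filter_var($ipv4, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null; // http:BL covers IPv4 addresses only
    }
    $reversed = implode('.', array_reverse(explode('.', $ipv4)));
    return "{$accessKey}.{$reversed}.dnsbl.httpbl.org";
}

/** Decode an answer 127.<days>.<threat>.<type>; null = not listed or malformed. */
function httpbl_decode(string $answer): ?array
{
    if (filter_var($answer, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null; // e.g. gethostbyname() returned the name unchanged (no record)
    }
    [$marker, $days, $threat, $type] = array_map('intval', explode('.', $answer));
    if ($marker !== 127) {
        return null;
    }
    return [
        'days_since_seen' => $days,
        'threat_score'    => $threat,
        'search_engine'   => $type === 0,
        'suspicious'      => (bool) ($type & 1),
        'harvester'       => (bool) ($type & 2),
        'comment_spammer' => (bool) ($type & 4),
    ];
}

/** Assumed policy: block listed visitors seen recently with a non-trivial score. */
function httpbl_should_block(?array $r, int $maxAgeDays = 30, int $minThreat = 25): bool
{
    if ($r === null || $r['search_engine']) {
        return false; // unlisted visitors and known crawlers pass
    }
    return $r['days_since_seen'] <= $maxAgeDays && $r['threat_score'] >= $minThreat;
}

// Constructed inputs: placeholder key, documentation-range IP, sample DNS answers.
echo httpbl_query_name('abcdefghijkl', '203.0.113.7'), "\n";
foreach (['127.3.60.5', '127.200.10.1', '127.0.0.0', 'no-record'] as $answer) {
    printf("%-14s block=%s\n", $answer, var_export(httpbl_should_block(httpbl_decode($answer)), true));
}
```

For a live check, pass the result of `gethostbyname()` on the query name to `httpbl_decode()`; a visitor with no record decodes to null and is allowed through.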

3. Use Free Spam Protection

You can find free and commercial IP address blocking extensions in the Site Protection and Spam Protection categories in the Joomla Extensions Directory. Some promising free extensions are:

    HTTPBL - Project Honeypot Blocklists Plugin which checks against
    SpambotCheck which checks against several databases, such as,,, and

Spam is an ongoing issue that costs businesses and individuals billions of dollars in lost time and resources. Spam includes Unsolicited Commercial Email (UCE) and other unwanted bulk email.

How to Prevent Spam

There is no way to totally prevent spam, but here are some precautions that can be taken to reduce the likelihood of spammers getting your email address:

    Be careful who you give your email address to. This includes websites and anyone you might email.
    Make sure your computer and computers on your network are virus and malware free.
    Make sure your website is free of malware and security vulnerabilities. If you are using a third party script or code on your site, this usually means running the latest secure version.
    Use secure passwords for your email and hosting account to prevent hackers from guessing and logging in.
    If your friends are sending you emails sent to a large recipient list, request that they use BCC instead of TO or CC, so that other recipients cannot see your email address; or request they stop including you if you do not want to receive the emails.
    Do not list your email address on your website or anywhere the public can access it.

How to Filter Out the Spam

Unfortunately, once spammers figure out your email address, it is hard to prevent them from sending you spam; however, there are many options for filtering your email to reduce the spam that reaches your inbox.

We have several in-house filtering tools to offer that can assist in filtering the spam from your web hosting inbox.

    Custom User Level Filters
    Spam Assassin

Many third party email clients, such as Outlook, also have additional spam filtering built into their programs. Using one or a combination of these options can assist with cleaning out the spam that you receive.

How Spammers Get Email Addresses

Unfortunately there are many ways spammers can harvest or find out about your email address(es) and then send spam to you.

The following is a list of some of the ways spammers can get email addresses without you giving it to them directly:

Your computer could have a virus or malware on it that records keystrokes (i.e. everything you type) or sniffs packets (i.e. reads everything going over your internet connection). Through these methods, spammers would be able to obtain your email addresses, passwords and other confidential information.

Another computer or workstation on your network or work-group could have a virus or malware that collects email addresses and other information passing through the network.

A script on your website could have a security vulnerability that allows a hacker to access information on your hosting account, including your email addresses.

Since emails are relayed from server to server until they reach their destination, one of the servers your email passed through could have packet sniffing software installed, which would allow someone to collect email addresses and any information passing through the server. Emails are typically relayed through several companies' servers before arriving at their destination, similar to how physical postal mail would be relayed between more than one mail carrier until it reached you.

Your internet service provider (ISP) could be gathering emails and selling them; this is unlikely at reputable ISPs, but it has been known to occur.

You have an easy to guess email address. Some spammers simply try to guess valid email addresses (by prefixing common names and common addresses to your domain name). Some spammers have a huge database of prefixes and domain names they will try, including not-so-common names.

A hacker could have guessed or obtained hosting control panel login information and retrieved your email addresses that way.


Other Methods of Harvesting Email Addresses

It is all too common for people to unknowingly volunteer their email address or absentmindedly leave it exposed, making it easy for a spammer to pick up. Ways in which spammers obtain voluntarily given email addresses include:

    You provided your email address to a website, such as when you signed up or commented on a post, and they gave your email address to spammers (intentionally or unintentionally). Their website could also have been hacked through a security exploit.
    You signed up for a mailing list and forgot you signed up.
    You signed up for a mailing list, and they gave your email address (intentionally or unintentionally) to spammers.
    You sent an email to someone, and they forwarded it to someone else who harvested your email.
    Someone sent you an email also addressed to other recipients, and they used TO or CC instead of BCC, making your email address visible to anyone who received the email (or who was forwarded the email thereafter). Any of the recipients could have made your email available to spammers.
    You used your email on a discussion list that reveals your email address to other users. Any of the other users could have harvested your email address.
    Your email address is on your business card (or posted where people can find it), and someone decided to add you to their mailing list without your permission.
    And these are just some of the ways a spammer could get your email address.

Beyond the moral stand against spam, spam takes up resources that cost money, such as bandwidth, disk space and security administrators' time. The more spam passing through any network, the higher the costs. From a business standpoint, doing anything that increases spam makes no sense. Even if you only give your email address to Pay-Per-Click (PPC) advertising platforms with an assurance from them to protect your email, spammers could still use the methods listed above to get your email address, all of which are out of your control.

You need to take every step necessary to protect your email from spammers by addressing software exploitation, which is a common vulnerability with most Content Management Systems (CMSs).

Anti-Spam Joomla Plugins

There are several anti-spam solutions in the Joomla repository. You need not install all available plugins and extensions to be protected, so we will deal with the top three we are convinced should be enough to protect you from spam.


OSpam-a-not works without the need of any extra setup after install. However, you can enable the recording of spam attempts and set a minimum form time in case form submissions are blocked too quickly.

OSpam-a-not uses a Time Gate. This is a hidden timestamp that records how long it took to fill in a form. If the form was submitted more quickly than humanly possible, it can block the submission.

OSpam-a-not also uses a Honey Pot. A text field is added to the form and hidden by adding a style tag at the end of the document head tag. It isn't visible to a human user, but a spambot doesn't see that and fills in the field anyway. If anything at all is found in that field when the form is submitted, the spambot is caught in the honey pot and the form is blocked.
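
The two checks described above, written out server-side as an added PHP example (not OSpam-a-not's code). The field names, secret and time limits are hypothetical, and the HMAC signature on the timestamp goes beyond the description above: it is added here so that a client cannot pass the time gate by submitting an older value.

```php
<?php
// Added illustration of a time gate plus honeypot; not OSpam-a-not's code.
const FORM_SECRET = 'replace-with-a-random-server-side-secret'; // placeholder
const MIN_SECONDS = 3;    // assumed minimum time a human needs
const MAX_SECONDS = 3600; // assumed lifetime of a rendered form

/** Hidden fields to render: signed render time and an empty decoy field. */
function form_guard_fields(int $now): array
{
    return [
        'form_ts'     => $now . ':' . hash_hmac('sha256', (string) $now, FORM_SECRET),
        'website_url' => '', // hypothetical honeypot name, hidden from humans by CSS
    ];
}

/** Returns null if the submission passes, otherwise the reason it is blocked. */
function form_guard_check(array $post, int $now): ?string
{
    if (($post['website_url'] ?? '') !== '') {
        return 'honeypot field was filled in';
    }
    $parts = explode(':', (string) ($post['form_ts'] ?? ''), 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'timestamp missing or malformed';
    }
    [$ts, $sig] = $parts;
    if (!hash_equals(hash_hmac('sha256', $ts, FORM_SECRET), $sig)) {
        return 'timestamp signature invalid';
    }
    $elapsed = $now - (int) $ts;
    if ($elapsed < MIN_SECONDS) {
        return 'submitted faster than a human could';
    }
    return $elapsed > MAX_SECONDS ? 'form expired' : null;
}

// Constructed submissions against a form rendered at $t0.
$t0 = 1700000000;
$ok = form_guard_fields($t0);
$forged = ['form_ts' => ($t0 - 60) . ':' . explode(':', $ok['form_ts'])[1]] + $ok;
$cases = [
    'human, 20 s'     => [$ok, $t0 + 20],
    'bot, 1 s'        => [$ok, $t0 + 1],
    'bot fills decoy' => [['website_url' => 'http://spam.example'] + $ok, $t0 + 20],
    'backdated stamp' => [$forged, $t0 + 20],
];
foreach ($cases as $label => [$post, $now]) {
    printf("%-16s %s\n", $label, form_guard_check($post, $now) ?? 'accepted');
}
```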


SpambotCheck is a small, concise and, most importantly, non-invasive plugin that already offers you about 99.5% efficiency in spam attack protection. The plugin does not need to inspect any content and is therefore suitable in all situations where no mail text or submission text is available.

This plugin stops spam at the very source. It leverages major DNS and e-mail black list providers to prevent spam sources from registering on and logging in to your site. SpambotCheck delivers real-time spam protection which is constantly and diligently being worked on by various international nonprofit organizations.

SpambotCheck offers simple opt-in configuration for:

  • Black list providers to use
  • Points of impact to survey (registration, registration and login)
  • Spam ID information to use (IP, e-mail address and/or username)

SpambotCheck allows you to maintain your own personalized local listings:

  • whitelist (e-mail and/or IP)
  • blacklist (e-mail)

Get an instant overview of spam attacks targeting your site:

  • Log, view and edit spam attack information
  • Receive incident notification via e-mail
  • Registered users who show suspicious behavior are labeled accordingly

Currently supported black list providers:



  • German
  • English
  • Spanish
  • French
  • Italian
  • Estonian (translation available by
  • Portuguese