Joomla is the second most popular cms on the planet and naturally subjected to all kinds of hacking attacks. Hackers always try to find vulnerabilities and security holes in your website. One single safety issue can cost you a huge loss and cost much money. So it is very much important to take all sorts of security measures and make a secure Joomla site of yours.
We learned this lesson a hard way and we've created a detailed guide on how to fix your hacked Joomla site.
In this post, I will show you 16 different strategies and teach you - how to secure the Joomla website by yourself. It is necessary to mention that these security measures might not give you 100% protection against hackers. Because a fully 100% secure Joomla site does not exist, but these measures will protect you from the majority of attacks.
We reached out to Joomla experts and asked them about the 'importance of website security' and how this will guide help you to secure your Joomla site.
When you are building a website or web application, security should be foremost on your mind. Joomla gives you a great head start but can you get you where you need to be with the right awareness and actions ! This guide from ThemeXpert gets you a fantastic start on where you need to be!Parth Lawate
Keep your Joomla version, extensions and plugin updated
One of the essential part to have a secure Joomla site is to update it to the latest version. A backdated version of Joomla or any other extensions and plugins is a doorway for hackers to log into your system. Every version update comes with some bug fixes and enhancement in security.
For updating the software, you have to go to updates option from the administration area. If you use any Joomla extension, we recommend you to keep them updated.
Use strong password
A very common security hole is weak login details. It is very easy to crack IDs and passwords from weak login details and is known as "Brute Forcing." Don't leave the admin account as "admin" and easy passwords. If a hacker manages to log in to your site as admin, every security can be compromised, and you might fall into great trouble.
It is wise to use an email address as administrative account id. For password length is a serious issue and the minimum length of a password should be at least 8 characters long. A long length password gives much more security than a short password.
If you want, you can use a combination of numerical, upper case letter, lower case letters and special characters to make your password more strong. Strong id and password make your site less vulnerable to brute force attacks.
Take regular backup
Protect your Joomla administrator url
The protection of your Joomla site can be greatly improved by restricting access to your administrator area. The two most popular ways to achieve are to replace the URL of login page or to password protect the admin panel. It is very much easy to change the login page URL with extensions like Admin tools, RSFirewall.
You can password protect your administrator page by locking it. It can be done from cpanel main page. From there you add password protection to your admin page. After setting up a password, you have to provide the password each time you want to access your admin page.
Additionally, you can restrict users by using their IP to access the admin page. From .htaccess file change x.x.x.x with your IP address, and then save it. Then users with allowed IP addresses can access Administrator page.
`Deny from ALL`
`Allow from x.x.x.x`
Use Joomla security extensions
If you are worried about your site protection and want to harden the security than you can use security extension. Security extensions allow you to block hacker attacks and close security holes of your Joomla site. You can find many security extensions, but before installing you should choose carefully by checking features, reviews, price, and support.
We have listed 9 security extensions. You can also try for free extensions, but it is recommended to use pro extensions. When you use security extensions, it is recommended to configure them correctly, unless your site may behave unusually.
Secure Joomla login with 2 factor authentication
Your Joomla website security more strong by using two-factor authentication code. If anyone somehow manages to know your password, he will still require the authentication code to log in. Without two-factor authentication code login is not possible. The two-factor authentication code is also called OTP (One-time password).
Do not download Joomla templates and extensions from warez site
You might often find this downloads corrupted or infected with malware. If your downloaded file is infected then, a hacker can access your site's backend directly. Then instead of saving money, you will be spending money for recovering your site.
So it is not wise to use any premium extension or plugins for free.
Ftp layer is a major security hole in Joomla. In most cases FTP layer is not needed in Joomla and it comes disabled by default. If you enable ftp layer for any reason, we recommend it to disable right after use. You can enable or disable FTP layer from Global Configuration under server tab.
Proper file and directory protection
Select your web host carefully
So it is very much necessary to choose hosting site carefully. We've prepared a joomla hosting guide to make the process easier for you.
SSL certification provides an extra layer of protection to your website. Whenever a user sign into a site, his username, and password is sent directly to the server without any encryption or decryption. By using SSL certificate, user's id and password are encrypted before sending over the internet.
So, if anyone catches any packets of login details, it will be of no use without decryption.
Rewrite htaccess file to .htaccess
By default, Joomla has a file that helps your site from exploiting against a set of common exploits. By default, this directive in the
.htaccess file is not enabled. You have to locate and make sure you rename "htaccess.txt" to ".htaccess."
Force to use secure password
For increasing login security, it is recommended to make sure every user uses a strong password. However, some of us do not like long, strong passwords. So at the time of registration, you can force users to use passwords with minimum length of 8 characters.
You can also give hint to user, to use combination of different types of characters like uppercase, lowercase, numeric and special characters.
Enable SEO friendly URL
SEF component makes it harder to find security vulnerabilities for hackers.
SEF deactivated URL :
SEF activated URL:
Deleted unused/unnecessary Joomla extensions
As an administrator, you might try new extensions for trying new functionalities. However, it is not recommended to try new extensions without knowing. As extension provide facilities, it can also be the reason of vulnerabilities for your Joomla security.
By using these vulnerabilities, your site can be easily SQL injected by a hacker. Removing unnecessary extensions is important. The fewer extensions you have installed, the faster your site will load.
Always update your PHP version
Obsolete version of any program can make your Joomla website security vulnerable. It is important to check if you are running a secure version of PHP. You can check your version of your PHP from "System Information" in System menu. Official support for PHP version till 5.6.0 is ended officially.
So if you find your PHP version is less than 5.6.0, we recommend you that you submit a support ticket to your host provider and request for a secure PHP version. The latest version of PHP comes with previous Joomla website security fixes, so it is always advised to use most recent version of PHP.
Update Every Login Issue
To keep updated on your Joomla website, you need to know every issue of Joomla login. You can't protect your site from hackers until you don't know everything about Joomla login. You should have a clear idea about Security, GDPR, reCaptcha, Design & More.
By following this step, you drop your chances of being hacked. It can take a bit of your time to work through these steps, but if you review Joomla security forums, you can find many stories of people wasted days struggling with hacked websites.
Let us know your thoughts. You can always give feedback by commenting below.