Joomla is the second most popular CMS on the planet and is naturally subjected to all kinds of hacking attacks. Hackers always try to find vulnerabilities and security holes in your website. A single security issue can cause you a huge loss and cost a lot of money. So it is very important to take all sorts of security measures and make your Joomla site secure.

We learned this lesson the hard way, and we've created a detailed guide on how to fix your hacked Joomla site.

In this post, I will show you 16 different strategies and teach you how to secure your Joomla website by yourself. These security measures might not give you 100% protection against hackers, because a 100% secure Joomla site does not exist, but they will protect you from the majority of attacks.

We reached out to Joomla experts and asked them about the 'importance of website security' and how this guide will help you to secure your Joomla site.

When you are building a website or web application, security should be foremost on your mind. Joomla gives you a great head start but can get you where you need to be with the right awareness and actions! This guide from ThemeXpert gets you a fantastic start on where you need to be!

Parth Lawate
CEO, TechJoomla

Keep your Joomla version, extensions and plugins updated

One of the essential parts of having a secure Joomla site is updating it to the latest version. An outdated version of Joomla, or of any extension or plugin, is a doorway for hackers into your system. Every version update comes with some bug fixes and security enhancements.

To update the software, go to the updates option in the administration area. If you use any Joomla extensions, we recommend that you keep them updated too.

Use a strong password

A very common security hole is weak login details. Weak IDs and passwords are very easy to crack by guessing them repeatedly, which is known as "brute forcing." Don't leave the admin account named "admin," and don't use easy passwords. If a hacker manages to log in to your site as admin, all of your security can be compromised, and you might fall into great trouble.

It is wise to use an email address as the administrative account ID. Password length is a serious issue: a password should be at least 8 characters long. A long password gives much more security than a short one.

If you want, you can use a combination of numbers, upper case letters, lower case letters and special characters to make your password stronger. A strong ID and password make your site less vulnerable to brute force attacks.

Take regular backups

When anything goes wrong, a backup always saves you. You should make backup archives of your files and databases regularly, so that in time of need you can recover from the backup files.

You should try hosting your site with a reputable company which provides backups.

Alternatively, you can use backup extensions, such as Akeeba Backup or Easy Joomla Backup. These extensions provide automatic scheduled backups along with many other features.

Protect your Joomla administrator URL

The protection of your Joomla site can be greatly improved by restricting access to your administrator area. The two most popular ways to achieve this are to replace the URL of the login page or to password protect the admin panel. It is very easy to change the login page URL with extensions like Admin Tools or RSFirewall.

You can password protect your administrator page by locking it. This can be done from the cPanel main page, where you add password protection to your admin page. After setting up a password, you have to provide it each time you want to access your admin page.

Additionally, you can restrict access to the admin page by IP address. In the .htaccess file of the administrator directory, add the lines below, replace x.x.x.x with your IP address, and then save it. Only users with allowed IP addresses can then access the administrator page.

```apache
# Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat
Order Deny,Allow
Deny from all
Allow from x.x.x.x
```

If your internet service provides you with a dynamic IP address, this might not be suitable for you: you have to modify the .htaccess file each time your IP changes.

Use Joomla security extensions

If you are worried about your site's protection and want to harden its security, then you can use a security extension. Security extensions allow you to block hacker attacks and close security holes in your Joomla site. You can find many security extensions, but before installing one you should choose carefully by checking features, reviews, price, and support.

We have listed 9 security extensions. You can also try free extensions, but it is recommended to use pro extensions. When you use security extensions, make sure to configure them correctly; otherwise your site may behave unusually.

Secure Joomla login with 2 factor authentication

You can make your Joomla website security stronger by using a two-factor authentication code. If anyone somehow manages to learn your password, they will still need the authentication code to log in. Without the two-factor authentication code, login is not possible. The two-factor authentication code is also called an OTP (one-time password).

Do not download Joomla templates and extensions from warez sites

Though I completely understand what it is like to be a business person with limited funds, it is just not a good idea to download premium extensions, plugins or any other items for free from warez sites.

You might often find these downloads corrupted or infected with malware. If your downloaded file is infected, a hacker can access your site's backend directly. Then, instead of saving money, you will be spending money on recovering your site.

So it is not wise to use any premium extensions or plugins for free.

Disable FTP

The FTP layer is a major security hole in Joomla. In most cases the FTP layer is not needed in Joomla, and it comes disabled by default. If you enable the FTP layer for any reason, we recommend disabling it right after use. You can enable or disable the FTP layer from Global Configuration under the Server tab.

Proper file and directory protection

Managing permissions is very important on a Joomla website. Never give full access (permission 777). The wrong CHMOD setting may grant access to hackers. Use 755 for folders, 644 for files and 444 for the configuration.php file.
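The following script is an added example, not part of the original guide: a read-only audit that walks a site directory and reports every path whose mode differs from the 755 / 644 / 444 policy above. The function names and the demo directory layout are constructed for illustration; point `audit_joomla_perms` at your own Joomla root.

```shell
#!/bin/sh
# Added example: read-only audit of a Joomla tree against the modes recommended
# above (directories 755, files 644, configuration.php 444).

# mode_of PATH: print octal permission bits (GNU stat first, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_joomla_perms ROOT: print "<actual> <expected> <path>" per deviation.
# Returns 0 if the tree matches the policy, 1 otherwise.
# Paths containing newlines are not supported.
audit_joomla_perms() {
    root=${1%/}
    report=$(
        find "$root" \( -type d -o -type f \) -print | sort |
        while IFS= read -r path; do
            if [ -d "$path" ]; then want=755
            elif [ "$path" = "$root/configuration.php" ]; then want=444
            else want=644
            fi
            have=$(mode_of "$path")
            [ "$have" = "$want" ] || printf '%s %s %s\n' "$have" "$want" "$path"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# make_demo_tree: build a constructed sample layout (not a real Joomla install)
# with two deliberate mistakes, and print its path.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/administrator" "$d/images" "$d/tmp"
    : > "$d/configuration.php"; : > "$d/index.php"; : > "$d/images/logo.png"
    chmod 755 "$d" "$d/administrator" "$d/images"
    chmod 777 "$d/tmp"                  # mistake 1: world-writable directory
    chmod 644 "$d/index.php" "$d/images/logo.png"
    chmod 644 "$d/configuration.php"    # mistake 2: should be 444
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
audit_joomla_perms "$demo" || echo "permissions need fixing"
rm -rf "$demo"
```

The script only reports; apply the fixes with `chmod` after reviewing the list, since some hosts need different ownership rather than looser modes.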

Select your web host carefully

Good hosting not only costs money but also gives you some extra security and features that are not provided by cheap hosting sites. Sometimes, due to the host's server configuration, the security of your site might be compromised.

So it is very necessary to choose your hosting site carefully. We've prepared a Joomla hosting guide to make the process easier for you.

Use an SSL certificate

An SSL certificate provides an extra layer of protection for your website. Without SSL, whenever a user signs in to a site, the username and password are sent directly to the server without any encryption. With an SSL certificate, the user's ID and password are encrypted before being sent over the internet.

So, if anyone captures packets containing login details, they will be of no use without decryption.

Rename htaccess.txt to .htaccess

By default, Joomla ships with a file that helps protect your site against a set of common exploits. By default, the directives in this file are not enabled. You have to locate "htaccess.txt" and make sure you rename it to ".htaccess."

Force users to use secure passwords

To increase login security, it is recommended to make sure every user uses a strong password. However, some of us do not like long, strong passwords. So at the time of registration, you can force users to use passwords with a minimum length of 8 characters.

You can also give users a hint to use a combination of different types of characters, such as uppercase, lowercase, numeric and special characters.

Enable SEO friendly URL


A Joomla URL tells much about the page being visited and what components are being used. Using this information, a hacker can attack your site. By enabling Search Engine Friendly (SEF) URLs, you can mask your Joomla URLs from the visitor.

The SEF component makes it harder for hackers to find security vulnerabilities.

SEF deactivated URL:

SEF activated URL:

Delete unused/unnecessary Joomla extensions

An obsolete version of any program can make your Joomla website vulnerable. It is important to check whether you are running a secure version of PHP. You can check your PHP version from "System Information" in the System menu. Official support for PHP versions up to 5.6.0 has ended.

So if you find that your PHP version is lower than 5.6.0, we recommend that you submit a support ticket to your host provider and request a secure PHP version. The latest version of PHP comes with previous security fixes, so it is always advised to use the most recent version of PHP.

Update Every Login Issue 

To keep your Joomla website up to date, you need to know about every Joomla login issue. You can't protect your site from hackers until you know everything about Joomla login. You should have a clear idea about Security, GDPR, reCaptcha, Design & More.


By following these steps, you reduce your chances of being hacked. It can take a bit of your time to work through these steps, but if you review Joomla security forums, you can find many stories of people who wasted days struggling with hacked websites.

Let us know your thoughts. You can always give feedback by commenting below. Always update your PHP vers