<p>Joomla is the second most popular cms on the planet and naturally subjected to all kinds of hacking attacks. Hackers always try to find vulnerabilities and security holes of your website. One single safety issue can cost you a huge loss and cost much money. So it is very much important to take all sorts of security measures.</p><p>We learned this lesson in <a href="https://www.themexpert.com/blog/themexpert-hacked-and-survived" title="" class="" target="_blank" rel="noopener noreferrer">hard way</a> and we've created a details <a href="https://www.themexpert.com/blog/how-to-fix-a-hacked-joomla-website" title="" class="" target="_blank" rel="noopener noreferrer">guide on how to fix your hacked joomla site</a>.</p>
In this post, I will show you 16 different strategies to secure your Joomla site. It is necessary to mention that these security measures might not give you 100% protection against hackers. Because a fully 100% secured site does not exist, but these measures will protect you from the majority of attacks.
We reached out to Joomla experts and asked them about 'importance of website security' and how this will guide help you secure your website.
<blockquote class="eb-quote style-default"> <p><span data-redactor-tag="span" data-verified="redactor" data-redactor-style="font-size: 20px"><span data-redactor-tag="span" data-verified="redactor" data-redactor-style="font-family: "><strong data-redactor-tag="strong" data-verified="redactor"><em data-redactor-tag="em" data-verified="redactor">When you are building a website or web application, security should be foremost on your mind. Joomla gives you a great head start but can you get you where you need to be with the right awareness and actions ! This guide from ThemeXpert gets you a fantastic start on where you need to be!</em></strong></span></span><br></p> <cite>Parth Lawate<br>CEO, TechJoomla</cite>
🔋 Keep Joomla Version, Extension & Plugin Up-To-Date
One of the essential part to secure your Joomla site is to update it to the latest version. A backdated version of Joomla or any other extensions and plugins is a doorway for hackers to log into your system. Every version update comes with some bug fixes and enhancement in security.
For updating the software, you have to go to updates option from the administration area. If you use any Joomla extension, we recommend you to keep them updated.
💪 Use Strong Password
A very common security hole is weak login details. It is very easy to crack id and passwords from weak login details and is known as "Brute Forcing." Don't leave the admin account as "admin" and easy passwords. If a hacker manages to login to your site as admin, every security can be compromised, and you might fall into great trouble.
It is wise to use an email address as administrative account id. For password length is a serious issue and the minimum length of a password should be at least 8 characters long. A long length password gives much more security than a short password.
If you want, you can use a combination of numerical, upper case letter, lower case letters and special characters to make your password more strong. Strong id and password make your site less vulnerable to brute force attacks.
⏱ Take Regular Backup
When anything goes wrong, backup always saves your back. You should make backup archives of your files and databases regularly, so in time of need, you can recover from backup files.
You should try hosting your site with a reputed company which provides backup. Alternatively, you can use backup extensions, such as Akeeba Backup, Easy Joomla Backup. These extensions will provide you automatic scheduled backup with many features.
🛡 Protect your Administrative Page
The protection of your Joomla site can be greatly improved by restricting access to your administrator area. The two most popular ways to achieve are to replace the URL of login page or to password protect the admin panel. It is very much easy to change the login page URL with extensions like Admin tools, RSFirewall.
You can password protect your administrator page by locking it. It can be done from cpanel main page. From there you add password protection to your admin page. After setting up a password, you have to provide the password each time you want to access your admin page.
Additionally, you can restrict users by using their IP to access the admin page. From .htaccess file change x.x.x.x with your IP address, and then save it. Then users with allowed IP addresses can access Administrator page.
`Deny from ALL`
`Allow from x.x.x.x`
🗝 Use Security Extensions
If you are worried about your site protection and want to harden the security than you can use security extension. Security extensions allow you to block hacker attacks and close security holes of your Joomla site. You can find many security extensions, but before installing you should choose carefully by checking features, reviews, price, and support.
We have listed 9 security extensions. You can also try for free extensions, but it is recommended to use pro extensions. When you use security extensions, it is recommended to configure correctly, unless your site may behave unusually.
📟 Secure Login with two-factor Authentication Code
Your site becomes more secure by using two-factor authentication code. If anyone somehow manages to know your password, he will still require the authentication code to log in. Without two-factor authentication code login is not possible. The two-factor authentication code is also called OTP (One-time password).
🚫 Do not Download Premium Items for Free
Though I completely understand what it is like to be a business person with limited funds, it is just not a good idea to download premium extensions, plugins or any items for free from local pages.
You might often find this downloads corrupted or infected with malware. If your downloaded file is infected then, a hacker can access your site's backend directly. Then instead of saving money, you will be spending money for recovering your site.
So it is not wise to use any premium extension or plugins for free.
☔ Disable FTP Layer
Ftp layer is a major security hole in Joomla. In most cases FTP layer is not needed in Joomla and it comes disabled by default. If you enable ftp layer for any reason, we recommend it to disable right after use. You can enable or disable FTP layer from Global Configuration under server tab.
🔬 Use Proper File and Directory Permissions
Managing permission is very important in a Joomla website. Never give full access or permission
777. The wrong CHMOD may grant access to hackers. For folders use
755, for files use
644 and for configuration.php file use
🛀 Choose Host Carefully
Good hosting not only costs money but also gives you some extra security and feature. That is not provided by cheap hosting sites. Sometimes due to server configuration of the host, the security of your site might be compromised.
So it is very much necessary to choose hosting site carefully.
🔖 Install and User SSL Certification
SSL certification provides an extra layer of protection to your website. Whenever a user sign into a site, his username, and password is sent directly to the server without any encryption or decryption. By using SSL certificate, user's id and password are encrypted before sending over the internet.
So, if anyone catches any packets of login details, it will be of no use without decryption.
💉 Rewrite the htaccess File
By default, Joomla has a file that helps your site from exploiting against a set of common exploits. By default, this directive in the
.htaccess file is not enabled. You have to locate and make sure you rename "htaccess.txt" to ".htaccess."
Force to Use Secure Password 🔫
For increasing login security, it is recommended to make sure every user uses a strong password. However, some of us do not like long, strong passwords. So at the time of registration, you can force users to use passwords with minimum length of 8 characters.
You can also give hint to user, to use combination of different types of characters like uppercase, lowercase, numeric and special characters.
🌏 Enable Search Engine Friendly
Joomla URL tells much about the page being visited and what components are being used. Using this information, a hacker can attack your site. By enabling Search Engine Friendly, you can mask your Joomla URLs from the visitor. SEF component makes it harder to find security vulnerabilities for hackers.
SEF deactivated URL :
SEF activated URL:
🚿 Delete Unnecessary Extensions
As an administrator, you might try new extensions for trying new functionalities. However, it is not recommended to try new extensions without knowing. As extension provide facilities, it can also be the reason of vulnerabilities.
By using these vulnerabilities, your site can be easily SQL injected by a hacker. Removing unnecessary extensions is important. The fewer extensions you have installed, the faster your site will load.
⏳Update PHP Versions
Obsolete version of any program can make your website vulnerable. It is important to check if you are running a secure version of PHP. You can check your version of your PHP from "System Information" in System menu. Official support for PHP version till 5.6.0 is ended officially.
So if you find your PHP version is less than 5.6.0, we recommend you that you submit a support ticket to your host provider and request for a secure PHP version. The latest version of PHP comes with previous security fixes, so it is always advised to use most recent version of PHP.
By following this step, you drop your chances of being hacked. It can take a bit of your time to work through these steps, but if you review Joomla security forums, you can find many stories of people wasted days struggling with hacked websites.
Let us know your thoughts. You can always give feedback by commenting below.