Joomla is a popular open source CMS, powering millions of websites around the world. However, like all complex web applications, Joomla sites can be vulnerable to cyber attacks if not properly secured.
Recent research shows that Joomla is the #2 most breached CMS, with sites frequently targeted by hackers looking to steal data, deface sites, spread malware and more. The consequences of a security incident can be devastating for a business.
Fortunately, there are steps Joomla site owners can take to "harden" their websites and reduce these risks substantially. In this comprehensive guide, we will overview 10 best practices that all Joomla site owners should follow as part of an ongoing security strategy.
1. Use Strong Admin Passwords
The Joomla administrator login is the "keys to the castle" – if hackers gain access, they have full control to damage or take over your site. As such, locking this down is job #1 for security:
Change the Default Admin Username
When Joomla is first installed, the admin username is set to simply "admin" by default. This is extremely easy for hackers to guess. Immediately change this to a non-obvious username.
Generate Complex Passwords
Avoid basing your password off anything simple that could be guessed (like your name, business name, etc.) Instead, use a password manager like LastPass to generate a long, fully random password string. This makes it nearly impossible to crack.
Enable Two-Factor Authentication (2FA)
For added security, use Joomla extensions like JS Two Factor Authentication to require a code from your phone/app along with your password when logging in. This prevents unauthorized access even if your password is somehow obtained by hackers.
2. Take Regular Backups
Website data is often invaluable and impossible to replace if lost. As such, backups are critical for allowing you to quickly restore your site if disaster strikes.
For Joomla sites specifically, we recommend:
-
Use reliable hosting that includes backup functionality – Quality hosts like SiteGround offer daily auto-backups you can restore from with a few clicks in your control panel.
-
Install the Akeeba Backup extension – This gives you a handy dashboard in your Joomla administrator area to configure and download full manual backups of your entire site whenever you want.
Taking regular backups from both your host and Akeeba gives you the redundancy needed to recover from any scenario – from hardware failure to hacking incidents.
3. Use Login Protection Extensions
Obscuring and protecting your administrator login area is another key way to block intruders. Helpful extensions like AdminExile allow you to:
- Set a "secret URL" with a custom key phrase to access the login page, preventing discovery by hackers
- Ban IP addresses after a set number of failed login attempts to prevent brute force attacks
- Require CAPTCHAs to stop automated bots from submitting login forms
- Mask error messages to not reveal if a username is valid or invalid
Combined, these security measures make hacking the admin login extremely difficult.
4. Upgrade Joomla Core & Extensions
Developers frequently release patched versions of Joomla to address newly discovered vulnerabilities. Likewise, many extensions also receive security updates. It is critical to stay on top of these updates to ensure any known flaws that could be exploited by hackers get addressed.
Track Joomla security announcements – Subscribe to alerts from the Joomla Security Center so you don‘t miss notifications about important new upgrades.
Review vulnerable extension lists – Joomla maintains a frequently updated list of extensions with known security issues. Check this and upgrade/remove any you have installed.
Monitor change logs – Each time a Joomla or extension update is released, comb through the change log for mentions of security fixes. If any are found, prioritize upgrading ASAP.
5. Monitor Your Site
The only way to know for sure if your Joomla site has fallen victim to an attack is by monitoring its availability and security around the clock. For constant surveillance, we recommend:
Uptime Monitoring – Use a free tool like Uptime Robot to continuously check your homepage from locations around the globe. Receive instant alerts if your site ever goes down.
Attack Detection – Services like Sucuri or SiteLock scan your site for malware, spam bots, blacklisting status and other threats. Get emailed if any are found.
Ongoing monitoring provides tremendous peace of mind that your site remains online and hack-free at all times.
6. Enable Search Engine Friendly (SEF) URLs
Besides improving SEO, another benefit of enabling "Search Engine Friendly" URLs in your Joomla Global Configuration is enhanced security.
Rather than showing query strings with information about your site in each URL (?Itemid=101&catid=1) , SEF URLs clean these up for safety (example.com/articles/joomla-security).
This prevents exposing potential areas that could reveal vulnerabilities to hackers.
7. Delete Unused Extensions
It is common for Joomla admins to test and experiment with different extensions over time. However, each additional plugin, module and component also increases your site‘s attack surface area.
Audit the extensions you actually use on a regular basis and permanently delete any that are no longer needed. Eliminating unnecessary extensions reduces complexity, minimizes potential vulnerabilities and improves site performance.
Also, only download extensions from trusted sources like the official Joomla! Extensions Directory. Avoid 3rd party sources that may intentionally distribute malware-laden plugins or compromised code.
8. Use Security Extensions
In addition to core platform hardening, Joomla administrators should consider installing extensions explicitly designed to boost site security:
- Login Protection – Brute force attack prevention, IP blacklisting, access control lists (ACL) and more
- 2 Factor Authentication – Adds an extra credential check after your password
- SEF URL Management – For safer URL structures
- Spam Prevention – Block comment spam and user registration bots
- Encryption – Secure sensitive data transmission
- File Permission Checks – Alert you to unsafe folder/file CHMOD values
Top security extensions like these add critical layers of protection on top of inherent CMS safeguards.
9. Set Proper File Permissions
Out-of-box default CHMOD values for folders and files in Joomla often need adjustment for hardened security:
- PHP files – Set to 644
- Configuration files – Set to 644
- Folders like /images, /media – Set to 755
Proper restrictive permissions prevent the web server user account and other system users from making unwanted changes to critical files. This limits damage in the event of a breach while allowing normal CMS operation.
Note – If using FTP for file transfers, be sure it is connecting in passive mode to avoid permission consistency issues.
10. Implement a Web Application Firewall (WAF)
A Web Application Firewall (WAF) provides deep inspection of all traffic flowing to your site, blocking SQL injections, cross-site scripting, DDoS and other attacks.
Sucuri and Cloudflare both offer robust WAF protection specifically for Joomla:
Sucuri WAF – Installs via a custom plugin to filter traffic at the edge before it reaches your site. Also includes DDoS mitigation, malware detection and much more.
Cloudflare – CDN and DNS service that absorbs attacks while caching static assets for performance. Free and paid plans available.
The multi-layered defenses of a WAF provide tremendous protection against even zero-day threats seeking to penetrate site vulnerabilities. This is a must-have for security-conscious Joomla site owners.
Implementing all of the above 10 tips will significantly "harden" your Joomla site and reduce the risk of it being compromised. While no single tactic is 100% foolproof, combining multiple security enhancements provides overlapping protection to block the vast majority of real-world attacks.
Be sure to revisit this guide whenever new versions of Joomla or key extensions are released so you stay on top of all recommended upgrades, patches and configuration tweaks to keep your defenses optimized.
Stay safe!
