It is important for me my sites to be protected. My data need security and protection from malicious acts. I am sure you need the same.

This article describes several important things that will help you to make your Joomla! site more secure. I described several steps you can take even the initial installation of the system. I enumerated a few tips and tricks that will make your fortress impenetrable.

During installation

Change the default prefix of the database tables. Nobody needs to know the prefix of the tables. That will prevent your site from MySQL injections.


Installing Joomla step four Advance settings


Installing Joomla step four


Аfter fresh installation

After initial installation of Joomla, you should take several steps to prevent abuse in a still unprotected site. What should you do?


Globa settings and mod_rewrite

Go to "Global configuration" and make "Site Offline" because no one should visit the site until you finish the configuration.


Global Settings


You should also turn on the search engine friendly functionality and rewrite URL scheme. It will block many attacks, exploits and hacks.


SEO Settings

Do not forget to rename htaccess.txt to .htaccess. :)


Disable user registration

Some sites do not enable their users to register. If yours is similar, prohibit the registration for new users. You can do it in "Global Configuration". Go on the tab "System" where the "User settings" are placed, and set "Allow User Registration" to "No".


Disable user registration


Change the username and user ID

You should change the ID and username of the super administrator. Every time when you install the system for the first time the ID of the administrator is 62. The username is "admin", and many people know it. To change it:


  1. Go to "User manager";

    User Manager Menu Item

  2. Add new user;
  3. Set the group type for the new user as "Super Administrator";
  4. Delete the old user;


Old user

User Manager

New User

User Manager


Set the secret token

The time has come to make administration difficult to access.

Install the extensions kSecure.

It is a Joomla! plug-in you will use it to add a token in the URL address.  Your address becomes something like$101

That will protect your admin area from raiding because only you will know the password for access.


Access from your IP address only

Make your administration available only from your IP address. For this purpose add ".htaccess" file in the directory "/administrator". Then put those directives in the file and change "IP Address" with your one.

Now only you can enter the area of administration, and you can do it only from the computer you are currently using.

You can pick up your IP address by visiting this page.

Apache HTTP Authentication

You are able to add new authentication functionality powered by Apache web server. Put following directives in the ".htaccess" file that you created earlier.


AuthType Basic

AuthName "Forbidden access!!!"

AuthUserFile /Secure Path/.htpasswd

require valid-user


Now create a file where you will store usernames and passwords for access. The name of the file should be ".htpasswd". Save it in a safe place outside the public directory ( outside public_html ).

Set the right path to .htpasswd for the directive "AuthUserFile".

Record your message for the directive "AuthName", which will scare the invaders.


Move configuration file

It is the time when you should move the configuration.php. Download FTP client and connect to your host. Find a secure place for the file, outside public_html directory. It is necessary because you must protect the configuration file from public access. And it is the best way to do it.

Now put the new pathway to configuration.php in those files:


  • /administrator/includes/defines.php
  • /includes/defines.php


Set the new path of this constant and save the file.

define( 'JPATH_CONFIGURATION',     "/New Path" );


File permissions

File permissions are very important for the security of your web site. Never leave the permissions of 0777. Thus allowing anyone to read, write or erase your files and directories.

Whenever you install an extension check the permits of new files. Connect via FTP client to the hosting, where your site and check their current status.

The directory permissions must be 0755.

The file permits must be 0644.

File permissions

If there is something wrong then right-click the file/folder and select "File Permissions ...". Set the right value and click "OK".


Be careful with extensions

Be careful when install new extensions. Install only recommended and tested components from many people.

Do not leave unpublished extensions. The files are still there, which makes them dangerous. Remove extensions by uninstalling if you do not want to use them anymore.


Be always informed

Use Google Alerts for immediate notification of security flaws. You can specify keywords and a period to receive an information. Google will send you a list of publications when mentioning the specified phrases.

Sample list:

  • joomla vulnerability;
  • joomla exploit;
  • VirtueMart vulnerability;
  • jComment exploit;

I recommend you to subscribe for oCERT newsletter. You should also subscribe for the newsletters of extensions that you have installed. Thus you'll be the first to learn about patched security holes. I will be able to react quickly and be one step ahead of raiders.

Regularly review the Joomla Security News. You can also do it from the control panel.

Joomla security news


Regularly check for vulnerability on these sites. They have really comprehensive information and solutions for the newly exploits.


Security Reason

Security Focus

National Vulnerability Database




Have you ever seen this system alert?

Backup Not Found:

A)bort, R)etry, C)ry?

Be sure you have a recent backup of your site and your database. Enjoy restful sleep as you make a backup of your data every day or every week. And you will never see the above alert.

There comes a time when you running your site. I hope this article will be useful and will help you to protect your data better.

I will be glad if you share your experience with me and readers of my blog. Share your advices by leaving a comment.

Share this post

Submit to DeliciousSubmit to DiggSubmit to FacebookSubmit to Google PlusSubmit to StumbleuponSubmit to TechnoratiSubmit to TwitterSubmit to LinkedIn

Free Subscription

You can get the latest publication via RSS, Twitter or Facebook. And I can also deliver last news to you for free via Email:

RSS subscription Find us on Facebook Google+ page Follow me