I would like to share with you some tips and tricks, how to protect your Joomla site from hacker attacks and vulnerabilities. There were several security patches for our favorite content management system last month. If you have not upgraded to the latest version in time, your site would be target of hackers, and they might take the control on it.

If you follow my advices in this article, it would not happen again, and your site will be protected.

Keep your content management system and third-party extensions up to date

It is really important to upgrade your third-party extensions and the core of Joomla in time. The system provides a tool that checks for updates every time when you join the administration of your website. Please, use it when the red color lights up in your browser.

However, there are extensions that do not use Joomla Update. You can learn about that from its information on J!ED ( Joomla! extensions directory ) or from its documentation.

If you have installed such extensions on your website, I suggest you to create a list with them and periodically to look for new version.

Extension does not use updater

Uninstall templates and extensions that you do not use

Sometimes, you install components, plugins, modules or templates just to test them. It happens to forget for plugins and modules when you have installed.

If you are sure, you will not use them anymore, you have to uninstall some of them. Keep clear your system from extensions that you will not use because their code will be part of your website. If there are vulnerabilities in one of them, the hackers would use it to attack your site.

Use strong credentials

Do not use common usernames like "admin" and "administrator".

Your password should be longer than 12 symbols. It has to include special characters ( *!@#)$ ), numbers and capital letters.

If you would like, you can replace letters with special characters and numbers. That will help you remember your password easily.

For example: StrongPassword becomes $tr0ngP@s$w0rd.

Protect the username of the administrator account

If you post articles in your blog or you have a forum on your website, you can compromise your username. The system will display the username as an author of your posts. You can do the following things to prevent that.

  • change the option used for managing author’s name. You should select to be shown the real name of the author. For example, Kunane provides an option that you have to use to set, the system to display real names instead usernames.
  • create and use another account to post articles and forum topics. Do not use an account with administrator permissions for this job.
  • change the username of the administrator and its password regularly. You should do it in every six months.

Disable showing username on Kunena

Often backup your website

Most hosting provider creates daily backups of your websites. That is good because you will be able to restore it if you need.

However, some of them do not provide this feature, and you will have to create backups of your database and files regularly. You should use PhpMyAdmin to export your database and File Manager to create an archive with your files.

You will find those tools on the control panel of your hosting.

PhpMyAdmin and File Manager

Create Google alerts to receive notifications

Google Alerts is a wonderful tool that you can use to receive latest news about vulnerabilities and security patches, directly to your email address. Just create alerts for “joomla vulnerabilities” or “joomla security patch” and you will receive an email from Google once he reaches an article about those topics.

Google Alerts


Choose proven hosting provider for your websites

The hosting provider is one of the most important part for security of your website. If it is crafted with care, you will be sure about the reliability of your system.  What the hosting service should offer?

  • Firewall - the servers have to be protected by firewall and system administrators should be available in time to configure it. If there is a potential thread any CMS to be compromised, the system administrators should set up the firewalls to protect the websites of their users.
  • Latest version of PHP - the hosting provider should be able to provide latest versions of PHP.
  • Scanning for viruses and hackalert - there are tools that scan the files on the server and notify their owners if they are infected with viruses.
  • Daily backups - it is really important to have a daily backup from where you will be able to restore your system.
  • Alerts - many hosting providers send notification messages if there is a new version of the CMS that you use. That will help you upgrade your website in time.

I strongly recommend SiteGround as hosting provider because they treat seriously the security of their services. The people in SiteGround work closely with the developers of the most popular CMS systems. They are ready to react in time to protect your websites when those CMS systems have vulnerabilities.

Restrict the access to your administrator panel

There are three simple things you can do to prevent unauthorized access to your administration.

You should protect your folder "/administrator" with a password.

When you do that, the hosting provider will create a file ".htaccess" in that folder. You should edit that file adding the following directives.

Deny from ALL
Allow from x.x.x.x

You need to replace x.x.x.x with your actual IP address.

That will protect the folder by IP and it will be only possible to access your administration from your PC.

If you would like to access your administration from multiple IP addresses, you should replicate the directive Allow from x.x.x.x and change the addresses.

You can do that using FTP client, the file manager in your hosting control panel or third-party extensions like ProFiles.

Protect directyr with password

Enable search engine friendly (SEF) features

You should go to your Global Configuration and enable the search engine friendly functionality.

After that, you have to rename htaccess.txt to .htaccess. You will find this fail in the main folder of your website.

This will re-write and mask the URL of your website. That will prevent hackers to use exploits.

Enable Joomla SEF

Use proper file permissions and user groups

Next important part of having a secure website is to set right file and folder permissions. You should set folder permissions to 755, file permissions to 644 and the permissions of the configuration file (/configuration.php) to 444. You must never set permissions to 777 for any of them.

You can do that using FTP client, the file manager in your hosting control panel or third-party extensions like ProFiles.

Joomla file permissions

Disable user registration

If it is not necessary people to register on your website, you have to disable user registration. For example, if you use your website as a blog or corporate website where only you have to be possible to create content, you do not need user registration.

Go to the options of the user manager and set "No" for the option "Allow User Registration."

Disable Joomla user registration

Disable FTP layer

It is strongly recommended to be disabled the FTP functionality if you do not have plans to use it.

Go to Global Configuration, tab "Server" and select "No" for option "Enable FTP."

Disable FTP

Use third-party extensions to make your website more secure

Many developers have published security components and plugins on the Internet and Joomla extensions directory. You can download and use them for free. My favorite ones are:

  • kSecure - it is a plugin that does not allow to access administration if you do not include secret token in your URL address.
  • Brute Force Stop - this is an extension that protects your website from brute force attacks.
  • KeyCAPTCHA - this plugin can protect many of your extensions from robots, fake registrations, posts and advertisement posted by bots.
  • Login Notify - this plugin will send you an email when someone login on your website.
  • Two Factor Authentication - protect the authentication process by one of both native Joomla plugins - Google Authenticator or YubiKey. You have to install an application on your mobile phone that will generate a secret key. You have to use this key during the process of sign in on your website.

Joomla Two-Factor Atuthentication

Use SSL certificate

The SSL certificate is a must nowadays, and you should install one on your website, especially when your site is based on interactions with members.

If your website allows registration and login process for customers. If it is social community, forum or online store, and you have to collect privacy data, the SSL certificate is the best way to protect the whole process of sending and receiving data between browser and server.

Furthermore, you will be able to take advantage from HTTP/2 and modern browsers. It will make data transfer between the server and your customers faster and secure.

When you are done with the installation of the SSL certificate on your hosting, you have to go to the Global Configuration, tab "Server" and select "Entire site" for option "Force SSL."

Force SSL on Joomla site

These were some of the techniques that I use to protect my websites. I hope, they to be helpful for you. If I found other ones, I will be happy to share them with you on my blog.

Subscribe for my newsletter to receive similar articles.

Please, share this article with your friends and let more people to take advantage of it. That will help them to protect their site better.

Thank you!

Share this post

Submit to DeliciousSubmit to DiggSubmit to FacebookSubmit to Google PlusSubmit to StumbleuponSubmit to TechnoratiSubmit to TwitterSubmit to LinkedIn

Free Subscription

You can get the latest publication via RSS, Twitter or Facebook. And I can also deliver last news to you for free via Email:

RSS subscription Find us on Facebook Google+ page Follow me