1. Home
  2. Joomla Tutorials
  3. How to Secure Joomla and Protect It Against Hackers

How to Secure Joomla and Protect It Against Hackers

No one wakes up in the morning hoping their websites were hacked. Even the smallest of blogs can be the target of bots, malware and phishing content. Keeping your Joomla installation protected is vital, especially within today’s digital playground.

Whether it’s to steal your data or to create a fake page to steal someone’s login information for PayPal, hackers constantly look for easy targets online. However, some of the easiest practices can make your website less appealing to those who just want a quick score.

In this Joomla security tutorial, I’m going to demonstrate some of the best ways to keep your site protected. While I cannot guarantee that your site will never be targeted, these methods will vastly decrease your chances of being hacked.

Keep Everything Updated

Many people don’t realize just how many problems are created by not keeping installations updated. Whether it’s the core file system of Joomla or a template, keeping these elements current can solve a lot of issues.

Joomla developers are quite regular when it comes to plugging up holes found in the system. When an exploit is detected, the community springs into action to add or fix coding that corrects the problem. When you see that Joomla has a new update available, it’s in your best interest to install it.

Templates and modules also need to be monitored for upgrades. Many developers of these systems are just as vigilant about protecting users as the Joomla devs. If there is an issue with a product, most of them will push an update.

When there are updates for Joomla or any of its components, the system will inform you. A message will appear in the Control Panel stating what updates are available. Under the Maintenance heading on the left, Joomla will let you know if updates are available.

Joomla Updates

You can also check for updates manually if you want to make doubly sure that your website is running the most current version.

Create Regular Backups of the Site

Having backups on hand keeps you from losing the entire site if it’s hacked. With a simple restore function, you can revert all of your pages with a few clicks of the mouse. As long as you have current copies, you stand to lose very little if anything.

Backups can be done in several different ways when it comes to Joomla:

  • Install the Akeeba module.
  • Create copies through Softaculous.
  • Download files directly with FTP.
  • Create backups manually using cPanel.

Akeeba
The Akeeba module comes with a component that allows users to create backups quickly. It can also be set to create automatic copies based on specific times of the day. It’s a simple system to use, but does require several parts to install.

Softaculous
Many cPanel systems come with the Softaculous Apps Installer. If you were to use it to install Joomla, it will also allow you to create backups from within its system. From this app, you can also instantly restore the site from an earlier saved version of Joomla.

File Transfer Protocol Programs
File Transfer Protocol software, or FTP like FileZilla, connects you to the root directory of the website. From this folder, you can download all of your files directly to your computer system. This process may take a while to complete depending on the size of your site. Note that this does not download the database.

Manual Backups in cPanel
From cPanel, you can create manual backups by compressing the website into a ZIP file you can download. Then, you want to export the database from phpMyAdmin. While this process is relatively simple, it can be time consuming when compared to things like Softaculous and Akeeba.

Enforce Login Security

Login security is one area that many beginner web developers forget. In many instances, hackers and bots gain access to the admin area of Joomla through brute force attacks. This is when the username and passwords are attempted in rapid succession until the credentials are essentially guessed correctly.

One problem that is apparent is the creation of the “admin” account. Joomla will create an administrative user named “admin” by default. Unfortunately, hackers know this. In other words, this account has already given the criminal element half of what they need to gain entry.

Don’t use the default admin account. Create something unique and delete this username as soon as possible.

Joomla Admin Login

You also want to enforce hard-to-guess passwords. Too many people are still being victimized because of poor credential strength. A quick way to make sure all users have more difficult passwords is to change the settings in Joomla.

Go to the User options from Global Configuration and set password options. Some good adjustments include increasing the minimum length, minimum number of symbols and minimum upper case letters.

Joomla User Options

Optimize User Options

Setting password options isn’t the only thing you can do to optimize users in Joomla. In fact, there are a variety of ways you can use the system to make your site safer in the future.

From Users within Global Configuration, click the “User Options” tab along the top.

Joomla Users Options

In this window, you have access to several settings that can make the site safer for everyone. Let’s go over a couple of the more important ones.

Allow User Registration
If you don’t plan on letting visitors register on the website, set this to “No” if it isn’t already. Depending on your installation of Joomla, this may already be set by default.

Send Password
It’s common practice to not send passwords to registered users through email. This is to prevent hackers and bots from intercepting the login credentials. Set this feature to “No” always.

New User Account Activation
If you do allow registered visitors, this option will allow you to tighten security and avoid an influx of bots. This drop down window lets you pick how others register from “None,” which allows everyone automatically to “Administrator,” which requires the admin to authorize the account manually.

Captcha
If you install a Captcha module, Joomla will list it in this drop down window. From here, you can select which format you wish to use. Joomla currently does not have this as an automatic ability by default.

Click the “Save & Close” button when you are done with your selections.

Joomla User Save

It may not be a bad idea to take a look in the “Permissions” area as well just to make sure users do not have access to something they shouldn’t. Even though Joomla is pretty strict about these settings by default, you never know if a plugin you installed changes these settings by design.

Install Security Extensions

One of the highlights to Joomla is the ability to install modules that give the site extra functionality. Of these extensions, security is one of the more important to consider. There are hundreds of these plugins to choose from whether you’re willing to pay for a premium module or looking for a freebie.

Perhaps one of the best places to find quality security additions is by visiting the Joomla Extensions Directory. This is a collection of different modules from many developers. In the “Access & Security” section, you’ll find everything from Captcha plugins to blacklist firewalls and file integrity scanners.

Joomla Extensions Directory

By taking the time to examine what’s available, you may even find a few that work well together to create superior protection from all hackers. The hardest part is picking those you want to install.

Although Joomla comes with basic protection, you should consider an upgrade by picking a system that is right for you in the extensions directory.

Shield the Admin Page

Denying access to the admin area completely is a great method for protecting the site. While this won’t stop all attacks, it will make success by hackers more difficult. Remember, you don’t want to give them an easy target.

Password Protecting Directories
One method many admins use is password protecting the administrator directory itself. Not only will you need a Joomla administrative login, but you’ll also need to know the credentials for the directory. It’s a double-whammy, if you will, to stop people from accessing vital website data.

This can be done from cPanel by right-clicking, or CMD-click on Macs, the administrator directory and selecting “Password Protect.”

Directory Password Protect

Denied by .htaccess
Another method to deny access to the administrative area is by editing the .htaccess file. Using a short snippet of code, you can deny access to the directory from anyone who does not have your IP address. If you don’t have .htaccess in the administrator directory, you can always create one using File Manager or uploading it with FTP.

Add the following code to .htaccess access:

order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx


The “XXX” number is your own public IP address. The only problem with this is you’ll have to change the file each time your address changes. This is because Internet Service Providers often assign these numbers randomly unless you pay for a static IP address.

Setting Proper File Permissions

Lastly, you may want to periodically check to make sure file permissions are set correctly within your website. Usually you won’t have to worry about permissions unless you create a file, folder or make modifications.

Files should be set to 6,4,4 and folders may be set to 7,5,5. This allows everyone to read content of the site without being able to make direct changes unless it is someone with privilege. You should never use 7,7,7 for any file or folder. This will give others direct access to read, write and execute the file or folder on your website.

The only time I could possible see anyone using the 7,7,7 permission style is while troubleshooting. And only then it should be reverted back to normal when you’re done.

These can be set by accessing permissions in cPanel or by using FTP programs.

File Permissions In cPanel

Creating a secure Joomla website relies on your willingness to make a few modifications. As you can see, many of them are quite simple to implement and very effective at preventing a large number of attacks. Don’t assume that your small website isn’t popular enough to be a target. Many hackers simply want to use your foundation to host their own spamming and phishing pages.

Author: Josh Dargie

My name is Josh Dargie and I’m the Operations Manager at GreenGeeks. I’ve been with the company since 2009. I have over 16 years of experience working with and for various web hosting providers specifically in development, day-to-day operations and customer service.

Updated on April 6, 2017

Was this article helpful?

Related Articles

Add A Comment