WebCitz Blog

17 Joomla Security Tips For Rock Solid Protection – A Complete Guide

Are you looking for some Joomla security tips? If so, this article is for you. We are going to cover 17 different ways that will help secure your Joomla site against hackers. These are tried and tested methods that have been proven to improve Joomla security over the years. As such, it is important to consider these security tips if you want to minimize your chances of a data breach.

Recommended Joomla Security Improvements

1.) Take regular backups

You should always have working backups of your website files and database. It is important to put in place a policy for automated backups. Additionally, you should routinely check that the policy is running and the backups are capable of being restored fully. For storing the backup files, we recommend keeping backups in the same hosting location as your server, as well as in a remote location. The local backup will help provide a fast recovery of a file or database, whereas the remote backup will help provide protection against a geographic or vendor-related issue.

2.) Use a custom database table prefix

It is highly recommended to change the default Joomla database table prefix from “jos_” to something custom to your installation. This will help prevent malicious activity that relies on knowing the default database table locations of your application.

To change your database table prefix, you’ll need to edit your database. cPanel hosting services have phpMyAdmin installed by default. If your hosting service offers phpMyAdmin, you can quickly make a database table prefix change following these steps:

  1. Log into phpMyAdmin
  2. Select the database you wish to modify
  3. Click on the “Structure” tab
  4. Go to the bottom of the page and click “Check all”
  5. Change the select box next to it and select “Replace Table Prefix”
  6. You will see a popup window, follow these steps:
    1. In From, enter your old prefix
    2. In To, enter your new prefix
    3. Click “Continue”
  7. Done!

After that has been changed, you’ll notice your website has become inaccessible. You now need to open your Joomla configuration.php file. In it, you’ll find this line:

public $dbprefix = 'jos_';

and change it to:

public $dbprefix = 'newprefix_';
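For hosts without phpMyAdmin, the same change can be scripted. This is an added example, not code from the original article: the function names `valid_prefix`, `rename_sql` and `set_dbprefix` and the sample prefix `x7k_` are assumptions, and it goes slightly beyond the steps above by generating the `RENAME TABLE` statements itself.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.

# valid_prefix P: accept only letters, digits and underscores, ending in "_".
valid_prefix() {
    case $1 in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *_) return 0 ;;
        *) return 1 ;;
    esac
}

# rename_sql OLD NEW: read table names on stdin (for example from
# mysql -N -e 'SHOW TABLES' YOUR_DB) and print one RENAME TABLE statement
# for each table that carries the old prefix. Other tables are left alone.
rename_sql() {
    old=$1 new=$2
    valid_prefix "$old" && valid_prefix "$new" || return 1
    while IFS= read -r tbl; do
        case $tbl in
            "$old"*)
                printf 'RENAME TABLE `%s` TO `%s%s`;\n' \
                    "$tbl" "$new" "${tbl#"$old"}" ;;
        esac
    done
}

# set_dbprefix FILE NEW: rewrite the $dbprefix line in configuration.php,
# keeping the previous file as FILE.bak so the change can be rolled back.
set_dbprefix() {
    file=$1 new=$2
    valid_prefix "$new" || return 1
    grep -q "public \$dbprefix = '" "$file" || return 1
    cp -p "$file" "$file.bak"
    sed "s/\(public \$dbprefix = \)'[^']*'/\1'$new'/" "$file.bak" > "$file"
}
```

Review the generated SQL before running it, and take a database backup first, as recommended in tip 1.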

3.) Keep your Joomla installation updated

You should always keep Joomla and any installed extensions up-to-date. This will help you take advantage of bug fixes, feature additions, and security patches released by Joomla developers, extension authors, and the development community. Trying to secure an outdated application is almost a futile exercise – please take the time to update your software.

In Joomla, you can check if you have updates available in the admin dashboard. In newer Joomla versions, you can also go to Extensions > Extension Manager to check for updates. If there are any available updates, install them immediately. However, make sure you always have a backup before making any changes.

As a side-note, it is also recommended that you only install trusted extensions and you uninstall extensions you are no longer using. These two tips will also greatly improve your Joomla security.

4.) Hide your Joomla version

You should also consider hiding your Joomla version. By default, Joomla outputs the version being run in the source code of the website. This gives automated scripts and malicious actors additional information about your website, which does nothing to improve your security.

To hide your Joomla version, go into your admin area and visit your Global Configuration. In the Site tab, uncheck the option for “Show Joomla! Version” and click save.

5.) Use .htaccess to deploy basic security improvements

You can deploy numerous security improvements within the .htaccess file of your hosting account. This is a simple text file that gets placed in the base directory of your Joomla installation, and allows you to configure Apache Web Server options for the entire website or specific directories.

Some security improvements include:

  • Preventing directory listing, which would otherwise display the file contents of a folder
  • Blocking direct access to sensitive file types such as PHP, XML, SQL, etc.
  • Password protecting the /administrator directory, to prevent brute force attacks on the login form.
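The first two items in the list above, applied from a shell session on the server. This is an added example, not code from the original article: the function names, the marker text and the extension lists are assumptions, and the directives use Apache 2.4 syntax.

```shell
#!/bin/sh
# Added example (not from the original article). Names and extension lists
# are assumptions; directives are Apache 2.4 syntax.
MARK='# BEGIN hardening-example'

# harden_htaccess SITE_ROOT: append a marked block to SITE_ROOT/.htaccess.
harden_htaccess() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    ht=$root/.htaccess
    # Idempotent: do nothing if the block was already added.
    if [ -f "$ht" ] && grep -qF "$MARK" "$ht"; then return 0; fi
    # Keep a copy so a bad edit can be rolled back quickly.
    if [ -f "$ht" ]; then cp -p "$ht" "$ht.bak"; fi
    {
        printf '\n%s\n' "$MARK"
        cat <<'EOF'
# Prevent directory listings (needs AllowOverride Options or All).
Options -Indexes

# Refuse direct requests for file types that are never meant to be served.
# .php is not listed here because Joomla's own index.php must stay reachable.
<FilesMatch "(?i)\.(sql|ini|log|bak|sh)$">
    Require all denied
</FilesMatch>
# END hardening-example
EOF
    } >> "$ht"
}

# deny_php_in DIR: block requests for PHP files in a directory that should
# only hold static content, such as Joomla's images/ folder. Refuses to
# overwrite an existing .htaccess.
deny_php_in() {
    [ -d "$1" ] && [ ! -e "$1/.htaccess" ] || return 1
    cat > "$1/.htaccess" <<'EOF'
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}
```

After applying it, request a folder URL and a blocked file type in a browser and confirm both return 403.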

6.) Use a Joomla two factor authentication plugin

Newer versions of Joomla include built-in support for Two Factor Authentication. This includes support for Yubikey and Google Authenticator, both of which are our favorite tools for improving security within sensitive applications. You can read more about how to enable 2FA in Joomla within the documentation.

At the same time, if your hosting control panel supports MFA/2FA then you should consider enabling that as well.

Two factor authentication, also referred to as multi-factor authentication, is very helpful in preventing unauthorized access by automated systems or individuals who happen to obtain your username and password credentials. With 2FA or MFA, anyone logging into your system will also need to get a time-sensitive code from a hardware device (Yubikey) or a software application (Google Authenticator, Authy, etc).

7.) Restrict access to the Joomla admin area

Another great security improvement is restricting the Joomla /administrator folder to specific IP addresses. This is done via the .htaccess file and you can add multiple entries.

Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
Allow from xx.xx.xx.xx

The first two lines configure the default access to be none, which is then overridden by the “Allow” lines. Multiple IP addresses go on separate lines as shown above, not comma-separated.
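The IP restriction above can be combined with the password protection of /administrator mentioned in tip 5. This added example, which is not code from the original article, generates such a file using the Apache 2.4 `Require` directives instead of the `Order`/`Allow` form shown above; the function names, the `.htpasswd` path and the documentation-range addresses in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are
# hypothetical; output uses Apache 2.4 authorization directives.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, so a
# typo cannot end up in .htaccess and lock everyone out with a 500 error.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_admin_htaccess HTPASSWD_FILE IP...: print an .htaccess for the
# /administrator folder that demands BOTH a valid login and an allowed IP.
# Usage (constructed values):
#   gen_admin_htaccess /home/example/.htpasswd 203.0.113.10 198.51.100.7
gen_admin_htaccess() {
    [ $# -ge 2 ] || { echo "usage: HTPASSWD_FILE IP..." >&2; return 1; }
    htpasswd=$1; shift
    # The password file must be an absolute path outside the web root.
    case $htpasswd in /*) ;; *) echo "path must be absolute" >&2; return 1 ;; esac
    # Validate every address before printing anything.
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    done
    cat <<EOF
AuthType Basic
AuthName "Administrator"
AuthUserFile "$htpasswd"
<RequireAll>
    Require valid-user
    Require ip $*
</RequireAll>
EOF
}
```

Redirect the output to `administrator/.htaccess` once you have confirmed your own address is in the list.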

8.) Use strong passwords

Please, don’t use a simple password. This shouldn’t need to be said, but we often get passwords from new customers that are as simple as their first name, their dog’s name, or their kid’s name. These are incredibly easy for an automated script to crack. Here are our password recommendations:

  • Invest in a password manager, such as LastPass, to store and share complex passwords.
  • Use a free tool like our secure password generator to create a complex password with uppercase, lowercase, numeric, and special characters.
  • Don’t use the same password for more than one site.
  • Update your passwords every 6 months.
  • Make sure your passwords are at least 16 characters long.
  • Don’t send important passwords to people over insecure chats or emails.

9.) Set recommended Joomla file permissions

When you install Joomla, it’s recommended to set the file permissions on your directories to 755 and your files to 644. You can do this through a web-based file manager offered on cPanel hosting accounts, or through an FTP client like Filezilla. Alternatively, you could ask your hosting provider to make this change for you. If you have a lot of time to spare, feel free to read this in-depth article on Linux / Unix file permissions.
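With SSH access, the 755/644 layout can be checked and restored from the command line. This is an added example, not code from the original article; the function names are assumptions, and ROOT is the path of your Joomla installation.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are
# hypothetical; ROOT is the Joomla installation directory.

# audit_perms ROOT: list directories that are not 755 and files that are
# not 644. find does not follow symlinks here, so nothing outside ROOT is
# reported or changed.
audit_perms() {
    find "$1" -type d ! -perm 755 -print
    find "$1" -type f ! -perm 644 -print
}

# world_writable ROOT: entries any local user could modify, which is the
# case that matters most on shared hosting.
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}

# fix_perms ROOT: reset only the entries that drifted, then print how many
# were changed so the result can be logged.
fix_perms() {
    n=$(audit_perms "$1" | wc -l)
    find "$1" -type d ! -perm 755 -exec chmod 755 {} +
    find "$1" -type f ! -perm 644 -exec chmod 644 {} +
    echo "$((n))"
}
```

Run `audit_perms` first and read its output before running `fix_perms`, since an unexpected 777 directory or newly writable file can itself be a sign of tampering.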

10.) Keep your PHP version updated

Although Joomla supports older versions of PHP, you should always utilize the newest stable PHP release for your production website. Most hosting control panels allow you to choose your desired PHP version. If you can’t, just open a support ticket with your hosting provider and ask that they upgrade your PHP version to the latest release. If your website doesn’t properly work on the latest version you will need to resolve the programming conflicts yourself, or hire an expert web developer who can assist you.

11.) Choose a good web hosting service

Is your website hosted by a reputable company? If you have a friend or family member providing you free hosting, the answer is probably no. Additionally, if you are paying a couple dollars a month for hosting, the answer is also likely no.

The hosting of your website is an important service. Don’t simply trust a hosting company because you’ve been with them for years and they are super cheap. Instead, check if your hosting provider is keeping your server’s software updated, if you are on the latest PHP version, if they perform nightly and weekly backups, if they store backups offsite, if they utilize a firewall to reduce malicious traffic, etc. Focus on the quality of your hosting service, not just how cheap it is.

12.) Disable dangerous PHP functions

If you have access to PHP configuration settings, you could experiment with disabling these commonly exploited PHP functions that might not be necessary for your website to run properly.

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

13.) Filter spam comments in Joomla

If your website accepts user-generated content, such as forum posts or comments, then you should put some kind of spam filtration system in place. We’ve seen Joomla message boards grow to have millions of spam topics, and we’ve seen blog posts have thousands of spam comments linking to malicious websites.

The most common step for reducing spam is activating a reCaptcha plugin, which is native to Joomla. Check out this Joomla article on setting up Google reCaptcha.

14.) Force HTTPS connections

It is recommended that all websites on the internet switch to https:// for a connection protocol. This is often referred to as having an SSL/TLS certificate installed on the hosting service. After that has been installed, you can configure Joomla to only load from a secure, https:// connection.

Not loading your website over HTTPS can result in theft of data in transit and reduced search rankings.

15.) Hire a website security auditing service

It isn’t a bad idea to consider hiring a third-party security audit service to review your Joomla website. This isn’t going to be a cheap way to improve your security, but if you are running a popular Joomla website with a lot of sensitive data or user registrations, it might be a necessary expense.

This would allow you to get an expert to jump into your website, review your configuration, scan your code for vulnerabilities, and provide an expert recommendation on next steps.

16.) Use a Joomla firewall

You can greatly improve the security of your Joomla website by taking advantage of the benefits of a firewall.

There are multiple types of firewalls. For example, your hosting provider might have hardware-based firewalls sitting in front of their web servers to prevent malicious traffic from interacting with their web servers. Additionally, your hosting provider might take advantage of software firewalls like CSF and ModSecurity to help filter out other traffic that gets through.

The type of firewall you can easily control is a Joomla-based firewall, such as RSFirewall!. We have no affiliation with RSFirewall!, but we’ve used their software on Joomla websites in the past and it was rather intuitive.

17.) Remove unnecessary extensions

If you aren’t using a previously installed extension, component, plugin, module, or theme then you should remove it. There is no reason to clutter your application with unnecessary code that could serve as an attack vector for a future security exploit.

Final Thoughts on Joomla Security Measures

Joomla is a popular content management system that has numerous beneficial security measures built into its framework. However, as with any content management system or web application framework, there will be security measures that can and should be taken to reduce your risk of a cybersecurity incident. In some cases, the security measures aren’t even related to a deficiency in the code, but rather to human error, such as failing to use secure passwords or neglecting to keep a platform updated.

If you follow the previously mentioned security suggestions, and consult other resources for additional tips, you’ll greatly improve your cybersecurity posture. If you need help with any of these security improvements, consult a professional web developer for assistance.

Disclaimer: WebCitz, LLC does not warrant or make any representations concerning the accuracy, likely results, or reliability of the information found on this page or on any web sites linked to from this page. This blog article was written by Timothy A in his or her personal capacity. The opinion(s) expressed in this article are the author's own and may not reflect the opinion(s) of WebCitz, LLC.