WebCitz Blog

20 Joomla Security Tips For Rock Solid Security Against Hackers – A Complete Guide

20 Joomla Security Tips For Rock Solid Security Against Hackers – A Complete Guide
Timothy A
Timothy A
September 24, 2021
Posted in  Cybersecurity

Are you looking for some Joomla security tips? If so, this article is for you. We are going to cover 18 different ways that will help secure your Joomla site against hackers. These are tried and tested methods that have been proven to work over the years. As such, it is vital to take these steps if you want to avoid being hacked at all costs!

20 Joomla Security Tips

1) Take regular backups

Backups are a very important step that every Joomla user should be taking. Without backups, you will not know what happened to your site if it gets hacked or if there is any damage after an update.

It’s also the best way of recovering from a hack, as you can simply revert back to a previous version and try again without losing any valuable content.

Hard Drive backup on a desk

2) Joomla database tables prefix

It is highly recommended to always change the default Joomla database table prefix. By changing this, you can prevent hackers from being able to easily identify your site tables and thus make it impossible for them to hack into your database.

In order to do this, in cPanel go under MySQL Databases section > MyISAM tab > click Show All, then change the prefix (you can set up any random one you like) and click Save.

It’s also recommended to make this changes in your PHPMyAdmin section too if you are using it for managing your Joomla databases.

You should always check that everything is working correctly after making these types of changes by running a MySQL query.

3) Keep your Joomla website updated

By keeping your Joomla site updated, you are minimizing the chances of being hacked as new security holes are closed with every update. You should always make sure that everything is up to date by checking for updates regularly via Extensions > Extension Manager.

If there are any available updates, install them immediately, and if they require you to overwrite files or database changes, make sure to do them.

It’s also important to use only trusted sources when downloading extensions. If not, you are putting your whole website at risk by installing unknown or untrusted commercial components/templates.

Update typed out on a piece of paper using a type writer

4) Hide your Joomla version

It’s always a good idea to hide your Joomla version number so that hackers cannot find out what vulnerabilities have been fixed. For example, if you are running Joomla Version xyz and the latest released one is ABC, then hiding this information will prevent potential attackers from knowing what exploits can be used against your site.

5) Use .htaccess to deploy basic configuration settings

You can deploy some of your Joomla configuration settings by using the .htaccess file. This is a simple text file that gets placed at root level of your website and allows you to configure apache server options for the whole site or even specific directories.

Some useful examples are:

  • Preventing directory listing (which displays all files and folders on the website
  • Blocking direct access to various file types such as php, xml etc.
  • Password protecting directories via .htpasswd (this is a good way of restricting access to sensitive areas)
Person hiding in a box peeking through a little hole

6) Use Joomla two factor authentication plugin

There are many Joomla Two Factor Authentication plugins available that you can quickly install and take advantage of this additional level of security. If a hacker manages to get hold of your username/password, they still cannot access the site unless they also have your secondary device or code, such as an OTP (one time password) generated by Google Authenticator.

These plugins will make your site more secure, which is why it’s strongly recommended that you add Two Factor Authentication wherever possible!

The same thing goes for your hosting account, make sure to use two factor authentication via SSH if possible (or any other method you prefer) in order to protect complete access and limit the chances of being hacked.

mini orange two factor authentication homepage

7) Restrict access to Joomla admin area

It’s a good idea to restrict access to your Joomla Admin Area by only allowing trusted IP addresses. This is done via the .htaccess file and you can add multiple entries, like follow:

Order Deny, Allow
Deny from all
Allow from xx.xx.xx.xx

The first line tells the server to allow access and then subsequent lines define which IPs or subnets are allowed (beginning with “allow”).

Parking gate resorting access

8) Limit login attempts in Joomla

You should limit the number of failed login attempts as this can help prevent brute force attacks. You can do that by setting a specific configuration parameter in your Joomla site (i.e maximum failed logins before blocking an IP address).

This is done via System > Global Configuration > Security and then choosing how many times users are allowed to fail logins before being blocked.

9) Use strong passwords

As with any website that holds sensitive information, such as login details and payment card data, it’s vitally important to use strong passwords.

Strong passwords should consist of at least 12 characters and include a mixture of upper/lower case letters, numbers and special symbols (i.e !ӣ$%^&*). Also avoid using the same password for different services as this will make all of them insecure if one account is hacked.

It’s also important that you do not use the same password for your Joomla site and email because hackers are known to try common usernames/passwords combinations, which can lead to complete account takeover in some cases. It’s recommended that each service/site has its own unique password.

There are many ways to manage and remember pass It is also important not to write down your passwords anywhere that might may be accessed by others (including on Post-it notes stuck to the monitor or under keyboards).

If you wish, there are many ways of storing passwords securely, which includes using a Password Manager, such as the well known LastPass. This is free for personal use, but there’s also a premium service available if you require additional features.

a chain locked onto some phones computers and books

10) Set recommended Joomla file permissions

When you install Joomla it’s recommended to set the file permissions on your website directories and files correctly. Not doing so will allow hackers to possibly gain complete access and wreak havoc, such as inserting malicious code into your site or accessing sensitive information, including database details, usernames and passwords etc.

However, if the permissions are too restrictive then you may run into issues when trying to upload, edit or delete files/folders.

11) Update PHP version of your Joomla website

Joomla can run on multiple PHP versions including the latest release of PHP (i.e version v.52), which is known as Zend Guard Loader. It provides performance increases, additional security features and bug fixes over older releases, such as v.44.

It’s also possible to run Joomla on previous legacy releases, although this is not recommended as they contain known security vulnerabilities and bugs, which can lead to complete compromise.

On top of that, it’s also worth noting that PHP v.52 is the only version supported by the latest Joomla release (i.e version v.57). All other versions are considered unsupported due to potential security risks involved in using them.

If you’re hosting your Joomla website on a Linux server, then ensure that it is running an up-to-date LEMP stack, which includes Nginx, MariaDB and PHP.

12) Use secure hosting

Using secure hosting that provides a free SSL certificate as well as advanced server level security, such as automatic firewall protection, daily offsite backups, and much more.

Simply choose the plan that works best for you and install Joomla or WordPress following our simple installation guides to get started right away!

a phone on a yellow background with a lock on the screen

13) Disable dangerous PHP functions

PHP has a variety of built-in functions such as eval() that allow you to execute arbitrary PHP code. This is commonly used by hackers in order to run malicious scripts or gain access to your website’s files/database.

Therefore it’s recommended that you disable dangerous PHP functions (if they are not already) in order to prevent attackers from gaining access and potentially compromising your website/server etc.

14) Disable script injections

Script injections allow hackers to inject malicious code into your website, which can lead to them manipulating the appearance of web pages, redirecting visitors elsewhere, stealing sensitive information etc.

Many script injection attacks can be prevented by setting server-side PHP variables (e.g via .htaccess file) which prevent direct execution of any files in the server’s document root.

15) Watch for suspicious files/activity

You should regularly monitor your website for suspicious activity (e.g creation of new files, unusual access requests etc.). This allows you to detect breaches early on before any damage can be done and also gives you a chance to try and remove hackers from the system as quickly as possible.

a person hacking on a computer in the dark

16) Filter spam comments in Joomla

It’s worth mentioning that bad bots can be quite annoying and leave spam comments on your website.

This is because many of them crawl the web for SEO purposes and will post comments/content in order to gain valuable backlinks that help improve their search engine rankings (SEO).

Therefore it’s recommended that you install a plugin, such as bb-botmanager, to filter spam comments and prevent them from appearing on your site.

someone filtering coffee with a coffee filter

17) Use SSL to boost Joomla security

SSL is recommended for every website these days and should be considered as a basic requirement.

SSL certificates provide an encrypted connection between your server and the end user which helps prevent hackers from intercepting sensitive information such as login credentials etc.

18) Joomla security audit

It’s also worth mentioning that you can perform a Joomla security audit to identify potential problems/flaws that could be exploited by hackers.

This allows you to fix any errors prior to them being used against your site and will help keep your website secure against future attacks.

19) Use a firewall

One of the most important things that you can do to secure your Joomla website is to use a firewall.

A firewall basically blocks all unauthorized traffic and will prevent hackers from gaining access to your server (e.g via malicious scripts etc.).

There are many firewalls available, such as ModSecurity, Naxsi, Suhosin etc.

a brick wall

20) Remove unnecessary plugins/themes

It’s also recommended that you remove all unnecessary plugins and themes from Joomla as these could be used for malicious purposes by hackers to gain unauthorized access, inject scripts into web pages, etc.


Why is SSL important when it comes to securing a Joomla site?

SSL certificates provide an encrypted connection between your server and the end-user, which helps prevent hackers from intercepting sensitive information, such as login credentials etc.

How often should I monitor my website(s) for suspicious activity?

It’s recommended that you regularly monitor your sites/systems so that any breaches or vulnerabilities can be detected early on before any damage can be done e.g via spam comments, injection attacks, access exploits etc. This allows you to take steps to fix problems quickly rather than waiting for hackers to exploit them and gain access etc.

What is a firewall and why should I use one?

A firewall basically blocks all unauthorized traffic and will prevent hackers from gaining access to your server (e.g via malicious scripts etc.). There are many firewalls available such as ModSecurity, Naxsi, Suhosin, etc.

How can you remove unnecessary plugins/themes in Joomla?

It’s recommended that you remove all unnecessary plugins and themes from your website(s) as these could be used for malicious purposes by hackers to gain unauthorized access, inject scripts into web pages.

Is Joomla safe to use?

Joomla is a great content management system that offers the best of both worlds in terms of ease of use and flexibility. However, just like any other CMS out there, it’s never 100% secure so you should always take steps to harden your site against potential vulnerabilities from hackers, etc.

What is RSFirewall?

RSFirewall is a powerful Joomla plugin that provides you with the ability to fully control and monitor access to your site via an easy-to-use interface. You can use it to block IP addresses, limit access by time of day, etc.

What is ModSecurity?

ModSecurity is an open-source web application firewall (WAF) that provides you with the ability to control and monitor traffic entering/leaving your server(s). It’s a powerful tool for preventing hackers from being able to gain access to your site.

What is a security audit and why should I consider performing one on my site(s)?

A security audit basically identifies vulnerabilities/problems which could be exploited by hackers. It allows you to fix any errors prior to them being used against your site and will help keep your website secure against future attacks.


In conclusion, Joomla is a very popular CMS that contains many security vulnerabilities. As such, it’s important to follow the practical steps in this article to keep your website secure.

Even though Joomla has been around for quite some time, there are still users/developers who don’t take security seriously enough. This gives hackers have full access to their servers without any resistance from the owners

So make sure you’re doing everything you need to do when it comes to Joomla security!

Related Topics: