Joomla Security

Having created a wonderful website and being proud of the result, it is most annoying to discover that your website has been hacked and/or infected with malware. On the internet there are always naughty guys around trying to hack websites, maybe just for fun ... To prevent this, we have to take security measures.

First the bad news: there is no 100% security

Second the good news: one can make it very difficult to hack the website and if the worst comes to the worst one can always restore the complete website.

1. Keep Joomla and all Extensions up-to-date

Before you start doing anything, back up your website and test the backup. This will for sure save you time and nervous energy! Update Joomla and all extensions as soon as possible, but test everything on a webserver (WAMP, XAMPP) on your local computer first.


2. Download only from reliable sources

A very reliable source for extensions is the website. You can trust all extensions listed in the extension directory. Download these extensions only from the original developer's website. Sometimes these extensions are listed also at Do not use vulnerable extensions (see List of Vulnerable Extensions (new)).


3. Do not use default Settings

Do not use generic usernames like "admin" or "super user". Very common usernames are a security risk: hackers then only have to guess the password...


4. Use strong Passwords

A password should have more than 7 characters, the more the better. Use a combination of uppercase letters, lowercase letters, numbers and special characters. Do not use usernames as passwords.
You may replace some letters, e.g.:

Letter   Replacement
A, a     /-\ or 1
B, b     8 or 13, 6
E, e     3
I, i     !
O, o     0
P, p     9
S, s     5 or ?


5. Joomla 3.x: Use Two Factor Authentication, if possible

Traditionally you log in with your username and password. Joomla 3.x now provides a much more secure way to log in: Two-Factor Authentication. This requires an additional six-digit security code that you get from the Google Authenticator app, which is available for most mobile devices and Windows 8. The six-digit code changes every 30 seconds.
How to enable Two-Factor-Authentication:

  1. log in at the backend as Super User
  2. enable the plugin "Two Factor Authentication - Google Authenticator"
  3. download and install the Google Authenticator app on your device
  4. enable Two Factor Authentication in the User Manager: click on the account name. You can choose this authentication method for any user.
  5. Joomla now shows the account name and the key for this account. Enter these account details in the Google Authenticator app on your device.
  6. the app will generate a code you have to enter in the Joomla backend in the Security Code field
  7. save your changes

Now you need username, password and a secret key to log in.
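How the six-digit code from the steps above is derived and checked, as an added example in Python (not Joomla's or the plugin's own code): it implements the standard TOTP algorithm (RFC 6238, HMAC-SHA1, 30-second step) that Google Authenticator uses. The key is the RFC's published test secret in base32, used here as a constructed sample; the function names and the one-step drift window are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample key: the RFC 6238 test secret "12345678901234567890" in base32.
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(key_b32, at=None, step=30, digits=6):
    """Six-digit code for the 30-second step containing time `at` (RFC 6238, SHA-1)."""
    text = key_b32.replace(" ", "").upper()
    key = base64.b32decode(text + "=" * (-len(text) % 8))    # restore stripped padding
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)

def verify(key_b32, code, at=None, window=1, step=30):
    """Accept the current step and `window` steps either side to tolerate clock drift."""
    now = int(time.time() if at is None else at)
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(key_b32, max(now + drift * step, 0), step)
        # compare_digest avoids leaking how many digits matched through timing
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok

if __name__ == "__main__":
    print(totp(SAMPLE_KEY, at=59))                  # code for the step containing t=59
    print(verify(SAMPLE_KEY, "287082", at=89))      # one step later: still accepted
    print(verify(SAMPLE_KEY, "287082", at=149))     # three steps later: rejected
```

Anyone who holds the key shown in step 5 can compute every future code, so it needs the same protection as the password. A production verifier also remembers the last accepted step so that a code cannot be replayed within its window.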

There are other secure login systems available: see Login Protection


6. Use Unix/Linux file Permissions (chmod) for File Protection

Protect your files by setting access permissions using change mode (chmod) commands. These settings tell the server who has access to a file or a folder. Chmod the entire site to 644 or 744.
Some explanations:
Change chmod settings using FTP software like FileZilla. You cannot change chmod settings using Joomla.

r = Read permissions
w = Write permissions
x = Execute permissions

rwx 7 Read, Write, Execute
rw- 6 Read, Write
r-x 5 Read, Execute
r-- 4 Read
-wx 3 Write, Execute
-w- 2 Write
--x 1 Execute
--- 0 no permission

Example: chmod = 777

Owner            Group            Other
r w x            r w x            r w x
4 2 1            4 2 1            4 2 1
4 + 2 + 1 = 7    4 + 2 + 1 = 7    4 + 2 + 1 = 7
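
An added example (not from the original page or from Joomla): a Python audit that spells out each mode as in the table above and lists every file or folder writable by group or other, that is, anything looser than the 644 or 744 recommended here. The file names, modes and the temporary sample tree are constructed for the example.

```python
import os
import stat
import tempfile

def rwx(mode):
    """Spell out the owner/group/other digits as in the rwx table above."""
    out = ""
    for shift in (6, 3, 0):                      # owner, group, other
        digit = (mode >> shift) & 7              # r=4, w=2, x=1
        out += "".join(c if digit & v else "-" for c, v in zip("rwx", (4, 2, 1)))
    return out

def audit(root):
    """List (relative path, octal mode, rwx) for anything group- or world-writable."""
    findings = []
    for folder, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(folder, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):         # a symlink's own mode is not meaningful
                continue
            mode = stat.S_IMODE(st.st_mode) & 0o777
            if mode & 0o022:                     # write bit set for group or other
                findings.append((os.path.relpath(path, root), format(mode, "03o"), rwx(mode)))
    return sorted(findings)

def demo():
    """Audit a constructed sample tree (names and modes are made up for the example)."""
    layout = {"index.php": 0o644, "configuration.php": 0o666,
              "cache": 0o755, "images": 0o777}
    with tempfile.TemporaryDirectory() as root:
        for name, mode in layout.items():
            path = os.path.join(root, name)
            if name.endswith(".php"):
                open(path, "w").close()
            else:
                os.mkdir(path)
            os.chmod(path, mode)                 # set explicitly, independent of umask
        return audit(root)

if __name__ == "__main__":
    for path, octal, symbolic in demo():
        print(octal, symbolic, path)
```

To check a real site, call audit() with the path of a local copy of the Joomla directory.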


7. Use Joomla Extensions for Security

Joomla Extensions: Access and Security
First I would like to mention once again Akeeba Admin Tools, a "Swiss Army Knife" for your website. Additionally there are firewalls, malware scanners, SPAM protection, e-mail protection, captcha, ...
I would like to highlight (see: Login Protection):
- AdminExile: protect your website with access keys, IPv4/6 black/white lists, brute-force detection, ...


8. Backup your Webproject regularly

Back up your website/webproject regularly, and test the backup on your local webserver (e.g. WAMP or XAMPP)!
Store the backup files in a directory outside your Joomla installation.

9. Keep yourself informed

You may visit regularly: Joomla Security Center
You may read: Joomla Docs: Introduction to Joomla Security
You may check the Joomla Extensions Directory: Security and Site Protection
You may register for the Joomla Security's newsletter.
You may check regularly: List of Vulnerable Extensions (new)

You may subscribe to Joomla Security Feeds
You may join a Joomla User Group
You may prefer not to choose Microsoft servers: Joomla requires Apache/PHP/MySQL, which runs best on Unix/Linux servers
You may set PHP register_globals = off (php.ini)


10. Use .htaccess to Protect Your Website

10.1 Blocking Specific IP-Addresses

If you want to block one IP-address, f.e. add

<Limit GET POST>
order deny,allow
deny from
</Limit>

to your .htaccess file.
If you want to block a whole range of IP-addresses, add

<Limit GET POST>
order deny,allow
# Works the same as wildcard 192.168.1.*
deny from
# Works the same as wildcard 192.168.*.*
deny from
# Allow from one IP in the denied range
allow from
# Denies accesses from the domain
deny from
</Limit>

to your .htaccess file.

About IP-Addresses
Geolocation on the internet: the IP-address tells you the country, city and post code. This implies that you are able to block IP from
The list of Major IP Addresses Blocks By Country enables you to block access from a certain country.
Have a Look: IP-Webmaster Tools

10.2 Password Access

To protect access to the backend login (administrator directory), you may add an .htaccess username and password. This means you have to log in twice.

- First add to your .htaccess file:

AuthType Basic
AuthName "Please enter your password:"
# Placeholder path: point this at your own password file
AuthUserFile /full/path/to/.htpasswd
<Limit GET POST>
require valid-user
</Limit>

- create a password file .htpasswd

For more information visit:

Apache HTTP Server Tutorial: .htaccess files
htpasswd - Manage user files for basic authentication

10.3 Block Index Listing

To block directory listing, add at the top of your .htaccess file:
Options -Indexes

11. Joomla and SSL (Secure Sockets Layer)

- configure the server

- get an SSL certificate

- configure Joomla using SSL

Some links:

Apache SSL/TLS Encryption

enabling ssl on wamp with startssl on a live site

Wamp2 HTTPS and SSL Setup Step-by-Step guide

How to use SSL in a Joomla! Site