Joomla Security

A handy list of recommendations for improving the security of Joomla-based websites. Web security is an important issue, and when not done properly it can expose your site to the various hacks and exploits that circulate on the web. Read the whole article to find the most important ways to make your website immune to the most common attacks.

Keep the CMS and the extensions updated.

Probably the most important part of securing your Joomla website is to keep it updated to the latest version. In almost all version releases there are fixes for security issues.

Keeping your Joomla extensions up-to-date is equally important for the security of your website. Actually, there are more attacks that utilize security issues in extensions than in the actual Joomla 3 core files.

First, you should avoid using default user names like "admin" or "administrator". Those will be first in the list of words a potential attacker would try.

Next, it is important to have a strong password for your website. Many attackers try to brute-force your login details. This means that they use a list of commonly used passwords to guess yours. There are several tips that will help protect you against such attacks:

Enable and Use the htaccess File

By default the htaccess file is not in use. Make sure you rename it from .htaccess.txt to .htaccess. Then it needs to be placed in your root folder. You can also add some rewrite rules to it to prevent common exploits. This will add an additional layer of protection to your system.

Do Backups!

The most important thing to do is back up your website. Do it at least on a monthly basis. How often depends on how often you update your content and what changes you are making to your website. I personally recommend that you do updates on a weekly basis. Some hosting providers do regular backups too.

Use Proper File Permissions & Ownership

File permissions are a method of controlling what you and other people can do with a file or folder. You will want to configure your permissions so that files and folders can only be accessed by your account, and that outside visitors can’t read important Joomla configuration files.

  • All files should be set with a CHMOD value of 644
  • All folders should be set with a CHMOD value of 755
  • Your configuration.php file should be set with a CHMOD value of 640
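
The following script is an added example, not part of the original article: it audits a Joomla tree against the three values listed above and can reset anything that deviates. The function names `audit_perms` and `fix_perms` are hypothetical, and the site root is whatever path you pass in.

```shell
#!/bin/sh
# Added example: audit and repair permissions on a Joomla tree using the
# values listed above (files 644, folders 755, configuration.php 640).
# audit_perms / fix_perms are hypothetical helper names; the site root is
# whatever path the caller passes in.

# Print one "want MODE: PATH" line for every entry that deviates.
audit_perms() {
    root=${1%/}
    cfg=$root/configuration.php
    find "$root" -type d ! -perm 755 -exec printf 'want 755: %s\n' {} +
    find "$root" -type f ! -path "$cfg" \
        ! -perm 644 -exec printf 'want 644: %s\n' {} +
    if [ -f "$cfg" ] && [ ! -L "$cfg" ]; then
        find "$cfg" ! -perm 640 -exec printf 'want 640: %s\n' {} +
    fi
}

# Apply the recommended modes. find does not follow symbolic links here,
# so link targets outside the tree are left alone.
fix_perms() {
    root=${1%/}
    cfg=$root/configuration.php
    find "$root" -type d ! -perm 755 -exec chmod 755 {} +
    # configuration.php is excluded so it is never briefly set to 644.
    find "$root" -type f ! -path "$cfg" \
        ! -perm 644 -exec chmod 644 {} +
    if [ -f "$cfg" ] && [ ! -L "$cfg" ]; then
        chmod 640 "$cfg"
    fi
}

# Usage: sh joomla-perms.sh /path/to/site [fix]
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = fix ]; then fix_perms "$1"; fi
    audit_perms "$1"
fi
```

With 640 on configuration.php, the web server process must run as the file's owner or belong to its group, otherwise Joomla cannot read its own configuration.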

Remove Unused Joomla Extensions

There are people out there who spend their time trying to find weaknesses in software. The older the software, the more likely it is to be vulnerable to hacking, because someone has found and published its weaknesses.

The most vulnerable elements found in Joomla websites are old third-party extensions. If you are using add-ons, you must keep them up to date, but it's easy to forget about the ones you installed and never used. Remove all unused extensions and you will greatly reduce the chances of your site getting hacked.

Use security extensions

Use ‘firewall’ extensions such as jHackGuard or Marco’s SQL Injection – LFI protection, or commercial solutions such as Akeeba Admin Tools Pro or RSFirewall!, to protect against the most popular hacking attacks: SQL Injections, Remote URL/File Inclusions, Remote Code Executions and XSS Based Attacks!