Joomla Security Best Practices – List to Secure Your Joomla Website

Joomla is has evolved as the second-largest used CMS after WordPress. It has left behind many of its competitors, and with 4.9% of total live websites on the internet, the number is growing steadily. The reason behind the increasing popularity of Joomla is its simplicity and ease of using. However, with all sorts of benefits, we cannot deny the growing vulnerability.

But before we get deeper into the Joomla Security best practices, let’s know some interesting things about Joomla.

Begin with…

What is Joomla?

Joomla is the second most popular CMS after WordPress, which helps merchants publishing web content and take them to customers across the world.

Here are some facts and market share of Joomla

  • Joomla accounts for 4.82 million Joomla websites out of the total number of internet sites using the CMS (Content Management System) between September 2017 and October 2019.
  • Linux, IKEA, Holiday Inn, Lipton Ice Tea, etc. are some of the famous sites built on Joomla
  • Joomla accounts 5.2% of market share which is the second largest after WordPress
  • United States, Russia, and Germany are the top three nations having more sites based on Joomla

These are some of the basic facts which will help you understand Joomla even better. Now coming to core points, why you need to be extra cautious against the hackers and find ways to protect your Joomla sites.

Everything with an internet connection is vulnerable, this is undeniable facts. In a simple sentence, it is not just Joomla, but all other websites, apps, eCommerce sites, or others contain security risk. You cannot escape from it but can reduce the chances of being simply trapped into the hands of cyber robber waiting for your precious website to show weaknesses.

But, that’s not easy for them either, provided that your Joomla website is well protected and maintained. So, what you all need to keep your website safe from internet robbers? You might be assuming that when you have everything right in place, why you need to work for the website being hacked. That’s good thinking as every website comes with security protection, they protect your website to the extent. But still, cybercrime is on the rise. Even Joomla has faced it in the past.

When Was Joomla Hacked?

Even though the IT scholars say that among all other CMSes, Joomla is more secure, there were several occasions when Joomla was hacked. For instance, in 2017, Joomla suffered SQL injection vulnerability.

According to CVE stats, out of total hacked websites, Joomla accounts for 4.3%, which is not ignorable.


Something similar happened in 2018 as well when “Inadequate checks in the InputFilter class could allow specifically prepared phar files to pass the upload filter.”

If we talk about the type of vulnerabilities, it has suffered from. Then the XSS attack is the biggest one with a 36.9% ratio.

There are such examples that took place in the past. But, that does not mean that only Joomla is not suitable for you. Hacking is common, and not a single CMS, Framework, or Library is untouched from it.

What we are putting stress upon is you can reduce the chances of vulnerabilities by following certain Joomla practices and principles.

Why you need to secure your Joomla Website?

A website, especially a business website, is a very precious merchant. It contains plenty of sensitive information, customers’ data, plan, strategies, and much more, which you need to protect it at all costs. You would never want to precious customers’ data get into the hands of hackers, even you would not want your business strategies, or documents to get hacked. These are not only the two things, but there several others that make it compulsory to have security protection.

So, keeping this in mind, we have suggested the best tools and best practices of Joomla security, which you would find useful to follow.


Check out our Article : Joomla Performance Optimization – Steps to Improve Joomla Page Speed


Best Tools To Check Website vulnerabilities.

Web Inspector

Just scan your site and get thread reports of everything, including Blacklist, Phishing, Malware, Worms, Backdoors, Trojans, Suspicious frames, and so much more. Just get the tool, run scan, and secure your Joomla website.


Checking through your website, if it has any affected files on the website, the Sucuri is the best and free website malware and security scanner to do that. We have chosen it to be in the first place as we have found most popular and can help you with many things, including a quick test for Malware, Website blacklisting, Injected SPAM, and Defacement.


Quttera is yet another cybersecurity software which enables merchants to browse through the website and check if anything such pages or website affected. Just run the scan, you will get the list right in time.

SSL Labs

SSL Labs, as per SSL Labs website, is a “non-commercial research effort,” which helps merchants troubleshoots and improve their usage of SSL. Using the tool, you can scan the Joomla website and get the list affected stuff right in no time.

12 Online Free Tools to Scan Website Security Vulnerabilities & Malware


Best Security Practices to Keep your Joomla Website Secure

Keep Strong Login Credentials and protect your Admin URL

“Passwords are like underwear: don’t let people see it, change it very often, and you shouldn’t share it with strangers.” – Chris Pirillo.

Simply put, the first step to protect your website is to protect the Admin URL, and it begins with keeping a strong and complex password. Here are some points to note;

  • Keep changing passwords quite frequently
  • Avoid using a username like “admin” and “administrator.”
  • Never have a password with the website name
  • Don’t use your name in your password
  • Avoid using your mobile number in the password
  • Use a unique character in the password
Login Credentials

Use 2-factor Authentication

Two-factor authentication is important to keep your Joomla website secure. It adds an extra layer in terms of security. You need to enable the two-factor authentication by following the tips here;

  • Log-in to your Joomla website
  • Then click to User Manager => Edit => Two-Factor Authentication tab
  • And, enable the Google authenticator

Two Factor Authentication With Google Authenticator
In case you are not able to find the Two-factor authenticator there, you can get it from the Plugin Manager and enable it.

You need to enable it from Google as well, and for that, you need to download the Google Authenticator app on your devices such as mobile or PC.

When you open your Joomla site, you will get QR code as options, you can scan the QR code using the device or add the key if it is in your computer.

Setting up the Google Authenticator with a QR Code
You will have a 6-digit code generated in your Google Authenticator App. Using that code, you can enter the code in the Activate Two-Factor Authenticator field of your Joomla site. Now, click on save, and your job is done.

Activate Two Factor Authentication
From now onwards, every time you log-in, you will be prompted with a secret key along with the password to enter. You will find that secret key in your Google Authenticator app on your mobile or computer.

Host site in Secure Environment

Selecting a good host will ensure to keep your website safe and protected. You also need to ensure that the hosting provider correctly implements and executes the Joomla security safeguards. If you have a shared server, the subnetting needs to be implemented first. In my opinion, selecting cheap hosting serving can cost you even more. Therefore, take a deep breath, think about it, and make decisions.

Use Latest Version of Joomla

Using the latest version is necessary. Some merchants don’t mind to update their Joomla website and go on running the old version of Joomla for a long time. Hackers are waiting for such a mistake to commit.

Joomla keeps rolling out security patches regularly. You need to update it as well. If you are not updating the website regularly, you are missing out on some crucial security for your website. Updating your Joomla website will provide you safety and stability.

Steps to update:

Joomla Update

  • Log-in Joomla website => Components => Joomla Update
  • Now, if the update available, you will be prompted with the option “Install the Update.” That’s it. Your job is done.
  • However, before you install the update, you need to ensure if,
  • Templates are updated and compatible with new updates
  • All Joomla extensions are updated and consistent with the new versions
  • Note: once you update the latest version, you need to clear the cache from the Joomla site.

Update Extensions Regularly

Extensions are very essentials parts of the Joomla website. They should be compatible with all interdependent tools, other extensions, and others. For instance, if you are installing security patches, then you need to ensure that the present extensions are compatible with the updates. Or, you can choose to update the extensions first. Sometimes, extensions are outdated after certain times, so you need to keep this in mind also.

Restrict Admin Access

Limiting access by IP filtering to the admin area is one of the safest ways to keep threats aside. You have plenty of sensitive resources in the admin panel and other folders. You can protect them by following the step given below;

  • Create a .htaccess file, if not done yet
  • Add code (given below) to the .htaccess file
  • ” Order Deny, Allow
  • Deny from all
  • Allow from xx.xx.xx.xx

You can enter the IP you want to all access from in “Allow from xx.xx.xx.xx,” though if you have dynamic IP, you can try another method, instead.

RewriteEngine on

RewriteCond %{REQUEST_URI} ^(.*)?administrator$

RewriteCond %{REMOTE_ADDR} !^xx\.xx\.xx\.xx$

RewriteRule ^(.*)$ – [R=403,L]

Now, it will work and let people access only on the allowed IP address and geolocation.

Set Joomla File Access Permission

You can limit the access of Joomla files by setting the correct permission. You have 644 for files and 755 for directories, which you can enable to restrict access.

Step to enable the default Joomla suggestion;

Go to FTP client such FileZilla and connect this to your website

Select the files, folders, and directories which you want to change the permission for

Now, click right and change the permission option

Use 644 for files and 755 for directories as the numeric value

Your job is done.

Disable User Registration

Disabling user registration, if not needed, is the crucial thing to keep in mind. If your website contains only blog contents or you corporate website, then you don’t need user registration, and it should be removed.

Steps to disable user registration;

In the Option, go to User manager => Manage and set “No” in the section “Allow User Registration.”

User Manager Options modal window

Automate Comment Spam Filter with Extensions

There are bots that crawl through websites and inject spam links into the comment fields. These comments are irrelevant to your website and even contain a severe threat to your website. You can filter these comments by filtering using Joomla extensions like Akismet, which will filter the spam comments.

Back-Up Your Site Routinely

Backing up your website is essential as you can restore you website content when needed. All you need to do is to choose the hosting server, which provides daily or frequent backup facilities. Backing up your essential files and documents of your website will enable you to quickly rollback and restore the CMS in case of an attack.

What to BackUp;

There are two crucial things that you need to backup to prevent any mishaps in the future. They are;

  • Backing up the Joomla core files including other essential and necessary files
  • Backing up the Joomla Database

You can automate the backup process so that you don’t need to remember backing up the files, though the manual backup is also available with Joomla.

How to Backup?

If you are doing it manually, then you need to follow these steps;

To backup Joomla files;

  • Use FTP utility or file manager, in case of using third party hosting
  • Download FileZilla
  • Download it on the local machine where you wish to keep the backup
  • Connect to your Joomla website using SFTP
  • You need to enter “sftp://” followed by your website name in the host file to connect
  • Locate a folder on the local machine to save the backup files
  • Now, enter the folder name in the address bar (of local site windowpane)
  • All your files will be copied to the local machine.

For Joomla Database;

Joomla Database

  • Find out the Joomla Database name (You can find them in configuration.php file in the directory of Joomla)
  • Search the following code;
  • public $user = ‘user1’;
  • public $password = ‘abc’;
  • public $db = ‘user_db’;

Keep these codes or command lines in mind (this code holds your username, password and database name)

Log-in to Joomla website via SSH and move to the folder where you want to save the database file

Run the command given below;

mysqldump -uuser1 -pabc user_db > db-backup.sql

Now, the command will save the database user_db the designated file called db_backup.sql.

Once it is saved, you can download it and save it to the preferred and safe location.

For Automate Process;

  • Install it on your Joomla site
  • Now, log-in to Joomla and in the admin area, navigate to;
  • Extensions =>Manage =>Install

Joomla Backup

  • You will get a button like “Or Browse For File’, click on the button by selecting .zip file
  • It installs the Akeeba, and once it is done, it will prompt you will confirm Option
  • Now, to backup, you need to navigate to Components >Akeeba Backup
  • Having things accessed, you will get the Option like “Backup Now.”
  • Click on it, and you will be prompted with yet another page to add a short description
  • Having done with these, you can click on backup now options, and the process will begin
  • At last, after the procedure is over, it will navigate to the page
  • You will have options such as “manage backups.”
  • Clicking on, it will open up a page which will have all the backup

Now, you can download it and save where you want to

That’s it.


Check out our Article : Tips To Reduce Joomla Website Maintenance Cost [Save Big Bucks]


Hide Your Joomla Version

Hiding Joomla version is essential as it contains some of the malicious scripts on the internet. Sending out Joomla to each page will simplify for attackers to choose and exploit for the site, injecting specific version as attackers, before they hack your website, fingerprint it. You need to hide it, and you have two ways to do it.

First, making change in the core Joomla file

Second, making change in the main template file

When you want to make change in the core Joomla file, follow these steps;

Open /yourwebsiteroot/libraries/joomla/document/html/renderer/head.php

Now search the following code in the file;

$strHtml .= $tab.'<meta name="generator" content="'.$document->getGenerator().'" />'.$lnEnd;

You can change it with;

//$strHtml .= $tab.'<meta name="generator" content="'.$document->getGenerator().'" />'.$lnEnd;

To make change in the template file, you need to take the following steps;

Open /yourwebsiteroot/templates/yourtempaltename/index.php

You will get the file opened on your screen

Now, add code (code given below) right before the code

"<jdoc:include type="head" />:"




$document = &JFactory::getDocument();

Both methods are methods are effective, though the first method is not recommended as you will not be able to upgrade your Joomla version.

joomla development services

Update PHP version regularly

Upgrading the PHP version regularly will protect you from attacks and provide robust security Joomla security. If you are using shared hosting, you can ask your service provider for the regular update.

Track Script Injection Regularly

Injections are very common today, though you can stop it by disabling the script injection. Hackers inject malicious code into your PHP files, which can sploit your Joomla website. You can use a .htaccess file. Add the code (given below) to .htaccess file and disable the script injection attacks.

Options +FollowSymLinks

RewriteEngine On

RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]

RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]

RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})

RewriteRule ^(.*)$ index.php [F,L]


SSL stands for Secure Socket Layer certificate, and it provides encryption of the communication between your Joomla website and users. However, it is not considered good in terms of Joomla security, but it helps your website achieve ranking on Google search engine. All you need to do is to get an SSL certificate from a verified certifying authority. At the same time, you need to ensure that the entire HTTP traffic transferred to HTTPS. To make sure this, you can add the following code (given below) to the .htaccess file.

# Redirect HTTP to HTTPS
RewriteEngine On RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Remove Unnecessary Extensions

Using unnecessary extensions will make your website more vulnerable than safe. You need to ensure that the extensions you are using are;

  • Reliable and provided by trusted community
  • Not out-of-date
  • Active and receives regular updates

These are some of the basic things you need to keep in mind. At the same time, you also need to check if there is any unnecessary extension installed on your Joomla website. If yes, remove it immediately.

Enable SEF URL

SEF stands for Search Engine Friendly, and it’s a feature that you have on your Joomla website. You can configure it by making changes. Follow these steps and suggestion;

Go to Global Configuration

Enable SEF
Now, rename htaccess.txt to .htaccess

Now, it re-writes the URL and mask your website and prevent hackers from making any exploitation.

Use Web Application Firewall

A firewall, as the name suggests, becomes a wall to all coming attacks from the internet to your Joomla website. Now, all the requests from the internet will pass through the firewall, and if it finds something malicious, it will prohibit or block the request.

You need to choose the hosting provider carefully after examining whether it provides a robust Firewall or not. You can enquire about the hosting provider, which you find affordable and safe.

Use 3rd Party Extensions that Secure Joomla Site

Choosing a third-party extension is significant. There are many third extension which provides robust security to your website. There are various such extensions developed by developers and available for free to use. Some of the top third-party extensions include Securitycheck Pro, Brute Force Stop, QuickIcon Administration, miniOrange
OAuth Client, Cerberus etc

Top Extension To Secure Joomla
Final Words

These are proven tips and suggestions to keep your Joomla website safe and protected from hackers. When you follow the Joomla security best practices, you not only protect your website from hackers but also smoothen your website and provide the best user experience.

Need Consultation?

Put down your query here...

    Ronak Patel

    Ronak Patel, the CEO of Aglowid IT Solutions, is a NASSCOM member and a published writer in top tech publications like DZone and Hacker Noon. With a background as a full-stack developer, he brings a wealth of technical expertise. Ronak's marketing acumen complements his technical skills, ensuring the delivery of innovative IT solutions that excel in the market.

    Related Posts