Articles IT and Development

Airtract Aakanchha Keshri Tagline Not Available

Top 9 Joomla Security Tips to Keep Hackers Away! 02 March, 2020   

Joomla CMS, despite its several security features, can be easily hacked. Most of the time, hackers are more likely to exploit a misconfiguration than a bug present in the code. Hence, a careful application of Joomla security measures can prevent most attacks. These Joomla security tips are easy to apply and go a long way in protecting your site.

Follow these Joomla security tips to make sure your installation is secure:

1. Regular Updates

Almost daily, a CVE (Common Vulnerability and Exposure) is dropped that can be exploited if not updated/patched.

 Always be prompt with security patches and updates.

To update your Joomla Installation, follow the following steps:

  • Login into Joomla Dashboard as administrator and got to Components

  • Then go to Components->Joomla!updates.

joomla security tips dashboard

Check for the latest updates for your Joomla installation and install the update. For this, go to Extensions->Manage->Update.

2. Backing Up Joomla Installation

Sometimes the new updates may break some features in your Joomla Installation or its extensions.  To avoid such a situation, backup your Joomla site before you push an update.

For this purpose, you can use an extension called Akeeba CMS Update. It can backup and update your Joomla installation. 

Follow these steps to set up the extension.

1.  Download the Extension from the provided link

2. Login into Admin Panel and then Extensions -> Manage->Install.

install dashboard (joomla security)

3. Upload the extension and then install it.

upload and install screenshot


4. Once you have installed it, go to Components-> Akeeba Backup. From the drop-down menu, select the option you want to proceed with.

backup with akeeba screenshot

5.  Click on backup to create a backup for the current installation and Follow the wizard.

backup wizard

The Akeeba extension will create backups for your site. A functional backup can quickly restore your site in case of a hack or a backup gone astray.

3. Directory and File Permissions

Files and folder permissions are the most important configuration on your Joomla installation. Wrong file & folder configurations pose a huge security risk. In typical Joomla installations, file permissions are listed in the form of numbers (just like in Linux filesystem). You should be able to understand them to configure them. 

Here are some common Joomla files permissions:

  • 0755: only the owner of the file can read write execute to it, rest can only read and execute.

  • 0644: The owner can read and write to them; the rest can only read them.

  • 0444: Nobody can write to it, all can read them.

Never set file permissions to 0777 as it gives all access (read, write, and execute) to all users and can be exploited by the attackers. Secure file permission on your site improves your Joomla security like no other.

4. Use a Web Application Firewall

The internet can be a very hostile place. Various botnets and hackers are trying to access your site every second. To protect your website, it is important to deploy a Web Application Firewall to monitor and protect your Joomla website in real-time.

A firewall scans all the incoming network traffic coming to your site. It also blocks attacks like brute force, SQL injections, XSS, spam, CSRF, etc. One recommended Joomla Security extension is Astra Joomla Security Suite.

Besides monitoring and blocking attacks, you can also use this extension to scan your site for malware. With this, you also get a pack of other security features such as login protection, one-click malware removal, IP & IP range blocking/whitelisting, Country blocking/whitelisting, ready-made GDPR compliance bar and more.

To use this extension, sign up from here. Next, install the Astra extension on your Joomla site after following a couple of simple steps, and you have a guard set up on your website. 

5. Configure Your PHP Setup

The Joomla CMS is primarily written in the PHP language. PHP, if not configured properly, shows bugs that can be exploited. Thus configuring the PHP setup is an essential step towards enhancing the Joomla Security. To do so, edit your php.ini file with the following changes.

5.1 Hide your PHP version

PHP version info can be used to find relevant bugs to that version by the attacker, hence make sure it is hidden.

expose_php = 0

5.2 Add a Directory WhiteList

Allow access only to those directories that are needed by the user. Deny access to everything else, including the sensitive ones.

open_basedir = "/var/www/"

Note: You must allow access to those directories that PHP needs access too. Else, it may hinder the workings of your website.

5.3 Detailed Errors

Errors that reveal more than the required information are also a threat. Customize those errors so that no crucial information is given away.

display_errors = 0

6. Code Execution

In most cases, the remote code execution is caused by misconfigurations in the installation rather than bugs in the codebase. Thus properly handling the events that may cause them on your site is essential.

If your site doesn't use functions that result in executing code on the server, it’s recommended to disable them in the config file in order to stop potential RCE (Remote Code Execution) on the site.

disable_functions = exec,passthru,shell_exec,system, proc_open,proc_close,proc_terminate,popen,curl_exec,curl_multi_exec, show_source,posix_kill,posix_getpwuid,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,posix_setuid,posix_uname,php_uname,syslog

While at it, it is recommended to disable the following too, to stop LFI/RFI.

allow_url_fopen = 0

allow_url_include = 0

7. Limiting Permissions

You should always follow the principle of least privilege while assigning permissions and roles to members on your site.

  • Assign a minimal set of privileges to a user to perform an action.

  • Allow privileges only for that exact action to be performed.

The following guidelines are recommended to improve the Joomla security.

  1. Assign the lowest permission to the new user roles.

  2. Revoke privileged permission when not required by the role.

  3. Remove roles that are not being used.

  4. Ensure that the default role is with the lowest permissions.

8. .htaccess Configuration

A correctly configured htaccess file can improve the security of your website by a huge margin. Most third-party vendors will configure your htaccess file when hardening your Joomla security.

Joomla ships with a pre-configured htaccess file named htaccess.txt. To use it, rename the file to .htaccess and place it in your site's root directory.


Using Captcha on login forms is an effective way to protect your site's login form from attacks like brute force, bot spam, etc. Recaptcha is a Captcha implementation by google and can be easily deployed on your Joomla installation(v2.5 and above). Follow the Official Joomla guide to install it

Thus, with these simple steps, you can protect your Joomla site from attackers. These simple Joomla security tweaks can improve your site's security significantly. Joomla Site offers a variety of Joomla security tips to improve your Joomla security.

#Joomla Security How to secure my Joomla website? Securing my Joomla website Joomla security tips Actionable Joomla Security tips

Related Articles

Tips to follow for securing your website on a budget A Comprehensive Guide To Automated Penetration Testing Impact of Fake News on the Society Multi factor authentication - leading security methods for your compliance solutions ... IP Address, Username, and Password

IT and Development Courses


ASP.NET Webforms from Scratch for Beginners

hari systems

0 (0) New Course

Learn ASP.NET, The first step to ASP.NET you need to learn to succeed in web application development, it is easy to learn and understand our online ASP.NET Training course is designed for you with ...

8 hrs 56.52 mins 0 Students Enrolled 49 Lectures


74.67 % off $75


Buy Now

Complete PostgreSQL for Beginners: Bootcamp

hari systems

0 (0) New Course

Learn PostgreSQL, The first step to SQL you need to learn to succeed in SQL development, it is easy to learn and understand our online SQL Training course program is designed for you with the compl...

6 hrs 3.12 mins 0 Students Enrolled 56 Lectures


90.45 % off $199


Buy Now

The Complete MySQL from Scratch: Bootcamp

hari systems

0 (0) New Course

Learn MySQL, The first step to SQL you need to learn to succeed in SQL development, it is easy to learn and understand our online MySQL Training course program is designed for you with the complete...

7 hrs 54.51 mins 0 Students Enrolled 55 Lectures


65.45 % off $55


Buy Now

Complete Microsoft SQL Server from Scratch: Bootca...

hari systems

0 (0) New Course

Learn SQL, The first step to MSSQL you need to learn to succeed in SQL database application development, it is easy to learn and understand our online MSSQL Training course is designed for you with...

8 hrs 54.27 mins 0 Students Enrolled 61 Lectures


57.78 % off $45


Buy Now
View All
Item added successfully. Go to cart for checkout.
Accept Reject