Joomla security

Editor: Dmytro Sokol

In this article we describe the main steps that can help make your Joomla-built website more secure and avoid it being hacked. Of course, we cannot guarantee that your site will be 100% secure after you perform these steps, because even the most secure websites (such as Facebook) may be hacked. Nevertheless, we advise following the recommendations in this article to be on the safe side.

Note! We highly recommend checking the general security recommendations as well, because they are not repeated in this article. They apply to all sites, regardless of the CMS used. This article describes recommendations specific to Joomla CMS security.

How to secure a Joomla-built site?

1. Updates

Don’t forget to update your CMS on a regular basis. Newer versions are more secure because previously found vulnerabilities are usually fixed in them.

2. Security modules

Most of the following steps can be performed automatically by security modules. Most of these modules are paid, but they offer many features, including email notifications about unauthorized access attempts. The most popular Joomla security modules are RSFirewall! and Admin Tools.

3. .htaccess

Most likely the htaccess.txt file will be created automatically. You need to rename it to .htaccess and configure it correctly in order to secure your website. Guidelines can be found in your hosting provider’s knowledge base.

4. Login IP-address restriction

Restrict access to the admin area by IP address. To block all IP addresses except one, add the following text to the .htaccess file in the administrator folder:

order deny,allow
allow from xxx.xx.xxx.xx
deny from all

Replace xxx.xx.xxx.xx with the IP address you use to log in to the admin panel (that is, the one that should not be blocked).

Afterwards, only users connecting from the indicated IP address will be able to reach the administrator folder.
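The snippet above uses Apache 2.2 syntax. Apache 2.4 accepts Order/Allow/Deny only when mod_access_compat is loaded; otherwise the directives are unknown and an .htaccess containing them produces a 500 error. The script below is an added example, not part of the original article: it writes an administrator/.htaccess that carries both forms in IfModule blocks so the same file works on either version, validates every address, and accepts several addresses or CIDR ranges (for example an office network). The directory and the addresses are inputs; the addresses used in the comments are documentation ranges, not real ones. Keep in mind that behind a reverse proxy or CDN Apache sees the proxy’s address, not yours, so the allow-list must be built from the address Apache actually observes.

```shell
#!/bin/sh
# Added example (not from the original article): write an IP allow-list
# .htaccess for Joomla's administrator/ directory in both the Apache 2.2
# syntax shown in the article and the Apache 2.4 "Require ip" syntax.
# The directory and the addresses are whatever you pass in.

# valid_ipv4 ADDR : accept a dotted IPv4 address with an optional /prefix
# (e.g. 203.0.113.5 or 198.51.100.0/24). Returns 0 if valid, 1 otherwise.
valid_ipv4() {
    printf '%s\n' "$1" \
        | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    # The regex alone allows 999; each octet must be 0-255.
    local octet
    for octet in $(printf '%s\n' "${1%%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# write_admin_htaccess DIR ADDR [ADDR...] : write DIR/.htaccess so that only
# the given addresses may reach the directory. Returns 2 on bad input.
write_admin_htaccess() {
    local dir="$1"; shift
    [ $# -ge 1 ] || { echo "need at least one address" >&2; return 2; }
    local ip
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 2; }
    done
    {
        echo "# Apache 2.4: mod_authz_core is present"
        echo "<IfModule mod_authz_core.c>"
        echo "    Require ip $*"
        echo "</IfModule>"
        echo "# Apache 2.2: mod_authz_core is absent, use the legacy directives"
        echo "<IfModule !mod_authz_core.c>"
        echo "    Order deny,allow"
        echo "    Deny from all"
        for ip in "$@"; do echo "    Allow from $ip"; done
        echo "</IfModule>"
    } > "$dir/.htaccess"
}
```

Run it as `write_admin_htaccess /path/to/public_html/administrator 203.0.113.5 198.51.100.0/24` after sourcing the file; the 2.2 block lists one Allow line per address, while the 2.4 block puts them all on one Require line, which is what each version expects.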

5. Third-party extensions

Do not download suspicious third-party extensions. We recommend downloading them only from the official website: Joomla itself is quite a secure CMS, but hackers can gain access to your website through extensions or modules. For instance, suppose you install a discussion module. A hacker can insert malicious code in place of a comment or an attachment and gain access to your website data. If you have already installed such extensions, we recommend deleting them.

6. File permissions

Set the following permission values: 755 for folders and 644 for all files except configuration.php, which should be set to 444.
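The two functions below are an added example, not part of the original article: one applies the modes just listed to a site root, the other reports every path that deviates from them, so the check can be re-run after updates or extension installs. The site root is an input; nothing is hard-coded. Because 444 denies write access to the owner as well, saving Global Configuration from the admin panel needs the mode relaxed to 644 first and set back to 444 afterwards.

```shell
#!/bin/sh
# Added example (not from the original article): apply the modes the article
# recommends (755 directories, 644 files, 444 configuration.php) to a Joomla
# site root, and check a site for anything that deviates. ROOT is the
# directory you pass in; nothing is hard-coded.

# set_joomla_perms ROOT : apply the recommended modes recursively.
set_joomla_perms() {
    local root="$1"
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # configuration.php last: read-only for everyone, including the owner.
    if [ -f "$root/configuration.php" ]; then
        chmod 444 "$root/configuration.php"
    fi
}

# check_joomla_perms ROOT : print every path whose mode deviates; return 1
# if anything was printed, 0 if the tree matches the recommendation.
check_joomla_perms() {
    local root="$1" bad
    bad=$(
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -path "$root/configuration.php" ! -perm 644
        find "$root" -maxdepth 1 -type f -name configuration.php ! -perm 444
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

Usage after sourcing the file: `check_joomla_perms /path/to/public_html` lists offenders and exits non-zero, which makes it usable from a cron job or a deploy script; `set_joomla_perms /path/to/public_html` repairs them.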

7. Super administrator username

Do not use ‘admin’ as the Super Administrator username. Create a complicated and non-obvious username.

8. Enable SEF

Enabling SEF (Search Engine Friendly) links is not a very effective security measure, but it is still worth doing.

9. PHP settings

Disable the following PHP settings: register_globals, safe_mode, allow_url_fopen and allow_url_include. Also set the disable_functions and open_basedir directives. If you cannot edit these settings through the hosting control panel, contact the hosting provider’s support team to check whether they can change these directives for you.
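The script below is an added example, not part of the original article: it reads a php.ini and reports each of the six directives above that is not in the recommended state, which is the check to run before and after asking the hosting provider for changes. It parses the file itself, so it also works on a copy downloaded from the server; the sample php.ini it writes is constructed for the demonstration. Two notes for current hosts: register_globals and safe_mode were removed in PHP 5.4, so on a modern PHP they are only a concern on very old installations, and `php --ini` prints the path of the php.ini actually loaded.

```shell
#!/bin/sh
# Added example (not from the original article): audit a php.ini for the
# directives the article lists. audit_php_ini prints one line per finding and
# returns the number of findings, so 0 means every listed setting is in the
# recommended state. The sample php.ini below is constructed for the demo.

# ini_value FILE NAME : last uncommented assignment to NAME in FILE, with a
# trailing " ; comment" and surrounding quotes removed; empty if unset.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 \
        | sed -e 's/[[:space:]][[:space:]]*;.*$//' -e 's/[[:space:]]*$//' \
              -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# ini_is_on VALUE : PHP's boolean rules; On/1/true/yes are on, anything else off.
ini_is_on() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        on|1|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_php_ini FILE : report the six directives from the article.
audit_php_ini() {
    local ini="$1" n=0 d v
    for d in register_globals safe_mode allow_url_fopen allow_url_include; do
        v=$(ini_value "$ini" "$d")
        if ini_is_on "$v"; then
            echo "$d = $v: should be Off"; n=$((n+1))
        fi
    done
    # These two take lists; an empty value means no restriction at all.
    for d in disable_functions open_basedir; do
        v=$(ini_value "$ini" "$d")
        if [ -z "$v" ]; then
            echo "$d is empty: set it"; n=$((n+1))
        fi
    done
    return $n
}

# write_sample_ini FILE : constructed sample with three problems, for the demo.
write_sample_ini() {
    cat > "$1" <<'EOF'
; constructed sample php.ini for the demo, not a real server's file
register_globals = On
safe_mode = Off
;allow_url_include = On        commented out, so it must not count
allow_url_include = Off
allow_url_fopen = On
disable_functions =
open_basedir = "/var/www/site:/tmp"   ; set, so it passes
EOF
}
```

After sourcing the file, `audit_php_ini "$(php --ini | sed -n 's/^Loaded Configuration File: *//p')"` audits the live configuration; on the constructed sample it reports register_globals, allow_url_fopen and disable_functions and returns 3.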

10. FTP

Delete all FTP data. To do so, click System, select Global Configuration and open the Server tab.

11. Session lifetime

Make sure that the session lifetime value is 10-15 minutes. You can change the session settings by clicking System, selecting Global Configuration and then opening the System tab.

12. Move the configuration file

If possible, it is better to move the configuration.php file out of the public folder (usually public_html). To do this, follow the steps below:

a) Copy the configuration.php file to any folder outside public_html (for example, to a folder one level above in the file hierarchy).

b) Locate the /includes/defines.php and /administrator/includes/defines.php files and find the following line in each of them:

define( 'JPATH_CONFIGURATION', JPATH_ROOT );

c) In this line, indicate the new location of the configuration.php file. For example, if you are moving the file from public_html to a folder called ‘test’ one level above public_html, the line should look like this:

define( 'JPATH_CONFIGURATION', JPATH_ROOT.DS.'..'.DS.'test' );

d) Move the configuration.php file to the new folder and delete it from the old one.

e) Note that you will no longer be able to change the system configuration through the Joomla admin panel. From now on you will need to edit the configuration.php file directly.

13. Logs and temporary files

We recommend moving the temporary (tmp) and log files out of the public_html folder as well. To do this, find the following lines in the configuration.php file (we replaced the real file path with letters):

var $log_path = '/home/xxxx/yyyyyy/zzzz/logs/';
var $tmp_path = '/home/xxxx/yyyyyy/zzzz/tmp/';

Once located, change the paths to point to the new directory, then copy the temporary and log files to the new folder.

14. Database prefix

Change the default database prefix. Here you can find the detailed instructions. If you are not very familiar with how databases work, it is better not to make any changes on your own (the security modules described in point 2 would be a better option). This method can partially protect your website from SQL injections; for instance, it can prevent a hacker from reading the admin panel login credentials from the jos_users table. Nevertheless, to be fully protected from SQL injections we recommend using security modules (point 2).

15. Backups

To be on the safe side it is recommended to make backups every day. If you cannot make them this often, at least back up your site before changing any settings or installing a new plugin or module.

16. Virus scan

Scan your websites for viruses at least once every two weeks, and especially after installing a new plugin or module.

17. SSL-certificates

There are many companies offering SSL certificates, such as Comodo, Symantec or Let’s Encrypt. The latter is usually offered by hosting companies for free. To enable an SSL certificate, edit the corresponding settings in the hosting control panel and in the configuration.php file as follows:

Locate the live_site directive and enter

$live_site = 'https://yourdomain.tld';

Make sure that there is NO slash after the domain.

Set the force_ssl value to ‘2’. This means that both the website and its admin panel will be accessible only over HTTPS.
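The script below is an added example, not part of the original article: it checks a configuration.php against steps 10 (FTP data), 11 (session lifetime), 14 (database prefix) and 17 (live_site and force_ssl) in one pass, which is a quick way to confirm the admin-panel changes actually landed in the file, and to re-check after a migration. It reads the file with sed, so it can be run on a downloaded copy without PHP. The configuration keys ($ftp_enable, $ftp_user, $ftp_pass, $lifetime, $dbprefix, $live_site, $force_ssl) are Joomla’s own; the sample file the script writes is constructed for the demonstration and is not a real site’s configuration.

```shell
#!/bin/sh
# Added example (not from the original article): audit a Joomla
# configuration.php against steps 10 (FTP), 11 (session lifetime),
# 14 (database prefix) and 17 (live_site and force_ssl) of the article.
# audit_joomla_config prints one line per finding and returns their count.

# cfg_value FILE NAME : value of $NAME, whether the file writes
# "var $name = '...';" (Joomla 1.5) or "public $name = '...';" (1.6+).
cfg_value() {
    sed -E -n "s/^[[:space:]]*(var|public)[[:space:]]+\\\$$2[[:space:]]*=[[:space:]]*(.*);.*\$/\\2/p" "$1" \
        | tail -n 1 | sed -e "s/^'//" -e "s/'\$//" -e 's/^"//' -e 's/"$//'
}

audit_joomla_config() {
    local cfg="$1" n=0 v
    # Step 10: the FTP layer should be disabled and hold no credentials.
    if [ "$(cfg_value "$cfg" ftp_enable)" = "1" ] \
       || [ -n "$(cfg_value "$cfg" ftp_user)" ] || [ -n "$(cfg_value "$cfg" ftp_pass)" ]; then
        echo "ftp: FTP layer enabled or credentials stored; clear ftp_user/ftp_pass, set ftp_enable to 0"
        n=$((n+1))
    fi
    # Step 11: $lifetime is the session lifetime in minutes.
    v=$(cfg_value "$cfg" lifetime)
    case "$v" in
        ''|*[!0-9]*) echo "lifetime: '$v' is not a number of minutes"; n=$((n+1)) ;;
        *) if [ "$v" -gt 15 ]; then echo "lifetime: $v minutes; set 10-15"; n=$((n+1)); fi ;;
    esac
    # Step 14: the Joomla 1.5 default prefix gives away table names such as jos_users.
    if [ "$(cfg_value "$cfg" dbprefix)" = "jos_" ]; then
        echo "dbprefix: default 'jos_' in use; change it"; n=$((n+1))
    fi
    # Step 17: an https live_site with no trailing slash, and force_ssl = 2.
    v=$(cfg_value "$cfg" live_site)
    case "$v" in
        https://*/) echo "live_site: remove the trailing slash from '$v'"; n=$((n+1)) ;;
        https://*)  ;;
        *) echo "live_site: '$v' is not an https:// URL"; n=$((n+1)) ;;
    esac
    if [ "$(cfg_value "$cfg" force_ssl)" != "2" ]; then
        echo "force_ssl: not 2, so plain http is still accepted for the site or the admin panel"; n=$((n+1))
    fi
    return $n
}

# write_sample_config FILE : constructed Joomla 1.6+ style file (not a real
# site's) with one problem per step, so every check above fires.
write_sample_config() {
    cat > "$1" <<'EOF'
<?php
class JConfig {
    public $dbprefix = 'jos_';
    public $live_site = 'https://www.example.com/';
    public $force_ssl = '0';
    public $lifetime = '60';
    public $ftp_host = '';
    public $ftp_user = 'deploy';
    public $ftp_pass = 'constructed-placeholder';
    public $ftp_enable = '0';
}
EOF
}
```

After sourcing the file, `audit_joomla_config /path/to/configuration.php` prints the findings and exits with their number, so `audit_joomla_config cfg.php && echo clean` reads naturally in a deploy check; on the constructed sample it reports all five problems.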

If you have any suggestions regarding Joomla website security, feel free to leave them in the comment section and we will gladly add them to the article. Also, please note that implementing any of the above security measures may affect your website’s performance, so make sure you have backed up your website before making any changes.
