As Joomla site recovery specialists, we are regularly approached for help and see the same Joomla vulnerabilities come up time and again. What's sad is that they are incredibly easy to correct, but once a Joomla site is hacked it comes at considerable cost to get it fixed and secure again.

In this blog post, we will look at the five most common security issues and how to correct them.


The Security Issues

#Issue 1: Build it and Forget It

The number one cause of hacked sites is lack of maintenance. It is incredibly simple and doesn't require much investment in time, but most sites get hacked simply because they do not stay up-to-date with the security releases for the Joomla core or its extensions.

If your Joomla login looks like this and you haven't updated in years you have a major security issue.


The problem stems from the fact that hackers are more and more aggressive and use automated tools to execute attacks at scale. 10 years ago you could leave a site as it was for several years, but these days any open source software, including Joomla, requires maintenance and security patch application.

The web is wild west and your website needs to stay up-to-date if you're going to keep the desperadoes out.

The fix:

If you're the site builder: make sure and offer your clients some form of maintenance service. Include it on any estimates or proposals you provide them along with the rationale for why it is important.

#Issue 2: Prevention Is Key

Preventing your site from getting hacked by taking password security seriously is the best measure you can take. An incredibly common attack on websites is password guessing because of how often it is successful.

No one likes to have to remember difficult passwords but it is essential to security.

A tool that is very helpful in realizing how quickly a password can be hacked is How Secure Is My Password. This extremely insightful tool will simply show you Passwords that are simple words with numbers or relatively short are quickly guessed using automated "brute force" attacks.

The fix:

Use long passwords that are nonsensical and use a few special characters, but that you can remember. This works because password length creates complexity which makes using a computer script to guess them difficult so long as there is some variation.

For example, president!Tokyo!furious!zebra

If you're the site builder: make sure and explain to your clients why this is important and provide them with these longer passwords.

#Issue 3: Self Hosting (or Bottom Barrel Hosts)

It's not difficult to get a virtual private server, dedicated server, or even in-house box set up. For some agencies and freelancers, it's attractive because you can host many sites at cost savings compared to shared or reseller hosting.

However, it's critical that the server environment is set up with the security packages and configured correctly. Additionally, just like for any Joomla website, servers require maintenance in order for the security to remain effective.

ConfigServer common Linux firewall on servers.


Even if your Joomla site is in good shape, if your server is vulnerable, you're going to end up hacked. Self-hosting or choosing bottom barrel hosting providers is a common issue we run into that will ultimately end up in trouble.

The fix:

Either use some form of a managed server or hire a system administrator to regularly audit your server security.

#Issue 4: Poorly Chosen Extensions & Templates

Poorly chosen extensions and templates often create flaws in Joomla security

A couple of common scenarios:

  • The site builder needs functionality which is more esoteric and has a hard time finding a solution. So they find an extension which fits the need fairly well but doesn't appear to be of high quality or well-maintained. They install the extension anyway and trust that everything will work out.
  • A site builder tries to save some money by downloading a commercial extension or template from a free scripts website and not the developer who created it. (This is not quite pirating because it's open-source, but still unethical because they are sticking the developer by not supporting their work.)

The above are a not so "free" templates on Pirate Bay.


Both of these scenarios could incur and when they do, they not only allow holes to be created in the Joomla security itself, but that the site builder may actively be incorporating malware and other malicious code without realizing it.

The fix:

Use extensions and templates from reputable sources. If you can't find one, either hire a Joomla developer or Joomla development company to create it bespoke or find another solution if you can't afford custom work.

Sometimes it's better to do without then to do with!

#Issue 5: Legacy Directories/Code

For any site that's been on the web for more than a couple years, it's likely that it has accumulated some legacy code. If this code isn't cleaned up, it significantly increases the chances that the site will be compromised. This is because over time more and more vulnerabilities are discovered by hackers.

Time to clean up your filesystem.

The 3 most common scenarios:

  1. The webmaster or site builder installs an extension, doesn't end up using it, and forgets about it.
  2. A Joomla developer working on the site creates a staging or backup directory to test some updates in and once the updates are incorporated in the live site forgets to remove the staging directory from the server.
  3. The website uses multiple applications and while one is actively updated the others are neglected. For example, a Joomla site with a WordPress blog that is not updated.

The fix:

  • Once or twice a year audit your Joomla extensions for anything that you're no longer using and uninstall it.
  • Check for and remove any staging or backup directories. Whenever you're finished using a staging directory, make sure you clean it up as a final step.
  • Remember that vulnerabilities can be exposed by any code on your server, so make sure and keep all applications updated with the latest security patches.
  • Hire a Joomla Developer to keep your website up to date and manage extras that would cause a security breach.

What About Joomla Security Holes?

Joomla is developed by veteran developers who are highly aware of the security environment of the Internet and the risks involved. Joomla has a built-in security model to combat common vulnerabilities in web applications. Because of these factors, even though the core application is under an incredibly high level of scrutiny by hackers it rarely has significant security issues and when they are discovered they are patched very quickly.

Security holes are more likely to appear in poorly coded extensions that don't use the Joomla security model due to the inexperience or laziness of the developer. This is why it's critical to be particular when choosing extensions and not haphazardly installing everything that might work.

For More...

These are the most common vulnerabilities that we see and their fixes. If you're interested in doing an in-depth audit of your site security, check out our blog post on Joomla security best practices which covers these vulnerabilities and more.

This post's cover image Sinking Ship 001 by Tony Evans used under Creative Commons


John Hooley
President, Steward

John is a graduate of 10,000 Small Businesses, a certified Customer Acquisition Specialist, and a Zend Certified Engineer. He speaks and writes on connecting digital strategy to association goals. Outside of work he's an avid traveler, climber, diver, and a burgeoning sailor. He also volunteers with Rotary and Big Brothers Big Sisters.