The security environment of the Internet seems to get riskier and riskier every year. Hackers and security professionals are locked in ever escalating battles and websites are subject to continual probing for vulnerabilities.

Wondering how to protect your Joomla website against hackers can keep you awake at night— and for good reason because dealing with a hacked Joomla site is a sure way to ruin your week and sometimes your month.

But figuring out how to secure Joomla can be daunting and it's easy to dream up a silly story like, "My site is not that important, no hacker will target me," and then try to ignore your anxiety whenever you think about it.

Instead of laying awake at night, what if instead you could sleep like a baby because you knew you had methodically protected your Joomla site against hacking? Instead of ignoring that pit in your stomach, what if you were serenely confident in your website's security because you knew and had implemented Joomla security best practices?

Peace of mind is a wonderful thing and this Joomla security checklist will provide you with exactly that. We will go step-by-step down the list of best practices in order to remove vulnerabilities, secure your defenses, and make your Joomla site an extremely tough nut to crack.


The security checklist is organized into four castle themed sections:

  • The Foundation - The core processes that provide Joomla security.
  • Eliminate Vulnerabilities - Removing vulnerabilities from your castle.
  • Build Defenses - Adding security measures to make you keep a hard target.
  • Hire Archers - Install additional software which will catch attackers when they test your defenses and penalize them for targeting you.

The instructions in this guide are for Joomla 3.9

The Foundation to Secure a Joomla Site

Without a strong foundation, even the thickest walls have no base and can be easily undermined. Similarly, without the following steps in place, any extra security precautions you take are frivolous. If you care about security, these are not optional.

#1 Get up-to-date.

The number one reason Joomla websites get hacked is that the site owners or Joomla developers failed to patch an out-of-date Joomla core or an out-of-date extension. Check your control panel for updates and make sure that you are running the latest Joomla long-term support version.

Update to Find Joomla Updates" style="display: block; margin-left: auto; margin-right: auto;">

Important: you can't rely on all extensions to notify you when they need to be updated. It is up to the extension developer to use Joomla's capability to do remote updates and many extension developers don't take advantage of this.

Due of this, you'll want to check the developer website to make sure you are running a current version, this is exponentially mission critical for less established or commercial extensions.

#2 Stay up-to-date.

Schedule 30 minutes in your calendar at least once a month to check your site for updates. Monday mornings and Friday afternoons are great times to set aside some time where it's unlikely you will have interruptions.

#3 Check your extensions for known vulnerabilities.

Go to the extension manager in your Joomla backend and make a list of all non-Joomla core components, modules, templates, and plugins you have installed.

You can tell an extension is not a core extension if the author listed is not the "Joomla team". Once you have your list, enter each extension into the Joomla vulnerability database to see if that version is vulnerable.

Apply any patches needed to fix a vulnerable extension or template. There is more detailed information on how to do this in our guide on How To Fix A Hacked Joomla Site.

Keep that list! You'll use it in the next step and later on.


#4 Sign up for Joomla security notifications.

Joomla has two email notification services that notify list members when a vulnerability is discovered in the Joomla core or when an extension has been discovered to have a vulnerability.

You can find that here at Joomla Core Security Notifications, just enter in your email address and you should be good to go.

Pro tip: having a list of extensions installed on your site makes it easy to check if a vulnerable extension is one you have installed.


#5 Check your administrator's password strength.

Easy to crack passwords are a common security hole. The technique that hackers used to crack easy passwords is called brute forcing and it's where they use a computer script to guess combinations in order to gain access to your control panel.

The best metric of password strength is not randomness, but length. Use a long password with some variability in characters and then check it using an online tool like how secure is my password.

For example: butchsmiley!Eviltupper ("It would take a computer about 12 SEXTILLION YEARS to crack your password.")

Another great tool to come up with stronger passwords is: Password Meter. This tool helps to come up with secure passwords that are easy for people to remember. (thank-you for the suggestion Adam)

#6 Set up backups.

Many hosts provide automatic backups. This is great, but it's a good idea to maintain your own backups as well to create some redundancy for failures. The backup tool that we use and love is Akeeba.

If your host does not provide backups or you'd like redundancy, install Akeeba and configure it to back up regularly to an off-site location. Then send manually send the backup to Dropbox, this is an easy backup to set up for most people. Instructions on how to do this are here:

Backup Joomla to Dropbox Using Akeeba

Once you have automated, regular, backups set up, schedule time 3 to 6 months from now to check a backup to ensure it is indeed a copy of your site.

The adage that most webmasters are familiar with is that "a backup that you do not test is not a backup."

#7 Use a reputable host.

There are many cut-rate web hosts on the Internet where you can host your site for next to nothing. Using this type of service is something we don’t recommend.

Hosting requires technical skill and it costs money to hire skilled engineers and invest in solid architecture. Budget hosts don't have that built into their cost structure.

The risk you run is that your host doesn't have the server correctly configured for Joomla security, making it easier for hackers to probe, compromise, and spread the effects of their hacks across several accounts.

The two hosts that we use and recommend most are Rochen and Siteground.


Eliminate Vulnerabilities to Secure Joomla

Now that you've gone through and done the tasks that provide the core to your site's security.

A check needs to be done to make sure that there are no weaknesses that will potentially undermine those core files.

#8 Check and fix your file and directory permissions.

In your Joomla file system, files and folders have what are called permissions which indicate whether they can be changed and by who.

This helps to prevent unauthorized changes from occurring. However, it's common for Joomla developers who are not as skilled to get frustrated by these restrictions and change the file permissions to allow anyone to make changes.

When a Joomla site goes on to the Internet like this, it opens the site up to being much more easily hacked.

There are several different ways that you can check and fix file permissions and I am going to tell you the easiest way...

The first is to install a firewall extension and have it do it for you automatically.

There are two firewall extensions we suggest can be found further down in this guide under the "Hire Archers" section. Both of these will check and fix permissions for you. (Admin Tools and RS Firewall)

Secondly, you can manually fix permissions which requires more work and more technologic skill.


Go to Components, Admin Tools, in the main interface is a button to check and fix permissions.

If you'd like to learn more about permissions or how to manually accomplish the same, check out the Joomla documentation:

#9 Check your PHP version to make sure it is secure.

The programming language that powers Joomla is PHP and like most things on the internet, the language has its own security vulnerabilities.

To check whether you're running a secure version of PHP, in your Joomla backend, go to the "System" menu item and at the bottom open "System Information". In the system information tab, it will tell you your PHP version.

Take your PHP version and enter it into the search form of a vulnerability database (which often refer to known vulnerabilities as CVE - Year - Record Number. CVE stands for Common Vulnerabilities and Exposure.)

If you find your version of PHP has several vulnerabilities, your next step is to submit a support ticket with your host and request that they upgrade you to a secure version. Again, this is why it's important to host your website with competent professionals.

Here is a graph showing the current PHP release cycle to give you an idea of what version of PHP you should be on for the long term:

#10 Clean up old admin users.

It's common for a Joomla site that is been around for any length of time to accumulate super administrators, this could be anyone from old developers or previously hired employees.

The old accounts provide another avenue for brute force password guessing. As an example, you may have forgotten that you set up a temporary account with a fairly easy password so that an extension developer could debug a problem you are having with one of their extensions.

Then, a few years later, a hacker is able to successfully guess it and use that password to install malware onto your site.

To check and correct this, simply go to your user manager, and filter by administrators and super administrators. Then, delete unused accounts.

Important! If you see a super administrator account that is active and enabled and that you are sure shouldn't be there, you likely have been hacked and you need to initiate a recovery. A common tactic for hackers is to register a user on the front end of the site and then use a vulnerability to escalate that user's privileges to super administrator. This may be the case for you if you find someone who doesn't belong.

#11 Check for and rename the admin user if needed.

While you're in the user manager, check for a user named, "admin." If this user exists, change their name to something other than admin.

The reason why this exists is that this was the default username that Joomla shipped with years ago for the super administrator and it provides a user to run brute force password guessing scripts against it.

If the name is anything other than admin, they have to guess the username and the password and not just the password.

#12 Uninstall non-core extensions that aren't being used.

It's also common for a Joomla site that is been around for any length of time to accumulate lots of extensions that it no longer uses.

These constitute security risks because even if there are no known vulnerabilities for the extensions now, that doesn't mean that one won't be discovered in the future.

These extra extensions increase the likelihood that something will be discovered that affects you. Because of this, it's a best practice to remove unused extensions. Code that does not exist cannot be hacked.

Important! Anytime you're deleting anything from your site you should start with a backup. Additionally, it's helpful to disable an extension first and see if it has any effect on your site before deciding to remove it completely.

While you're disabling things, you'll want to disable caching so that you are seeing an accurate representation of the website state.

#13 Remove old installations and files.

Joomla sites that have been online for years tend to have extra files that are no longer needed.  Check for and remove:

  1. Any non-essential PHP files pose a security risk and should be removed.
  2. Backups that expose information like database dumps (typically end with ".SQL") or publicly available backups of your site files.
  3. Older versions or backups of your site in subdirectories. Just because an older site is not linked to doesn't mean that hackers cannot find it. It doesn't do you any good to have an up-to-date installation if you have a publicly available older version of the site installed because once a hacker has compromised any part of your server, they can make changes anywhere. (Similarly, if you run a WordPress blog or a non-Joomla shopping cart it's critical that you keep those applications secure and up-to-date as well.)

Remember: all it takes is one hole in your defenses to blow everything wide open.

#14 Check to make sure error reporting is disabled.

In your global configuration, under System > Global Configuration > server tab, check to make sure that error reporting is set to none.

The reason why is simply information disclosure. Hackers will attempt to disrupt the operation of your site in order to gain information about how the site is running and the file paths being used.

By disabling error reporting, you provide them with no information about most errors they can generate.

Strengthen your Joomla Security Walls

Now that you've checked and eliminated common weaknesses, it's time to buff up your defenses. This is the section on how to secure your Joomla website where we take your Joomla security up a notch.

#15 Protect your administrator login.

One way to prevent attempts to guess the administrator password is to prevent users from being able to access the administrator to log in at all.

The two most common ways to accomplish this are to either password protect the administrator directory or to add a secret URL parameter to that area so you have to enter a special URL in order to access the login.

Of these two approaches, the easier one is to set up is the secret URL parameter.

This is because you can easily use an extension to get it into place and you don't have to go through two password screens in order to access the backend of the site. Both the Admin Tools and RS Firewall have features that make doing this relatively easy.

Otherwise, you can learn how to password protect your Joomla administrator folder in the official documentation.

#16 Use and buff up your htaccess file.

Joomla ships with a file in the web root named "htaccess.txt." When you rename that file to "htaccess" you can enable search engine friendly URLs.

However, this file also includes some basic but solid protections against hacker attacks regardless of whether you are using search engine friendly URLs.  

The htaccess file basically sets rules for what URLs can be accessed and how they are handled for your Joomla installation.

Something to note: Admin Tools has a htaccess builder tool that makes building a more defensive ruleset easy.

#17 (Optional) For sites targeted by more aggressive hackers, or with many administrative users, consider implementing two-factor authentication.

Two-factor authentication will tie your phone to your Joomla login and require you to enter in a special code that will be texted to your phone whenever you log in.

This reduces the chance of password guessing to nil because hackers not only have to guess your administrative password but somehow get access to your phone.

You can learn how to set up two-factor authentication here:

What constitutes more aggressive hackers?

This is worth setting up any time you think that your site may be under attack by hackers with specific goals: disrupting your business, stealing information, and etc.

Whereas most attacks on websites are automated and nonspecific and are simply looking to take advantage of *any* site's resources.

#18 Set up either https or VPN access to your administrator folder.

Any information sent between your computer and the Internet that is not accessed via https has some chance that a program on one of the computers between you and the destination can observe your traffic.

If this occurs, any hacker observing the traffic will be able to read your username and password when you log in.

The way to surmount this security issue is easy, simply set up an SSL certificate for your website. If you're not sure how to do this, ask your web host- it's their bread and butter and they'll streamline it for you.

Once you have purchased and installed the SSL, in your Joomla global configuration, enable the option to force SSL for the administrator folder.

An alternative to purchasing an SSL certificate is to always access your administrator folder using a VPN. This accomplishes the same effect where your traffic is encrypted between you and your destination.

A few VPNs:

In this scenario, you don't force SSL for the administrator folder like the above, but simply access your site using the VPN.

Hire Archers to Protect Your Joomla Site at Range

Now that your castle is buffed up, in this final section, we'll look at a few additional steps you can take to keep attackers from probing your defenses with automated attacks.

#19 Install an application firewall.

An application firewall will analyze incoming traffic for threats and deny any traffic that looks like it may be initiating an attack.

Additionally, some firewalls will automatically ban traffic after a certain number of threats have materialized from a user computer.

Two popular firewalls are:

For whatever firewall you choose to install, it's worth digging through the features and documentation to make sure that you're taking advantage of all its features.

For example, both firewalls listed above allow for geographic blocking which can be very helpful because the majority of attacks originate in Russia and Eastern Europe and few websites serve those regions.

By installing the Geo IP databases needed for the feature to work, you can eliminate attacks on your website by 60% or more.

#20 Bonus! Sign up for a cloud-based firewall.

There are two well-known SaaS (software as a service) applications that can provide another layer of security for your website: Cloudflare and Sucuri.

Cloudflare is designed to boost the performance of your site by caching and speeding up the delivery of your site resources.

The pro version of Cloudflare adds a cloud-based firewall to the service. This functions very similarly to the application firewall by detecting and filtering out attacks but does so before the request ever touches your server.

Sucuri is another service that provides a cloud-based firewall. Different from Cloudflare, the service is focused solely on the security of your site and includes a few extra tools around that need.

Both of these are great services and worth considering in order to add yet another layer of protection to your site. They have access to an active and ever-expanding pool of bad user agents and behavior that they will automatically protect your site from.

However, something to be aware of for these services is that if a hacker can determine your server IP address, they can easily avoid these protections and interact directly with your website.

Because of this, the services should be considered as a nice addition, but not reliable enough to protect your site on their own.

A Little Bit of Work Now, A Lot Less Pain Later

It can take a bit of work to go through these 20 steps, but if you review the Joomla security forums, you'll find pages of stories about people wasting days and weeks dealing with hacked websites.

Don't be a victim to rampaging Huns- strengthen your foundation, eliminate vulnerabilities, fortify your walls, and hire archers.

You'll sleep like a baby even as the battle rages outside your "castle's" walls.

A final note: If you found this security checklist helpful, help others benefit from it by sharing it to Facebook, Twitter, or LinkedIn using the buttons below.

John Hooley
President, Steward

John is a graduate of 10,000 Small Businesses, a certified Customer Acquisition Specialist, and a Zend Certified Engineer. He speaks and writes on connecting digital strategy to association goals. Outside of work he's an avid traveler, climber, diver, and a burgeoning sailor. He also volunteers with Rotary and Big Brothers Big Sisters.