The "Joomla Best Practices Checklist" is based upon our many years of experience building Joomla solutions and the best advice we've gleaned from the Joomla community. Most sites do less than 10% of these best practices and are missing out on opportunities and exposing themselves to risk. It is our hope that this checklist and the explanations below will help to improve on this and help you to have a more robust and better performing website.

Download the Joomla Checklist here.

About the Recommendations

We have categorized the best practices into four areas: security, performance, stability, and marketing. These four areas are common needs across almost all websites and provide the platform for which you can use your website to achieve your goals. Below are brief explanations of each best practice along with a difficulty rating to implement that practice.

  • Easy: less than 15 minutes
  • Medium: 1 to 2 hours
  • Hard: days and weeks to execute


Security is more and more important with each passing year. Hacker attacks have become more persistent and more complex. Every website will be probed for weaknesses within a matter of weeks once it is linked to on the Internet. It is critical that your site repels these automated attacks in order for it to fulfill its function for your organization.

Visitors cannot access the administrator login area. (Easy)
The administrator login area is the administrator folder. For example: It's important to prevent public access to this area because it is a login form that is targeted for password guessing. If an attacker can guess your password here, they will essentially control your site.

Common methods of preventing access are two implements password protection on the directory or use a plug-in to require a "URL parameter" to be attached to the location in order to load the form (for example: these protections can be easily performed by installing a plug-in or extension from the Joomla! extension directory: protect administrator directory.

File system is automatically scanned for hacked files on regular basis. (Medium)
Regular scanning is important because it will alert you to a hacked file prior to it causing damage. Often, sites are hacked by automated scripts and are not immediately accessed or exploited by the hacker. This provides a window to prevent damage from occurring should a site become compromised. This is most effective when it is automatic via a Cron job or something similar.

Site is updated according to a schedule. (Easy)
Out of date extensions or the Joomla! core are a common reason that sites become compromised. The problem that most website owners face is that they are too busy to stay on top of each update to keep their site secure. The best way to surmount this obstacle is to have a simple schedule where someone is assigned to keep the site up-to-date.

For sites that don't have registered users on the front-end, user registration is disabled. (Easy)
Some sites have front-end users that participate on the site. For example, an e-commerce site that stores user logins so that they can view their previous purchases. However, many sites do not have users of the site so much as visitors. For example, a tourism site does not need visitors to login and become users, they simply want people to peruse the website pages. A common problem is for hackers to register with a site as a normal user and then attempt to use various attacks to change that user into a superuser so that they can exploit the site resources. The easiest way to shut this attack down is to turn off user registration if it's not in use. This can be accomplished through the options in the user manager.

An application firewall is configured and in use. (Medium)
There are several application firewalls available as Joomla components and as non-Joomla
web server software. The easiest way to locate and implement a firewall is to review the security software in the Joomla extension directory: Joomla security extensions.

The default admin username is changed. (Easy)
The most common password guessing attacked is conducted against the admin user which is the default or chosen username on many Joomla installations for the first superuser. By changing the admin username to something else, this problem is negated.

Administrator passwords can't be cracked in less than a month. (Easy)
Regardless of whatever security features are in place, super administrator passwords should be very difficult to crack. You can measure the strength of your passwords using the following tool:

How Secure Is My Password?

We recommend using a password program like LastPass to make coming up with and using difficult passwords easy.

Directories have 755 permissions and files have 644 permissions. (Medium)
Directory and file permissions determine who can access and change files. By default, these permissions are automatically configured when Joomla installs. However, it's common for website owners or developers to change the permissions when they run into a problem they don't understand. Because of this, a typical hacker attack is to look for directories or files with the wrong permissions and overwrite them with a malicious script.

You can automatically fix this by following the directions at the bottom of the following tutorial in the Joomla! documentation: How do UNIX file permissions work

Additionally, several of the security extensions in the Joomla extension directory can check for and do this with the click of a button.

Magic quotes are disabled on the server. (Hard)
Magic quotes is an out of date PHP feature which contributed to developers writing insecure code. Current versions of Joomla! (3.x as of the time of this writing) will not install if you have magic quotes enabled on your server. If it is enabled, you are currently on an out of date Joomla installation and need to update to the current long-term support version. You can learn more about how to disable Magic quotes and upgrade to Joomla 3.x in the official documentation.


Performance relates to the speed with which your website loads. It is important because it not only impacts user engagement, but also your rankings in the search results pages of major search engines.

Caching is enabled. (Easy)
Caching is a technique your Joomla site uses to save itself brainpower.  It temporarily stores parts of your site in memory, the "cache," so that it doesn't have to build the whole site when someone asks for it. Periodically, it will check to make sure that nothing is changed and update the cache.  In your Joomla sites backend, in the global configuration, under the system tab, there is a heading "Cache Settings." All you need to do is enable either progressive or conservative caching. Because of how caching works, it can impact the correct function of your website for more complex tasks (beyond the normal content pages.) Because of this, I recommend that you try conservative caching. If you're willing to go through and test the various functions of your site, progressive caching does have more of a performance boost.

Gzip compression is enabled and working. (Easy)
Gzip compression is a server process which takes your normal site content and compresses it before sending it over the wire to a visitor's computer.  To enable gzip compression, in your Joomla site's backend, in the global configuration, under the server tab there is a heading, "Server Settings." Beneath that heading is a switch to turn on gzip compression. All you need to do is enable it and then save. Once you have saved the setting, navigate to the following page to test whether it is working:

Template image files are optimized for web use. (Medium)
Image files are generally saved in graphics programs under the paradigm of providing the best quality image. However, this makes them extremely large and on the Internet, large image files will slow down and overburden each webpage that is delivered to your visitors. In order to prevent this, every image displayed on your site should be saved to using a common web optimization feature. For example, Photoshop has, "save for web." Image files will still have good quality but their size will be reduced to the recommended amount. In particular, images used by the template should all be optimized for web use because they will load on nearly every page.

JavaScript and CSS assets are minified. (Medium for developers)
JavaScript and CSS help to determine how your web browser displays a webpage. When developing templates that use these resources the developers will write the code in such a way that it is easy for them to read. Your browser does not read JavaScript and CSS the same way that a human does and these resources can be compressed or "minified" using various programs. By compressing these assets, less information needs to be transmitted to the browser thereby increasing the page load speed.

Site assets that are not regularly updated have expires headers. (Medium for developers)
Expires headers tell the visitors browser that the content will not likely be updated anytime soon and the browser can simply load a cached resource instead of checking for a new one. Typically, this is selectively accomplished using an htaccess file.

Site uses a content delivery network (CDN). (Medium to Hard for developers)
Content Delivery Networks are highly optimized servers that position content closer to the physical location of the visitors web browser. They can dramatically improve the speed of a website. Implementing a content delivery network can take a few hours to a few months depending upon the needs and goals of the website. A popular content delivery network that is very quick for developers to set up and it still provides much utility is Cloudflare.

Template uses sprites to reduce image downloads. (Medium for developers)
Sprites are an image technique that reduce the number of downloads a web browser needs to do and thereby increases the speed with which a page loads. Developers can typically alter template files from individual assets into sprites in a matter of hours.

Website page loads in under 2.5 seconds. (Easy to Hard)
This is more of a measure of performance than a technique. You can measure your website speed using a tool such as GT Metrix.

Images use width and height attributes. (Easy)
Width and height attributes are needed on every image and can help the browser more quickly determine how to display the image on the page.


Stability concerns how tough your website is and how likely it is to survive the eventual disaster scenario.

Backups are automatic. (Medium)
Site backups should be automatically executed because people generally perceive backing up as a low priority which is easily overshadowed by whatever is currently urgent. Backups that are not automatic do not get done.

Backups are redundant (for example, the web host takes a regular backup and the site takes a regular backup.) (Medium)
Backups should be redundant because the need to recover from a backup is always a disaster scenario and if there is ever a problem with one backup source, the second one will be critical. In the military, this is commonly referred to as, "One is none and two are one."

Backups are tested on a schedule. (Medium)
Backups that are not tested cannot be relied upon. Tests that are not scheduled do not get done. If you are not testing on a schedule, you are not truly insured against disaster.

Site uses a nonpublic staging clone to test and integrate updates. (Hard)
A staging site is a key part of a robust site strategy. There are not always problems performing extension or core updates, but when there are, you want to catch them in an environment that is not critical to your website's success. This is not essential for sites with little traffic but becomes of paramount importance to larger, more traffic, websites.

Site files are under version control. (Medium for developer)
Version control tracks what files are changed in a file system. This is helpful in a couple of different ways. First, if you run into any problems with an update or file change, having the files under version control can help to identify the problem or to roll back to before the files were changed. Additionally, version control can help to identify hacked files if your server becomes compromised.

Site is hosted on a high uptime environment. (Easy)
For maximum robustness, your site should be hosted in an environment which guarantees an uptime of better than 99.9%. In layman's terms, this means that the server should never go down. For larger more trafficed websites, this is very important. For smaller websites, it's good enough to have your site hosted on a reputable web host or environment. For shared hosting, we have had good experiences with Rochen, SiteGround, and Hostgator. We would not recommend 1 and 1 or Go Daddy.

Site is using a site monitoring service to detect if it goes down. (Easy)
Site monitoring services can alert you to problems and allow you to respond more quickly to disaster scenarios. There are various services which provide this and can be reviewed by performing a web search for, "site monitoring service." Similar to a few of the above examples, the importance of this corresponds to the traffic your site receives. Some hosting providers, such as Rack Space or Amazon Web services will send you automatic alerts if the status of the site changes.


Regardless of the goals of the website, all websites exist on the Internet to be visited and marketing provides the channels for visitors to encounter your website. Below are specific best practices that have to do with Joomla features.

URL rewriting is turned on and working. (Easy)
URL rewriting is a setting enabled through the global configuration of Joomla! that makes the location of webpages on your site easy for a human to read. Beyond looking pretty, this is part of the information that search engines use to determine the content of your webpage and where it should rank in the search results.

Pages have unique meta-descriptions. (Easy)
Meta-descriptions are the blurbs that show up in the search results next to the page title. They are what tell potential visitors what is on the page they might navigate to. Meta-descriptions are set in the article settings and in the menu manager. If they are not set, Joomla will default to the global meta-description which will fail to provide accurate information about an individual page.

Page titles use keywords and aren't longer than 60 characters. (Easy)
Keywords are the hooks that link search engine results to individual pages on websites. Using keywords in your page titles will help you to rank better for those pages as well as convince visitors to access your pages. 60 characters is around what is displayed in search results for a page title. You can set a page title in both the article settings and in the menu manager (what shows depends upon the context of the page indexed.)

An XML site map is set up and current. (Easy)
XML site maps are used by search engines to ensure that everything that you want indexed and available for searches is included in their results. Setting up a site map is as easy as installing a site map extension from the Joomla! extension directory.

Website is using Google Webmaster tools. (Easy)
Google Webmaster tools is useful for a couple of reasons. For marketing, it will tell you whether Google is having any problems indexing your site. It will also allow you to submit a site map to Google and show you the relative rankings of different pages on your website. Finally, having Webmaster tools installed you enable you to receive alerts if there are any problems with their website's ranking. For example, it's common for Google to remove the site from the search engine results once Google detects that it is been hacked. Webmaster tools will not only let you know that this issue has occurred but also give you a channel to resolve it so that your webpages are in the search results again.

Site is using Analytics tool (e.g. Google Analytics, Kissmetrics, etc.) (Easy)
Analytics tools will provide insight upon how people find and use your site. They are easy to install and provide key marketing information. Additionally, Joomla extensions exist which will integrate the analytics to show you your marketing statistics from your website's administrator area making it easy to keep tabs on this data.

Site uses a blog or other ongoing content creation technique. (Hard)
Search engines put a high importance on fresh content and maintaining a relevant blog or other ongoing content creation stream is a key component of marketing online. Beyond search engine optimization, blogs help to build your brand and display your expertise in your chosen niche. For integrated blogging, there are a variety of techniques you can use from adding comments to articles to using a full-fledged blogging component like Easy Blog.


John Hooley
President, Steward

John is a graduate of 10,000 Small Businesses, a certified Customer Acquisition Specialist, and a Zend Certified Engineer. He speaks and writes on connecting digital strategy to association goals. Outside of work he's an avid traveler, climber, diver, and a burgeoning sailor. He also volunteers with Rotary and Big Brothers Big Sisters.