Joomla! Security

Simon Grange.

When your Joomla! site is online, you still have some work to do ;)

You will most certainly want to add new content, edit some of the existing content and maybe also add new features to your site.

But this is not what this chapter is about. A task that requires some commitment is your site's security. The purpose of this chapter is to give you some tips to quickly fix your site in case a security problem arises, e.g. if your site has been hacked, if you or another administrator issued a wrong command, if there's an issue with your host... This chapter will also give you some advice to help you avoid such security issues.


Here are some rules that you should always follow:


1 - Backup, backup and backup

Rule number 1: definitely make backups. If you regularly back up your site, in most cases you will be able to restore it after a hack.

These backups must not be stored on the server on which your site is located. You should transfer them elsewhere and test them. A backup that is not tested is not a backup.

Normally, you should make backups of your site as often as you can. You need to back it up before and after you install, uninstall or update an extension and before and after updating Joomla! itself. You should also save your data after you have created content. You should back up your site after you've made some changes and above all, before you perform any action, especially if you're not sure about how it will affect your site.

If your site goes down or if it's been hacked, it's likely that the best option is to restore it from a recent backup. If your latest backup was made two months ago, you lose two months of work...

To back up a Joomla! site, you need to save both the files AND the database. For more information on how to make a backup of your site, you can read the chapter Back up, Move, Restore a Joomla 3 site.


2 - Updates

Rule number 2: always keep your Joomla! site and your installed extensions updated. With Joomla 3, updates can be done with only a few clicks. Regarding third-party extensions, some of them can also be quickly updated, and for the others, you just need to download a corrective patch which can be installed like any other extension or sent via FTP. It takes only a few minutes.

Each time an update is released, the developers make the changes included in the patch public. It is therefore very important to install these updates quickly.

Remember to make a backup before installing an update ;) 


3 - Passwords

Rule number 3: choose strong passwords. Avoid simple words, or too obvious ones like your name, your first name, your birth date...

To create a strong password, you can for example pick a sentence, keep the first letter of every word (or the second or the last letter) and create a word with them. Capitalize every second letter and add some numbers. This way, the sentence, and consequently your password, will be easy to remember but hard to crack.

Similarly, it is strongly recommended that you do not use "admin" as the administrator username.


4 - Install only useful extensions

Do not make the mistake of installing many extensions. You should install only the extensions that are necessary for your site to work properly. Beginners often install extensions because they find them fancy, funny, or just because they want to try them out. But before you install a new extension on your site, make sure that it is useful, that it matches your needs and install it first on a test site so you can test the extension. If you have useless extensions on your site, uninstall them.

Each extension needs to be maintained, so if you keep extensions that are not updated on your site, you're opening the door to hackers.

You can also have a look at the Vulnerable Extensions List which gathers all known vulnerable Joomla! extensions.


5 - Warez sites

When you download and install extensions from Warez sites, you're also installing malicious code inserted by the people who offer these extensions, not to mention the fact that you're also stealing a developer's work. This malicious code leaves the door open for hackers.

Quick reminder: templates are also extensions.


6 - Choose a good web host

Many users insist on getting their site hosted with a free hosting provider. So, let's say it once and for all: Joomla 3 doesn't work properly on these web hosts.

And if by any chance you manage to install Joomla! on one of these hosts, not only will you find bugs but you will probably also face security issues.

You can get a proper and reliable web host for about 3 euros per month (hosting services + domain name).


7 - Folder and file permissions

You may need to change the permissions of the folders and files of your Joomla! site. Before you edit these permissions, make sure that you know what you're doing and ask your host to give you some advice.

For security reasons, you should NEVER have 777 permissions (except if specifically recommended by your host). Normally, you should have 755/705 permissions for your folders and 604/644 for your files.
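To check an existing site against these values, the following shell functions list every folder and file whose mode differs from the ones recommended above, plus anything writable by all users. This is an added example, not part of the original chapter; the function names and the sample path in the comment are assumptions, and it only reports, it changes nothing.

```shell
#!/bin/sh
# Added example: audit a Joomla! tree against the modes recommended above.
# Reports only; it never changes a permission.

# Anything writable by "others" (covers 777, 666, 757, ...).
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}

# Folders whose mode is neither 755 nor 705.
bad_dirs() {
    find "$1" -type d ! -perm 755 ! -perm 705 -print
}

# Files whose mode is neither 644 nor 604.
bad_files() {
    find "$1" -type f ! -perm 644 ! -perm 604 -print
}

# Print "check<TAB>mode<TAB>path" for every finding; return 1 if any exist.
audit_perms() {
    root=$1
    status=0
    for check in world_writable bad_dirs bad_files; do
        out=$($check "$root")
        if [ -n "$out" ]; then
            printf '%s\n' "$out" | while IFS= read -r p; do
                mode=$(ls -ld "$p" | cut -c1-10)
                printf '%s\t%s\t%s\n' "$check" "$mode" "$p"
            done
            status=1
        fi
    done
    return $status
}

# Run only when a path is supplied, e.g.: sh audit.sh /path/to/joomla
# (the path is a placeholder for your own site root).
if [ "$#" -ge 1 ]; then
    audit_perms "$1"
fi
```

Some hosts require different modes for writable folders such as cache or upload directories, so review each finding with your host before changing it.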


8 - Third-party extensions

You can find many extensions enabling you to improve your site's security. For example:


aeSecure allows you to secure your Joomla! site on different levels. The extension intercepts all access to your website even before the URL reaches your PHP pages. Therefore, Joomla! will not even see a dangerous URL, because it has already been blocked by aeSecure.

aeSecure also allows you to "hide" your administration login page, to check your file and folder permissions, to "hide" the version of Joomla! you're using, etc.

aeSecure is very simple to use and to install, and above all, it is easily manageable because all the functionalities are gathered on the very same screen. Each parameter can be simply enabled or disabled thanks to an on/off button.

You will find more information on aeSecure in the article Secure and Optimize your websites with aeSecure, and you can download aeSecure from the author's website.



Admin Tools is a Joomla! component with different functionalities such as the "hidden" feature which hides the login page of your admin area. You can also change your database table prefix and enhance your site security by changing your htaccess file. You can download Admin Tools from the author's website.


Other extensions

You can find other interesting extensions in this JED category and you can also have a look at Crawlprotect, an extension that blocks hacking attempts on your site.


Even if you scrupulously follow these rules, you must keep in mind that nothing is absolutely risk-free. There's always a possibility, a slight chance that your site can get hacked. In this case, a major part of the work to fix your site is already done if you have followed rule 1.