Joomla Security - Complete 10 Step Guide

Joomla is a free open source content management system (CMS), built on an MVC framework. It is currently the 2nd most widely used CMS on the internet at 2.6%. While that doesn't sound like a lot, that is still millions of businesses and blogs that have chosen to power their websites with Joomla. As with any major platform, additional security concerns always present themselves. Your risk of attack is greater and vulnerabilities are constantly being discovered or exploited. Follow our complete guide below on what you can do to harden your Joomla security and help prevent yourself from getting hacked or becoming a victim of the next brute-force attack.

Joomla vulnerabilities

So just how at risk are you when it comes to using Joomla to power your website? Well, according to CVE Details, an online security vulnerability data source, there have been 321 Joomla vulnerabilities reported to date (since 2005).

Compared with the figures in our previous posts on Drupal security and WordPress security, Joomla's vulnerability rate relative to its market share is lower (at least in the past seven years). So just from the data it appears that Joomla is the more secure CMS.

What types of Joomla vulnerabilities are they? According to CVE Details, 39% of Joomla vulnerabilities are from remote code execution. You can see the percentages of the rest below.

You can stay up to date with security incidents and vulnerabilities by subscribing to Joomla's official security announcements RSS Feed. You can also see a full list of Joomla vulnerabilities on CVE details.

Joomla security

Even though Joomla is a pretty secure CMS, it is still very widely used, which means it is always going to be at risk of being attacked or hacked. You can't prevent every security breach; the best thing you can do is implement the best security practices to protect yourself. Follow the recommendations below to harden your Joomla security.

No matter what, you should always keep your version of Joomla up to date as well as all of your extensions. Developers patch these for a reason and if you fall too far behind you will open yourself up to a lot of vulnerabilities, as hackers generally target older versions. One example is the SQL injection vulnerability discovered in October 2015, which affected millions of Joomla installations. You can always download the latest version of Joomla from joomla.org. In these examples we are using Joomla 3.4.8, which was released on December 24th, 2015.

If there is an update for Joomla available it will show up in the administrator dashboard. You can also use a free extension like Akeeba CMS Update to auto update your Joomla installation and back it up at the same time.

To check or run updates, navigate to "Components" > "Joomla! Update." If there is an update available click on "Install the Update." Joomla will then begin updating your installation which will take a few minutes. Joomla will log you out after the install has completed.

It is also recommended to only use trusted Joomla extensions and templates. Get your extensions and templates from the Joomla extensions directory or from well-known companies. This will cause fewer problems for you in the future.

Always back up your Joomla website. Keeping regular backups allows you to quickly roll back and restore your CMS in case of an attack. We also recommend running backups before you update your Joomla version and extensions. You can easily test your updates locally using software like XAMPP or MAMP before pushing the changes to your production site.

There is also a very popular (almost 1,000 reviews) free backup extension available for Joomla, Akeeba Backup, that we recommend. This extension features:

One click backup.

Site transfer wizard. Transfer your site between servers fast and easily.

AJAX powered backup

The fastest native PHP backup engine.

Exclude specific files, folders

Exclude specific database tables or their contents

Unattended backup mode (CRON job scheduling)

Restore with Akeeba Kickstart (free of charge script)

Archives can be restored on any host. Useful for transferring your site between subdomains/hosts or even to/from your local testing server (XAMPP, WAMPServer, MAMP, Zend Server, etc).

2. Smart usernames and passwords

Be smart with the usernames and passwords that you choose to use in Joomla. Don't use "admin" as your username, and choose a more complex password. This is probably one of the best ways to harden your Joomla security, and ironically it is one of the easiest. Many people, though, use something they can easily remember such as "1234567" and end up regretting it later when they are hacked. Remember there are always bots crawling the internet and as your site grows they will always be trying to spoof your login. See this guide on how to choose a strong password.

Approximately 76 percent of attacks on corporate networks involved weak passwords. - applieddi

Unlike WordPress where you can only change your administrator's username in the database, Joomla lets you update your administrator's username from the dashboard. Follow these quick steps.

Click into "Users" > "Manage", select your administrator's (Super User) account and click on "Edit." Then simply change the value in the "Login Name" field and click "Save."

We also recommend using a free program like KeePass or KeePassX, which allows you to generate secure passwords and store them in a database locally on your computer.

3. Joomla security extensions

There are a lot of good Joomla security extensions which will lock down your site and help protect you from attacks. These plugins allow you to rate limit or block security threats, block malicious networks, scan for vulnerabilities, enforce strong passwords, see which files have changed, implement a firewall to block common security threats, and much more. Here are some popular Joomla security extensions:

ACL Manager: Easily discover & fix issues with your Joomla assets (permissions) table / ACL.

AdminExile: Brute force detection, blacklist and whitelist IPs.

QuickLogout: Get rid of logout confirmation prompt to ensure people log out.

Securitycheck Pro: A global protection suite designed to protect your website without affecting your server's speed.

jomDefender: CSRF prevention, remove Joomla PHP header, Admin password prompt

There are three additional security extensions which deserve a little more attention. The first is Akeeba Admin Tools. This developer makes great Joomla extensions. The basic version of the extension will:

Notify you about and install new Joomla! releases

Fix your files and directories permissions

Secure your administrator directory with a password

Change your database prefix

Set a secure Super Administrator ID

Migrate links pointing to your old domain on the fly

The professional version includes additional features such as:

Restrict administrator with a secret URL parameter

Web Application Firewall to block common exploits (SQL injection, XSS, DFI, RFI, malicious user agent, CSRF/spam-bot protection, uploads scanner)

IP Whitelisting for the administrator section

IP Blacklisting

Geographic block (deny access to specific countries/continents)

Automatic IP blocking of repeat offenders

If you are going to invest in a Joomla security plugin, that is the one you want to go for.

You can also scan your Joomla site with Sucuri's Website Malware and Security Scanner and Unmask Parasites. If the test doesn't show any threats, it does not guarantee your website is completely secure; it just shows that the site poses no immediate threat to visitors.

The second Joomla security extension we recommend taking a look at is jSecure. It offers two-factor authentication to further prevent someone from getting access to your site. KeyCDN also now has two-factor authentication so you can secure Joomla on your web host as well as on your CDN account.

The third Joomla security extension we highly recommend is ECC+ - EasyCalcCheck Plus. This extension protects Joomla! core forms and third party extensions through the integration of anti-spam services and adds an arithmetic problem, a question, a hidden field and a time lock. It is developed by Viktor Vogel, a Joomla! specialist at 1&1 Internet SE. It also features the following:

Integrated external antispam services: Google ReCaptcha, Akismet, Honeypot Project, StopForumSpam, Mollom, Bot-Trap, Botscout

Protects the backend via a token.

SQL Injection and Local file Inclusion protection.

Joomla also has a great guide on securing your Joomla extensions with additional tips on protecting yourself against XSS, SQL injections, remote file inclusion, and more.

4. Block bad bots

There are always bad bots, scrapers, and crawlers hitting your Joomla sites and stealing your bandwidth. You can see a comprehensive list of bots at botreports.com. Many of the security extensions mentioned above can work great to block bad bots, but sometimes you might need to do this at the server level. If you wanted to block multiple User-Agent strings at once, you could add the following to your .htaccess file.

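# Return 403 Forbidden when the User-Agent contains any listed string (case-insensitive).
# The space in "Catall Spider" is escaped so Apache reads the pattern as a single argument.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*(agent1|Wget|Catall\ Spider).*$ [NC]
RewriteRule .* - [F,L]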

Or you can also use the BrowserMatchNoCase directive like this:

# Order/Allow/Deny is Apache 2.2 syntax; Apache 2.4 provides it through mod_access_compat.
BrowserMatchNoCase "agent1" bots
BrowserMatchNoCase "Wget" bots
BrowserMatchNoCase "Catall Spider" bots
Order Allow,Deny
Allow from ALL
Deny from env=bots

And here is an example on Nginx.

# The regex is quoted because it contains a space.
if ($http_user_agent ~ "(agent1|Wget|Catall Spider)") {
    return 403;
}

KeyCDN now has a feature as well that you can enable to block bad bots on the CDN side to save money on bandwidth.

5. Secure connections

No matter where you are, you should always try to ensure the connections you are using are secure when connecting to your Joomla website. You should use SFTP encryption if your web host provides it, or SSH. If you are using an FTP client the default port for SFTP is usually 22.

Some FTP clients store passwords in plain text or encoded on your computer. Even some encoded passwords can be converted back to the original. We recommend not saving FTP passwords in the client, or setting up what some call a master password.

It is also important to make sure your firewall rules are set up properly on your home router. And remember, whenever you work from a public place like an internet cafe or Starbucks, these are not trusted networks.

Your web host where your website resides should also be running secured hosting. This means Joomla should always be running on up-to-date, supported versions of PHP and MySQL, with account isolation, web application firewalls, etc. Be careful with cheap shared hosts as you can run into issues if they are overcrowding servers and sharing resources such as IPs.

6. File permissions

To protect your Joomla website, make sure you use the correct file permissions. Each directory and file has different permissions which allow people to read, write and modify them. If your permissions are too loose, this could open up a door for an intruder; if they are too restrictive, this could break your Joomla install, as extensions and the Joomla installation need to be able to write to certain directories.

Joomla has good documentation on security permissions.

Usually setting files or folders to a CHMOD of 777 or 707 is only necessary when a script needs to write to that file or directory. Joomla recommends the following configuration on default installs:

PHP files: 644

Config files: 644

Other folders: 755

However, you can get even more restrictive than the above recommendations to really lock down your installation.
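To check an existing site against the defaults listed above, the following script (an added example, not part of the original guide; the function names are illustrative) reports every file that is not 644 and every folder that is not 755, lists anything world-writable (the 777/707 case), and can reset the tree to the defaults.

```shell
#!/bin/sh
# Added example: audit a Joomla tree against the modes listed above
# (files 644, folders 755). Function names are illustrative.

# Print "file <path>" / "dir <path>" for every entry that deviates.
list_deviations() {
    find "$1" -type f ! -perm 644 -print | sed 's/^/file /'
    find "$1" -type d ! -perm 755 -print | sed 's/^/dir /'
}

# Print entries that any local user could modify (the 777/707 case).
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Reset the whole tree to the recommended defaults.
reset_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Exit status 0 only when nothing deviates; usable from cron or CI.
perms_ok() {
    [ -z "$(list_deviations "$1")" ]
}

# Usage: sh audit.sh /path/to/joomla   (the path is supplied by the operator)
if [ "$#" -eq 1 ]; then
    list_deviations "$1"
    list_world_writable "$1" | sed 's/^/world-writable /'
fi
```

Run the report first and review it before calling reset_perms, since some extensions expect particular directories to stay writable.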

7. Protect administrator login

You can further harden your Joomla security by password protecting your admin login area. You can easily do this with the free Admin Tools extension we mentioned above.

Click into "Components" > "Admin Tools", and click on "Password-protect Administrator." This feature will password-protect your administrator area using .htaccess files. Your server must support this type of password protection.

You can also do this manually in your .htaccess file.
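One way to do the manual setup, as an added example that is not from the original guide: the script below appends an HTTP Basic auth block to administrator/.htaccess. It assumes the Joomla root is the web root and that the password file was already created with Apache's htpasswd utility; the function name and paths are illustrative.

```shell
#!/bin/sh
# Added example: password-protect administrator/ by hand with HTTP Basic auth.
# Assumes the password file already exists, e.g. created with
#   htpasswd -c /path/outside/webroot/.htpasswd <user>   (placeholder path)

# write_admin_auth <joomla_root> <htpasswd_file>
write_admin_auth() {
    root=$(cd "$1" && pwd -P) || return 1
    pw_dir=$(cd "$(dirname "$2")" && pwd -P) || return 1
    pw_file=$pw_dir/$(basename "$2")
    target=$root/administrator/.htaccess

    [ -d "$root/administrator" ] || { echo "no administrator/ under $root" >&2; return 1; }
    [ -f "$pw_file" ] || { echo "missing password file $pw_file" >&2; return 1; }
    # A password file inside the web root could be downloaded; refuse it.
    case $pw_file in
        "$root"/*) echo "password file is inside the web root" >&2; return 1 ;;
    esac
    # Do not stack a second auth block onto an existing one.
    if [ -f "$target" ] && grep -qi '^[[:space:]]*AuthType' "$target"; then
        echo "$target already has an AuthType" >&2; return 1
    fi

    cat >> "$target" <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile "$pw_file"
Require valid-user
EOF
}

# Usage: sh protect-admin.sh /path/to/joomla /path/outside/webroot/.htpasswd
if [ "$#" -eq 2 ]; then
    write_admin_auth "$1" "$2"
fi
```

Basic auth sends the credentials with every request, so pair this with the HTTPS setup described in step 9.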

8. Enable search engine friendly URLs

It is always recommended to enable search engine friendly URLs and hide the file names such as index.php from appearing in your URL structure. This helps mask information and prevent hackers from finding vulnerabilities.

Click into "System" > "Global Configuration", and enable both "Search Engine Friendly URLs" and "Use URL Rewriting."

If using Apache, rename htaccess.txt to .htaccess before activating. If using IIS 7, rename web.config.txt to web.config and install the IIS URL Rewrite Module before activating.

9. SSL certificate

HTTPS everywhere is happening. For ecommerce sites, the reason you need an SSL certificate is because they are processing sensitive data. For other sites the biggest reason for this is your Joomla login page. If you aren't running over an HTTPS connection your username and password are sent in clear text over the internet. Many people will argue that blogs and informational sites don't need to be running on HTTPS, but how important are your login credentials? Also, many sites have multiple authors logging in from all sorts of different networks, so running over a secured connection can only help harden your Joomla security.

With the SEO advantages of HTTPS and performance benefits of HTTP/2 there is no reason not to be running on HTTPS and using an SSL certificate. And KeyCDN now also offers free SSL certificates with our Let's Encrypt integration.

We also recommend checking out Joomla's security guide as it has a lot of useful information. It is also important to note that as of Joomla 1.7, they started using random database prefixes for more security. In our WordPress security guide and Drupal security guide we recommend changing this, but there is no need in Joomla.

10. Harden HTTP security headers

HTTP security headers provide yet another layer of security for your Joomla site by helping to mitigate attacks and security vulnerabilities. They usually only require a small configuration change on your web server. These headers tell your browser how to behave when handling your site's content. Below are six common HTTP security headers we recommend implementing and/or updating.

Make sure to check out our in-depth post on HTTP security headers.

Summary

As you can see, there are many ways you can harden your Joomla security and some great extensions to help you do so. These range from keeping Joomla and extensions up to date and being smart with usernames and passwords to using security extensions, secure connections, file permissions, two-factor authentication, an SSL certificate and more. Many of these recommendations can be implemented within a matter of minutes and you can rest easy knowing your Joomla site is a little more secure from intruders and hackers.

Have any other good Joomla security tips that you think we missed? If so, let us know below in the comments!