Joomla! is a popular Content Management System (CMS) having the second largest user base on the earth and the Internet is a really big, big, big thing. As good things come in this area, bad things also surface. One of the worst things among them is the security flaws that make websites vulnerable to exploitation.
Security is a huge matter. It is not possible to make the security 100% flawless by following any standards. Because security holes can surface not only in software but also at the hardware level. However, the hope is that security experts have asked to follow some steps regarding stepping up securities.
The Joomla! The team is very serious about security. Whenever any security vulnerability is found, they fix it and release a fix immediately. On their official websites and in many seminars, they have provided many guidelines using various means to ensure the security of the websites.
There are NO perfect Security Measures, but, all we can do is do our best to secure our Joomla! powered websites. In this blog post, I have compiled these security measures to help you raise the security level and safeguard your website.
Security Measures From Within Joomla! CMS
Use a strong password for Super Admin
In most cases, users keep the default “admin” username and password during installation and forget to change it to something rock-solid later. This is seriously bad practice.
Do not use common, guessable words for passwords, like love, god, pass, admin, admin123, etc.
Protect your Administrator page URL
The URL to access Joomla! Administrator page is known to all, www.example.com/administrator. Wrap up this URL in camouflage to protect it from everyone! Use a free Joomla! plugin, AdminExile by Richeyweb.com. Using AdminExile, the administrator URL will take the form of something like,
Reading its document will give you the detailed information.
Use Two-Factor Authentication
Enable Two-Factor Authentication on your Joomla! site. It will provide an extra level of security besides the conventional login system. If anyone gets a hold of your credential, they still need a code that is generated every 30 seconds and the owner of the website has the app that generates the code. There is a detailed discussion on Two-Factory Authentication on Joomla!’s website.
Use the latest Joomla! version
Whenever Joomla! released a new version, whether a major, minor or security fix release, you will receive a notification from your website about the new release. In almost every new release, there are scores of bug fixes and few security fixes. It’s most important to update your Joomla! website as soon as possible.
Failing to update in time, you keep your website open to known security vulnerabilities.
Use the latest version of the extensions you use
All major Joomla! extension providers use the extension update server as per Joomla! standard. Whenever any extension provider publishes a new release of any extension, as a user of that extension, an owner of a Joomla website receives a notification when he/she logs in in the administrator area. Keep your extensions up-to-date when you see such an update notice.
Do not use illegal “Nulled” copies of paid Joomla! extensions
Use extensions from trusted providers. Many users tend to get Joomla! extensions from various websites run by unscrupulous people. These extensions are stuffed with evil code punched into the extensions to get compromised by the host servers and get away with valuable information like credit card info, user info, product info, etc.
If you run an e-commerce business, or blog then run Google Adsense, do not even think of using nulled or illegal copies of paid Joomla! extensions. Using such extensions will leave your website to various exploits and poses serious security holes.
Get rid of unused users
Disable, block or even delete all the user accounts which are not used anymore.
Many times, super user accounts are created for website developers. When the development work is done, these types of accounts will create a security threat to your site. Therefore, it is desirable to delete these types of user accounts as soon as possible.
Disable Error Reporting from Global Configuration on Production Website
Error Reporting is enabled on the default Joomla installation. However, after migrating to the production server, this setting has to be disabled. Because, if there is a script error at the production level, it shows some information about that script with detailed information on the script, which helps hackers to penetrate the security of the site.
In Global Configuration of Joomla!, click on the Server tab and you can turn off error reporting in just one click.
In order to improve the security of the website, the developers’ routine work list must contain a line to stop this error reporting option.
Security Measures outside Joomla!
Host on a reputable hosting providers
Most of the cheap hosting companies sell re-seller hosting through year-end offers and sell them into small packages. Most of them have no experience in the hosting business. They just manage the hosting business solely from a commercial perspective. So, take advantage of the hosting service from a good hosting company, without being deceived by the flashy AD.
Rochen, Siteground, InMotion are good hosting service providers to name a few who are specialized in hosting setup favorable for Joomla! websites. Furthermore, you could get a good Virtual Private Server (VPS) if you are confident to set up one. Digital Ocean and RamNode are two good VPS providers.
Set proper file/folder permission
Due to the fact that most web servers are in Linux, there must be sufficient knowledge of how to set permissions on files and folders in this operating system. Otherwise, setting permission incorrectly means the security of your Joomla! site is blown like cotton in the air. Generally, the permissions of files, folders, and particularly, configuration.php must be set as follows:
- Set the permissions for your Joomla folders to 755
- Set the permissions for your Joomla files to 644
- Set the permissions for your configuration.php file to 444
- Never use 777 (full access) permissions!
From the System Information menu item in Joomla!, your Joomla! website will provide much important information. By clicking on the Folder Permissions tab, it is easy to see and know whether Joomla! File and folder permissions are set correctly on the production server!
After the Joomla-powered website is deployed, this checkup must be kept in the developer’s security routine checkup.
Backup your Joomla Site often
If something goes very, very wrong with your website, like being defaced by hackers, deleting important files, server crash, or the last backup files of your Joomla! website is your only lifeline to save your million-dollar business. It is the quickest and best means to bring your website back online again from the last backup you had taken.
The website and database can be backed up from the Linux hosting server’s cPanel. However, the popular extension on Joomla! to back up websites and databases is Akeeba Backup. The backup system can be automated in Akeeba Backup. Even backup files can be stored in Dropbox and made automated after a certain time interval.
Akeeba has written detailed information on this backup system in their official documentation.
Use Content Delivery Network (CDN)
Content Delivery Network (CDN) is used for better User Experience, reduced server load, reduced latency, and saving your server from traffic surges or spikes. Cloudflare is one of the CDN that you can use freely, besides its commercial packages for more advanced users. One of the benefits of Cloudflare CDN is that it saves your website from a level of a DDOS attack, and unethical attempts to comprise your website, serves the content of your website when your server is down, and many more.
So, it is a good idea to configure your system to get the benefit of using a CDN service.
Security Measures for Joomla!
Check your Joomla! extensions for known vulnerabilities.
Joomla! maintains a list actively where third-party extensions which are found vulnerable are listed. If you use third-party extensions on your Joomla! website, make a list of it. Then match this list one by one in this list. If you have an extension used from this list and decide to continue using them, it means that you have met a hacker and given valuable information about your business to them.
Is it OK to do it?
You can find the list of “Joomla! Vulnerable Extensions List” and see if any of your extension matches.
Get connected to Joomla!’s social media channel and feeds
Prior to the launch of social media, newsletter services and RSS feeds were the usual methods of getting updated blog information. However, after the launch of social media such as Facebook, and Twitter, we can learn their updated information by “Like” or “Follow” the related social pages of any organization. Joomla! announces all their seminars, Joomla Day, boot camps, any updates, and security announcements on Facebook, Twitter, and other media regularly. Therefore, updates to security-related information are easily accessible by connecting to these social media.
Sign up for Joomla security notifications.
“Joomla Security News” has a Subscription List Service, Serious Joomlars should subscribe to this list. If Joomla! finds a security hole in Joomla! or in any of its extensions, then all those who are on this list will be able to know about this security issue announcement.
1. Joomla! Security – https://docs.joomla.org/Security
2. Top 10 Stupidest Administrator Tricks – https://docs.joomla.org/Top_10_Stupidest_Administrator_Tricks