Best Practices to Secure and Harden Joomla Web Site

Protecting your website is essential to your online business availability and operations.

Internet security is a fast moving challenge, and one should always keep an eye on online threats found almost every week. You may not need to do this manually instead you can perform regular security scan to your website.

There is no perfect security, but you can do your best to secure them.

Joomla is second largest CMS downloaded over 68 million times and latest research by SUCURI reveals second infected website platform.

website-infected-platform

Most of the websites are hacked due to misconfiguration, or vulnerable code. The following practices would help to boost the Joomla security.

1. Secure Administrator login with Strong password

Don’t leave default administrator account as “admin” and bad password; this is probably the biggest risk in Joomla. By keeping default “admin” and guessable password, you are helping Hacker in their job.

Solution:

Change default administrator login “admin” to something else, which is not easily guessable.

Use a password manager to generate long, complex password strings. Avoid keeping password with includes your name, site name. You may prefer to use Secure Password Generator.

2. Take Regular Joomla Backup

Backup is your friend and a life saver. When things go wrong, backup is probably one of the quickest ways to restore your online business operations.

Solution:

Host your website with a reliable hosting company, which provides good backup plan like SiteGround. SiteGround is one of the best hosting providers who take daily backup in free. Along with hosting backup, use an extension like Akeeba backup.

3. Use secret key to login into Joomla Admin

Hide your administrator backend from potential hackers and allows those that have secret URL to access the administration area.

Solution:

Use login protection extension like KSecure who helps you to add a secret key. This means whenever you need to access admin login page you need to enter the secret key after administrator?.

For ex: example.com/administrator?testing

testing is the secret key here. If you don’t use this key, then you will be redirected to home page. Isn’t cool?

4. Use the latest version of Joomla & Extensions

Most of the website owner don’t upgrade to the latest version which is a big risk. Almost every release, you will notice some security fixes so not upgrading to the latest version means keeping your website vulnerable.

Solution:

Review vulnerable extension list provided by Joomla and update the outdated extension. Review the change log each time Joomla release and upgrade if you see any critical fixes.

5. Monitor your Joomla site

How do you know when your website goes down or defaced? Get notified by email, slack or SMS when your website is not reachable so you can take necessary actions immediately.

Solution:

Use a FREE tool like StatusCake which monitors your website and notifies you when it goes down. 

6. Enable Search Engine Friendly (SEF)

SEF make the URLs of your Joomla website more Search Engine Friendly. And good SEF component also gives security benefit. An SEF component masks that information and makes it harder for a hacker to find eventual security vulnerabilities.

Solution:

Enable Search Engine Friendly URLs into Joomla Administration area.

  • Login into Joomla Administration
  • Click on Site>>Global Configuration
  • On Site, tab selects “Yes” next to Search Engine Friendly URLs

7. Delete unwanted & avoid unidentified developer’s extension

Joomla is open source, and as an Administrator, you install many modules to try out new functionality. It’s good to try and improve but bad without knowing developer you install a module. Delete extensions, which you are not going to use.

8. Use Security Extensions

Use extensions to fight with spam, brute force, two-factor authentication and known vulnerabilities. There are many, and I’ve listed 12 extensions for Joomla security. If your website is not available on public Internet, then you may try Joomscan which you can install on your server and perform the security audit.

9. Keep file/folder permission appropriate

All files should have good CHMOD configuration. Preferably,

PHP files – 644

Config Files – 644

Other folders – 755

10. Use Web Application Firewall

Web Application Firewall (WAF) is essential for any website to protect from top OWASP 10 security, known vulnerabilities & malware. If you are hosting your Joomla website on VPS, then you may use ModSecurity which is free. However, if you are on shared hosting or don’t have time, then you may consider cloud-based web application firewall. Using WAF will help you from following.

  • Bot protection
  • Login protection
  • Backdoor protection
  • DDoS protection
  • SQL injection
  • XSS attack
  • Joomla specific vulnerabilities
  • Brute force attack
  • Layer 7 DDoS protection
  • and much more…

If you follow these steps, the chances that your Joomla website is more secure and you’ll be able to recover from a hack quickly than ever. I hope this helps you.

Was this answer helpful?

 Print this Article

Also Read

How to Use an SSL certificate for WordPress Multisite

If you want to enable HTTPS everywhere, then there are simple steps that can make your multisite...

How to Password Protect a Directory

This tutorial will teach how to password protect a directory. Password protecting a directory...

Ways to Secure Your WordPress Site You’ve Probably Overlooked

WordPress security is often referred to as “hardening.” Makes sense. After all, the process is...

Our Server Security Measures

Security is of paramount importance on today's internet. We pay special attention to each...

About Let's Encrypt

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s...


Our official partners