How to Secure Joomla

New to DJ-Extensions?
How to Secure Joomla
31 May 2016
Follow Us

How to Secure Joomla

26 November, 2021

Joomla, along with WordPress, is the most recognized and used web development platform in the world. In this article, we explain how to secure Joomla and monitor its performance. Joomla can be secured from unauthorized access, bugs, trojans, and any other form of malware. Your website is your intellectual property, and securing it is critical. This article discusses how you can enhance the security of your data in Joomla and prevent any data loss or theft.

Keep your Joomla and extensions updated.

Joomla can be efficiently secured if you ensure that all the extensions are updated, and only the latest ones are installed. It will help negate any vulnerabilities that might have existed in the previous versions.

The developers consistently strive to detect and patch the vulnerabilities in their products. Hence, by ensuring that only the most recent version of the extensions is installed with your Joomla, you will be able to secure your data. It will also allow you to derive the best performance from Joomla as the latest extensions will be compatible with Joomla.

Joomla also provides a list of extensions that it considers vulnerable – the "Vulnerable Extensions List" (here's the live version: ). By tracking it, you will know which extensions require your attention so that you can take the necessary action.

Download extensions and themes only from official repositories

Using extensions (components, modules, and plugins) and templates downloaded directly from official sources is a crucial task. Unofficial sources often provide an additional code that can be a gate for attackers interested in infecting your site.

Even if you are on a tight budget, it is not a good idea to download premium extensions for free from untested sites. It is also often a trap, as they are infected with malware.

Don’t install too many extensions - remove old and unnecessary ones

Keeping your Joomla clutter-free from all the obsolete and unwanted extensions is an excellent way to improve its performance and boost security.

Only install the extensions that you will be using. If there is an extension you don't need, get rid of it. It will reduce the processing requirement and protect Joomla from any vulnerabilities in the unwanted extensions that the hackers can potentially exploit. Again, only install extensions from known and secure sources.

If you already use Joomla and have extensions installed to it, review them, and if there are extensions from unknown developers, uninstall them immediately.

Choose a Reliable Hosting Company

Secure Joomla hosting is always a vital investment for your business. You should know that not all hosting companies offer secure Hosting (protect PHP applications like Joomla!).

Don't leave yourself open to hackers, and don't allow them to affect the whole operating system.

The same rules apply to PHP and web server installation as Joomla and extensions. Make sure your PHP version is up to date, or choose a hosting company that will proactively do this for you.

Regular backups

Taking regular backup is helpful if there is data loss due to a system crash or if somehow a hacker gains access to it and deletes it. Ensuring regular and scheduled backups helps you retrieve your data if you lose it and restore your Joomla website. A weekly backup is advisable. Plan a schedule and adhere to it. Use Akeeba Backup for backups.

Disable FTP layer in Joomla

The FTP layer is a significant security hole in Joomla, considered an insecure protocol (it does not use encryption), and comes with inherent data security risks.

Data sent via FTP is vulnerable to various types of attacks. However, in many cases, the FTP layer is unnecessary for Joomla, and there is no need to enable it (it is disabled by default).

However, if you have enabled it for some reason, it is recommended to disable it immediately after use. It can be done directly from Global Configuration under the "server" tab.

Use a solid admin password.

A strong password is the most critical and effective way to secure your online accounts, whether it's an email, your bank account, or Joomla. However, it is often the factor that gets easily overlooked by many, as they don't understand how crucial it is NOT to keep the default admin or an easy password.

The more complicated the password, the more difficult it is for the attackers to crack it. The most secure passwords are long and have a combination of capital and small alphabets, numbers, and unique characteristics.

Hide the admin login URL

You can significantly improve the security of your Joomla! website if you restrict access to your admin area. There are two popular ways to achieve this goal:

  • replace or hide the login page URL (It is straightforward to change the login page URL with security extensions found on JED like Akeeba Admin tools or RSFirewall.)
  • password protect your administrator page by locking it (It can be done from cpanel main page.)

Login using two-factor authentication

Usually, when you log in to a website, you need to provide a username and password. This solution can be insecure as it's sufficient to have both data to log in to the website. Login and password can be stolen (for example, when using unsecured public WiFi hotspots), broken with brute-force attack or phishing, or just guessed. You can prevent that by using the two-factor authentication that is built-in to Joomla.
With Joomla's built-in plugin, you can enable 2FA for administrator and frontend logins. Joomla 2FA allows users on your site to use two-factor authentication using Google Authenticator or other compatible time-based One Time Password generators, for example, FreeOTP.

Learn how to enable two-factor authentication in Joomla

Use a login protection extension

Joomla provides a range of admin login protection extensions that help secure your login credentials from attackers. These extensions offer privileged and secure access to your Joomla login. You can select from a host of attachments and do some research by reading the user feedback about which extension to use along with your Joomla. Also, you need to ensure that only the latest versions of these extensions are installed. Keep tracing the updates released by the developers of the extensions to get the latest update. Similarly, always install extensions from known sources such as those listed on Joomla's website.

Force users to change the password frequently.

A good security solution is to force your current and new Joomla users to change their password on the first login and after a selected number of days.  

You can, for example, select password change after X days - and the user will be prompted to change the password after a set period.

You can easily achieve this goal using the free Joomla extension: DJ-PassReset.

Use security extensions

If you are worried about your site protection, install a security extension. Use it to block hacker attacks and close your website's security holes.
There are a lot of Joomla security extensions that will protect your website from attacks.

Security extensions offer features as:

  • Block certain IPs
  • Adding backend password
  • Prevent brute force attacks
  • Detecting and deleting dangerous files
  • Optimizes and repairs database
  • Displays CAPTCHA during login
  • Automatically updating extensions
  • Website's backup
  • Website's scan
  • Check SSL certificate

Some of the most reliable Joomla security extensions are RSFirewall! and Akeeba Admin Tools.


Captchas are supposed to decide whether a website user is a human or a bot. The acronym stands for "Completely Automated Public Turing test to tell Computers and Humans Apart."

This feature is handy for stopping automated bots from accessing your Joomla dashboard, as well as submitting unwanted spam through forms.

Learn how to use reCaptcha in Joomla

Switch to HTTPS and SSL 

HTTPS is now a standard. For most Joomla-based sites, the reason to use it is the login page (SSL increases the security of the site)
whereas for eCommerce sites, the reason to use an SSL certificate is that online shops process sensitive data.
If sites are not running over an HTTPS connection, then the username and password are sent in the clear/standard text over the internet and can easily be stolen by hackers.

Joomla brings a Force HTTPS feature to force the SSL (Secure Sockets Layer) Certificate on your Joomla-powered site. 

Usually, it's also possible to force SSL right in your hosting cPanel.

Learn more from the tutorial: How to use SSL on the Joomla website?

Monitor and audit your website

To have complete and constant control over your site, you need to be informed that it is up to date and still working. You also need to monitor it to make sure it hasn't been hacked. Several proven tools will allow you to gain this control - for example, or Watchful.

In addition to the monitoring, it's a great tool that will enable you to keep your installed extensions and Joomla up to date. It is also a great tool to manage many Joomla and WordPress websites.

DDoS protection

DDoS means: Distributed Denial of Service. DDoS is an attack in which multiple computer systems attack a target, such as a server, website, or another network resource, and cause a denial of service to users of that resource. The attacks result in system slowdowns, crashes, or website closures (preventing it from functioning).

Take precautions and ensure protection. By using Cloudflare's DDoS services, you get protection for your servers with complete DDoS protection against cyber threats.

Cloudflare offers DDoS protection solutions that protect everything on your cloud and local network. Websites, applications, and networks - all are protected thanks to their global cloud network.

Cloudflare has free plans that are sufficient for basic security, and in Pro, plans have options to secure Joomla specifically.

Uptime monitoring

Several tools will notify you when your website is down. We're using both Freshping and UptimeRobot, and they have free plans to monitor your website from different locations to let you know when the site is down. 


Follow steps from our guide, and drop your chances of being hacked. It can take some time to implement all (or most of) recommended solutions, but only this way you'll avoid struggling with your hacked website. After all, you will feel confident, knowing your Joomla site a little more secure from various threats.

If you have any other suggestions - let us know in the comments, and we'll update this article. Thanks.

© 2023 All rights reserved.