How to Keep Your Joomla Site from Being Hacked

Maintaining a secure website is a top concern for a lot of people, and many look for the best ways to keep their sites safe. The harsh reality is that no system is ever a hundred percent secure: whether it’s Joomla or the mainframe system running your bank accounts, both are susceptible to security breaches. That doesn’t make it a hopeless case. You can still do something to protect your site from attackers and hardware failures. Here’s how:

  • 1. Update everything!
  • 2. Follow the basics:
    • Never use “admin” as your username.
    • Use a secure password.

To create the strongest password possible, you can take a line from your favorite movie or a long phrase you read in a book. Add punctuation symbols, remove white spaces, add capital letters and you will have something strong like: We.all?Go!Alittle I Mad2sometimes.

Remember to:
i. Avoid using password generators.
ii. Refrain from using very common words such as pass, love and admin.
iii. Avoid using your personal information as a password.

  • 3. Protect your administrator folder with a password.
    • Go to cPanel > Password Protect Directories > Administrator.
  • 4. Restrict administrator area access by IP.
    • Check your IP at
    • Add this rule to the .htaccess file in your administrator folder:

      Deny from all
      Allow from (your IP address)

  • 5. Fix your ownership and permissions.
    • Files: 0644
    • Folders: 0755
    • configuration.php: 444
    • Remember never to use 777 permissions.

Fixing your permissions in cPanel:
a. Go to cPanel > File manager.
b. Click Change Permissions and check all boxes for the Read row, the User box for the Write row and all boxes for the Execute row as well.

  • 6. Keep PHP scripts in the appropriate folders.
    • In the media, logs, libraries and language folders: Deny from all

  • 7. Legacy security issues (note that this is only for Joomla 1.5 and older):
    • Change your default admin username.
    • Change the default jos_ DB prefix.
  • 9. Stay updated on the top security updates by subscribing to Joomla feeds:
  • 10. Establish a Joomla RSS feed:
    a. Log in to the Joomla admin area.
    b. From the menu, choose Extensions > Module Manager > Administrator.
    c. From the icon menu, choose New and select Feeds Display.
    d. Enter the details asked for in the configuration page.
    e. Enter the Feed URL.
    f. Choose cpanel as the position.
    g. Click Save.
  • 11. For additional protection through .htaccess rules:
    • Avoid visual fingerprinting
    • Block popular tools hackers typically use
    • Remove PHP sensitive data
  • 12. Finally, make sure you keep a backup of everything!
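
One way to check a site tree against the modes in step 5, as an added example that is not part of the original article: it walks a directory and reports every file or folder whose mode differs from 0644/0755 (444 for configuration.php in the site root), marking world-writable entries. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

FILE_MODE, DIR_MODE, CONFIG_MODE = 0o644, 0o755, 0o444  # targets from step 5


def audit_permissions(site_root):
    """Return sorted (relative path, actual, expected, world_writable) per mismatch."""
    findings = []
    config_path = os.path.join(site_root, "configuration.php")
    for dirpath, dirnames, filenames in os.walk(site_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is meaningless; skip it
            actual = stat.S_IMODE(st.st_mode)
            if stat.S_ISDIR(st.st_mode):
                expected = DIR_MODE
            else:
                expected = CONFIG_MODE if path == config_path else FILE_MODE
            if actual != expected:
                findings.append((os.path.relpath(path, site_root), format(actual, "04o"),
                                 format(expected, "04o"), bool(actual & stat.S_IWOTH)))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample tree (not a real site) with deliberate mistakes."""
    layout = {
        "configuration.php": 0o644,   # should be 444
        "index.php": 0o644,           # correct, must not be reported
        "images/upload.php": 0o777,   # world-writable file
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "images"), 0o777)  # world-writable folder
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_permissions(build_sample_tree(tmp)):
            print(*finding)
```

Point `audit_permissions` at a copy of your own document root to get the list of entries to fix; the last field is `True` for anything any user on the server can write to.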

You also have the option to protect your server using ModSecurity. Here’s how:

ModSecurity is an application firewall engine, but it provides little protection on its own. To be useful, it needs to be configured with these rules:

    • OWASP rules – provide generic protection from vulnerabilities found in web applications.
    • Trustwave paid rules – complement the open source OWASP CRS and create custom virtual patches for public vulnerabilities.
    • Atomic rules – provide a powerful, easy-to-use GUI for managing ModSecurity.

Just follow the simple guide above and your Joomla server will remain hack-proof in the days to come!
