• Get application security done the right way! Detect, Protect, Monitor, Accelerate, and more…
  • Protecting your website is essential to your online business availability and operations.

    Internet security is a fast-moving challenge, and one should always keep an eye on online threats found almost every week. You may not need to do this manually instead you can perform a regular security scan to your website.

    There is no perfect security, but you can do your best to secure them.

    Joomla is the second largest CMS downloaded over 110 million times and the latest research by SUCURI reveals a second infected website platform.


    Most of the websites are hacked due to misconfiguration, lousy hosting or vulnerable code. The following practices would help to boost the Joomla security.

    Secure Administrator login with Strong password

    Don’t leave default administrator account as “admin” and bad password; this is probably the biggest risk in Joomla. By keeping default “admin” and guessable password, you are helping hackers in their job.


    Change default administrator login “admin” to something else, which is not easily guessable.

    Use a password manager to generate long, complex password strings. Avoid keeping password with includes your name, site name. You may prefer to use the Secure Password Generator.

    Take Regular Joomla Backup

    Backup is your friend and a lifesaver. When things go wrong, backup is probably one of the quickest ways to restore your online business operations.


    Host your website with a reliable hosting company, which provides an excellent backup plan like SiteGround. SiteGround is one of the best hosting providers who take daily backup free. Along with hosting backup, use an extension like Akeeba backup.

    Use secret key to login into Joomla Admin

    Hide your administrator backend from potential hackers and allows those that have a secret URL to access the administration area.


    Use login protection extension like AdminExile who helps you to add a secret key. This means whenever you need to access the admin login page you need to enter the secret key after administrator.

    Ex: example.com/administrator?testing

    testing is the secret key here. If you don’t use this key, then you will be redirected to the home page. Isn’t cool?

    Use the latest version of Joomla & Extensions

    Most of the website owners don’t upgrade to the newest version which is a significant risk. Almost every release, you will notice some security fixes so not upgrading to the latest version means keeping your website vulnerable.


    Review a vulnerable extension list provided by Joomla and update the old extension. Review the change log each time Joomla releases and upgrade if you see any critical fixes.

    Monitor your Joomla site

    How do you know when your website goes down or defaced? Get notified by email, Slack or SMS when your website is not reachable so you can take necessary actions immediately.


    Use a FREE tool like StatusCake which monitors your website and notifies you when it goes down. There are many others do similar jobs which I mentioned here.

    Enable Search Engine Friendly (SEF)

    SEF makes the URLs of your Joomla website more Search Engine Friendly. And good SEF component also gives security benefits. A SEF component masks that information and makes it harder for a hacker to find eventual security vulnerabilities.


    Enable Search Engine Friendly URLs into Joomla Administration area.

    • Login into Joomla Administration
    • Click on Site>>Global Configuration
    • On the Site, tab selects “Yes” next to Search Engine Friendly URLs

    Delete unwanted & avoid unidentified developer’s extension

    Joomla is open-source, and as an Administrator, you install many modules to try out new functionality. It’s good to try and improve but bad without knowing the developer you install a module. Delete extensions, which you are not going to use.

    Use Security Extensions

    Use extensions to fight with spam, brute force, two-factor authentication, and known vulnerabilities. There are many, and I’ve listed some of the best ones here.

    Keep file/folder permission appropriate

    All files should have a proper CHMOD configuration. Preferably,

    PHP files – 644

    Config Files – 644

    Other folders – 755

    Use Web Application Firewall

    Web Application Firewall (WAF) is essential for any website to protect from top OWASP 10 security, known vulnerabilities & malware.

    If you are hosting your Joomla website on a cloud or VPS, then you may use ModSecurity which is free. However, if you are on shared hosting or don’t have time, then you may consider a cloud-based web application firewall. Using WAF will help you with the following.

    • Bot protection
    • Login protection
    • Backdoor protection
    • DDoS protection
    • SQL injection
    • XSS attack
    • Joomla specific vulnerabilities
    • Brute force attack
    • Layer 7 DDoS protection
    • and much more…

    If you follow these steps then chances are that your Joomla website is more secure.