Tips to Keep Your Joomla! Website Secure

Joomla is a popular Content Management System (CMS) that is used by thousands of people across world. If you own Joomla sites, it is important for you to take the necessary and practical steps to protect them from the most common security holes, malicious attacks, hackers, and spammers and help keep your site safe and secure.
Here, we provide you with some simple hints and tips to optimize Joomla! security

1. Make sure your Joomla site is kept up-to-date

If you leave your website without updates for a long time, the potential chance of being hacked will increase accordingly. Older versions of Joomla usually contain security holes, vulnerabilities and bugs. Therefore, with the installation of the latest Joomla version, they will be fixed and resolved with the latest fixes and security patches. Keeping your site up-to-date, the risks of attack will minimize.

2. Ensure that you are not using out-of-date and vulnerable extensions and only install reliable and community-trusted extensions

You need to make sure that you always have and update the latest version of the extensions whenever there’s a new one. Keeping your Joomla extension up to date both helps improving security at high level and makes your joomla run faster.
Besides updating Joomla extensions, using trusted extensions is the important part of securing your Joomla website. Before installing any extension, you should check: how many people downloaded/reviewed the extension. If the number is small, you should find another one instead. Don’t forget to see the reviews by other users. Do they complain about security issues about the extensions?...
Lastly, cleaning up unused extensions also can eliminate unseen vulnerabilities and help speed up your joomla too.

3. Use strong username and password for login details and change your passwords regularly

You need to use unique username and password, especially, pay attention to your password. Instead of choosing random passwords, a safe password consists of at least eight characters and includes letters, capital letters, numbers and special characters. You should avoid personal information in passwords like your personal or family name or birthday which is guessed easily. Not only to choose a secure password but also change them regularly including: the password of the “admin” user, the FTP password, the MySQL password, the hosting password (e.g. the cPanel password).

4. Change the default Joomla database table prefix

When you're installing Joomla, you had better change the table prefix for the database Joomla uses from the default value. But if you skip this part and move to the installation, you still can easily change the prefix by clicking the 'Database Table Prefix Editor' button, it will open the Prefix Editor and display your current database prefix along with automatically suggesting a new one (although you can override this with your own preferred prefix). Simply click the 'Change my prefix' button to immediately perform the change, helping prevent any potential hackers from trying to access tables in the database.

5. Use a SEF component that makes your Joomla more secure

As you know, a SEF component is used to make your Joomla url get a higher rank in Search Engine Friendly. But a good SEF component can do more than that, it also increases security for your Joomla. Using a SEF component to re-write your URL's will prevent hackers from finding the exploits.

  • Login into the Administration area
  • Click on “Site/Global Configuration”
  • Click on the “Site” tab
  • Select "Yes" next to Search Engine Friendly URLs

You can click here to see SEF components

6. Install security extensions

Joomla! security extensions (website firewall) assist to protect your Joomla! website from intrusions and hacker attacks. There are several additional extensions that you can view and download from the Joomla Extensions Directory. You can search and install a suitable and highly recommended one to increase your sites security.

7. Disallow User Registration

If your webpage isn’t a community or social network, you should disallow user registration for security reasons by following these steps:

  • Login into the Administration area
  • Go to "Users/User Manager" and find the Options tab at the top of the page
  • You will see the option "Allow User Registration", and then set “No” for “Allow User Registration”
  • Click “Save” button

8. Use a secure web host

A good host will ensure your site safe. You need to check your hosting provider is using the latest version of PHP, Apache, MySql, phpMyAdmin, and cPanel. Contact to your server to update them.

9. Change the default permissions on your Joomla .php files to restrict editing or overwriting

You can set permissions on some important .php files to control what other people can do with your files, also to make it harder for hackers to overwrite your files:

  • Set the permission of /index.php to 444
  • Set the permission of /configuration.php to 444
  • Set the permission of /templates/*yourtemplate*/index.php to 444
  • Set the permission of the folder /templates/*yourtemplate*/ to 555

10. Change your .htaccess file

Adding .htaccess file to block out database and some common file exploits.

11. Disable the FTP Layer

For the majority of Joomla installations the FTP layer is not required, so we recommend that you disable this.

  • Login into the Joomla administration
  • Go to “Site/Global Configuration/Server”
  • In “FTP Settings”, select “No” for the “Enable FTP” option.
  • Click on the “Save & Close”

12. Do not allow users to upload scripts to your website

Allowing a user to upload files or scripts to your website is like opening another door for a malicious file to compromise your server. Although uploading files is a necessity for any web application with advanced functionality, you should take caution and think carefully. If you feel scripts necessary for your website to have a feature, ask some Joomla security experts for advice if it should allow people to upload them.

13. Review the joomla security checklist

Joomla Security Checklist will allow your site to be always protected. It is good to review and follow the hints and steps in checklist to keep your Joomla site secure

14. Run a vulnerability scan

Vulnerability scan analyzes and helps to search and eliminate security vulnerabilities of applications, installed on your computer, and in operating system settings.
Here is some vulnerability scans you should know

15. Setup a backup and recovery process

Take time to make a strong backup and recovery protocol for your live website. Having a full backup of your website is important to the recovery process.
You don't need to create a full backup often. Because Joomla stores all the data you create in a database, you only need to do it when you've installed or updated extensions.