In an age of constant news of security breaches, it’s more important than ever for webmasters of Joomla websites to keep their sites safe and secure. While there’s no one-size-fits all solution for keeping your Joomla site secure, there are some good rules of thumb to follow to help ensure that your site is as secure as possible and it’s not as hard as it may seem.

Keep Your Joomla Installation Up-to-date

This is the biggest area where we see users fail in keeping their site secure and is the easiest pitfall to avoid. With the built-in updater that’s been available since versions following Joomla 1.5, updating is really no more difficult than a few clicks.

We strongly recommend backing up your site before applying any updates. You can easily do so by installing Akeeba backup or using the App manager in the client area of your account at

Once you successfully backed up your site, you can then proceed to upgrading your site by using the built-in updater or you backup and update all in one step from our App manager.

Keep Your Joomla Extensions Up-to-date

While many users tend to keep their Joomla installations up-to-date, they often ignore all of the wonderful extensions that they have installed, leaving their sites open to attacks.

Start by visiting the extensions > manage area of your Joomla administration area and then click on “update” to review extensions updates that are available to update. After backing up apply any available updates.

There are still plenty of extensions which do not use the updater built into Joomla, so you’ll need to click on “manage” and then compare your list of installed extensions against the Vulnerable Extensions List to find any of your extensions that may be vulnerable. You will want to update any you find pronto.

Lastly, even if you do not have any vulnerable extensions installed, there are likely updates available for your particular extensions. Some 3rd party extension developers have updaters built into the component, which you can utilize to update their extensions and enjoy the benefits of new features and bug fixes. Even if they have no updater available, there still might be newer versions available, which you can download and install via the Joomla extension manager.

Permissions, Passwords, and Protecting Your Administrator Area

File Permissions

You need to use a hosting provider that utilizes something (e.g. suPHP) to keep your file permissions secure while you interact with them. Generally speaking, files should stay at 644 and folders should be 755 to prevent world read/write access.


When creating passwords for your users, we recommend that you should always create strong passwords, with letters, numbers–both lowercase and uppercase, and characters with at least 10 digits. Utilize some sort of password manager such as LastPass, 1Password, or Dashlane, to assist with generating strong passwords and managing them.

For additionally security, utilize two factor authentication. Joomla has this built-in which can easily be turned on by visiting your plugins area and searching for “Two Factor Authentication” where you can select frontend, backend, or both options. and enable the plugin to use with google authenticator or a physical YubiKey.

If you don’t have the need for users to sign-up on your site, disable registration. Simply visit Users > Manage > Options and select “No” next to “Allow User Registration”. This will help prevent plenty of issues including, but certainly not limited to, spamming from your site by nefarious users taking advantage of your site.

Protecting Your Administrator Area

Believe it or not, a hacker can gain access to your administrator area if you make it easy for them. Make sure to avoid using usernames like “Admin” or “Administrator”. These will be a hackers first guess.

Strong passwords help, but if a hacker can brute-force attack your administrator area, they’ll eventually get the right combination of usernames/passwords given enough time. So, we recommend making it harder for them by hiding your administrator area from them. The standard Joomla administrator url has always been and hackers know this. There’s a free plugin for Joomla named kSecure that will allow you add a secret key to your administrator url like to make it even more difficult to access. It also gives you the option to protect your administrator directory through http authentication.

You can find additional tips and resources on securing your Joomla site at the Joomla Security Checklist page.

If you’re looking for professional assistance with keeping your Joomla site secure, we do all of these things and more for you with Joomla Hosting Complete. Joomla Hosting Complete is totally managed, end-to-end hosting solution for your Joomla website.

Leave a Reply