Joomla security checklist: 9 ways to keep Joomla secure

Joomla security checklist

Joomla is a widespread CMS specially for across the worldwide web. It empowers a good 2.8% of all active websites and shares great accountability for its user security and integrity.

Despite having a strong security framework, Joomla still lacks security endurance like other CMSs. According to research, it’s been observed that Joomla is accountable for almost 4.3 % of all hacked websites. In fact, a sudden surge in CVEs has been observed over the past few years.

The recent trend of security vulnerabilities found on Joomla is quite a bit alarming. Hence neglecting recommended security best practices can end up catastrophically for your Joomla website.

joomla cve details

Joomla CVE details; Source: Astra Security

What should you be doing to secure your Joomla website? For one, you should be following this Joomla security guide!

Today we are discussing the most practical Joomla security best practices (with steps) that would help you tighten your Joomla website’s security.

Joomla security checklist

1. Take Regular Backups

You should be ever-ready for the worst-case scenario, i.e. a hack. Keeping a complete working backup handy can help restore any mishap — internal or external almost instantly. The key here is to be regular and time stamp the backups. A functional backup can help you revive your website in minutes in case of a cyber attack.

Basically, The two main segments of an organized backup are:

  • Joomla Core Files and additional important files
  • The Joomla database

You can do it manually or get an extension to automate it for you.

2. Update your Joomla Core & Extensions

Joomla has a dedicated team of security professionals who are working 24/7 to roll out the security patches in order to be on top of risks and vulnerabilities. However, it is possible that you might not automatically grab the update, in that case, you can manually check for the patch updates onto your admin panel. To be safe, do ensure that you are running the latest versions of your core, themes and extensions.

3. Hide the Joomla Admin Panel

Open (default) admin panel is the major honeypot for cyber intruders. By default, the root address for the Joomla admin panel is-

Hackers aim to gain unauthorized access to your site by launching a brute-force attack against the /administrator URL. These attacks attempt thousands of passwords per second. However, a strong password comprising an alphanumeric special character can somehow mitigate this attack.

For ease, we recommend using the free Joomla security extension “AdminExile” which helps you to append the default admin URL with a unique series.

4. Use Joomla Two Factor Authentication

Two factor authentication adds an extra layer of security to your Joomla admin panel. In order to log in, you require an  OTP sent to your mobile phone or email. The 2FA feature in Joomla is available on version 3.2.0 or higher.

Jot down the steps to enable 2FA in Joomla:

  1. Login to your  Joomla Administration Panel.
  2. Click on Components, then traverse through Post-Installation Messages
  3. Click on Enable two-factor authentication.
  4. You will be driven to your personal profile section/page.
  5. Install a Google Authenticator client.
  6. Browse the QR Code with your mobile phone using Google Authenticator.
  7. Enter the six-digit code on the Two-Factor Authenticator field seen on your phone.
  8. Click on Save & Exit.

5. Limit Login Attempts in Joomla

It is a necessary step in Joomla to protect the site from brute-force attack. Basically, this function restricts the number of login attempts an user can try in case of a failed login. At present, this feature is only accessible through Joomla extensions. One of such extensions is “Limit Login Attempts”.

limit login attempts in joomla


6. Disable Dangerous PHP Functions

PHP files comprise several source files which are very crucial from a security point of view. These functional files are a threat to Joomla security. Thus, it should be properly managed.

Below given steps will disable the unwanted PHP files and their derivatives-

  1. Log in to your admin panel and navigate through the file manager.
  2. Traverse through the php.ini file.
  3. Add the following line of code to the file:

disable_functions = “show_source, system, shell_exec, passthru, exec, popen, proc_open, allow_url_fopen, eval”

7. Set Recommended Joomla File Permissions

The security and integrity of your website can be further strengthened, if the permission given to each file is managed correctly. Set your files permission to 644 and folders permissions to 755. Follow this guide to learn how to set joomla file permissions.

joomla security file permissions


8. Disable Script Injections

Hackers always amend malicious attempts of injecting foreign code into the PHP files using the .htaccess file. But don’t you worry, all you need to do is to append the following line of code into the .htaccess file and mitigate yourself from the risk of being compromised.

Options +FollowSymLinks

RewriteEngine On

RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]

RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]

RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})

RewriteRule ^(.*)$ index.php [F,L]

9. Joomla Security Audit

A security audit is currently the need of the hour. It helps you to uncover the hidden potential threat to your website. It’s a way of approaching the website exactly the way a hacker does. A proper Joomla security audit uses an optimized way of both manual and automated mechanisms to discover vulnerabilities. A complete detailed report is provided once the audit is finished. Astra Security is the leading Website Security Audit provider as of now.


Web Security is the basic need to start off any website. Raising and sustaining a successful website takes immense effort and time. Although all these tips can do wonders in improving the security of your website, they are still not enough. Getting a security solution for your website is what we recommend you do. If you liked this blog, share with your friends.