The Joomlashack Blog

17 Point Checklist To Harden Your Joomla! Site Security

Written by Steve Burge Steve Burge
Published: 27 March 2017 27 March 2017
17 Point Checklist To Harden Your Joomla! Site Security

Being one of the most popular and most downloaded Content Management Systems, Joomla is also one of the most attacked.

Learn in this checklist how you can protect your Joomla based web site by developing and fostering appropriate security mindset, even if you are not tech savvy. Equipped with this checklis, you can start fine tuning your Joomla site security right away.

#1. Remember that internet is a wild jungle

Your Joomla web site, once published on the internet, becomes open to all and that means that sooner or later it will most likely become an object of malicious attacks. They may come from goofing around script kiddies or from ill-intentioned seasoned hackers. But they will come.

However insignificant for a would-be hacker your site may seem to you, Joomla is one of the most popular, most downloaded Content Management Systems today. As such, it is also the most attacked one. Stay vigilant from the get go!

#2. Take personal responsibility for your site security

Your Joomla site security is your own personal responsibility. There is no other way around it and you personally have to stay in control. The good news is that however intimidating the subject of your Joomla site security may sound to you, you still can learn it, even if you are not tech savvy.

Experience is the best teacher and you can indeed learn how to harden your Joomla site safety. One step at a time but, yes, you can. Start learning by doing now. If you need help, do ask us questions in the comments section underneath this post. You can also ask your questions at helpful and friendly Joomla Security community forum.

Start taking actions now. You will be glad you did.

#3. Keep a "never enough" attitude 

If we have your attention now and you are impressed with how dangerous the internet is and decided to take a full responsibility for your Joomla site safety, here is one more sobering (sorry, - no sugar coating) word for you: never assume that you have done enough.

There is no such thing as "too much security". The old "better to be safe than sorry" adage can not be more true than in this case.

#4. Keep your CMS version up-to-date

Making sure you run the latest stable Joomla version is one of those "first things first" steps towards tightening your Joomla site security. Every time Joomla project releases a new stable version, you will immediately find a corresponding notification within your Joomla administrator control panel.

Watch for such notifications every time you visit your Joomla administrator backend. Never neglect to act on them. Update your Joomla installation to the newly released version right away! 

#5. Subscribe to Joomla security announcements

The Joomla Security Centre releases announcements on security issues and vulnerabilities, right once they are found in the system.

Subscribe to Joomla security announcements at https://feeds.joomla.org/JoomlaSecurityNews and stay abreast of latest threats to your site.

#6. Reduce the number of super users

Your Joomla user with the super user access level has permissions to perform absolutely every action within your Joomla system. Should you delegate any tasks at your site to a team member, make sure you assigned to that member only minimum required access level.

Do your best to keep the number of super users at your site to a bare minimum.

#7. Always check how hard your Joomla! super administrator password is

The vast majority of Joomla sites are hacked only due to weak super user passwords. Use this nifty tool at https://howsecureismypassword.net and make sure you are aware of how long it will take for your password to be cracked.

Don't play Russian Roulette with your site safety. Choose passwords to crack which a computer will need thousands of years, - the ones that are long enough and consist of a combination of small and capital letters, numbers and special characters.

#8. Impose a strict Joomla password policy

Before you decide to enable user registration at your site, never assume that your users will be creating for you a hard to guess passwords when they register. They never have and they never will. Utilise Joomla's built in feature to control passwords being created (see Users -> Manage -> Options -> Password Options).

Force your users to create hard to guess password right out of the gates, while they are registering at your site, and tighten your Joomla site security that extra notch.

#9. Use security features that come with your hosting

Always check with your hosting provider if they offer in-house security tools or services to their customers with Joomla sites.

Such services, like, for example, HackAlert from SiteGround.com, don't require any skills for you to run them. There is not need to download anything or install anything. Just activate them once in your hosting control panel and you are good to go.

Once you turn them on, they will immediately start running in the background for you, scanning your Joomla website against hidden malware and drive-by downloads. What's more, once they identified any such malware, they will send you an immediate warning.

#10. Password protect your Joomla administrator

There is no such a thing as "too much security". Even if you created a decent hard-to-guess password for your Joomla super administrator, it is still a sound practice to protect your Joomla administrator login page with extra layer via its own password with an .htaccess file.

You can enable this option easily using your hosting cPanel. Just contact your hosting support team if you never did this before and need help. Your Joomla administrator login page is the first port of call for would-be hacker.

Hide this page behind its own password layer. It will take you only a few minutes but save you from a lot of grief in the long run.

11. Backup, backup and more backup

In case a disaster suddenly strikes, nothing will secure your site more than a good ol' backup. Your hosting most likely already creates automatic backups for your site. This is great. With backup you can always recover your Joomla site and its database to its past state.

You should also regularly create and download your own full backups. You can easily do this via Joomla's popular and award winning extension Akeeba Backup for Joomla.

Is also important to make sure you regularly test your backups, so that you're always prepared for any situation.

#12. Protect your site with an SSL certificate

If your web site interacts with its users, collecting data from them and sending information back to them, then consider protecting your site with SSL. 

While data travels between your site users computers and the server where your site resides, there is a chance that this data can be intercepted by a third party and used for malicious purposes.

Before reaching to your wallet, please check with your hosting if they already provide a free SSL. For example, if you are with Rochen, then you can deploy Rochen's latest free "Let's Encrypt" SSL feature and secure data exchange between your Joomla site users and your server.

#13. Disable or delete unwanted Joomla! extensions

If you installed one or more third party extensions to enhance your Joomla site functionality but, for whatever reasons, don't need any or some of them - disable them or, better still, simply deinstall them. Just to be on the safe side.

#14. Install security extensions

As your own Joomla security administrator, you are only as good as your tools. Make use of well established, popular and useful Joomla security extensions, namely - Admin Tools Core or Admin Tools Pro.

They are very intuitive and relatively easy to learn. Install them via your Joomla extension manager and instantly harden and monitor your site security, - all from within your Joomla administrator control panel.

#15. Download Joomla extensions only from the developers' sites

Always download Joomla extensions for your site only directly from web sites of their developers. You may be tempted to download a commercial Joomla extension for free from a file sharing site and apparently save yourself some money but don't!

There is no such a thing as free lunch. If you see that a paid Joomla extension is available on some third party site for free download, avoid this website right away! Be vigilant.

Chances are that whoever uploaded that extension for free download from that site, most likely embedded into it some malicious files or malicious code.

Once you install such "free" extension, it becomes a back door to your site and its server, ready to be used by its malicious creator.

Avoid such "gifts" the first thing you see them.

#16. Check your Joomla! extensions integrity against official "Vulnerable Extensions List"

Joomla extensions can be both a blessing and a curse to a Joomla site. They can be both functional and vulnerable at the same time.

Develop a habit of checking your Joomla extensions against official Joomla Vulnerable Extensions List.

#17. Enable Joomla SEF URLs to mask extensions names in your site URLs

This one is really from the box of fine-tuning tricks. Out of the box, in your site URLs, your Joomla displays to your site visitors what extensions it uses to generate your web pages. This gives away to potential abuser a vital piece of information.

Enable SEF URLs in your Joomla back end (System -> Global Configuration -> Site -> SEO Settings -> Search Engine Friendly URLs -> Yes) and hide that information from public eyes for good.

Congratulations! You just learned how you can take your Joomla site security to the next level. Equipped with renewed mindset and this Joomla security checklist, your Joomla site safety is not intimidating subject for you any more.

What has been your experience with Joomla security so far? Do you need any help? Submit your questions in the comments section below.