How to Secure and Harden Joomla Web Site

Protecting your website is essential to your online business availability and operations.

Internet security is a fast-moving challenge, and one should always keep an eye on online threats found almost every week. You may not need to do this manually instead, you can perform a regular security scan of your website.

There is no perfect security, but you can do your best to secure them.

Joomla is the second largest CMS downloaded over 110 million times, and the latest research by SUCURI reveals a second infected website platform.

Most of the websites are hacked due to misconfiguration, lousy hosting, or vulnerable code. The following practices would help to boost Joomla security.

Secure Administrator login with Strong password

Don’t leave the default administrator account as “admin” and bad password; this is probably the biggest risk in Joomla. By keeping default “admin” and guessable passwords, you are helping hackers in their job.


Change default administrator login “admin” to something else, which is not easily guessable.

Use a password manager to generate long, complex password strings. Avoid keeping password with includes your name, site name. You may prefer to use the Secure Password Generator.

Take Regular Joomla Backup

Backup is your friend and a lifesaver. When things go wrong, backup is probably one of the quickest ways to restore your online business operations.


Host your website with a reliable hosting company, which provides an excellent backup plan like ASPHostPortal. ASPHostPortal is one of the best hosting providers that take daily backup free. Along with hosting backup, use an extension like Akeeba backup.

Use the secret key to login into Joomla Admin.

Hide your administrator backend from potential hackers and allow those with a secret URL to access the administration area.


Use a login protection extension like AdminExile who helps you to add a secret key. This means whenever you need to access the admin login page, you need to enter the secret key after administrator.


testing is the secret key here. If you don’t use this key, then you will be redirected to the home page. Isn’t cool?

Use the latest version of Joomla & Extensions.

Most of the website owners don’t upgrade to the newest version, which is a significant risk. Almost every release, you will notice some security fixes, so not upgrading to the latest version means keeping your website vulnerable.


Review a vulnerable extension list provided by Joomla and update the old extension. Review the change log each time Joomla releases and upgrade if you see any critical fixes.

Monitor your Joomla site

How do you know when your website goes down or defaced? Get notified by email, Slack, or SMS when your website is not reachable so you can take necessary actions immediately.


Use a FREE tool like StatusCake, which monitors your website and notifies you when it goes down.

Enable Search Engine Friendly (SEF)

SEF makes the URLs of your Joomla website more Search Engine Friendly. And good SEF component also gives security benefits. A SEF component masks that information and makes it harder for a hacker to find eventual security vulnerabilities.


Enable Search Engine Friendly URLs into the Joomla Administration area.

  • Login into Joomla Administration
  • Click on Site>>Global Configuration
  • On the Site, tab selects “Yes” next to Search Engine Friendly URLs

Delete unwanted & avoid unidentified developer’s extension

Joomla is open-source, and as an Administrator, you install many modules to try out new functionality. It’s good to try and improve but bad without knowing the developer you install a module. Delete extensions, which you are not going to use.

Use Security Extensions

Use extensions to fight spam, brute force, two-factor authentication, and known vulnerabilities.

Keep file/folder permission appropriate.

All files should have a proper CHMOD configuration. Preferably,

PHP files – 644

Config Files – 644

Other folders – 755

Use Web Application Firewall

Web Application Firewall (WAF) is essential for any website to protect from top OWASP 10 security, known vulnerabilities & malware.

If you are hosting your Joomla website on a cloud VM, then you may use ModSecurity, which is free. However, if you are on shared hosting or don’t have time, you may consider a cloud-based WAF such as Sucuri or Astra.

Using WAF will help you with the following.

  • Bot protection
  • Login protection
  • Backdoor protection
  • DDoS protection
  • SQL injection
  • XSS attack
  • Joomla specific vulnerabilities
  • Brute force attack
  • Layer 7 DDoS protection
  • and much more…

If you follow these steps, then chances are that your Joomla website is more secure.

Rate this post
error: Content is protected !!