Joomla Security

Joomla Security Info

Joomla Security Info is your guide to keeping your Joomla-based website secure. We assure you that the developers of Joomla! CMS take security threats seriously and Joomla is in fact very secure. However, you need to understand that there is no such thing as a 100% secure CMS. To keep your Joomla website secure from hackers, you need to take the following steps.


Use only secure third party extensions and keep them updated

Most of the time when people say their Joomla website has been hacked, the security problem has nothing to do with Joomla itself. In most cases, the hacker came in through an insecure third-party extension that the site owner installed. Check this list for vulnerable 3rd party/non Joomla! extensions.

Use secure username and password for Joomla administrators

Don’t use the default admin username. Change it to something safe and choose a safe password. A safe password contains at least eight characters and includes letters, numbers and special characters. Here is a great Secure Password Generator.


Use a SEF component that makes your Joomla more secure

A SEF component is used to make the URLs of your Joomla website more Search Engine Friendly. But a good SEF component also gives security benefits. A default Joomla URL tells the viewer a lot about the page visited: that it is a Joomla page and what components are used to produce that page. A SEF component masks that information and makes it harder for a hacker to find potential security vulnerabilities.

The SEF component sh404SEF also includes a security component that stops various attacks on your website and sends you a warning whenever your site has been exposed to an attack. It also gives you the option to remove the generator tag from your site. The generator tag tells the world that your site is generated by Joomla. Of course it is a nice thing to give credit to Joomla, but there are other ways to pay back to the Joomla community that do not help hackers. If you do not tell the hacker that your website is built with Joomla, you make it a lot harder for him to know where to start hacking.


Use a secure web host / secure server configuration for Joomla

  • Avoid any web host that uses PHP safe_mode, i.e. safe_mode should be OFF.
  • If you use Joomla 1.0.x, make sure to turn Joomla's Register Globals Emulation OFF. You will find the setting in the Joomla Global Configuration.
  • Use PHP5 rather than PHP4.

Don’t tell everyone about your configurations

  • Make sure that no outsider can view PHP information (server configuration) through phpinfo.
  • Hide the generator tag that shows that you use Joomla CMS. Note that we are not suggesting that Joomla would be insecure. This suggestion is just to make it harder for Joomla-specialized hackers to recognize that your website is Joomla-powered.
  • Use an SEF component that masks what components are used on your website.

Write-protect your Joomla configuration file (make unwriteable)

You should definitely write-protect your Joomla configuration file. The file is called "configuration.php" and is located in the root folder of your domain. Joomla 1.5 write-protects configuration.php by default, but in Joomla 1.0 you must actively choose to write-protect the file. You do that by checking the option "Make unwriteable after saving" in the Joomla Global Configuration. You can also manually chmod the file to 444.
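
The write-protection check described above, as a small shell audit. This is an added example, not part of the original article; the function names and the site-root argument are assumptions, and it also lists world-writable files, which goes slightly beyond configuration.php itself.

```shell
#!/bin/sh
# Added example (not from the original page). The Joomla site root is passed
# as the first argument; function names here are illustrative assumptions.

# Returns 0 if configuration.php exists and nobody has a write bit on it,
# 1 if any write bit is set, 2 if the file is not found.
config_is_protected() {
    cfg="$1/configuration.php"
    [ -f "$cfg" ] || return 2
    # POSIX find: "-perm -NNN" matches when all listed bits are set, so the
    # owner, group and other write bits are tested one at a time.
    hit=$(find "$cfg" \( -perm -200 -o -perm -020 -o -perm -002 \) -print)
    [ -z "$hit" ]
}

# The manual fix from the text: read-only for owner, group and other.
protect_config() {
    chmod 444 "$1/configuration.php"
}

# Regular files under the site root that any local user may overwrite.
world_writable_files() {
    find "$1" -type f -perm -002 -print
}

# Report findings; change permissions only when the second argument is --fix.
audit_joomla_root() {
    root="$1"
    rc=0
    config_is_protected "$root" || rc=$?
    case "$rc" in
        0) echo "OK: configuration.php is write-protected" ;;
        2) echo "ERROR: no configuration.php in $root"; return 2 ;;
        *) if [ "$2" = "--fix" ]; then
               protect_config "$root" && echo "FIXED: configuration.php set to 444"
           else
               echo "WARN: configuration.php is writable (chmod 444 recommended)"
           fi ;;
    esac
    world_writable_files "$root" | sed 's/^/WARN: world-writable file: /'
}

# Run the audit when the script is called with a site root, e.g.
#   sh audit.sh /path/to/site --fix     (the path is a placeholder)
if [ $# -gt 0 ]; then
    audit_joomla_root "$@"
fi
```

Saving the Global Configuration from the Joomla back end needs the file to be writable again, so re-run the audit after any configuration change.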


Delete the Joomla templates that you do not use

It is important to delete Joomla templates that you do not use for your website. If you keep the default Joomla templates, someone could for example link to your site with the URL /index.php?jos_change_template=rhuk_solarflare_ii and show your website with the default template. Besides the fact that your website may look terrible to anyone clicking that link, it may also show content that you never intended to publish on the web, for example through module positions that do not exist in your chosen template.

Change file permissions to restrict editing or overwriting

You can restrict file permissions on some critical files to make it harder for a hacker to edit or overwrite your files. Here are some suggestions:


Disallow User Registration

If your website isn't a community and doesn't otherwise need to allow user registration, you should disallow user registration for security reasons. Here is how to: