How to secure a Joomla 3 site against hacker attacks

Most Joomla attacks are a result of plugin/components vulnerabilities, weak passwords, and obsolete software. Perhaps the biggest disadvantage of every OpenSource CMS is that anyone can download the full source code; this makes it easy for an attacker to determine if your site is running Joomla!, and often he will know the weak points of each version, sometimes even better than you do.


Let this motivate you: we see between 100 – 1,000 unauthorized login attempts every single day at the sites we host (Documentation, Magazine and the main The vast majority of these are hackers using brute force techniques to get into websites. That’s why you should be ready; so take some precautions to minimize the risk of your website getting broken into.

  1. A classic example of weak security is continuing to use the word ‘admin’ as a user name – this is the default super administration account that’s created when you first install Joomla! – along with a password that brute-force attempts are likely to succeed in guessing. So don’t waste time anymore and rename ‘admin’ account with a different name and ensure it has a strong password.
  2. Ensure that you have installed the latest versions of both the Joomla core itself and any third-party extensions.
  3. You can use Akeeba CMS Update tool – which allows you define specific Super User accounts to be emailed when an update is available, Automatic updates and gives automatically backup your site before updating Joomla.
  4. Outdated versions of the Joomla extension may contain a very serious security vulnerability that allows a hacker to upload files to a website. Exploitation of this vulnerability has been a common cause of the hackings among the hacked Joomla websites. Even if your Joomla doesn’t show if new version is available regularly check on developer page.
  5. Turn on Search Engine Friendly URLs – this will hide typical Joomla URLs.
  6. Disable New User Registration in User Manager – if you don’t need new users added from front-end.
  7. Rename htaccess.txt to .htaccess– because it include some rewrite rules to block out some common exploits. For example you can add this code to your .htaccess file, paste it just after “RewriteEngine On” :
    RewriteCond %{REQUEST_URI}  ^/images/  [NC,OR]
    RewriteCond %{REQUEST_URI}  ^/media/  [NC,OR]
    RewriteCond %{REQUEST_URI}  ^/logs/  [NC,OR]
    RewriteCond %{REQUEST_URI}  ^/tmp/
    RewriteRule .*\.(phps?|sh|pl|cgi|py)$ - [F]

    This code will block all attempts to run scripts outside the Joomla control.

  8. Never leave permissions for a file or directory set to 777: this allows everybody to
    write data (including exploits) to it. A wrong CHMOD may also allow access to the hackers.
  9. Use ‘firewall’ extensions such as: jHackGuard (, Marco’s SQL Iniection – LFI protection (
    or commercial solutions: Akeeba Admin Tools Pro ( or RSFirewall! ( to protect against the most popular hacking attacks – SQL Injections, Remote URL/File Inclusions, Remote Code Executions and XSS Based Attacks!
  10. Install only extensions that have a good reputation; check the reviews on JED ( Because many extensions (from different sources) contain vulnerable code , which when installed makes it easy for the hackers to get in.
  11. Always have a backup ready to restore your Joomla! site to its most current healthy state.
  12. Password protecting your /administrator folder can add an extra layer of security to your server, as password protection can break any script that uses ajax on the front end. To do this, you will need to create a .htpasswds file (htpasswd-generator), putting it in this directory causes the browser to display a login dialog.

Was this answer helpful?

 Print this Article

Also Read

Block some exploits, bad / unwanted user agents .htaccess

Add this to your .htaccess file########## Begin - Rewrite rules to block out some common...

Joomla .htaccess: Option FollowSymlinks not allowed here

.htaccess: Option FollowSymlinks not allowed here Try changing that option to read...

PHP Firewall for Your CMS website

PHP Firewall is a small free PHP script, but secure all websites writen in PHP.PHP Firewall...

Brute Force Amplification Attacks Against WordPress XMLRPC

Brute Force attacks are one of the oldest and most common types of attacks that we still see on...

How to secure a Joomla 3 site in .htaccess (security tips)

Warning: Read the hashed areas! Incorrect settings on some servers may cause 500 page errors. The...

Powered by WHMCompleteSolution