
Joomla security

Protect your Joomla site against hackers, malware and attacks. Practical tips and extension recommendations for maximum security.

10 essential Joomla security tips

Implement these tips to make your Joomla site more secure immediately

1

Keep Joomla up-to-date

Update Joomla, extensions and templates as soon as updates are released: once a fix is public, the vulnerability it closes is known to attackers and scanned for automatically. Check System → Update regularly and leave the "System - Joomla! Update Notification" plugin enabled so you are e-mailed when a core update is available.

2

Use strong passwords

Use at least 14 characters and a unique password for every site; a password manager makes both painless. You can enforce a minimum length and required character classes for all accounts under Users → Manage → Options → Password Options, which matters most for Super User accounts.

3

Install an SSL certificate

HTTPS encrypts traffic between the server and the visitor, including the admin login and the session cookie. Certificates are free via Let's Encrypt, and most hosts provision and renew them automatically.

4

Change the default admin URL

Every bot knows /administrator, so it is hammered with automated login attempts around the clock. Renaming it via a security extension (Admin Tools offers this) cuts that noise, but it is obscurity, not access control: anyone who discovers the new path still reaches the login form, so combine it with 2FA and, where possible, IP restrictions.

5

Make daily backups

If your site gets hacked, you can return to a known-clean version. Use Akeeba Backup, store copies off the server (a backup on the compromised host can be deleted or trojaned along with the site) and test a restore once so you know the procedure works before you need it.

6

Use two-factor authentication (2FA)

Joomla has built-in 2FA (called multi-factor authentication from Joomla 4.2 on). With it enabled, a leaked or guessed password alone is not enough to log in. Turn it on for every Super User account first.

7

Remove unused extensions

Every extension is code that runs on your server, and an extension that is merely disabled still leaves its files on disk where they can be requested directly. Uninstall, don't just unpublish, everything you don't use.

8

Limit login attempts

Block an IP address after a handful of failed login attempts to stop brute-force and credential-stuffing attacks. Joomla core does not do this on its own; Admin Tools and RSFirewall! add it, and fail2ban at the server level can block on the web server log as well.
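The web server log is the other place to see the attack that login limiting is meant to stop. The script below is an added example for this page, not code from Joomla or from any of the extensions mentioned: it reads an Apache "combined" access log and prints the clients that POSTed to the administrator login at least N times within one clock hour. Joomla answers the login POST with a redirect whether or not the password was right, so the status code is no help; the volume of POSTs per client is the signal. The log lines in sample_log are constructed (RFC 5737 documentation addresses), and the standard /administrator path is assumed.

```shell
#!/bin/sh
# Added example (not from the page or any Joomla extension): find clients hammering the
# Joomla administrator login in an Apache "combined" access log.
# Assumes the combined log format and the default /administrator path.

# Read a combined-format log on stdin; print "ip hour count" for every client that
# POSTed to the admin login at least $1 times within one clock hour (default 10),
# most active first.
joomla_login_offenders() {
    threshold="${1:-10}"
    awk -v t="$threshold" '
        # $1 client IP, $4 "[day/Mon/year:HH:MM:SS", $6 "\"METHOD", $7 request path
        $6 == "\"POST" && $7 ~ /^\/administrator\/index\.php/ {
            hour = substr($4, 2, 14)        # day/Mon/year:HH
            n[$1 SUBSEP hour]++
        }
        END {
            for (k in n) if (n[k] >= t) {
                split(k, p, SUBSEP)
                print p[1], p[2], n[k]
            }
        }' | sort -k3,3nr
}

# Constructed sample log: one client making twelve login attempts within a minute,
# one legitimate admin logging in twice on the same day, hours apart.
sample_log() {
    i=0
    while [ "$i" -lt 12 ]; do
        printf '203.0.113.5 - - [10/Oct/2023:13:55:%02d +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "python-requests/2.31"\n' "$i"
        i=$((i + 1))
    done
    printf '198.51.100.7 - - [10/Oct/2023:09:02:11 +0000] "GET /administrator/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"\n'
    printf '198.51.100.7 - - [10/Oct/2023:09:02:40 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "Mozilla/5.0"\n'
    printf '198.51.100.7 - - [10/Oct/2023:16:30:05 +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "Mozilla/5.0"\n'
}

# Usage: sample_log | joomla_login_offenders 10
# or:    joomla_login_offenders 10 < /var/log/apache2/access.log
```

The addresses it prints are candidates for the IP block list of Admin Tools or RSFirewall!, or for a firewall rule; a legitimate administrator does not submit the login form a dozen times in a minute. If you renamed the admin URL, change the path in the awk pattern accordingly.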

9

Only use trusted extensions

Install extensions only from the Joomla Extensions Directory (extensions.joomla.org) or developers you trust, check reviews and how recently the last update was released, and look the extension up on Joomla's Vulnerable Extensions List (vel.joomla.org) before installing it.

10

Check file permissions

Set folders to 755, files to 644 and configuration.php to 444 (read-only), and never leave anything at 777. If saving Global Configuration fails afterwards, temporarily set configuration.php to 644, save, and restore 444.
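Doing this by hand over FTP is error-prone on a tree with thousands of files. The script below is an added example for this page, not part of Joomla or of any extension: it applies the modes above to a Joomla root passed as the first argument and then lists anything that is still writable by "others", which is the check worth running again after every extension install. It assumes file ownership is already correct (it changes modes, not owners).

```shell
#!/bin/sh
# Added example for this page (not part of Joomla or any extension): reset a Joomla
# tree to folders 755 / files 644 / configuration.php 444 and report anything still
# world-writable. Assumes the Joomla root is $1 and ownership is already correct.

# Apply the recommended modes: directories first, then files, then the config file.
joomla_fix_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/configuration.php" ]; then
        chmod 444 "$root/configuration.php"
    fi
}

# List every path below the root that is world-writable (the classic 777 left over
# from a careless install or a quick "fix" for an upload problem). Empty output is the goal.
joomla_world_writable() {
    find "$1" -perm -o+w -print
}

# Usage: ./joomla_perms.sh /var/www/html
if [ -n "$1" ] && [ -d "$1" ]; then
    echo "World-writable before fix:"; joomla_world_writable "$1"
    joomla_fix_perms "$1"
    echo "Still world-writable after fix (should be empty):"; joomla_world_writable "$1"
fi
```

Run it as the user that owns the files (or as root on a dedicated server), and re-run joomla_world_writable alone whenever an extension installer or a support article tells you to "chmod 777" something: the right fix for a write error is correct ownership, not a world-writable directory.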

Recommended security extensions

These Joomla extensions help protect your site

Admin Tools

Core + Pro

The most complete security suite for Joomla. Web Application Firewall, change admin URL and much more.

  • Web Application Firewall (WAF)
  • Change admin URL
  • IP blocking and geo-blocking
  • PHP File Change Scanner

Akeeba Backup

Core + Pro

The best backup extension for Joomla. Create complete backups and restore your site with one click.

  • Complete site backup (files + database)
  • Automatic backup scheduling
  • Upload to cloud (Dropbox, Google Drive)
  • One-click restore function

RSFirewall!

Free + Pro

Complete firewall and malware scanner specially for Joomla. Monitors your site 24/7.

  • Realtime threat monitoring
  • Malware scanning
  • System check and hardening
  • Two-factor authentication

Activate built-in Joomla security

Joomla has several security features that are not activated by default

Activate two-factor authentication (2FA)

  1. Log in to your Joomla admin panel
  2. Go to Users → Manage → click on your username
  3. Click on the "Two Factor Authentication" tab (from Joomla 4.2 on it is called "Multi-factor Authentication"; if the tab is missing, enable the corresponding authentication plugins in the plugin manager first)
  4. Choose "Google Authenticator" (any TOTP authenticator app works) or "YubiKey"
  5. Scan the QR code with your authenticator app
  6. Enter the verification code and click "Verify and Save"

Tip: Save the secret key and the one-time backup codes Joomla shows you in a safe place, in case you lose your phone. Repeat this for every Super User account, not just your own.

Force SSL (HTTPS)

  1. Make sure you have a valid SSL certificate installed and that https://yoursite loads without certificate warnings
  2. Go to System → Global Configuration
  3. Click on the "Server" tab
  4. Find "Force HTTPS"
  5. Choose "Entire Site" or "Administrator Only"
  6. Save the settings

Important: Test if your site works properly on HTTPS before forcing this, including any hard-coded http:// image or script URLs that would produce mixed-content warnings. If you lock yourself out (for example because the certificate is not valid), open configuration.php over FTP or SSH and set public $force_ssl = 0; to switch it off again.

Disable web services

If you don't use the API, disable it:

  1. Go to System → Global Configuration
  2. Click on "Web Services" tab
  3. Set "Enable Web Services" to "No"
  4. Save the settings

If your Joomla version does not offer that switch, unpublish the "API Authentication - Web Services Joomla Token" plugin and the "Web Services - ..." plugins under System → Plugins, or deny access to /api/ at the web server. Also revoke any API tokens on user accounts (Users → Manage) that you do not recognise.

Disable registration (if not needed)

If you don't need new users:

  1. Go to Users → Manage → Options
  2. Find "Allow User Registration"
  3. Set this to "No"
  4. Save the settings

Good hosting = better security

Your hosting provider plays a major role in the security of your Joomla site. Choose a provider with these features:

Free SSL

Automatic installation and renewal of Let's Encrypt certificates

Daily backups

Automatic backups with easy restore via control panel

Malware scanning

Automatic scans and removal of malware at server level

DDoS protection

Firewall and DDoS mitigation to keep your site online

Is your Joomla site hacked?

Follow these steps to restore your site:

  1. Take your site offline (via Global Configuration → Site Offline, or set public $offline = true; in configuration.php if you can no longer log in)
  2. Change ALL passwords (admin, hosting, database, FTP) and put the new database credentials in configuration.php; also check Users → Manage for Super User accounts you did not create and remove them
  3. Scan your computer for malware (the hack may come from your PC, for example through stolen FTP credentials)
  4. Restore a clean backup from before the compromise (if you have one)
  5. Or: use a malware scanner like RSFirewall! to find and remove infections, and check upload folders such as /images for PHP files, which should never be there
  6. Update Joomla and ALL extensions to the latest version; without this step the same hole is used again within days
  7. Install a security extension (Admin Tools or RSFirewall!)
  8. Monitor your site extra carefully the first weeks, and go through the access logs to find out how the attacker got in
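Two of these steps are quicker from a shell than from the admin panel, especially when the login itself is compromised. The script below is an added example for this page, not Joomla's own code: it covers steps 1 and 5, taking the site offline by editing configuration.php directly and listing the PHP files an attacker most often leaves behind (recently changed scripts, and any PHP at all inside upload and cache folders). It assumes shell access and that the Joomla root is passed as the first argument; the folder names it checks (images, media, tmp, cache, logs) are the standard Joomla ones.

```shell
#!/bin/sh
# Added example for this page (not Joomla's own code): first-response helpers for a
# hacked site. Assumes shell access and the Joomla root as $1.

# Flip "public $offline = false;" to true in configuration.php. The file is normally
# 444, so make it writable for the edit and lock it again. No .bak copy is left in
# the web root: a configuration.php.bak would be served to anyone as plain text.
joomla_set_offline() {
    cfg="$1/configuration.php"
    tmp=$(mktemp) || return 1
    chmod u+w "$cfg"
    sed 's/public \$offline = false;/public $offline = true;/' "$cfg" > "$tmp" \
        && cat "$tmp" > "$cfg"       # write back in place to keep owner and mode
    rm -f "$tmp"
    chmod 444 "$cfg"
}

# PHP files changed in the last N days (default 7). A core or extension update explains
# some hits; anything else, especially outside /administrator, /components, /plugins,
# /modules and /libraries, deserves a look.
joomla_recent_php() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) \
        -mtime -"${2:-7}" -print
}

# PHP files in directories that should only ever hold uploads or cache data.
# There is no legitimate reason for a script here; a webshell is the usual one.
joomla_php_in_uploads() {
    for d in images media tmp cache logs; do
        [ -d "$1/$d" ] && find "$1/$d" -type f \
            \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) -print
    done
    return 0
}

# Usage: ./joomla_triage.sh /var/www/html
if [ -n "$1" ] && [ -d "$1" ]; then
    joomla_set_offline "$1"
    echo "PHP files modified in the last 7 days:"; joomla_recent_php "$1" 7
    echo "PHP files in upload/cache folders:";     joomla_php_in_uploads "$1"
fi
```

Keep the lists it prints: they tell you what to compare against a clean Joomla and extension package, and their timestamps narrow down the window to search in the access log in step 8. Attackers also backdate files, so an empty joomla_recent_php result is not proof of a clean tree; joomla_php_in_uploads does not depend on timestamps.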