10 tips to improve Joomla's security

Most Joomla attacks are possible because of 3rd party plugin/components vulnerabilities, weak passwords, and outdated software. But don't worry, the following tips will help you increase your Joomla website security in no time.

Note: We have not included any security extensions in the tips we listed below. As rule of thumb, anything you install in Joomla could be potentially vulnerable code, even if it’s an extension focused on security.

Use strong login details

After installing your website, don’t keep the default admin username and password. Make sure to set up a strong password so that a hacker can’t guess his or her way in using a list of most commonly used passwords.

Create a long, complicated password and store it safely in a password manager such as 1Password or KeePass.

Don’t install too many extensions

Joomla is such a powerful platform because it’s so easy to extend its functionality in a few clicks. But with great power, comes great responsibility! Most Joomla hacks happen because of third party extensions that fail to follow best practices.

Test new extensions in a staging or local environment first to assess their value and stability. You can test your Joomla site on your local machine using the Joomlatools Vagrant box.

Make sure to uninstall extensions that you don’t need any longer. More code in your website only increases the number of potential vulnerabilities.

Alternatively you can build your application using Joomlatools Platform. This is a modern Joomla stack with a slimmed down Joomla codebase and improved directory structure. Only public assets are exposed by the webserver while the core PHP files and extensions are moved outside of your document root.

And finally, regularly review the official Vulnerable Extensions List.

Restrict file and directory permissions

An all too common problem is incorrect file permissions. You should only grant write access to those directories and files that actually require it, such as upload and cache directories. Everything else should be locked down once your extensions and templates have been installed.

The required permission model is very different for each site and depends heavily on your setup. We usually start with these permissions and evolve it from there:

  • Directories set to 0755: only the owner of the file can write to it, the rest can read and execute them.
  • Files set to 0644: only the owner can write, the rest can read.
  • configuration.php set to 0444: only read is allowed.

And finally, never ever use 777 permissions. It allows your files to be viewed and modified by anyone! This is especially important if you are on shared hosting. Any other user will have full access to your files.

Protect administrator login

You can require a password in the admin login area to further improve security. You can do this manually by creating a .htaccess file in the administrator directory as described in the Joomla documentation.

Use a web application firewall

A web application firewall (WAF) acts as a filter and monitor for HTTP applications. You can either install one on your own server yourself, such as ModSecurity, or use a cloud-based solution. Using a web application firewall will give you the following features:

  • Spambot protection
  • Brute-force attack protection
  • Backdoor protection
  • DDoS protection
  • SQL injection protection
  • and more..

Install an SSL Certificate

To protect the communication between your visitors and your website, you need to encrypt it using SSL. Even if you are not running e-commerce sites or payment gateways, running on HTTPS and having an SSL certificate adds to your site security by protecting your username and password when you or your colleagues log into your website. Otherwise these login details are sent over the internet in plain text.

Obtaining and installing a certificate has become free and easy to do thanks to Let’s Encrypt. Once installed, you can test and improve your SSL configuration using the SSL Server Test.

Monitor your website

How do you know your site is still up and running? You need to monitor your website continuously to make sure it has not been hacked. If a problem occurs, you will get an email or SMS.

There are many tools to choose from that can help you keep an eye on things, like updown.io or Pingdom. There are plenty more if you look for them.

Keep Joomla and its extensions updated

The most important part of managing a Joomla website is applying regular updates. Most Joomla and extension releases contain security fixes, so it’s never a good idea to skip them.

Luckily, Joomla has a built-in version checker and will notify you when a core update is available. A lot of extensions now support the Joomla Update System which will also notify you of new extension releases.

Be sure to make a backup before you update!

Harden your PHP configuration

PHP is the language Joomla is written in. To improve your Joomla security, we recommend you change the following PHP directives in your php.ini file:

Don't expose PHP version

expose_php = 0

Hide the PHP version to your response headers so attackers don’t know which known vulnerabilities might be hiding in your version.

Whitelist given directories

open_basedir = "/var/www/yoursite.com:/tmp/"

Tell PHP to whitelist the given directories. This prevents attackers from accessing any other part of your file system. Note that you must include every directory PHP needs access too, including the temporary file upload directory and session storage location.

Never display errors

display_errors = 0

Errors should never be displayed to the end-user as they might give away important information about your setup to attackers.

Disables dangerous PHP methods

disable_functions = exec,passthru,shell_exec,system,
proc_open,proc_close,proc_terminate,popen,curl_exec,curl_multi_exec,
show_source,posix_kill,posix_getpwuid,posix_mkfifo,posix_setpgid,
posix_setsid,posix_setuid,posix_setuid,posix_uname,php_uname,syslog

Disable dangerous PHP methods so that attackers cannot use them to compromise your system.

Disable remote URLs

You might also want to consider disabling the following options:

  • allow_url_fopen = 0
  • allow_url_include = 0: Don’t allow PHP to open remote URLs because remote content cannot always be trusted.
  • file_uploads = 0: Disable file uploads if your website does not need them.

However, if you do need file uploads for a document manager such as DOCman or a file and media manager like FILEman, you should leave these options untouched.

Choose a reliable hosting company

Finally, the same rules apply to your PHP installation and web server as your Joomla and extensions: make sure to keep your PHP version up to date or choose a hosting company that proactively does this for you.

You can find a list of PHP versions that are out of date here: php.net/eol.php. If you are running any of the versions in this list your Joomla site is very likely at risk.