Joomla! is second largest CMS (after WordPress) downloaded over 68 million times and latest research by SUCURI reveals second infected website platform. Joomla! sites, especially ones running older versions of the CMS or it’s extensions are a very popular target for both experienced hackers and script-kiddies alike. In this guide, we’ve taken some time to detail a few measures which can be taken to address Joomla! Security – the basic security checklist for Joomla! (and not only).

Besides the dangers of a data breach itself, there is also the risk of reputation and credibility loss to those who fall prey to an attack on their web site security. There will always be a threat to security whether it be open source or proprietary CMS (closed source). Therefore, precautions should be taken to prevent and secure your site as much as possible. The checklist can be used to plan and control the security of any content management system. This allows you to eliminate (or at least reduce) human error.

Before Joomla! or QuickStart installation

  • Choose hosting company which offers : regular backups, Web Application Firewall, Antivirus scanner,  latest version of PHP and options to change PHP settings
  • Choose PHP in version 7.2 or 7.3
  • Create a new database and user — use strong password
  • Download the latest version of Joomla! (3.9+) or Quickstart from developer site
  • Determine what extensions you'll need, and then make sure they are not on the endangered list
  • Create a account SFTP/FTP — use strong password, password for FTP must be different from this one used to login to hosting panel
  • Scan your PC/Mac with good antivirus and malware tool
  • For files transfer use FTP over SSL/TLS (FTPS) or SSH File Transfer Protocol (SFTP)
  • Check & set all PHP directives according to following recommendations:

Installation and first steps after

  • Enable Offline mode
  • Disable site indexing
  • Do not use "admin", "root" name etc. for a main super administrator account
  • Rename file name from htaccess.txt  to .htaccess
  • Inside .htaccess file put extra security rules, for example use 6G FIREWALL/BLACKLIST (perishablepress.com/6g/)
  • Check and if necessary fix the directory and file permissions
  • Keep only what you need - uninstall those extensions which you do not need
  • Remove all demo users with weak logins/password
  • Disable user registration if you don't need it
  • Enable Search Engine Friendly (SEF) in SEO settings section
  • Turn off (Disable) Showing errors, set to None in Global Configuration

For existing online stores and websites

  • Check PHP version - correct if necessary
  • Check PHP directives settings - correct if necessary
  • Scan your site with firewall and antivirus tool (it can be from component or standalone script like AI-BOLIT)
  • Make a full back-up
  • Uninstall all unused components, modules and plugins
  • Update all extensions  which have updated versions
  • Update Joomla! to latest version
  • Remove FTP settings from Global configuration
  • Check .htaccess file - update it settings
  • Delete all fake, not used and inactive users accounts
  • Rename user logins with too simply names (like "admin" for example)
  • Check /images folder for all kinds .php, .bin files - remove them
  • Disable User registration - if not used
  • Enable ReCaptcha or HiddenCaptcha
  • Create a account on Google Webmaster Tools  and add there URL of current site
  • Install security extension (at least Firewall)
  • Enable SSL for Domain and website (especially for online shop)
  • If site still uses jos_ database table prefix - rename
  • Secure Joomla! Login Admin area
  • Use a custom favicon instead of Joomla's favicon
  • Check content of sitemap XML file
  • Remove all fake or Lorem ipsum content
  • Install a auto backup component - make updates regularly