As Joomla site recovery specialists, we’re regularly approached for help and see the same Joomla vulnerabilities come up time and again. What’s sad is that they are incredibly easy to correct, but once a Joomla site is hacked it comes at considerable cost to get it fixed and secure again.
The Security Issues
#Issue 1: Build it and Forget It
The number one cause of hacked sites is lack of maintenance. Maintenance is incredibly simple and doesn’t require much investment in time, but most sites get hacked simply because they do not stay up to date with the security releases for the Joomla core or its extensions.
The problem stems from the fact that hackers are more and more aggressive and use automated tools to execute attacks at scale. 10 years ago you could leave a site as it was for several years, but these days any open source software, including Joomla, requires ongoing maintenance and the application of security patches.
The web is a wild west and your website needs to stay up-to-date if you’re going to keep the desperadoes out.
The fix:
- Create a schedule for checking for and applying updates.
- Sign up for notifications from the Joomla vulnerability database and the Joomla core security notification list.
If you’re the site builder: make sure to offer your clients some form of maintenance service. Include it on any estimates or proposals you provide them, along with the rationale for why it is important.
#Issue 2: Lazy Passwords
If you don’t take password security seriously, your site will be hacked. Password guessing is an incredibly common attack because of how often it’s successful. No one likes to have to remember difficult passwords but it is essential to security.
Passwords that are relatively short, or that are simple words with numbers, are quickly guessed using automated “brute force” attacks.
The fix:
Use long passwords that are nonsensical and include a few special characters, but that you can still remember. This works because length creates complexity: as long as there is some variation, a long password is difficult for a computer script to guess.
For example: president!Tokyo!furious!zebra
If you’re the site builder: make sure to explain to your clients why this is important and provide them with these longer passwords.
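To put rough numbers on the point above, the following added example (not part of the original article) estimates guessing effort for a password when the guessing tool already knows the common patterns. The word-list size and the sample passwords other than the article’s passphrase are assumptions, and the estimate only holds when the words are picked at random.

```python
import math
import re
import string

WORDLIST_SIZE = 20_000  # assumed size of the word list a guessing tool tries first
SYMBOLS = len(string.punctuation)  # 32 printable ASCII symbols


def estimate_bits(password):
    """Estimate guessing effort in bits, assuming the guesser knows the pattern.

    Each run of letters costs at most one word-list lookup, each digit is one
    of 10 values, and every other character is one of 32 symbols.
    """
    bits = 0.0
    for token in re.findall(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]", password):
        if token[0] in string.ascii_letters:
            as_word = math.log2(WORDLIST_SIZE)
            as_letters = len(token) * math.log2(52)
            bits += min(as_word, as_letters)  # take the cheaper way to guess it
        elif token[0] in string.digits:
            bits += len(token) * math.log2(10)
        else:
            bits += math.log2(SYMBOLS)
    return bits


def rank(passwords):
    """Return (password, bits) pairs, weakest first."""
    return sorted(((p, round(estimate_bits(p), 1)) for p in passwords),
                  key=lambda pair: pair[1])


# Constructed samples; the last one is the passphrase from the article.
SAMPLES = ["summer2019", "Joomla123!", "president!Tokyo!furious!zebra"]

if __name__ == "__main__":
    for password, bits in rank(SAMPLES):
        print(f"{bits:6.1f} bits  {password}")
```

Every additional bit doubles the number of guesses required, so the gap between a single word with digits and four separated words is far larger than the difference in length suggests.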
#Issue 3: Self Hosting (or Bottom Barrel Hosts)
It’s not difficult to get a virtual private server, dedicated server, or even an in-house box set up. For some agencies and freelancers it’s attractive because you can host many sites at a cost savings compared to shared or reseller hosting. However, it’s critical that the server environment is set up with the security packages and configured correctly. Additionally, just like for any Joomla website, servers require maintenance in order for the security to remain effective.
Even if your Joomla site is in good shape, if your server is vulnerable, you’re going to end up hacked. We get many requests for help from agencies and individuals that have self hosted or chosen bottom barrel hosting providers and ended up in trouble.
The fix:
Either use some form of a managed server or hire a system administrator to regularly audit your server security.
#Issue 4: Poorly Chosen Extensions & Templates
Poorly chosen extensions and templates often create flaws in Joomla security (more on this below). Here are a couple of common scenarios:
- A site builder needs functionality which is more esoteric and has a hard time finding a solution. They find an extension which fits the need fairly well, but doesn’t appear to be of high quality or well-maintained. They install the extension anyways and trust that everything will work out.
- A site builder tries to save some money by downloading a commercial extension or template from a free scripts website rather than from the developer (it’s not quite pirating because it’s open source, but it is still unethical because they are stiffing the developer by not supporting their work).
In these scenarios, not only may holes be created in the site’s Joomla security, but the site builder may also be actively incorporating malware and other malicious code without realizing it.
The fix:
Use extensions and templates from reputable sources. If you can’t find one, either hire a Joomla developer or Joomla development company to create it bespoke or find another solution for the need if you can’t afford custom work.
Sometimes it’s better to do without than to do with!
#Issue 5: Legacy Directories/Code
For any site that’s been on the web for more than a couple years, it’s likely that it has accumulated some legacy code. If this code isn’t cleaned up, it significantly increases the chances that the site will be compromised. This is because over time more and more vulnerabilities are discovered by hackers.
The 3 most common scenarios:
- The webmaster or site builder installs an extension, doesn’t end up using it, and forgets about it.
- A Joomla developer working on the site creates a staging or backup directory to test some updates in and once the updates are incorporated in the live site forgets to remove the staging directory from the server.
- The website uses multiple applications and while one is actively updated the others are neglected. For example, a Joomla site with a WordPress blog that is not updated.
The fix:
- Once or twice a year audit your Joomla extensions for anything that you’re no longer using and uninstall it.
- Check for and remove any staging or backup directories. Whenever you’re finished using a staging directory, make sure you clean it up as a final step.
- Remember that vulnerabilities can be exposed by any code on your server, so make sure to keep all applications updated with the latest security patches.
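The audit in the last two steps can be partly automated. The following added example (not part of the original article) walks a web root and reports nested Joomla or WordPress installs and directories with staging or backup style names. The marker files and the name list are heuristics chosen for this example, and the sample tree is constructed.

```python
import os
import re
import tempfile

# Files/directories whose joint presence marks an application root.
# Heuristic chosen for this example; extend for other applications.
MARKERS = {
    "joomla": ("configuration.php", "administrator", "libraries"),
    "wordpress": ("wp-includes/version.php",),
}
# Name tokens that suggest a leftover copy (assumed list).
LEFTOVER_TOKENS = {"staging", "stage", "backup", "backups", "bak", "old"}


def detect_app(path):
    """Return the application whose markers all exist under path, else None."""
    for app, markers in MARKERS.items():
        if all(os.path.exists(os.path.join(path, m)) for m in markers):
            return app
    return None


def audit_webroot(webroot):
    """Return sorted (relative_path, application, leftover_name) findings."""
    findings = []
    for current, dirs, _files in os.walk(webroot):
        rel = os.path.relpath(current, webroot)
        if rel == ".":
            continue  # the live site itself is not a finding
        app = detect_app(current)
        tokens = set(re.split(r"[^a-z0-9]+", os.path.basename(current).lower()))
        leftover = bool(tokens & LEFTOVER_TOKENS)
        if app or leftover:
            findings.append((rel, app or "unknown", leftover))
            dirs[:] = []  # report the top of the tree once, skip its children
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed layout: live Joomla site plus three leftovers."""
    for rel in ("administrator", "libraries", "images", "site_backup",
                "staging/administrator", "staging/libraries", "blog/wp-includes"):
        os.makedirs(os.path.join(root, rel))
    for rel in ("configuration.php", "staging/configuration.php",
                "blog/wp-includes/version.php"):
        open(os.path.join(root, rel), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, app, leftover in audit_webroot(tmp):
            print(f"{rel}: application={app} leftover-name={leftover}")
```

Each finding is a prompt for a decision: remove the directory, or confirm that the application in it is actively maintained and patched.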
What About Joomla Security Holes?
Joomla is developed by veteran developers who are highly aware of the security environment of the Internet and the risks involved. Joomla has a built-in security model to combat common vulnerabilities in web applications. Because of these factors, even though the core application is under an incredibly high level of scrutiny by hackers it rarely has significant security issues and when they are discovered they are patched very quickly.
Security holes are more likely to appear in poorly coded extensions that don’t use the Joomla security model due to the inexperience or laziness of the developer. This is why it’s critical to be particular when choosing extensions and not to haphazardly install everything that might work.