Tips to prevent and secure Joomla 3 from being hacked

Here follow a list of tips to keep your site secure and prevent the most common attacks that use know exploits in Joomla websites.

Security tips

Prevent script execution in .htaccess 


There is something easy that can save your site from being hacked and used as source for spam senders. In some hacked sites I found lot of malicious php files inside sub-sub-subfoders of media, images or tmp joomla default folders. Why there? Because when your site has been hacked you start to search for vulnerabilities among third-party plugins or components and you don’t care about images. You can solve this problem preventing the execution of php/sh file inside specific folders using these few lines in your htaccess file immediatly after “Rewrite engine on”:

This code works great but I found some problems with the media folder. Using such extensions like JCH Optimize or JReviews could cause unwanted errors due to php scripts used by these extensions inside the media folder. So if you experience some of issues just delete or comment the second line.

Prevent SQL injection

This is one of the common ways used to take information about data stored in your DB. For this reason is very important to change your tables prefix and keep it secret within yout configuration file (we will see soon how). This hacking joke works sending sql queries inside a url request. To prevent SQL injection in Joomla sites you can install a free plugin, Marco’s SQL Injection, it will protect you blocking and sending email alerts when an hacking attempt is detected. Another useful option of this plugin will give you possibility to temporary block IP addresses where attacks are coming from.

Hide configuration file

As mentioned before, you should keep secret all informations inside your configuration.php file. This is not a “must to do” security tip, but if you want to avoid problems you should give it a try. Joomla has two files where paths are defined. These file, define.php, are inside the include folder of the root and administrator root:

  • administrator/includes/defines.php
  • includes/defines.php

Here you have the following line:

Simply change this line with:

where conf is a folder outside your public_html (or www). This way also if someone can have access to your files, he will not be able to go up the root directory of your website.

Be careful: I already said that this solution is good but can give some problems. In fact, if you update your Joomla, the defines.php file will be restored to the original version and Joomla will not be able to find the configuration.php and throwing an error.

File and folder permissions

This should be the first and most clear advise to follow for every website. I’m not going to explain here the importance of file permissions in Linux machines, just remember that you are the owner of your file and no one should have chance to write or delete inside your website’s file list. How to change permissions for Joomla files and directories?

  • Folders permissions 755
  • File permissions 644

Don’t you know how to do that? No problem, install Admin tools, free version is enough. Once installed you will find a panel with some usefull functionality, one of these is “Fix permissions”. It’s done!

But if you don’t want to install one more component (yeah do not full your joomla, it could get mad!) and you have an SSH access to your server you can easily change permissions and owner of your files with these simple commands:

and to change file permissions: