Tips to Protect Your Joomla Site from Hackers

There several ways to make hacker job as difficult as possible. If you run a Joomla 3.5 (or older) website, you should absolutely take at least basic steps to secure it against intruders. Some facts, according to Sophos Labs,  30,000 new sites a day that are hacked! Yes, that’s a shocking number. I guess you want be part of this stats.

Some of them (site owner) may say: “It won’t happen to me. I have small site, shop only.”. But for hackers, criminals or extremist, it doesn’t matter – they will destroy content or add hidden links because they want and can. We want to help you secure your CMS website from the get go – prevention is better than cure, so make sure you action these tips to prevent Joomla hacking.



You would be surprised how many sites have old version of CMS. It wasn’t updates for several reasons: no time (really?), no money (for migration service) and I didn’t know this is important. You should always ensure your Joomla is at the latest version, which has fixes for all known security holes. Update all your  components, modules and plugins and templates continually. Thousands of websites are hacked daily due to them using outdated extensions or even templates installed on them. In past we heard about Rocketheme and Gavick issues in security topic.


Official support for PHP 5.3 is discontinued since August 2014. PHP 5.5 security support ended July 10th 2016. PHP 5.6.0 to 5.6.5 inclusive were released more than two years ago. These old, obsolete, EXTREMELY INSECURE (= you ARE going to get hacked if you use them) versions also have very signifficant bugs in the way they handle code optimisation. These bugs cause our software to fail when trying to read the permissions of certain files. This is NOT an issue with Joomla! and JoomShaper software, it’s an issue with PHP itself. By pure coincidence these PHP bugs were not triggered by previous versions of our software. This version works around this issue by reordering three lines of code. If you are not using the very latest PHP 5.6 version (5.6.25 at the time of this writing) your site WILL get hacked because of KNOWN security issues. We strongly recommend using PHP 5.6 or 7.x.


Sometimes people want to secure sites which have been already hacked (infected) and they do not know about it. Please first make a full analysis of your website to detect and remove common malware. Read more in our past blog post >here<. Second, the issue is that most website owners using Joomla do not change their default configuration. It means for example: rename htaccess.txt into .htaccess, disable registration in User Manager, set short URLs.

Backup all the files of your website and do a full database backup. It’s good idea to have backup component, it doesn’t have to Akeeba Backup there are also others which works pretty well.  Important note! Stores these backup files on your computer / remote drive not on your current website. Why? Because in case if hacker get access somehow we will be able to download it too. Besides deleted or broken files on server means no backup – yes.


Did you know that over 1/4 websites were hacked through server vulnerabilities. Yes, old PHP version, unsecured folder settings…many small things can lead to point when someone will get into your website code with malware. Many sites are hosted on shared servers. Basically, if one site on a shared server gets infected, every other site is at risk, regardless of how secure the site/shop/blog is otherwise. Cheap hosting services cannot guaranty you nothing else besides space on their servers, no built-in firewalls, or even full backups. Remember that not Joomla or any other CMS is first line of defense from hacker, but hosting does.


Most hacking these days is performed as an entirely automated process, with bots searching Google finding vulnerable sites and probing them for exploitation opportunities.  Using short URLs may help. But this is only first step. Second step would be remove Joomla generator metatags. It can be done by using a ByeByeGenerator plugin or RSFirewall which has this option enabled by default. It would be nice also to remove all “power by …” links. Of course we suggest to buy a PRO version if necessery.  The last “fog” technique is based on rules inside .htaccess file. They can ban several hackers/spammers bots from your site. Here is a useful example:


Many bots and your hackers tries to login into admin section using brute force attacks until the password is cracked. They’re helped immensely when the username is known, so there’s a hint not to use that popular old Joomla chestnut, admin. Dictionary attacks , meanwhile, throw A-Z word lists against the password and hybrid attacks  morph brute force and dictionary techniques to crack basic keys such as Tom1980. To prevent it you can use few techniques which increases your Joomla Security with an additional restriction to the administrator url and effectively prevents unauthorised access to the administrator login page.

  •  jSecure Lite – component prevents access to the administration (back end) login page if the user does not use the appropriate access key. Only users who enter the secret key will be able to access your admin area. Pro version have more features like IP or Country Block.
  • AdminExile – very good plugin which allows you add extra security layers to /administrator section by requiring a specific key to be present in the URL. It has White/Black IP lists, you can define a network range, it has brute force detection and protection.
  • Brute-Force Stop– another good free extenstion who stores information on failed login attempts, so that when reaching a configurable number of such failed login attempts the attacker’s IP address can be blocked.
  • RSFirewall – has a option to ban IP of the user/bot if he tried to login too many times.</li> <li style=”text-align: justify;”>pFirewall – it may prevent any automated activity like brute force login or mysql injection. It supports all popular search engines bots, doesn’t block them.
  • Using combination of .htaccess and .htpasswd files you can protect /administrator folder from all attempts also it can stop basics brute force.

Protect Against Brute-force

For the past week, We’ve been monitoring activity from a set of IP addresses involved with brute-force login attacks. This kind of login attacks involve systematic guessing of passwords using various common usernames such as “admin” and “qwerty”. Each of these IPs continues to attempt brute-force login attacks, and may be successful blocked with  .htaccess file:

You can block also IP from selected countries as well, use generator from that site:


If you’ve finished all main jobs on yours site check if you really need all installed plugins or components. Delete all unused templates (also core ones), components and plugins. Do not download and install templates/plugins/components that are not from trusted marketplaces. Attacker may target extension that vulnerability issues, so if you do not use it, it is not worth keeping. This will protect you from SQL injection vulnerability.


Prevent Joomla hacking through security plugins or components. There are serveral popular on the market, some developers offers Lite/Free versions as well – if you do not have money right now you can use them, otherwise, strongly recommend the use a PRO / Commercial versions. There are some suggestions:

  • Akeeba Admin Tools Pro
  • RSFirewall
  • Securitycheck Pro
  • DMC Firewall

Note! Above tips are not fool-proof but they do raise your security level over most of the sites! Of course we will update this blog post in near future