Would you like to know how to improve the security of Joomla? We have gathered some valuable tips you can follow to protect your site.
In this guide, you will find tips you can put into practice right away in order to improve the security of Joomla.
Bear in mind that the basis of a secure site requires a reliable Joomla server which is why you should carefully choose the hosting provider you trust.
Table of Contents
How to improve the security of a Joomla site
There are several steps you can take to improve the security of a website. What steps should one take and how should those steps be implemented? The answer depends on the platform your site is built with. That's why in this guide we will show you targeted Joomla security tips.
Keep Joomla and all components update
When it comes to keeping a Joomla site secure, updates should be one of your priorities.
When an update to the core (the set of files that make up the central core of Joomla) or an extension is released, it can often happen that there are also security fixes included in that update.
Updating Joomla is in fact not only a way to access the latest features, but also the best way to ensure the security of your website.
Warning: this does not mean that you should always update to the latest version. In fact, keep in mind that sometimes updating creates major problems due to incompatibility issues.
What you need to do is read the notes that accompany the release of new versions and update when patches that fix Joomla vulnerabilities are included in the update.
Beware of extensions with known vulnerabilities
Joomla periodically updates the list of extensions with vulnerabilities. You can check it out from Joomla.org in the "Vulnerable Extensions" section.
If one or more extensions you have on the site are on this list, it is highly recommended that you uninstall it/them.
After that, you can look for an extension with the same functions.
When the problem with the extension is fixed, you will find it in the list of extensions that have been patched and you can use it again on your site.
Only use reliable extensions and templates
Another danger to the security of a Joomla site is third-party extensions and templates.
To play it safe, in addition to consulting the list of extensions with known problems (as we have just seen), there is another important thing one must do.
Always check the source and make sure that the extensions and templates you install are developed by credible companies and developers.
Update version of PHP
Joomla vulnerabilities can also depend on the PHP version you are using.
To make the site more secure, it is best to check the current version of PHP.
Depending on the provider, you can check which one it is by the hosting control panel. For example, from cPanel you can check with one click.
To do this check directly from the Joomla platform, you can go to System > System Information.
From here you can check the PHP version in use, as shown in this screenshot:
You can then check PHP.net to see if the version you are using is still supported and is receiving security updates. If it is not, it means it is time to update it.
Keep in mind that in some cases, you may see a warning message when you access the administration area of your Joomla site, as shown in this example.
The procedure for upgrading depends on your provider. With SupportHost, you will always have the option to set the version you prefer and you can do it independently.
Use HTTPS connection
Make sure that an SSL certificate is installed on your site. This certificate is essential to activate the HTTPS protocol on your Joomla site.
Compared with HTTP, HTTPS is a secure protocol to protect the information flowing to the website.
If you choose reliable hosting, the provider will provide you with all the tools to secure the site.
With our CMS hosting, such as plans for Joomla, WooCommerce hosting and those designed for resellers including LiteSpeed reseller hosting, you will have the free SSL certificate from Let's Encrypt already installed and active.
This means you can use the HTTPS protocol on your site without having to install the certificate yourself.
What about with the other plans?
If you choose an unmanaged plan like our unManaged VPS cloud, you’ll have to install the SSL certificate yourself.
Joomla security: how to protect the administration area
In this section, we are going to look at tips and tricks to make a Joomla site more secure.
We’ll take a look at the following points specifically:
- The importance of using effective and complex credentials;
- How to restrict access to the back end of the site using two different methods;
- How to enable an additional layer of protection with multi-factor authentication;
- why it is important to check the permissions of users who have access to the site.
Use secure passwords
Often the solutions that seem the most obvious to us are the most effective.
When people think of site security they think of using firewalls or plugins. In reality, there are better practices that you can use from the moment you install Joomla. These are tips that we all know and end up underestimating.
One of these is precisely the choice of password.
Or rather, to be more precise, the combination of the username and password.
Avoid by any means using common usernames such as "admin" and simple passwords. The best thing to do is to create a complex and long password and not reuse the same password for several sites.
Hide access to the administration panel
The reason you should not use passwords and usernames that are easy to guess is that hackers who want to gain access to your site can exploit a type of attack called brute force.
Brute force attacks consist of trying to enter common credential combinations to try to "force" access. As the complexity and length of the password increase, these attacks become less and less effective.
In addition to using complex passwords, there is one more step you can take to increase site security and protect Joomla from brute force attacks.
You can change the login address on the site administration page.
By default, the back end of the site is accessed by logging into the following address:
Using an extension like "AdminExile" we can change the back end login URL by adding a secret key. This way, only those who know the correct complete address with the key can reach the login page of our Joomla site.
Basically the admin panel access area will be available at an address like this:
Allowing access only to certain IP addresses.
We can apply an additional security measure on our Joomla site. In fact, we can allow only certain IP addresses to access the administration area of the site.
To do this, we have several methods:
- we can use an extension that allows us to enter permitted IPs and prevent others from getting access;
- we can put a rule in the .htaccess file of the site.
Keep in mind that not all providers will allow you to edit the configuration file. With all SupportHost plans, you will always be able to edit the .htaccess file even directly from the cPanel file manager we provide.
As for the .htaccess file you can use the Deny and Allow directives. Here’s how you do it:
Allow access to only one IP address:
Order Deny,Allow Deny from all Allow from 184.108.40.206
Allow access to multiple IP addresses:
Order Deny,Allow Deny from all Allow from 220.127.116.11, 18.104.22.168
You can enter multiple IP addresses by separating them with commas, or by writing them one per line as shown here:
Order Deny,Allow Deny from all Allow from 22.214.171.124 Allow from 126.96.36.199
In both cases, you will have to replace "188.8.131.52" with the correct IP addresses.
Keep in mind that you must have a static IP to use this system.
Activate two-factor authentication.
Another method of increasing the security of Joomla is to use two-factor authentication, also known as "Multi-Factor Authentication."
In the newer versions of Joomla 3.2.0, multi-factor authentication has been introduced and can be activated directly from the administration panel.
If you haven't enabled it yet, just go to Post-install Messages and then click on "Enable new plugins for multi-factor authentication."
You will then be able to choose which authentication method to use, such as sending a code via email or using an authentication application such as Google Authenticator.
Limiting Joomla user access and permissions.
Joomla has rules that allow you to improve the security level of your site. As for user management, there are three distinct types, each with specific permissions.
Knowing them helps us assign roles correctly.
Tip: From the "Global Configuration" settings you can open the "Permissions" tab to see what the current settings are for each role.
Remember that it's best to give minimal access. For example, if one of your staff members doesn't need to log in and change the site configuration, it doesn't make sense to assign them the Super User role.
In this table, you can see the default permissions based on the user roles. Remember that you can change the permissions from the administration area.
|Role name||Back end access||Create, edit and delete content (articles and media)||Installation/removal of extensions||Changing the global configuration||Adding / Removing Super Users|
As you can see, the user who has all the permissions and complete control of the site is the "Super user," so this is the role you need to assign most carefully.
I recommend that you periodically check the roles assigned by user management. That way you can know if you had created a temporary account with certain administrative permissions, thereby identifying those that are no longer needed and change the permissions or disable that account.
As stated at the beginning, common sense and the actions of users themselves can make all the difference when it comes to website security.
Create frequent backups
Although this is not a real security measure, doing regular site backups could definitely go a long way.
If your site were hacked or tampered with, you would risk losing data and content, and that's where backups come in.
Moreover, relying on a solid and secure hosting service makes all the difference.
At SupportHost, security is our priority and we provide you with the tools to keep your data safe. In order to do that, all of our solutions include automatic daily backups.
For VPS cloud and dedicated server plans, we maintain backups of the last 7 days.
With all other plans, including tailored solutions for Joomla, you will have access to backups for the past 30 days.
Automatic backups are an excellent basis for securing your data. In addition, it is highly recommended to do backups on your own. You can use several tools including easy-to-use extensions such as "Akeeba Backup."
Choosing a reliable hosting solution
Remember that your choice of hosting is crucial to protecting your site.
What can a great hosting service do as opposed to a poor one? A good hosting service can:
- Implement strict security measures to isolate accounts in a shared environment;
- Adopt rules to protect the site from common attacks such as DDoS and brute force;
- Guarantee you automatic backups of your site and database;
- Constantly update the PHP version to make the most secure version available to you at all times;
- Allow you to access the site with a secure connection via SFTP or SSH access.
If you are looking for all these features in a hosting, with SupportHost your site will be one hundred percent safe. We provide you with all the tools necessary to defend your Joomla site and have great performance.
If you want to improve the security of a Joomla site, start by implementing the tips we looked at in this article.
Remember that as a site administrator, you have a crucial role in keeping your site secure. Good practices such as adopting complex passwords and proper management of permissions to users who have access to your site are essential.
In addition to these, there are extra defensive measures you can take as shown in this article.
Finally, don’t underestimate the choice of hosting, the basis of your site must be a secure infrastructure or whatever you do will be useless.
Have you ever had attacks on your Joomla site? Which of these security measures do you take to avoid problems? Let me know in the comments below.