Make Joomla! CMS Security YOUR #1 Priority

joomla support cheshire manchester merseyside north west ukWe adopt a proactive approach to helping Joomlers keep their Joomla!® CMS websites safe and secure.

This guide is produced as part of this proactive approach.

If you need help and support using a Joomla! website then give us a call.

We provide Joomla! coaching, help and support for business managers and organisations across Cheshire, Manchester, Merseyside, North West England & the UK.

Contact Customer Support on 0161 818 8228.


Today's website security threat landscape

"Security is a moving target, so today's expert might be tomorrow's victim"!

Source: The Official Joomla!® Security Checklist.

Watch this great webinar recorded by Tony Perez, CEO of SUCURI, in November 2016.

In it he covers:

  1. some of the latest tactics, techniques and procedures being used by cyber criminals,
  2. the reasons why attackers hack a website,
  3. some of the various ways you can protect your website.

Watch: Today's website security threat landscape.

A Useful Security Checklist


View Official Joomla! DocumentationSecurity Checklist


Play VideoGetting started with Joomla! CMS Security


Make Joomla! CMS Security YOUR #1 Priority

joomla support cheshire manchester merseyside north west uk

We offer Joomla! coaching, help and support to businesses and organisations across Cheshire, Manchester, Merseyside, North West England & the UK.

Learn how to manage Joomla! website security.

Usernames & Passwords

UNIQUE Usernames

Are you using the username ADMIN when logging into your Joomla! control panel?

If YES CHANGE IT to something totally unconnected with you and your interests.

Are you using your name?

If YES then DON'T.

Use something UNIQUE and which is totally unconnected with you and your interests.

Are you using your email address?

If YES, then is it one that includes your name and which is publicly available on the web?

Oops, create a new email account using a word that is totally unconnected with you and your interests.

By now you have probably got the message!



If you want to protect your Joomla! CMS from a brute force attack then you MUST use a UNIQUE COMPLEX password for every application and website you use, including:

  1. Joomla! CMS Control Panel login,
  2. Hosting Control Panel login,
  3. FTP login (when separate credentials are supported by your hosting company),
  4. email account, and
  5. every other application you can think of.

By COMPLEX we mean:

  1. 16 + characters.
  2. no repetition, usernames, dictionary words, letter or number sequences,
  3. not using relative or pet names, likes, dislikes, romantic links (current or past), or biographical information (e.g., ID numbers, ancestors' names or dates) - or anything you publish in your social media profile!
  4. numbers and special characters as well as letters (Exampl: . - _ ! " £ $ % ).
  5. upper-case and lower-case letters,
  6. random, and
  7. unmemorable.

Some Password Tips

NEVER let your web browser or FTP client remember your usernames or passwords when you are logging in.

DO NOT store passwords in an unencrypted file, for example, a TXT file.

USE a Random Password Generator to create genuinely unique random passwords - see below.

USE a Password Manager application to securely store passwords on your computer or mobile storage device (example: pen drive) in encrypted form - see below.

DO NOT share your username and password for any of these resources with anyone.

IF a website offers two-factor authentication, use it.

Read more: Two Factor Authentication.

Should you change your password often?

This is often recommended.

However, some experts say there is no need to keep changing your passwords providing you:

  • create complex unique passwords, and
  • store them in a secure place i.e. using a Password Manager.

Of course if you suspect a password has been compromised then you should change it immediately.


Protect your Joomla! CMS from Malware 

Malware is any software that is intended to damage or disable a computer or computer system, web server or website.

If your website is infected by malware, then it is likely that your computer has also been infected.

Assume the worst and fix both.

What are the first signs of compromise by malware?

A classic indicator is when you can no longer log into your website as administrator.

Reason: malware infection resulting in password change without your consent.

However, malware will often leave administrator credentials unchanged to avoid you reaching for the bleach!

Another indicator might be that a new Super User account has been added or a new template or some other website content.

How well do you know your website?

If you treat it almost like a pet which you would groom on a regular basis then you will spot when things don't look right.

How to reduce the risk of compromise

  1. Keep your Joomla! CMS and 3rd party extensions up to date.
  2. Use only the latest release of Joomla! CMS and 3rd party extensions.
  3. Change Joomla! CMS and hosting control panel passwords frequently.
  4. Use complex passwords to reduce the risk of brute force attack.
  5. Never visit your hosting control panel except by secure connection (https).
  6. Avoid using FTP unless absolutely necessary.
  7. Never let your browser or FTP client remember your user credentials.
  8. Install, configure and maintain a Web Application Firewall.
  9. Follow the Joomla! Project's advice regarding your website's Global Configuration.

Read more: Review Global Configuration settings to harden website security.

Back up your website frequently

Backing up your website will not prevent malware infection.

It will however make recovering from an infection easier and less problematic.

Read more: How to back up your Joomla! CMS.


Periodically scan your website for malware?

By all means subscribe to a malware scanning service.

These do not however come cheap.

It is preferable to keep the hackers out by locking the stable door before the horse bolts.

And, depending upon circumstances, might be cheaper to get a new horse rather than try and mend the old one!

So if you are going to scan you would do well to start with a scan of your website's Security Headers.

Scan your website for missing Security Headers

See whether Security Headers are missing from your own website.

You will want to add these to your website to improve security.

This can be achieved by customising your website's HTACCESS file.

Not for the faint-hearted but tools exist that will perform this task for you. Read on.

Need help? Just ask.

Install, configure & maintain a Web Application Firewall

We recommend that you actively use the Web Application Firewall (or WAF) to:

  • customise your website's HTACCESS file to improve website security.
  • monitor for and temporarily or permanently block IP addresses which trigger persistent security exceptions.

We recommend Akeeba Admin Tools.

Need help? Just ask.

Keep your computer's OS up to date

OS = Operating System.

We recommend using Linux.

But if you use Windows, Apple or another propriertary operating system, pay close attention to:

  1. User Account Control (UAC) - Turn it ON and set it to ALWAYS notify you when system changes requiring administrator level permission are about to be made.
  2. Ensure that Automatic Updates are set to notify you OR automatically download and install updates.

Some tips when using your computer

NEVER trust email:

  1. NEVER click on links from sources you neither know or trust.
  2. NEVER assume a known source is the person you think it is!
  3. ALWAYS use caution when clicking on email links, especially shortened URLs. Hover before you click. Use a link expander, for example:
  4. NEVER open attached files without scanning for viruses and malware.

ALWAYS turn ON Browser Security Features.

ALWAYS use the latest available release of any applications (example, web browsers, FTP client, Adobe readrer etc).

REGULARLY SCAN your computer for malware. We recommend malwarebytes to users of the Windows operating system.

COACH & MONITOR your colleagues (employees, organisation members etc) to ensure they follow security protocols.


Matthew 7:3

"Why do you look at the speck of sawdust in your brother's eye and pay no attention to the plank in your own eye?" Source: Matthew 7:3

It is easy to blame anyone and everyone else when your website security is compromised by malware.

But actually, the most likely cause of website vulnerability is YOU the website administrator.


Ask yourself these questions

Do you:

  1. log into your website control panel in a public area?
  2. leave your screen unattended whilst logged in?
  3. browse the web in another window whilst logged into your website control panel? 1
  4. use insecure passwords and usernames?
  5. never update your Joomla! CMS and its 3rd party extensions?
  6. never scan your computer for viruses and malware?
  7. not use a computer firewall and keep it up to date?
  8. let your web browser remember your login credentials?
  9. use an out of date operating system on your computer?
  10. never bother to update software installed on your computer?
  11. click on links in emails without thinking? 2
  12. open downloaded files without first scanning them for virus and malware?

If you answer YES to any of the above then there is a plank in your eye!


1. Improvements were made with the lauch of Joomla! 2.5 to reduce the risk of CSRF (cross site request forgery) when someone logged into Joomla! browsed the web in another tab. We still advise caution.

2. Hover before you click. Use a link expander like:


Be proactive

Install and configure a Web Application Firewall?

Customise the Joomla! CMS .htaccess file to further tighten website security.

Periodically scan your Joomla! CMS for malware.

Provide training for members of your team to instill best practice.

Challenge your own behaviour!


Keep Spambots Out!

The Joomla! 3 CMS will by default protect by javascript any email address which you publish using the Contact component.

This will stop your email addresses from being harvested by web scourers.

There are however 2 additional steps you can take to stop spambots from abusing your hospitality:

  • Disable user registration.
  • Disable your website's contact form.

We disable both by default in our WYNCHCO website designs.

You can of course enable both and we tell you how at the following links:

Read more: Manage Users.

Read more Manage Contacts.


Implement a simple user policy

Use it to screen out spambots at the point of entry.

By all means enable user registration but configure user registration settings to ensure that you as Administrator have to confirm registration before new users can log into your website.

If you do then you can screening new users using the website.

If the user name or email is listed, delete the new user account. End of!

Read more: Manage Users.



A great free to use online database of usernames, email and IP addresses of known spambots.

Search the BotScout database.


If you choose to enable:

  • user registration, or
  • your website's contact form

then we recommend that you install and configure the folowing 3rd party extension: ECC+.

Find out more about ECC+ in the Joomla! Extensions Directory.

Read more: Joomla! Extensions Directory.


Beware telephone scammers & fraudsters

We occasionally receive communications from Cheshire Police warning of telephone scams involving fraudsters posing as internet service providers or similar service providers.

These communications remind residents to be vigilant and include useful advice for how to deal with suspected telephone scammers and fraudsters.

Here is our slightly amended version:

  • Put the phone down on someone if you suspect they are a fraudster.
  • Be aware that banks never call and ask for your account or card details or ask you to withdraw money or transfer money to another account.
  • Never assume a caller is genuine just because they hold some information about you.
  • Always be wary of cold callers who suggest you hang up the phone and call them back.
  • Never call a suspected fraudster back.
  • Remember that it takes two people to terminate a phone call.
  • Check that the suspected fraudster is not still on the line before sharing sensitive information with anyone over the phone.
  • Ensure the telephone line is clear by using the same phone to call a relative or friend.
  • If you can speak to a relative or friend using the same phone then you can be certain that a suspected fraudster is not still on the line.

What if you think you have been conned by a fraudster?

If you think you have been a victim of a scam, contact your bank or card company immediately.

Also report the incident to Action Fraud and the Police using the non-emergency number: 101.

Contact: Action Fraud.

Contact the Police: call 101.


Be on the look out for anything unusual 

If you administer a website on behalf of a business or organisation then we recommend that you constantly monitor for:

  • unusual website behaviour,
  • unexpected website content,
  • unexplained files in the File Manager of your hosting control panel.

If you observe anything unusual, get a second opinion.

This could be a friend but if technical in nature then we recommend that you contact your website developer or web hosting company.

Review Post Installation Messages

ALWAYS review Post-installation Messages immediately after updating your website's Joomla! CMS.

If there are any NEW messages then a NOTICE will be displayed at the top of the screen when you sign into your website's Control Panel.

components post installation messages header

Messages which impact on security should NOT be ignored.

Read more: Post Installation Messages.