Joomla! CMS Security

Look for a web hosting company which complies with the Security and Technical Requirements published by the Joomla! Project.

We also recommend that you pay close attention to PHP, MySQL and server location.

We can offer friendly impartial advice to customers to help them choose the most appropriate hosting solution for their Joomla! website.

Read more: Choose a hosting company with care.

Check the server hosting your website is using the latest available release for a given version of PHP and MySQL.

We tell you how to check and consider which versions to use in this guide.

Read more: About PHP & MySQL.

It is essential then that keep your Joomla! CMS and its extensions up to date.

To not do so will leave your website vulnerable to being compromised by hackerists.

This truth means that regular website maintenance by YOU is essential to protect your website.

We offer guidance, support and coaching.

Guidance: How to update your Joomla! CMS.

Support: WYNCHCO Joomla! CMS Support.

Coaching: Learn how to keep your Joomla! CMS safe & secure.

Always Back Up before performing updates

Updates can and do break websites.

Even better, perform weekly routine backups.

And know how to recover your website should it ever be compromised.

In other words, learn how to restore a backup.

Read more: How to back up your Joomla! CMS.

When you visit the Joomla! Extensions Directory (or JED) you will find thousands of great extensions.

Resist the temptation to grab loads and start installing them on your website without taking precautions.

Some extensions will break your website and not all extensions are well supported.

Some are totally insecure.

The fewer extensions your website uses the better, so get rid of those you are not using.

We use fewer than 10 in our own website.

Read more: How to uninstall 3rd party extensions.

And before using an extension for the first time, browse the Joomla! Vulnerable Extension List (or VEL).

It is worth periodically checking that an extension you have used for a while has been added to the VEL.

Developers sometimes stop supporting their extensions.

And sometimes they break the JED's listing rules.

Browse the Vulnerable Extension List.

If you value your Joomla! website then protect it.

Install, configure and maintain a Web Application Firewall (or WAF).

If you value your website then you should install a WAF.

Read more: Web Application Firewall.

Regularly visit the official Joomla! website to check for new releases of the Joomla! CMS.

Read more: www.joomla.org.

Use the Joomla! RSS News Feeds, including:

• Security Announcements,
• Joomla! Announcements, and
• Community Magazine.

Joomla! Project RSS News Feeds.

We are Joomla! Specialists offering personal Joomla! CMS Support.

We coach managers who have responsibility for Joomla! CMS websites in businesses and organisations across the UK.

Read more: Learn how to keep your Joomla! CMS safe and secure.

Create unique usernames and complex unique passwords for your website control panel and your hosting control panel.

Never store passwords in unencrypted form or in your browser's cache.

Read more: Usernames and Passwords.

It is easy to forget about the device you use to connect to the web and your website.

Keep your device's Operating System and Web Browser up to date.

The same applies to other applications you use to connect to the web,

Read more: Protect Your Web Connection.

When you add an SSL Certificate to your website's domain the URL will change from HTTP to HTTPS.

HTTPS signifies that your website is protected by an SSL Certificate.

And that traffic to and from it is encrypted during transit.

This includes your user credentials, meaning they cannot be read.

Many website hosting companies enable you to add a free Let's Encrypt SSL Certificate to your domain.

Read more: Use an SSL Certificate with your website.

Signing In

Only ever sign into your website's Dashboard using a URL that begins with HTTPS.

If you cannot do this with your website then you need to add an SSL Certificate to your website's domain - see above.

Signing Out

Always sign out using the sign out (or log out) button provided.

The security risk of not clicking a sign out button when you have finished editing your website may be quite low if you are the sole user of a device.

But not when you share access to your device or you are using it in a public place.

Never leave your device unattended whilst you are signed in as a user with special permissions.

We recommend that you password-protect the Administrator directory to hide your website's Dashboard from public view and protect it from a brute-force attack.

This can be achieved via the Directory Privacy screen in your Hosting Control Panel.

When Directory Privacy is enabled you will see a Login Panel like the one shown below before you see the Dashbaord Login panel.

Read more: cPanel Dashboard.

You can further restrict access to your website's Dashboard by installing a Web Application Firewall (WAF).

We recommend Akeeba Admin Tools PRO.

Admin Tools PRO enables you to easily password-protect the Administrator directory and enable use of a secret URL to cloak your Dashboard URL.

Read more: Web Application Firewall.

Enhance User protection by adding an SSL Certificate to your website's domain.

SSL will encrypt user credentials when they sign in.

Read more: Use an SSL Certificate with your website.

Ensure that all Users with Special Permissions are not using weak user credentials.

We recommend using a long complex password and a unique unusual username.

Read more: Joomla! CMS Security.

You may also wish to consider using Multi-factor Authentication when you choose to publish the Login Module in the Front End. This will help protect your website from brute-force attack.

Read more: Joomla! CMS Multi-factor Authentication.

And change the default Access Level for the System - Debug Plugin from Public to Super User.

This last recommendation is prompted by an interesting article in the November 2022 issue of the Joomla! Community Magazine.

Read more: How my new Joomla 4 website got hacked.