Make Joomla! CMS Security your #1 Priority
We adopt a proactive approach to helping keep Joomla!® CMS websites safe and secure.
This guide is produced as part of this proactive approach.
If you need help and support administering or using a Joomla! CMS website then give us a call.
We provide Joomla! coaching, help and support for business managers and organisations across Cheshire, Manchester, Merseyside, North West England & the UK.
"Security is a moving target, so today's expert might be tomorrow's victim"!
Useful Security Checklist
Look for a web hosting company which complies with the Security and Technical Requirements published by the Joomla! Project.
We also recommend that you pay close attention to PHP, MySQL and server location.
We can offer friendly impartial advice to customers to help them choose the most appropriate hosting solution for their Joomla! website.
Check the server hosting your website is using the latest available release for a given version of PHP and MySQL.
We tell you how to check and consider which versions to use in this guide.
It is essential then that keep your Joomla! CMS and its extensions up to date.
To not do so will leave your website vulnerable to being compromised by hackerists.
This truth means that regular website maintenance by YOU is essential to protect your website.
Always Back Up before performing updates
Updates can and do break websites.
Even better, perform weekly routine backups.
And know how to recover your website should it ever be compromised.
In other words, learn how to restore a backup.
When you visit the Joomla! Extensions Directory (or JED) you will find thousands of great extensions.
Resist the temptation to grab loads and start installing them on your website without taking precautions.
Some extensions will break your website and not all extensions are well supported.
Some are totally insecure.
The fewer extensions your website uses the better, so get rid of those you are not using.
We use fewer than 10 in our own website.
And before using an extension for the first time, browse the Joomla! Vulnerable Extension List (or VEL).
It is worth periodically checking that an extension you have used for a while has been added to the VEL.
Developers sometimes stop supporting their extensions.
And sometimes they break the JED's listing rules.
If you value your Joomla! website then protect it.
Install, configure and maintain a Web Application Firewall (or WAF).
If you value your website then you should install a WAF.
We are Joomla! Specialists offering personal Joomla! CMS Support.
We coach managers who have responsibility for Joomla! CMS websites in businesses and organisations across the UK.
Create unique usernames and complex unique passwords for your website control panel and your hosting control panel.
Never store passwords in unencrypted form or in your browser's cache.
It is easy to forget about the device you use to connect to the web and your website.
Keep your device's Operating System and Web Browser up to date.
The same applies to other applications you use to connect to the web,
When you add an SSL Certificate to your website's domain the URL will change from HTTP to HTTPS.
HTTPS signifies that your website is protected by an SSL Certificate.
And that traffic to and from it is encrypted during transit.
This includes your user credentials, meaning they cannot be read.
Many website hosting companies enable you to add a free Let's Encrypt SSL Certificate to your domain.
Only ever sign into your website's Dashboard using a URL that begins with HTTPS.
If you cannot do this with your website then you need to add an SSL Certificate to your website's domain - see above.
Always sign out using the sign out (or log out) button provided.
The security risk of not clicking a sign out button when you have finished editing your website may be quite low if you are the sole user of a device.
But not when you share access to your device or you are using it in a public place.
Never leave your device unattended whilst you are signed in as a user with special permissions.
Harden your website's security
From time to time the Joomla! Project may recommend that you make changes to harden your website's security.
When they do you will see an Installation Message in your website's dashboard after you update your website's Joomla! CMS.
We recommend that you password-protect the Administrator directory to hide your website's Dashboard from public view and protect it from a brute-force attack.
This can be achieved via the Directory Privacy screen in your Hosting Control Panel.
When Directory Privacy is enabled you will see a Login Panel like the one shown below before you see the Dashbaord Login panel.
You can further restrict access to your website's Dashboard by installing a Web Application Firewall (WAF).
We recommend Akeeba Admin Tools PRO.
Admin Tools PRO enables you to easily password-protect the Administrator directory and enable use of a secret URL to cloak your Dashboard URL.
Enhance User protection by adding an SSL Certificate to your website's domain.
SSL will encrypt user credentials when they sign in.
Ensure that all Users with Special Permissions are not using weak user credentials.
We recommend using a long complex password and a unique unusual username.
You may also wish to consider using Multi-factor Authentication when you choose to publish the Login Module in the Front End. This will help protect your website from brute-force attack.
And change the default Access Level for the System - Debug Plugin from Public to Super User.
This last recommendation is prompted by an interesting article in the November 2022 issue of the Joomla! Community Magazine.
Usernames and Passwords.
Protect your Joomla! CMS from Malware.
Keep Spambots Out.
Beware telephone fraudsters.
Be on the look out for anything unusual.
Review Installation Messages.
Make Joomla! CMS Security your #1 Priority
We offer Joomla! coaching, help and support to businesses and organisations across Cheshire, Manchester, Merseyside, North West England & the UK.