The Joomla! ® Community Magazine

The Two Most Important Things You Can do to Secure Your Joomla Site

Written by Alan Langford | Tuesday, 01 January 2013 00:00 | Published in 2013 January
Maintaining a secure web site is a top concern for many people. Everyone is looking for the one way to make sure their site is always running, safe, and secure. When someone expresses concern about the security of their site, I usually ask them how old their most recent backup is. Most don't know, or don't have any backup at all.

The harsh reality is that no system is ever going to be 100% secure. It doesn't matter what that system is, be it Joomla or the mainframe system that runs your bank account. It's important to keep your system up to date and to defend against hackers, but at the same time keeping your site up and running means defending against several other factors that include hardware failures, failed business relationships, and security issues beyond your control. For example, if your hosting company doesn't keep their control panel software up to date there's nothing you can do — short of switching hosts.

There's no big secret to this: the two most important things you can do to secure your Joomla site are to make good backups and use strong passwords.

The problem is that almost everyone knows this but not many do it. The Joomla security mailbox has a depressing number of reports from people who have a well-maintained system but got hacked anyway. Sometimes they send in their admin login details and the problem is obvious: weak passwords (by the way, never mail your admin password unless someone you trust asks you for it explicitly).

Making a Good Joomla Backup

Start with a hosting company with a good backup plan. A lot of hosts cut corners here by relying on RAID disks and skipping backups. Backups aren't cheap: they increase server load, drive up disk space requirements, require ongoing monitoring, and in the event that there's a problem with a site, usually need manual intervention to do a restore. If your hosting provider promises cut-rate prices, fast servers, and reliable backups all at the same time, odds are they don't have a sustainable business and one or more of those variables will change sooner or later.

Which brings me to the second key point: even if you have a reliable host, don't rely on them for backups! Host backups are essential for a quick recovery of your site, but what happens if your host has a crisis? You may find yourself in a situation where you need to get your site up on another host, and that's not possible if all your backups are located on a server that's crashed. Akeeba Backup is a must-have Joomla extension. It lets you schedule backups, and you should transfer copies of the backup files to a safe location on a regular basis. Akeeba Pro will do this for you automatically, pushing backups to another server or to cloud storage services such as Amazon.

If your site isn't being backed up on a regular basis, get a backup plan in place. You can't do this after your site goes down, so do it now. Please.
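The file-level half of the routine this section describes, as an added example that is not Akeeba's code or the article's own: archive the site tree, record a SHA-256 checksum, copy the archive somewhere the host's failure can't reach (a second directory stands in for another server or a cloud bucket), verify the copy, and prune old local archives. The database dump (mysqldump or Akeeba's own) is assumed to be done separately and placed in the tree before the run; the directory names, labels and the `demo()` site tree are constructed.

```python
"""Back up a Joomla site tree, checksum it, copy it off the host, verify
the copy, and prune old local archives. Added example; the site tree and
directory names are constructed, not from a real deployment."""
import hashlib
import shutil
import tarfile
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 20  # read archives in 1 MiB pieces so big sites don't fill RAM


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, streamed."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(site_dir: Path, store: Path, label: str = "") -> Path:
    """Tar+gzip the site tree into `store` and write a .sha256 beside it.
    The database dump is assumed to already sit inside `site_dir`."""
    store.mkdir(parents=True, exist_ok=True)
    stamp = label or time.strftime("%Y%m%d-%H%M%S")
    archive = store / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
    Path(f"{archive}.sha256").write_text(sha256_of(archive))
    return archive


def copy_offsite(archive: Path, offsite: Path) -> Path:
    """Copy archive and checksum to a place the host's outage can't take
    down with it; a second directory stands in for another server/bucket."""
    offsite.mkdir(parents=True, exist_ok=True)
    shutil.copy2(archive, offsite / archive.name)
    shutil.copy2(f"{archive}.sha256", offsite / f"{archive.name}.sha256")
    return offsite / archive.name


def verify_backup(archive: Path) -> bool:
    """An unverified backup is a hope, not a backup: check the checksum and
    that the archive reads end to end."""
    expected = Path(f"{archive}.sha256").read_text().strip()
    if sha256_of(archive) != expected:
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.getmembers()
    except (tarfile.TarError, OSError):
        return False
    return True


def prune(store: Path, keep: int) -> list:
    """Delete all but the newest `keep` local archives (names sort by date)."""
    archives = sorted(store.glob("site-*.tar.gz"))
    doomed = archives[:-keep] if keep > 0 else archives
    for old in doomed:
        old.unlink()
        Path(f"{old}.sha256").unlink(missing_ok=True)
    return [p.name for p in doomed]


def demo() -> dict:
    """Run the full cycle on a constructed throwaway site tree."""
    root = Path(tempfile.mkdtemp(prefix="joomla-backup-demo-"))
    site = root / "public_html"
    (site / "administrator").mkdir(parents=True)
    (site / "index.php").write_text("<?php // constructed placeholder\n")
    (site / "configuration.php").write_text("<?php class JConfig {}\n")
    (site / "administrator" / "index.php").write_text("<?php\n")
    local = root / "local-backups"
    first = make_backup(site, local, label="20130101-000000")
    offsite_copy = copy_offsite(first, root / "offsite")
    ok_before = verify_backup(offsite_copy)
    with tarfile.open(first, "r:gz") as tar:
        members = sorted(tar.getnames())
    # Simulate damage during transfer: overwrite the first bytes of the copy.
    with offsite_copy.open("r+b") as handle:
        handle.write(b"\x00" * 16)
    ok_after = verify_backup(offsite_copy)
    make_backup(site, local, label="20130102-000000")
    removed = prune(local, keep=1)
    shutil.rmtree(root)
    return {"verified": ok_before, "verified_after_damage": ok_after,
            "members": members, "pruned": removed}


if __name__ == "__main__":
    print(demo())
```

On a real host you would point `make_backup` at the web root, schedule it with cron, and run `verify_backup` on the off-site copy rather than the local one, since the off-site copy is the one you will actually restore from when the host is gone.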

Picking a Secure Administrator Login

Leaving the administrator account named "admin" and using weak passwords are possibly the biggest security risks in Joomla. Every site is under attack by automated scripts that try "dictionary attacks" on passwords, and the simpler the password is, the more quickly the site is compromised. If you leave the default administrator account as "admin", you're doing half the hacker's job for them.

I had a client who insisted on making his password "Apple". After his site was hacked I urged him to pick a more secure password, but he chose to blame Joomla and refused. After his site was hacked a second time, I convinced him to make his password more complex, but he insisted on "Apple1976". The third time I convinced him to add more memorable words to his password and he hasn't been hacked since. Good passwords are important.

I use a password manager to generate long, complex password strings. The password manager lets me paste passwords into login forms so I don't have to struggle with getting 32 invisible random characters right. But you don't have to go that far to be secure. The key to a good password is length. So if your daughter's name is Carol and she was born in 2003, don't just use "Carol2003". Add some other details. For example "CarolAnnSmithJan52003" is just as easy to remember and a little harder to type, but several billion times harder to crack.
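The length argument worked through as an added example (not the article's own code): it estimates the search space a brute-force attacker faces under a simple model (the character classes present, raised to the length), compares the two passwords from the paragraph above, and audits a proposed administrator login against this section's two rules. `audit_admin_login`, `DEFAULT_ADMIN_NAMES`, `MIN_LENGTH` and the guess rate are illustrative assumptions, not a Joomla API or a measured attacker speed.

```python
"""Why length beats cleverness: estimate brute-force search space and audit
an administrator login against the two rules in this section. Added
example; the function names, thresholds and guess rate are assumptions."""
import string

# Character classes an attacker's guesser would have to cover.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
)
DEFAULT_ADMIN_NAMES = {"admin", "administrator", "root"}  # assumption
MIN_LENGTH = 16  # assumption: a sensible floor for an admin password


def alphabet_size(password: str) -> int:
    """Size of the union of the character classes the password uses."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def keyspace(password: str) -> int:
    """Candidates an exhaustive search over the same alphabet and length
    must try; an upper bound on the work, since real guessers try common
    patterns (words, names, years) first."""
    return alphabet_size(password) ** len(password)


def hardness_ratio(weak: str, strong: str) -> int:
    """How many times larger the search space of `strong` is (rounded down)."""
    return keyspace(strong) // keyspace(weak)


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst case for the attacker: wall-clock years to try every candidate
    at the given rate (a constructed rate for comparison, not a benchmark)."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


def audit_admin_login(username: str, password: str) -> list:
    """Findings against this section's rules; an empty list means no complaint."""
    findings = []
    if username.lower() in DEFAULT_ADMIN_NAMES:
        findings.append(f"username {username!r} is a default an attacker tries first")
    if len(password) < MIN_LENGTH:
        findings.append(f"password has {len(password)} chars, fewer than {MIN_LENGTH}")
    if username.lower() in password.lower():
        findings.append("password contains the username")
    return findings


if __name__ == "__main__":
    weak, strong = "Carol2003", "CarolAnnSmithJan52003"
    print(f"{weak}: alphabet {alphabet_size(weak)}, keyspace {keyspace(weak):.2e}")
    print(f"{strong}: search space is {hardness_ratio(weak, strong):.2e} times larger")
    for user, pw in (("admin", "Apple"), ("admin", "Apple1976"), ("alan.l", strong)):
        print(user, pw, audit_admin_login(user, pw) or "ok")
```

Under this uniform-alphabet model the longer password's search space is 62 to the power of the 12 extra characters, which is why the model treats length, not symbol variety, as the lever; the model deliberately ignores that guessers try names and years first, which is exactly the weakness the article's "Apple1976" story describes.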

Now You're Safe

I'll say it again: No site is ever 100% secure. But if you follow these two simple steps, the chances that you'll be hacked drop dramatically, and the chances that you'll be able to recover from a hack quickly are far higher. The worst calls I get are from people who have had their sites flagged as dangerous by Google and who have no easy way to recover. Take these simple steps now and the odds you'll ever have to make that phone call go way down. It's worth the trouble.

Alan Langford

Toronto-based developer, Open Source advocate, deeply committed to the Joomla project. Founding member of the Joomla Security Team, former development team and JBS member, etc., etc.

Comments (15)

  • Alison

    Great info Alan!

    The very first thing I do after I create my base site is install Akeeba and start with the backups.

    If you never pay a dime for your apps, consider pushing a few bucks to the folks at Akeeba - they have saved my sorry butt more times than I can say.

    Cheers, Alison

  • Joe Sonn

    Good advice Alan. The password manager program on my computer has been one of the best investments in software I've made. It creates very robust passwords that are unique for every login need and makes them easy to deal with.

    I hope anyone reading this article actually takes the advice given here. It's not enough to know that you need to do backups and have strong passwords. You must be doing these things.

  • Muhammad Fauzi Rizal

    In the time I've been developing websites with Joomla, websites I've developed have been struck by hackers 5 times.

    Thank God they mainly only change the index.php and administrator/index.php, so I only upload a fresh installation of Joomla to restore the hacked one.

    But above all, it's really, really important to have a strong and secure administrator account.

  • Bruce Jackson

    In addition to backups it is also vitally important to update the Joomla core and all plugins frequently.

    I've had many Joomla customers recently with hacked sites - and they are all on v1.5.x and are either afraid or unable to upgrade, or, as you mention for backups, just didn't think it was important!

  • Dan W

    Excellent suggestions. I think Akeeba Backup is the first thing I install on any new site I create. It's so easy to use that it's often the reason I choose Joomla over WordPress when either one would be a good choice for the project at hand.
    Which password generation tool do you use? I've tried a few but haven't found one that I like yet.

  • Proffnick

    This is definitely one of the most important messages I have received from Joomla. I think we developers have to do just what Alan said, but as for me, anyone who thinks he is a professional hacker should try my site and he will find himself hanging there on the trap till I return. Thank you for that message.

  • Cyndee

    Great read Alan. In my opinion the problem of hackers seeking vulnerabilities and cybercrime is on the rise. This is becoming a constant battle. Hackers do not discriminate, hitting everything from large corporations to small business sites.

    After initial site development a very small number of our clients choose to manage their own site, which we highly discourage. This can be due to many factors such as economic reasons, uninformed decisions or the illusion of "wow, I can do this, this is easy". They do not understand the absolute necessity of proper maintenance and blindly move forward with limited to no knowledge, until it is too late, and the site has been hacked.

    Your business web site is an investment not only in money, but time. Your web site is the first impression to the searcher and potential client of your service, product or message you want to convey to the world.

    Hacking can take on many forms, from malware, defaced sites, porn and more. If this does happen your site can be blacklisted and flagged in search results as potentially harmful. What type of impression, if not liability, would this cause for your business, service or product? Your business's reputation?

    Information and knowledge, by far, is the best defense. If you are a novice with plenty of time on your hands, and want to manage your site correctly, my advice is to educate yourself. If you are a professional business owner and most revenue and leads are brought in from the internet, my advice would be to have a professional company specializing in Joomla manage your Joomla web site for you. Either way you choose, you must educate yourself to make sound decisions if doing business on the internet.

  • Thomas-Per Harlandner

    Both things mentioned are essential.

    Normally the provider DOES backups, for sure. But: do it additionally on your own. In this case, I adore AKEEBA. With its backups you might have your site up & running within an hour.

    And second: almost since the beginning I delete/modify the Admin-User to a Username according to the user. Mostly name a/o function with dashes and/or dots.

    You'll feel relieved by doing so. :-)

  • Rick S

    Thank you Alan for the two simple suggestions. When I set up a Joomla site for clients and insist on strong passwords I get some interesting responses. One of which is that I am pulling some kind of power trip on them because I don't make it easy for them to get backend access. They probably change their passwords to something simple afterwards anyway :)

    On the last couple of sites I have installed Akeeba Admin Tools Professional and believe that it helps tremendously. With the Web Application Firewall, admin folder protection and htaccess adjustments I feel more secure. And I believe it ties into Akeeba Backup too.

    I would recommend that anyone with a Joomla website make the minimal investment into a security plugin.

  • patrick

    As a webhost I have to comment on a third thing, which in my opinion happens quite a lot more than password guessing, and that is (you'd never guess it) UPDATE: update Joomla, and do not forget (and that is really the most common issue) to update all additional features you have added to your site, from editors to banner extensions and everything in between. You can have as strong a password as possible, but if you keep the back door open they do not need the key to enter.

    I do agree with backups; even though a good host does make offsite backups, even in a different datacenter, not all will do this. But there are several more factors to consider when you decide to move hosts in a crisis: even though your host could be down and you have a local backup that you could restore at another host, it could cost you a lot of time to change the DNS, and in most cases a good host would have already restored the server and site before the DNS has propagated. But backups are ALWAYS a good thing to have locally as well.

  • Deepak

    I think there could be more things to make your Joomla site more secure. Since everyone knows that the Joomla backend URL is http://xyz.com/administrator/, we need to make this "administrator" word dynamic.

  • creeem

    The only time a site of mine has been hacked was when they did not update. It was not Joomla's fault; it was the fault of a "Guestbook" extension (I can't remember the name) and the JCE editor. In the plugins' defense, it was a 3-year-old version.
    I am more interested in finding out if we can change the mysite.com/administrator

    If we could change that it would save us from a lot of "kiddies".
    I put up a new site and around the 3rd month I got 20000 hits on mysite.com/administrator and /administrator/index.php

    A tip to see if anyone has been trying to hack your website is to look up your 404 stats. I could see them trying to access some known vulnerable plugins and directly trying to access some files in Joomla which did not exist, as I always keep my Joomla and extensions updated.

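The 404 tip in the comment above, turned into detection logic as an added example that is not part of the comment or the article: parse Apache combined-format access-log lines, count per client the 404s, the distinct missing paths and the POSTs to /administrator, and flag clients that cross a threshold. The log lines, IP addresses, paths and thresholds are all constructed for illustration.

```python
"""Spot vulnerability scanning and administrator-login hammering in an
Apache combined-format access log. Added example; every log line, address,
path and threshold below is constructed for illustration."""
import re
from collections import defaultdict

# Only the fields the checks need are captured from the combined format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one editor logging in normally, one client walking
# paths that don't exist on this site and then hammering the login form.
SAMPLE_LINES = [
    '203.0.113.7 - - [03/Jan/2013:10:15:01 +0000] "GET /administrator/ HTTP/1.1" 200 2345 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Jan/2013:10:15:09 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Jan/2013:10:15:10 +0000] "GET /administrator/index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Jan/2013:11:02:10 +0000] "GET /components/com_example_one/ HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.9 - - [03/Jan/2013:11:02:11 +0000] "GET /components/com_example_two/ HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.9 - - [03/Jan/2013:11:02:12 +0000] "GET /plugins/editors/example_editor/ HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.9 - - [03/Jan/2013:11:02:13 +0000] "GET /old_site/ HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.9 - - [03/Jan/2013:11:02:14 +0000] "GET /administrator/index.php HTTP/1.1" 200 2345 "-" "-"',
] + [
    f'198.51.100.9 - - [03/Jan/2013:11:02:{15 + i:02d} +0000] '
    '"POST /administrator/index.php HTTP/1.1" 303 0 "-" "-"'
    for i in range(6)
]


def parse_line(line: str):
    """Return the captured fields as a dict, or None if the line doesn't parse."""
    match = LOG_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    record["status"] = int(record["status"])
    return record


def summarize(lines):
    """Per-client counters: requests, 404s, distinct 404 paths, admin hits/POSTs."""
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths_404": set(),
                                  "admin_hits": 0, "admin_posts": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or truncated line; count nothing
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        if rec["status"] == 404:
            stats["not_found"] += 1
            stats["paths_404"].add(rec["path"])
        if rec["path"].startswith("/administrator"):
            stats["admin_hits"] += 1
            if rec["method"] == "POST":
                stats["admin_posts"] += 1
    return per_ip


def flag_clients(per_ip, max_404=3, max_admin_posts=5):
    """Clients whose counts cross the (constructed) thresholds, with reasons."""
    findings = []
    for ip, stats in sorted(per_ip.items()):
        reasons = []
        if stats["not_found"] > max_404:
            reasons.append(f"{stats['not_found']} x 404 over "
                           f"{len(stats['paths_404'])} distinct paths")
        if stats["admin_posts"] > max_admin_posts:
            reasons.append(f"{stats['admin_posts']} POSTs to the /administrator login")
        if reasons:
            findings.append((ip, reasons))
    return findings


if __name__ == "__main__":
    for ip, reasons in flag_clients(summarize(SAMPLE_LINES)):
        print(ip, "->", "; ".join(reasons))
```

On a live host, feed `summarize` the lines of the web server's access log (the path varies by host and control panel; many shared hosts only expose it through the panel's raw-log download) and tune the two thresholds to the site's normal traffic, since a legitimate editor who mistypes a password a few times should not trip the admin-POST check.
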
  • Brunus

    "CarolAnnSmithJan52003" is a very weak password if Social Engineering is used to recover it.

    And one other thing to answer another comment...use a plugin like Jsecure to hide your administrator backend behind a URL like www.myjoomla.com/administrator/?mypassphrase
    And mypassphrase is encrypted in the base.
    And when the plugin is activated, if you simply hit www.myjoomla.com/administrator then it's a 405 error that you receive.

  • Alexis GANDUBERT

    Thank you very much for reminding us of these very simple but so useful tips!!!!!

  • anand

    Even hiding the administrator folder using admin-exile would prove to be very helpful.