Joomla is a popular open-source content management system. Joomla is used by 3.4% of all the websites with known content management systems, which makes up 2.1% of all websites worldwide.

Similar to any open-source content management system, hacking attacks pose a threat to Joomla security. This is why it is important to take all possible measures to protect your Joomla site and improve its security.

The Joomla security team is doing a great job encouraging users to keep their sites up to date and follow the best practices to secure their sites. However, due to the variety and complexity of modern web servers, different users, customizations and configurations, security issues cannot be resolved with a simple generalized solution.

Because there will always be risk, Joomla security will remain a continuous process, requiring frequent assessment of possible attack carriers. This article is intended to educate Joomla website owners and administrators on the precautionary and actionable steps in avoiding Joomla security mistakes and the reasons behind them in order to improve the website security and reduce the risk of a compromise.

Unfortunately, there are some mistakes that are repeated by some Joomla owners and administrators which create security issues that can be easily avoided, as mentioned below, in order to protect their Joomla Websites:

1. Choosing Cheap Hosting Providers:

Purchasing a cheap hosting provider might not be an ideal starting point. Typically, cheap hosting providers use shared servers that host hundreds of other sites, some of which are low-quality spammy sites that can be easily hacked. Since all these sites have a common IP address, your site will be impacted, even if it doesn’t get hacked. It will be slower, subject to spam due to a 'bad neighbourhood' of sites with low reputation, and might get compromised if other sites are hacked.

2. Lack of Website Backups:

Backing up your website regularly ensures an improved security. If your website gets hacked or anything happens for any reason, you can restore it to an earlier state or rebuild it from scratch using your website database. We recommend using a combination of hosting based backups with 3rd-party backup extensions available in the Joomla extensions directory.

3. Weak Repeated Passwords:

Using the same username and password for your online bank account, Joomla website account, Amazon account, Facebook account, Gmail account and other sites you may be registered on, is a hazardous mistake. This is risky as it increases the chances of hacking all accounts easily. It is also worthwhile to always make sure the name of the admin account is changed to something other than 'admin', for deviation purposes. Moreover, it is highly advisable to use a security extension that protects your website administrator backend from hacking attempts. You may find such extensions in the Joomla Extensions security list category.

4. Hesitant Follow Up:

Checking your Joomla powered site regularly can ensure nothing goes wrong with it. Always maintain your Joomla website hosting, installations and components as lots of things can go wrong with your site’s PHP, database, extensions, or other website components. Make sure to check your hosting and website logs for further information.

5. Absence of a Development Server:

Testing your upgrades and extensions installations on a development server before taking the step of applying them on the production site will save your time and protect your website. This is necessary to avoid creating problems on your production server and impacting your clients or visitors due to website failure or other issues. All mistakes can be detected on the development server and can be resolved to make sure your live site stays clean. You can easily implement a development local server using applications like XAMPP or MAMP or WAMP.

6. Trusting all 3rd-Party Extensions and Templates:

Using untrusted 3rd-party extensions or templates might pose vulnerabilities and affect your Joomla website performance. We recommend using a minimum number of extensions on your website to get the optimal Joomla security level. Not all 3rd party extensions are free from trouble; if you have the luxury of avoiding a 3rd-party extension, do so! Choose and use professional extensions and templates from reputable companies, and keep them updated to protect your website.

7. Neglecting to Update your Joomla! Website:

Forgetting to upgrade your Joomla website will leave your site exposed to all sorts of Joomla security problems. Making sure to keep Joomla updated with stable and security fixes releases that will protect your website and also fix your Joomla website problems and vulnerabilities. This also applies to any 3rd-party Joomla extensions you install. Stay updated with Joomla security announcements which provide the resolved security issues in Joomla! software releases.

8. Dismissing the Vulnerable Extensions:

Not checking the Vulnerable Extensions List (VEL) website and/or not following its social media pages will leave you out of the loop of latest security risks and possible patches. It’s recommended to uninstall any extension listed in the Vulnerable Extensions List for which no patch is known to exist. Make sure to update your vulnerable extension whenever its patch is available. If your site uses a vulnerable version of an extension which doesn’t have a patch update, then you are recommended to replace it.

9. Ignoring Post-installation Messages:

Hiding all post-installation messages in the middle top section of the Joomla back-end page might put Joomla administrators and owners' websites in trouble. It’s highly recommended to read all post-installation messages since the Joomla Team is providing you with important information that needs your attention after upgrading, or after installing Joomla for the first time. These messages mostly contain Joomla security configurations or file changes that should be made manually and which an upgrade can’t change.

10. Not providing sufficient information when Asking for Help:

Getting all relevant information before reporting your website as compromised could help you restore your website faster. We advise you to browse Joomla security forum and post all the needed information - such as the version of Joomla you are using and what 3rd party extensions and their different versions you have installed. This information will help the Joomla Security team or community to identify what could have caused your website issues or hack, and how to fix and prevent it from happening again.

In the end, I hope you find this article practical and useful. If you need help avoiding the above Joomla website security mistakes, kindly post your questions in the comments section and I will be happy to help you out.