Select your language

Joomla 4 site security

How to start SEO website promotion? - That's right, with protection! All your efforts in content creation and website development may be in vain if your Joomls-site gets hacked.

As we know, Joomla 4 is a powerful content management system that provides reliable website protection. However, regardless of the CMS, much depends on the website owner. Failure to comply with security rules can lead to website blockage, or even worse - loss of control and all content.

Below, we provide important Joomla 4 security tips that every website owner should follow.

1. Use strong passwords

This is perhaps the simplest, but most important rule. Hackers may try to guess your site password using simple combinations of login and password, such as admin (login) and 123456 (password).

1.1 Administrative panel

Joomla, like any other CMS, provides an administrative panel for managing the website. By the way, the admin panel in Joomla 4 is quite convenient and functional.

The first thing you need to do is set a strong password and a non-standard login (no "admin" as the login).

Criteria for a reliable password:

  • Length. The minimum length of a reliable password should be 12 characters. Make your password even more secure by creating a combination of 16 or even 20 characters.
  • Use a combination of numbers, special characters, and of course, upper and lower case letters in your password.
  • Avoid using common words or phrases. Yes, they are easy to remember, but also easy to guess.
  • Take care of a reliable and convenient place to store your password.
  • Do not use the same password for your website, email, and banking account... If a hacker somehow gains access to your email and learns your password, be sure that they will try to access everything else with that password.
  • Change your password from time to time. This well-known rule applies to all passwords, not just the password for your website's admin panel.

1.2 Your hosting and domain

Hosting service is necessary regardless of CMS. Even if you have just an HTML webpage, you will need hosting to make it available online.

Hosting and domain are different services that can be ordered from different companies, but usually, people buy a domain and host their website with the same hosting provider.

Access to your hosting account also requires a login and password. The password for your hosting should be as secure as the password for the admin panel (section 1.1).

2. Regularly update Joomla 4

Updating your website to Joomla 4 is one of the basics of security. However, many Joomla site owners neglect this basic step: they fear encountering difficulties during the update process, or simply underestimate the importance of updating. After all, even if you don't install the latest update on time, your site will continue to work. "So, what's the point?"

Joomla regularly releases security updates and fixes any vulnerabilities that hackers can exploit. Updating your site to the latest version ensures that you have the latest fixes and reduces the risk of your site being hacked.

How do I know when a Joomla update is available?

Every time an update is released, a notification appears in the admin panel of your website. It's hard not to notice it. In addition, administrator notifications are set up by default to be sent to their email (notifications can be turned off).

Before updating, it is strongly recommended to make a backup of your website. You can make a backup directly in your admin panel at any time you want.

How to backup a Joomla4 site using Akeeba Backup in 4 easy steps.

3. Regularly back up your website

Regular backup of your Joomla website is a must for every website owner. In case of a security breach or any other unforeseen circumstances, having a recent backup will help you restore your website to its previous state.

A Joomla website backup is a copy of all the website files and the database (DB). The files and the DB are what every Joomla website consists of. You should keep a copy of them in a secure location.

You can download the website files directly from your hosting and export the database. However, it is much faster and more convenient to do this through the admin panel of your Joomla website. For this purpose, there is a wonderful free tool that creates a single archive with the files and the DB, which can be easily deployed and used to restore the website if needed.

Step-by-step guide ?

How to Backup a Joomla4 Website: Akeeba Backup in 4 Easy Steps.

4. Do not provide access to your website to third parties

This advice applies not only to Joomla CMS but also to any website. However, adhering to it is an important guarantee of your website's security.

Providing access to the admin panel, website files (via hosting or FTP manager), or database usually happens when you ask someone to help you with your website or hire a freelancer for this purpose.

To avoid problems, it is better to provide a copy of your website to a third party for work and transfer only the result to the working address. This way, you can control all changes made to your website.

If you have decided to grant someone access, especially a freelancer you are collaborating with for the first time, be sure to create a backup of the website and store it in a secure location (see point 3).

If it was a one-time collaboration with a freelancer, don't forget to change your passwords to new ones. In practice, there are often cases where even former employees can use the passwords they know for their own benefit.

5. Use secure hosting

If the hosting provider doesn't take enough measures to protect the websites hosted on it, it means that your website can be at risk, including from other websites hosted on the same server.

Usually, such problems don't occur because hosting providers have security features to protect their servers. And typically, they simply block a website in case of malicious code.

Choose a hosting provider based on its features, ratings, and reviews, rather than its cheap price, and then you shouldn't have any problems.

What criteria can be used to choose a reliable hosting provider:

  • Regular automatic backups;
  • Support for new versions of PHP;
  • Use of the latest security protocols, such as SSL encryption, to protect your website and data;
  • Security scanning and monitoring for viruses and other threats;
  • Protection against spam bots;
  • Protection against DDoS attacks;
  • Uptime - 99.9% (this is not related to security, but it is a very important criterion when choosing a hosting provider).

6. Use the HTTPS protocol (instead of HTTP) with an SSL certificate

By default, when you order a domain service, you have the HTTP protocol, which is no longer considered reliable by modern standards.

To obtain the HTTPS protocol for your domain, you need to order an additional service - an SSL certificate.

HTTPS encrypts data between your website and its users, preventing hackers from intercepting confidential information. In addition, HTTPS also has a positive impact on your website's SEO and can help you rank higher in search results.

An SSL certificate, like a domain, is paid for once a year and renewed once a year.

Usually, when purchasing a domain from a hosting provider, they offer you to buy an SSL certificate at the same time. Also, most hosting providers easily place SSL certificate files on your site and configure your domain. To do this, simply contact the hosting support.

7. Use only safe extensions and templates from official providers. No pirates.

Extensions refer to modules, plugins, and components that are not included in the default Joomla package and can be installed on your website. With extensions, you can add the necessary functionality to your Joomla 4 website. Examples of extensions include a slideshow module, an online store component, and a comments plugin.

Templates are website theme designs. Templates have different designs and layouts of position.

Extensions and templates can be both paid and free. They are provided by different developers. However, there is a difference in the sources which these extensions can be downloaded from.

Where to find safe extensions?

https://extensions.joomla.org/

The official Joomla website provides a large list of extensions. If not all, then most of them are collected here. Therefore, with the help of this source, you can surely satisfy your needs and find the necessary extension.

In addition to the extension description, there are ratings and reviews that you can use to compare similar extensions. For convenience, the extensions on the page:

  • are categorized based on their purpose;
  • have a convenient search with filters;
  • are marked with Joomla version compatibility;
  • are marked as PAID / FREE;
  • have DEMO pages (not all).

Where to download safe templates?

Download and purchase templates from reputable developer companies directly from their websites.

On the template page, in addition to the description, there are "DEMO" or "Live Preview" buttons, by clicking on which you can see what the template looks like "live".

Most templates are paid, but developers usually also offer a couple of free templates (look for FREE in the template filter and on badges).

Some developers set separate prices for each template, while others offer a paid subscription that includes templates and their other products. Because of this difference, prices may vary.

https://rockettheme.com/joomla/templates

https://joomla-monster.com/joomla-templates

https://www.gavick.com/joomla-templates

https://www.smartaddons.com/joomla-4-templates

https://www.joomshaper.com/joomla-templates

https://www.themexpert.com/joomla-templates

https://yootheme.com/joomla-templates

https://www.joomlart.com/joomla/templates/tag/joomla-4

The above list is by no means exhaustive. There are many more developers of Joomla 4 templates. We have only provided a few companies that we consider worthy, in no particular order.

You can also use the search for Joomla 4 templates on marketplaces that offer the purchase of individual templates (rather than a subscription to all products) from various developers.

https://themeforest.net/category/cms-themes/joomla 

https://www.templatemonster.com/products/types/joomla-templates/joomla-compatibility/4-0-x/4-1-x/4-2-x/

What to consider when choosing a template?

First, let's note the basic Cassiopeia template that comes with Joomla 4 by default. This template has few settings, but its strength lies in its minimalism. Cassiopeia does not have anything extra, which ensures fast website loading. In the hands of a skilled programmer, the Cassiopeia design can be modified to meet virtually any requirement. The website you are currently on also operates on the Cassiopeia template.

As a rule of thumb, the simpler the template, the faster its loading speed. The more functional the template, the slower it is. This means that if you want to start a blog, you shouldn't buy a complex template with an online store. A heavy template will have features that you will not use, but even in passive mode, they can affect the website's loading speed. Choose a template with only the necessary functionality.

Before purchasing, make sure that the template is compatible with the latest Joomla 4 version (or any other version you need), as there may be templates alongside those for Joomla 4 that are only suitable for earlier versions.

Where is it not recommended to download extensions and templates from?

It is not recommended to download extensions and templates from pirate websites offering paid products at significantly reduced prices or for free. Templates and extensions downloaded from pirate sources may contain embedded links to other websites, malware that sends spam from your server, and other viruses.

We also do not recommend downloading templates and extensions from so-called "group buys", where participants share purchased extensions. Group buys may have a paid subscription, usually at a lower cost than official sources. However, this is also an illegal source similar to the black market. Extensions and themes downloaded/purchased from a group buy will not have technical support from the developer. No one can guarantee your safety in this case.

8. Limit access rights to files and directories

Limiting access rights to files and directories is another important step in ensuring the security of your Joomla website. Setting appropriate permissions can prevent unauthorized access and modification of important data.

The general recommendations for directories on your website are to set permissions to "755", and for files - "644". By default, the permissions for folders and files will be set to these values. However, it would not hurt to check their settings. There are also some exceptions, which we will discuss below.

What do these mysterious access rights numbers mean?

Changing permissions on files and folders Joomla 4

Go to the file manager on your hosting. Open the root directory, which will be named public_html or match the address of your website. In the root directory, you will see a list of files and folders, similar to the list in the screenshot. In the Joomla site's root directory, there will be, for example, a configuration.php file, administrator, templates, plugins, modules folders, and so on.

To change the permissions of a directory or file, right-click on it and click "Change Permissions." If your file manager does not have a similar context menu, this option should be activated in the top file manager menu when selecting a file/directory.

After clicking "Change Permissions" on the selected folder or file, a window will appear, similar to the one in the screenshot, with 3 columns of checkboxes and a field with numbers below.

The 3 columns (1. User, 2. Group, 3. World) with checkboxes and 3 digits in the field below (755 in the screenshot) are interrelated.

The first number from the left pertains to the "User" column, the second to the "Group," and the third digit to the "World."

Naturally, the user should have the broadest permissions, which means that the first digit in the field below will be larger than the others, and there will be more checkboxes checked in the "User" column, i.e., more permissions granted. This is what we see in the screenshot above.

7 - means the ability to write, read, and execute. In other words, in the example above, the user has been given the broadest possible rights.
5 - means the ability to read and execute
4 - only "Read".

When you check or uncheck the boxes next to each value (Read, Write, Execute), you will see how the number changes accordingly in the "Value" field below. This way, you can change the access rights to files or directories on the website.

Examples of setting permissions for folders and files in Joomla 4:

Directories:

/cache: 755
/logs: 755
/administrator/cache: 755
/administrator/logs: 755
/tmp: 755
/images: 755
/templates: 755

The root directory of Joomla 4 website has a standard list of directories and files. By default, all of them are set to 755 permissions.

Files:

There are several critical files located in the root directory of the website, the permission settings of which require special attention.

/configuration.php: 444 (or 400 if the server supports it)
/htaccess.txt (or .htaccess): 444 (or 400 if the server supports it)
/web.config.txt (if present): 444 (or 400 if the server supports it)

9. Two-factor (2FA) or multi-factor (MFA) authentication

Previously, two-factor authentication (2FA) was used, but starting from Joomla version 4.2, multi-factor authentication (MFA) is guarding the entrance to the website's admin panel.
Authentication means confirming one's identity. That is, knowing the correct login and password is not enough; you must confirm the legitimacy of the login (authorization) using an additional method, which is called authentication.

Joomla 4 has several ways of providing additional confirmation for logging into the admin panel, and you can configure them all. Therefore, authentication is called multi-factor. With multi-factor authentication, your website will become even more secure.

With MFA enabled, in addition to the login and password, the user needs to enter a one-time code in an additional form. The one-time code is sent to your email or smartphone (depending on the selected method) and usually has a limited short lifespan.

Authentication methods in Joomla 4 include:

  • Code sent to email.
  • Code generated by systems such as Google Authenticator, Authy, and similar ones.
  • W3C Web authentication through the browser using a password or biometric data (fingerprint, facial recognition, etc.).
  • YubiKey token (for Yubico company clients).
  • Backup codes, which are several one-time use codes. You can generate a new list of codes if they have been used.

In addition to the default authentication methods in Joomla 4, there are additional methods that can be configured using extensions.

You can enable one method or configure them all. If you enable all authentication methods, it does not mean that you will need to fill out all the forms for the activated methods. It is sufficient to fill out one form for any of the selected methods.

If you have configured multiple authentication methods, you can set a preferred method as "default" (in user settings). Joomla will suggest this default method to you when you log in, but you can switch to any other method that has been previously configured for the specific user.

How to set up multi-factor authentication?

Multi-factor authentication is turned off by default, but you can configure it yourself.

Step 1. The first thing you need to do is go to the plugins and enable at least one authentication method. To easily find authentication plugins, use the search ("Multi-factor Authentication"). You can activate all plugins except "Multi-factor Authentication - Fixed Code".

Step 2. After activating one or more authentication plugins, a "Multi-factor Authentication" tab will appear in the user settings.

Go to the user list through the main menu and select a specific user. You will have at least one user, Super User (that's you). In the Multi-factor Authentication tab, all previously activated authentication plugins will be available (a backup code method will also appear). Choose an authentication method and configure it.

Thus, if you have multiple users, you can set up different authentication methods for them.

If you want to learn more about setting up multi-factor authentication, see our step-by-step instructions.

10. Install reliable security extensions

Installing reliable security extensions is an additional measure that will take the protection of your website to a new level. But what do we mean by "reliable" security extensions? you may ask.
First of all, it should be noted again that security extensions (like any other extensions) should only be downloaded from official sources. Downloading a security component for a Joomla site from a pirate source is a very bad idea. However, for a beginner launching their first website, this truth may not be so obvious. We explained in detail why and how this is a bad idea in item 7 above.

Secondly, it is worth explaining that security extensions can be paid or free. This applies to all extensions for CMS Joomla. Often, free extensions are not inferior to their commercial counterparts. But when it comes to Joomla 4 site protection extensions, paid extensions are more functional and therefore more reliable.

Wide functionality is another factor in the reliability of a security extension. If you want to choose one extension, you should give preference to the one that provides a wide range of protection and reflects common security threats, such as malware, SQL injections, and brute-force attacks.

Below, we will briefly review some of the most popular security extensions compatible with Joomla 4. And we'll start with free ones.

Free Security Extensions:

  1. Admin Tools

https://extensions.joomla.org/extension/access-a-security/site-security/admin-tools/

This extension provides a set of basic functions that help manage file access permissions, links, and databases. It also has a paid version with a wide range of advanced security features.

  1. Brute Force Stop

https://extensions.joomla.org/extension/access-a-security/site-security/brute-force-stop/

This extension package provides tools to prevent brute-force attacks on your Joomla site.

  1. Securitycheck

https://extensions.joomla.org/extension/access-a-security/site-security/securitycheck/

Despite being a free extension, Securitycheck offers a wide range of security features, such as a web application firewall to protect against SQL, LFI, and XSS attacks. It also includes a .htaccess protection tool for internal links and vulnerability scanning for all installed extensions on the site. There is also a more advanced commercial version called Securitycheck Pro.

  1. SpambotCheck

https://extensions.joomla.org/extension/access-a-security/site-security/spambotcheck/

This extension package provides real-time protection against authorization attacks and spam.

  1. OSpam-a-not

https://extensions.joomla.org/extension/access-a-security/site-security/ospam-a-not/

This plugin provides protection against spam on website forms without using visible CAPTCHAs or additional user-visible fields.

Paid security extensions:

  1. Admin Tools Professional

https://extensions.joomla.org/extension/access-a-security/site-security/admin-tools-professional/

Compared to its free version, Admin Tools Professional is a serious tool that provides comprehensive website protection, including active server protection through its .htaccess, NginX Conf, and Web.Config Maker; active application protection with its web application firewall; and passive security with its PHP file change scanner, which detects new, modified, and deleted files on your website and assesses them for signs of malicious intent.

  1. RSFirewall!

https://extensions.joomla.org/extension/access-a-security/site-security/rsfirewall/

RSFirewall! is an advanced comprehensive Joomla 4 security extension that combines active and passive protection as well as a range of useful tools. It protects the site from SQL injection (SQLi), detects and removes dangerous files, optimizes and restores the database, prevents unauthorized administrator changes, and much more.

  1. Securitycheck Pro

https://extensions.joomla.org/extension/securitycheck-pro/

Another comprehensive website protection extension that, according to the developer, does not affect site loading speed. The Securitycheck Pro web firewall protects against SQL injection, cross-site scripting, LFI and RFI, header modifications, CSRF, clickjacking, brute force attacks, and dictionary attacks. Securitycheck Pro also has a range of other advanced website protection tools.

And don't forget about backups. Backups themselves will not protect your site from malicious code. However, regular site backups will allow you to quickly deploy the site at your address from the freshest secure copy and not lose the results of your work.

Free Backup Components for Joomla 4:

  1. Akeeba Backup

https://extensions.joomla.org/extension/access-a-security/site-security/akeeba-backup/

A popular, powerful, and easy-to-use website backup component. With just a few clicks, it allows you to create a backup of your website by placing all its files and database into a single archive file.

Protect your Joomla 4 website: backup with Akeeba Backup in 4 simple steps.

  1. Watchful Client

https://extensions.joomla.org/extension/access-a-security/site-security/watchful-client/

A monitoring and backup component. It is a comprehensive tool that allows you to set up automatic backups of your site. Additionally, the component performs scanning for signs of intrusion and potential security threats.

Conclusion:

If you launched your new website today, it's unlikely that anyone will try to hack it tomorrow. Because it's unlikely that anyone will know about it tomorrow. However, it's never too early to start taking care of your website's security. As the website traffic grows, so does its visibility in search engines and social networks.

Points 1 through 7 are mandatory. These are simple but important rules that you need to follow from the first day of your website launch. Compliance with them forms the basis of web resource security. No paid components for Joomla 4 can replace this foundation.

Points 8 through 10 can be considered additional, as they provide an additional level of protection. But these tips are definitely not redundant. You can use them at your discretion, after mastering the first seven tips. It's also desirable to follow them if your website has active traffic.

If, despite following the first seven rules, you notice security issues, then points 8, 9, and 10 are also mandatory for you.

It is recommended to take all possible steps to ensure security if your website stores users' personal data or other important and/or confidential information.

It's noteworthy that all 10 tips do not require any additional investment from you. The only expenses may be paid security extensions. But they are worth it. All three paid security extensions listed in point 10 are powerful tools that have proven themselves well since earlier versions of Joomla. You can also use free options.

Keep these 10 tips in mind. Following them guarantees a high level of protection for your Joomla 4 CMS website.