5 Issues with Joomla Security that Leads to Sites Hacking

Hemendra Singh
Hemendra Singh, Managing Director at The NineHertz
Published on May 14, 2019 in Web Developers Resources
5 Issues with Joomla Security that Leads to Sites Hacking

Joomla is the 2nd most widely used free open source content management system (CMS). It is built on an MVC framework. About 2.6% of all websites on the internet is powered by Joomla. The numbers might not sound like a lot, but it still translates into millions of blogs powered by Joomla.

Using Joomla for website development not only cuts down a significant amount of development time but it is also good from support perspective since it is quite popular among the development community. Normally any development company that is providing App development services, Mobile app development or Angularjs web development, should also be experienced in setting up Joomla based website for you.

Internet is not particularly a very safe place, especially if it’s a popular platform. Just as the case with any major platform, some security concerns are always there. Joomla is a major platform. Scores of people use Joomla on a daily basis. Therefore the risk of attack is greater. In fact, vulnerabilities are discovered or exploited all the time.

We will show you 5 ultimate Joomla security issues that can get your website hacked if you are not careful. If you follow the complete guide below, you are on your way to harden your Joomla security. This will help prevent your website from hackers or become a victim of the next brute-force attack.

1. Keep Joomla and its extensions up to date

Joomla’s core is highly secure. But there are pitfalls users can fall into when configuring the system if they are not careful enough to appropriately configure all system components. Joomla has comprehensive documentation on that to help a user improve their system security, instead of just relying on the system itself. You should also make sure to keep your version of Joomla up to date and also all of your extensions. As and when new security threats or vulnerabilities are discovered, new patches are released to plug these security gaps.

To ensure the safety of your website, you should keep the version of Joomla and associated extensions up to date. This is one common reason why hackers generally target older versions. For example, one such vulnerability was discovered in 2015 which had the potential to affect millions of Joomla installations. Users were able to protect their websites and servers by downloading the latest version of Joomla from joomla.org.

Whenever there is an update for Joomla available, you can view it in the administrator dashboard. From there you can choose to update your Joomla installation. However, if you don’t have substantial knowledge about Joomla, we recommend that you hire a Joomla development company to take a backup of the entire website and update your Joomla installation. If things go haywire during any major update, expert Joomla development company will handle things professionally and ensure minimum or no downtime.

If you plan to update your Joomla package on your own, take a backup of your Joomla website. You should also set a system in place to regularly take backups of your Joomla website. This will allow you to quickly rollback and restore your CMS in case of an attack or if a Joomla update fails. If you have advanced knowledge of web servers, we recommend that you test your updates locally using software like XAMPP or MAMP and push the changes to your production site only when things are right. This additional step will ensure there is no downtime if the update fails for any reason.

In most cases, the Joomla update takes no more than a few minutes. You should update your Joomla installations periodically. You should also periodically update your extensions and templates.

We recommend that you only use trusted Joomla extensions and templates. The best approach is to get your extensions and templates only from reputed and well-known companies.

2. Careful selection of username and passwords

About 76% of attacks on corporate networks involved weak passwords. Insecure username and passwords make up for the biggest reason for website hacks. Many people keep their passwords something like “1234567” or “welcome12345”. The silly reason they give is that they can remember it easily. Get smart with the username and password you choose for your Joomla. Never use the username as “admin”. Both username and password should be complex enough.

A strong username and password combinations are one of the best ways to harden your Joomla security. In other words, they are also the easiest way for hackers to break through the system if they are not strong enough. Unlike WordPress where you can only change your administrator’s username from the database, in Joomla, you can update your administrator’s username from the dashboard itself.

3. Rely only on secure Connections

Whether you are connecting to your Joomla Website from your home or office, you should always try to ensure the connections you are using are secure. The best way to connect to your Joomla server is through SFTP encryption or SSH. If you are making the connection using an FTP client then the default port for SFTP will usually be 22. Be aware of the fact that some FTP clients store passwords in plain text or may be in an encoded form on your computer. Whatever be the case, it’s easy for malicious codes to retrieve the original passwords. So you should never let your FTP client save password. As a second layer of protection, you should set up firewall rules properly on your home router.

When you work from a public place like an internet cafe or public transport, the available wifi-networks for the internet are not very trusted networks. Avoid using public wifi-internet to connect to your Joomla website. Another most important thing that any individuals or small business underestimate are the importance of taking the service from trusted hosting providers. Avoid getting hosting from cheap hosting providers. These are commonplace for high traffic porn websites, overcrowding servers and makes for the bad neighborhood. Even if your Joomla website is highly secure but if your shared hosting gets hacked, you are in trouble. Before you hire Joomla developer, your Joomla website should be up to date with supported versions of PHP, MySQL, account isolation and web application firewalls, etc.

4. File Permissions

This is an important aspect that is crucial for protecting your Joomla website. You should make sure that only correct file permissions are used. Each directory and file has different permissions by default which allows people to read, write and modify them. You should manually review them to make sure they are correct file permissions applied to directories and files. Write and modify permission should only be applied to those files and directories where it's required for proper functioning.

If the permissions are too loose this could open up a door for an intruder. But if they are too restrictive your Joomla installs and some extensions may not function properly. That’s because some Joomla installation need permission to be able to write to certain directories. Usually files or folders should be set to CHMOD of 777, however, 707 is only necessary when a script needs to write to that file or directory. Here is a recommended configuration for Joomla on default installs:

  • PHP files: 644
  • Config files: 644
  • Other folders: 755

If you get even more restrictive than the above recommendations, you will risk locking down your installation.

5. SSL Certificate

Google has started rewarding websites with HTTPS with better rankings. It’s for a reason. Google cares for the security of their users and wants to encourage more and more webmasters to migrate their websites to HTTPS. A few years back SSL certificate was deemed essential only for eCommerce sites, or other websites that were processing sensitive data in some forms. But today, SSL certificate is considered important for all kinds of websites big or small. Your Joomla website needs an SSL certificate for the login page because it handles user authentication details.

If your Joomla website is not using HTTPS connection, then your username and password are sent in clear text over the internet. You can control your activities of not connecting to Joomla websites from public or other risky internet connections. But you cannot force all your website visitors to only connect through highly secure connections such as their home connections. Take an example of a Joomla website with multiple authors logging in from all sorts of different networks. It only makes sense to run your Joomla website over a secure connection to add an extra layer of security.


The huge popularity of Joomla makes it a common target for attackers. Highly popular open source content management systems are a goldmine for hackers because they provide the building blocks for the great majority of all the world-wide-web. The good news is that over the time the systems have been developed to be extremely secure. But the availability of a wide variety of extensions makes things easier for attackers if you are not careful.

In most cases of a security breach, extensions play a big role. So you need to use them very carefully and only when they are needed. If you follow all the above 5 ways in which you can plug security holes in your Joomla project, you are almost good. Most of these recommendations are such that can be implemented within a few minutes and you can rest assured that your Joomla site is a little more secure from intruders and hackers.

Find more top mobile app developers worldwide on AppFutura.

Looking for an app or software development company?

You can post a project on AppFutura for free and explain your needs for app or software development. You will receive quotes from qualified companies and will be able to hire the best candidate through a safe payment system.

Post a project

About the author
Hemendra SinghManaging Director at The NineHertz

Hemendra Singh is Managing Director and co-founder of The NineHertz, a Mobile App Development Company. Hemendra has a keen interest in the latest trends and technologies that are emerging in different domains. Being an entrepreneur in the field of IT...

You might also like