Secure Your Joomla Sites Against Attacks

Keeping hackers and force attacks at bay has got to be one of the major obstacles web owners and developers face. Hackers are diverting their attention now to Joomla as it gains popularity because entrepreneurs and businesses prefer it as their CMS platform.

A web security firm, Sucuri recorded an all time high in attacks at almost 270,000 a few months back on Joomla sites. Even us at SCI had a fair share of these attacks a few years ago and since then we have kept our site security more intact by using the simplest methods recommended by seasoned developers and by employing third party extensions like Akeeba.

Until now we use these methods to protect our client’s precious data.

Keep Joomla versions up to date

This is always the first item in every developers list. You need to check for updates and install it because most issues are resolved in the latest version of Joomla.

On your admin page navigate to Components and check Joomla updates. To check if update was successful, clear your browser cache and see if site is working properly.

Before installing an update though, make sure you have a current backup of your site.

Keep your extensions up to date

Some extensions can cause and lead attacks to your site. So apart from making sure you only install extensions that you really need, these extensions also need to be updated to their latest versions to avoid issues and minimize risks.

The most convenient way for us to keep track of updates is through email notifications. To check it manually, look for the Extension Manager under Extensions in your Joomla admin. Click on the Update link from the left. A list of all extensions with new version will then be generated. From the list, choose the plugin name you wish to update and click on Update button at the top left.

Remember to do a backup before updating.

Use strong login details

Yes, you really have to pay attention to this because not only beginners commit this common mistake. Sucuri gathered the top five user names hackers use to attempt login and the results were: admin, test, administrator, Admin, and root combined with numbers 123456, 666666, 111111, and 12345678.

So we advise you avoid using personal information in passwords like your name. Some password generators can also do you harm contrary to what most think it does. An attacker can sometimes compromise these applications since the passwords they provide are automatically generated.

Instead, use special characters in your password and combine this with alphanumeric. You can also keep a file of all your passwords and encrypt it.

Folder and File Settings

Here are the most recommended permission settings for your Joomla files and folders:

  • Folders to 755
  • Files to 644
  • Configuration.php file to 444


Setting file permissions to 777 is discouraged and is only necessary when a script needs to write to that file or directory.

Hide your admin portal

Anybody who wants to access your site will first try the default address If it works, then you make it easier for hackers to get across the first few layers of your security. What you can do is hide this by adding another “keyword” to the URL.

For example:

This way, only you and others who know this term can access the site.

Password protect directories

Keep away users who are not supposed to access your files by setting a password to your site’s administrator folder. Here’s how:

Login to your cPanel and select the Password Protect Directories icon. From the list, select the directory that you wish to limit access to.


Enter a username and password for your user and select a name that will appear in the login screen. Save to activate.


Change the default database prefix (jos_)

Chances are, a hacker who will try to access your site know that by default all Joomla tables have the prefix “jos_”. You should know that username and password could be retrieved from the jos_users table thus exposing your site to threats. Change this prefix by following the instructions below:

Login to your Joomla admin, navigate to Site > Global Configuration and click on Server.


Locate Database Tables Prefix and copy the prefix shown.


Now locate and open your dump.sql file from Sources folder and search and replace all “jos_” with the copied prefix.


Save the changes and import the file to your database.


Restrict access to directories only to a specific IP address/es

Limit access to your directories by setting permission to certain IP address/es. But take note that this is useful only if you have a static IP address. Here’s how:

In your .htaccess file add the following lines at the bottom:

Deny from ALL
Allow from x.x.x.x

Replace x.x.x. with your actual IP address. Copy and repeat the line for multiple IP addresses.

Akeeba Remote Backup on Dropbox

All of our Joomla sites use Akeeba backup system. Akeeba conveniently stores our backup files to a connected Dropbox account eliminating the need to download the files locally.

Assuming that you have already purchased the extension here’s a how-to guide to configure Akeeba in your Joomla site.

Login to your Joomla admin and navigate to Components > Configuration > Advanced Configuration. Locate Archiver Engine and click on Configure button. Then select Custom for Part size for split archives and enter a value in the text box that appears. By default, we input 20. The value will be the standard and maximum size of each file in your backup archive.

To configure Akeeba with Dropbox follow these steps:

Login to your Joomla admin and navigate to Configuration.


Locate Data processing engine and choose Dropbox from the options.


Proceed by clicking on configure and complete the two-step authentication. When you have completed the first step Once the first step is complete close the pop-up window.


Proceed with the second step. When done the Token and Secret Key fields will be generated automatically.


Select a directory to store your files in Dropbox then Save and close.

Using one Dropbox account for multiple sites is possible. When you add a site, remember that you won’t need to go over the authentication again. Go back or take note of the Token and Token Secret Key and simply paste those when you configure on other sites.

How to do your first site backup:

Login to Joomla admin and navigate to Menu > Extensions > Akeeba backup. Select on Backup Now button.


A successful backup notification will show once backup is complete. To proceed, click on Manage Backups.


In Manage Backups tab you will see status in Remote. When you click on Managed Remotely Stored Files you will be redirected to where your files are stored.


How to automate your backups:

Login to Joomla admin and go to Components > Akeeba Backup. On Akeeba Backup panel select Yes next to Enable front-end ans remote backup.

A secret word is optional but encoding one will come in handy when for some reason you get blocked out of your site. Select Yes on Email on backup completion then enter a valid email address where you prefer to receive the notification. Input a short message then hit Save.


Go back to Akeeba backup panel and click on Scheduling information. The schedule options will include three options using CRON



The CRON option we use is cURL because it is the recommended option for websites hosted by SiteGround.

When you open cURL panel you will see a code in red. Copy this code and go back to cPanel. Under Advanced options select CRON jobs and supply the information settings based on your preference.

When done, paste the code in Command field and click on Add New CRON Job.


If you wish to check status of your backed up files you can do so by going to Component > Akeeba Backup > Administer Backup files.