Securing a Joomla installation

The following are some points to help secure a Joomla installation.


Rename the admin username

Depending on the scale of your website, you might want to rename the admin (super administrator) account so  the name is made of random characters and numbers, like you would with a password. An easier to use username could be used for editing content and not have access to the Joomla system level settings.

To change the username log into the control panel, select user management, select the administrator account, edit the username field to your new username, click save to finish. Don’t forget to document the change.


Make sure the configuration.php file is not writable

File which everyone has edit access is open to hackers. When you’re finished configuring the Joomla installation make the configuration.php file has a CHMOD permission of 444.


Use .htaccess to password protect the /administrator folder

Use the htaccess generator to generate a .htaccess and .htpasswd file. This will make it so each time you go to access the admin console you will be prompted for a password as defined in .htpasswd, this will be in addition to the Joomla admin username.

Please note, these passwords will be passed as plain text (basic authentication), allowing anyone with a packet-sniffer to clearly read your password. To avoid this you will need to install an SSL certificate and access the page using .

Also, the .htaccess file requires the server side path to the folder, e.g. /home/www/joomla/administrator


Keep the installation up to date

Each update to the Joomla core files includes more security and stability, regularly check the Joomla website for updates.


Keep current backups

Even when you take extreme steps for securing an installation the worst case can still happen, vulnerabilities and exploits might exist waiting to be exploited. Ensure you have a backup to roll back to so your site can be back online as quick as possible, the backup needs to be both the files and the database.