Joomla! is a very popular Content Management System (CMS) on the Internet today. Joomla security should be at the forefront of anyone running a Joomla! site, especially ones running older versions of the CMS or it’s extensions, since these are a ripe target for attackers.

In this post, we’ve taken some time to detail a few measures which can be taken to address Joomla Security – the basic security holes or malpractices that are commonly present in thousands of Joomla! sites.

Running the latest version of Joomla!

Running the latest version of any software is probably the most obvious first security measure that should be taken. However, with millions of sites still running old and vulnerable versions of the CMS, this point is still one that needs to be stressed.

Updates of Joomla! not only bring with them new features, but more importantly, bugfixes and security fixes are made available. Updates help your site remain safe against common, easy-to-exploit vulnerabilities.
Joomla! updates screen

Running the latest versions of extensions

Running the latest version of Joomla! alone is not enough to secure your site. Extensions you install on your Joomla! site that contain vulnerabilities will undoubtedly increase your site’s attack surface.

Therefore, making sure that your Joomla! extensions are up-to-date is essential. In doing so, you can make sure your site is covered with the latest security updates by the extension’s author.


Joomla! Extension Update Screen

Be selective when choosing extensions

Joomla! allows you to extend and customize your site with thousands of extensions. Extending your site’s capabilities and customizing it to your requirements is important, however, it should never come at the price of your website’s security.

Even if your Joomla! installation and extensions are all up to date, it does not mean that a site is not vulnerable to attack. Attackers can try to enumerate installed extensions to discover what extensions you have installed on your Joomla! site. By avoiding the installation of unnecessary extensions, you would automatically be reducing your site’s attack surface.

When choosing extensions to install, be selective. Before installing an extension, read about it (ideally read reviews from other users on websites other than the extension developer’s site). This prevents you from installing malware or extensions that do not fit your purpose.

Check how many downloads the extension has and when it was last updated by its authors. The more downloads and recent updates the extension has, the more likely it is for a vulnerability found, to be fixed quicker.

Remove inactive users

Keeping inactive users on your Joomla! site increases your attack surface. Users, especially Administrators and others who have the ability to modify content, are possibly one of the weakest points of any site because unfortunately, most users tend to choose weak passwords.

If you absolutely need to keep inactive users in your Joomla! database, change their role to ‘Registered’ in order to limit any actions that could be performed.

Enable two-factor authentication

A great security feature to take advantage of in Joomla! is it’s in-built support for Two-Factor Authentication (TFA). To enable TFA, navigate to Users > Manage in the main administrative panel. Select the user to enable TFA to, and click on the Two Factor Authentication section.

You can change the authentication method to use Google Authenticator (the same mobile app that you use for TFA on your Google account).


Joomla! Two Factor Authentication


Part 1

Basic security measures to secure your Joomla! installation

Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.