Joomla! website security is a main concern for every website owner, and it turns into a big headache if you get hacked. Lots of Joomla! websites get hacked every year. This applies not only to Joomla! but to every website, whether it was built with Joomla!, WordPress, custom development or any other CMS.

No software can provide you with 100% security, but you can make your website 99.9% secure and strong enough to prevent unauthorized access or hacking activity. Before making your website live for the public, I recommend working through every item in the checklist below.


  1. Choose a good Hosting

    Your web server (where your website is hosted) comes first among the security questions for your website. Some cheap hosting companies won't provide enough server security. Before purchasing hosting, read the product/hosting package description carefully and choose the best hosting company. Read more about How to choose a best hosting for Joomla!.

  2. Secure your web hosting cPanel Login

    You may have set up very tight security on your website and added firewall software, but they are of no use if you're using a normal password for your web hosting cPanel login. Most website's hosting cPanel can be accessible by or something else, and a normal password can easily be cracked by a brute-force attack. If someone gains access to your cPanel, they have full control over your database and files. Use a password that combines letters (uppercase and lowercase) + numbers + special characters (~!@#$%^&*-_+), with a minimum length of 14 characters. Another good practice is to update your password every 1/2 months.

  3. Use secure Database Name, Database Username, Database Password and Table Prefix

    Another common attack on your Joomla website is SQL Injection.

    1. Database Name: Use a hard-to-guess database name that combines letters (uppercase and lowercase) + numbers, with a minimum length of 14 characters (some control panels limit the database name length; check the limit and use the greatest length possible).
    2. Database Username: Use a hard-to-guess database username that combines letters (uppercase and lowercase) + numbers. Check the username length limit on your control panel and use the greatest length possible.
    3. Database Username's Password: Set a hard-to-guess database password that combines letters (uppercase and lowercase) + numbers + special characters (~!@#$%^&*-_+), with a minimum length of 14 characters.
    4. Table Prefix: Use a hard-to-read table prefix during Joomla installation. The table prefix should combine letters (lowercase only) + numbers, and its maximum length is 14 characters including the final "_".
    5. If you have already set up a non-secure database, you can change these values using the cPanel database tools and phpMyAdmin. After you change your database information, update it in Joomla's default configuration.php file.
  4. Remove unnecessary FTP accounts

    Check the FTP accounts in your web hosting cPanel and delete the unnecessary ones, or change their passwords to secure passwords.

  5. Use secure Username and Password for Joomla! Super Administrator login

    Every hacker's first target is to gain access to your Joomla Administrator by brute-force attack.

    1. Joomla Administrator Username: Don't use admin as the username. Use a hard-to-read username that combines letters (uppercase and lowercase) + numbers.
    2. Joomla Administrator Password: Set a hard-to-guess password for the Joomla Super User that combines letters (uppercase and lowercase) + numbers + special characters (~!@#$%^&*-_+), with a minimum length of 14 characters.
  6. Rename htaccess.txt file to .htaccess

    1. Go to your Joomla root folder (where you installed Joomla!) using cPanel File Manager or an FTP client like FileZilla.
    2. Now locate Joomla!'s default htaccess.txt file and rename it to .htaccess
  7. Enable Search Engine Friendly URLs

    All non-SEF URLs in Joomla show information about the component. If a hacker or spammer can get information about your extensions from your frontend URLs, they will target those extensions to hack your website. It's strongly recommended to enable Search Engine Friendly URLs in Joomla's default Global Configuration.

    1. Login to your Joomla! Administrator
    2. Go to System(from top left corner of the Joomla Administrator menu) > Global Configuration > Site tab
    3. From the SEO Settings section, set Search Engine Friendly URLs option to Yes
    4. Now Save
  8. Change configuration.php file permission

    1. From the root folder, locate Joomla!'s default configuration.php file
    2. Right-click configuration.php
    3. Now change its permission to 444
  9. Change index.php file permission

    1. From the root folder, locate Joomla!'s default index.php file
    2. Right-click index.php
    3. Now change its permission to 444
    4. Go to the [root]/templates/YourDefaultTemplate folder and locate the template's default index.php file
    5. Right-click index.php
    6. Now change its permission to 444
    7. Do the same for all other available templates under the [root]/templates/ folder.
  10. All other Folder and File permission

    1. Make sure the permission of all other folders is 755
    2. Make sure the permission of all other files is 644
    3. You can use a third-party extension to check and fix them; see below.
  11. Use a Security Extension

    Install a security extension like Admin Tools or RSFirewall and follow their security checklist for your website.

  12. Change Joomla Administrator login URL

    Changing Joomla's default administrator login URL gives your website extra security and keeps it safe from lots of common attacks. Some security extensions provide this feature by default; if yours does not, use the free jSecure Lite extension to change your Joomla Administrator login URL.

  13. Keep your Joomla! CMS and its Extensions up to date

    Always use/update to the latest version of the Joomla! CMS and of all the third-party extensions you're using.

  14. Never use Pro extensions and templates shared by others

    Always download and use pro extensions and templates from the original developer's website. Never use any pro extensions or templates shared by others, on public forums or on any third-party websites. Before sharing pro extensions or templates for free, they may have added a virus that will send your website and server information to a hacker during installation.
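
The permission targets in items 8, 9 and 10 can be checked from a shell instead of clicking through the file manager. The function below is an added example, not part of the original checklist or of Joomla itself; its name `audit_joomla_perms` and its output format are assumptions, and it only reports deviations without changing any mode.

```sh
#!/bin/sh
# Added example: audit a Joomla tree against checklist items 8, 9 and 10.
# Prints "want MODE  PATH" for each deviation and returns 1 if any are found.
# Read-only: it never changes a mode. Paths containing newlines are not handled.
audit_joomla_perms() {
    root=${1%/}
    if [ ! -f "$root/configuration.php" ]; then
        echo "no configuration.php under '$root'" >&2
        return 2
    fi

    # Items 8 and 9: the files the checklist wants at 444.
    # The glob matches only templates/<name>/index.php, not deeper files.
    locked=$(for f in "$root/configuration.php" "$root/index.php" \
                      "$root"/templates/*/index.php; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done)

    findings=$(
        # Locked files that are not exactly 444.
        printf '%s\n' "$locked" | while IFS= read -r f; do
            find "$f" -prune ! -perm 444
        done | sed 's/^/want 444  /'
        # Item 10: every folder should be 755.
        find "$root" -type d ! -perm 755 | sed 's/^/want 755  /'
        # Item 10: every other file should be 644 (locked files filtered out).
        find "$root" -type f ! -perm 644 | grep -vxF -e "$locked" \
            | sed 's/^/want 644  /'
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

Run it as `audit_joomla_perms /path/to/joomla` after each update or extension install, since installers can reset modes.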