Joomla is a PHP CMS with an extension-driven architecture, so third-party extension code runs with exactly the same privileges as core. Hardening priorities are extension patching, administrator backend protection, and file permission and ownership controls.
¶ 1) Protect secrets and administrative access
- Enable MFA for all administrator accounts (core Multi-factor Authentication in Joomla 4.2+, the two-factor plugins shipped since 3.2; no third-party extension is needed on current versions)
- Restrict the /administrator backend at the reverse proxy: an IP allowlist where the admin population permits it, plus rate limiting on login attempts
- Assign backend access by user group through Joomla's ACL; keep Super User membership to as few accounts as possible and give content editors frontend-only roles
- Keep the $secret value in configuration.php unique per site (it is generated at install time and salts Joomla's application hashes, form tokens included); regenerate it if configuration.php has ever been exposed
- Joomla core does not support renaming /administrator; the equivalent control is a secret URL parameter or IP restriction enforced by the web server or an extension, not a directory rename
¶ 2) Control extensions and update cadence
- Patch Joomla core and extensions immediately after security releases (the security centre and vulnerable extensions links at the end of this page announce them)
- Remove disabled, abandoned or unsupported extensions and templates; disabled code is still on disk and may still be reachable by direct file access
- Install extensions only from developers listed on the Joomla Extensions Directory (JED); JED lists and reviews extensions, the download itself comes from the developer
- Before installing, check the extension against the Vulnerable Extensions List (VEL) and confirm it is maintained for your Joomla version; JED has no security rating, so reviews and the VEL are the signals available
- Joomla core has no unattended auto-update; enable the Update Notification plugin so security releases are announced by email, and script update checks from cron (php cli/joomla.php core:check-updates on Joomla 4+)
¶ 3) Harden runtime and deployment perimeter
- Keep configuration.php read-only (444). This only helps if the PHP process is not the file's owner: the owner can chmod the file back, and Joomla's own Global Configuration save does exactly that, so pair 444 with ownership by a deploy user rather than the web server user
- Enforce HTTPS ($force_ssl = 2 in configuration.php, HSTS at the proxy) and harden php.ini: display_errors = Off, expose_php = Off, allow_url_include = Off, and disable_functions covering process execution (exec, system, passthru, shell_exec, proc_open), which Joomla does not need
- Set file permissions and ownership:
- Directories: 755 (775 only for the trees Joomla writes to: images, cache, tmp, logs, administrator/cache, administrator/logs)
- Files: 644
- configuration.php: 444
- Owner: a deploy user; group: the web server user, so PHP can write only where the group bit is set
- Block PHP execution in the upload directory (images/) and in cache/, tmp/ and logs/; Joomla's cache and log files are themselves named .php, which is why the web server must refuse to serve them
# Set directory permissions (-exec ... + batches the chmod calls)
find /var/www/joomla -type d -exec chmod 755 {} +
# Set file permissions
find /var/www/joomla -type f -exec chmod 644 {} +
# Secure configuration.php
chmod 444 /var/www/joomla/configuration.php
# Let the web server write only where Joomla needs it
for d in images cache tmp logs administrator/cache administrator/logs; do
  find /var/www/joomla/$d -type d -exec chmod 775 {} +
done
# Ownership: files belong to a deploy user ("deploy" is a placeholder name); the web server only has group access.
# chown -R www-data:www-data would let a compromised PHP process rewrite any file, configuration.php included,
# because 444 does not restrain the file's owner.
sudo chown -R deploy:www-data /var/www/joomla
Apache (.htaccess in the images/ directory; AllowOverride must include AuthConfig for it to take effect, and this is Apache 2.4 syntax, since "Deny from all" needs mod_access_compat):
<FilesMatch "\.ph(p[0-9]?|tml|ar)$">
Require all denied
</FilesMatch>
Nginx (this regex location must appear before the generic location ~ \.php$ handler: nginx takes the first matching regex location, so placed after it the rule never fires; keep try_files $uri =404; in the PHP handler as well, so path-info tricks such as /images/x.jpg/y.php cannot reach the interpreter):
location ~* ^/(images|cache|tmp|logs)/.*\.ph(p[0-9]?|tml|ar)$ {
deny all;
}
Consider installing these security extensions (all third-party code that needs patching like any other extension):
- Admin Tools: .htaccess/nginx rule maker, file permission fixer, and a secret URL parameter for /administrator (the practical substitute for renaming it)
- Akeeba Backup: site and database backup; keep the archives outside the web root, since they contain configuration.php and the full database
- RSFirewall: web application firewall for Joomla
- Two Factor Authentication: only needed on Joomla versions before 3.2; 3.2+ ships two-factor plugins and 4.2+ ships core MFA
Operating practices:
- Regular updates: apply security releases within 24-48 hours of publication
- Extension audit: regularly review installed extensions against the VEL and remove what is unused
- User permissions: principle of least privilege; editors do not need backend access, and Super User accounts are for administration only
- Backup strategy: regular backups with off-site storage; test a restore, and treat backup archives as secrets, since they contain configuration.php and the database
- Error handling: $error_reporting = 'none' and $debug = false in configuration.php, display_errors = Off in php.ini
- HTTPS: always for admin access, and preferably for the whole site ($force_ssl = 2)
- Rename administrator: not supported by Joomla core; use an IP allowlist at the proxy or an extension's secret URL parameter instead
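The configuration.php settings referenced in section 1 and in the operating practices above (the $secret value, error display, HTTPS enforcement), as an added example that is not part of Joomla or the original checklist: a read-only shell audit that reads a configuration.php and reports deviations. The property names ($secret, $error_reporting, $debug, $force_ssl) are Joomla's own; the two sample configurations the script can write are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of Joomla or the original checklist: audit the
# configuration.php settings this checklist calls out. The sample
# configurations below are constructed; the property names are Joomla's.
set -e

# Extract one public property of the JConfig class. Joomla writes one
# property per line:  public $error_reporting = 'none';  or  public $force_ssl = 2;
cfg_get() {   # cfg_get <configuration.php> <property-name>
  grep -E "^[[:space:]]*public[[:space:]]+\\\$$2[[:space:]]*=" "$1" | head -n 1 \
    | sed -E "s/^[^=]*=[[:space:]]*['\"]?([^'\";]*)['\"]?[[:space:]]*;.*/\1/"
}

# Print one line per finding; the return value is the number of findings.
audit_config() {   # audit_config <configuration.php>
  f=$1; n=0
  secret=$(cfg_get "$f" secret)
  if [ "${#secret}" -lt 16 ]; then
    echo "secret: missing or shorter than 16 chars; regenerate a random value (it salts Joomla's application hashes)"
    n=$((n+1))
  fi
  case "$(cfg_get "$f" error_reporting)" in
    none) ;;
    *) echo "error_reporting: set to 'none' in production (paths and queries leak through PHP notices)"; n=$((n+1)) ;;
  esac
  if [ "$(cfg_get "$f" debug)" != false ]; then
    echo "debug: must be false in production (exposes queries and stack traces)"; n=$((n+1))
  fi
  case "$(cfg_get "$f" force_ssl)" in
    2) ;;
    1) echo "force_ssl: 1 covers only /administrator; use 2 for the whole site"; n=$((n+1)) ;;
    *) echo "force_ssl: HTTPS is not enforced; set 2 (entire site)"; n=$((n+1)) ;;
  esac
  return $n
}

# Constructed samples in Joomla's configuration.php layout: a weak one and a hardened one.
write_sample_config() {   # write_sample_config <weak|hardened> <file>
  if [ "$1" = weak ]; then
    cat > "$2" <<'EOF'
<?php
class JConfig {
    public $sitename = 'Example';
    public $secret = 'abc';
    public $error_reporting = 'maximum';
    public $debug = true;
    public $force_ssl = 0;
}
EOF
  else
    cat > "$2" <<'EOF'
<?php
class JConfig {
    public $sitename = 'Example';
    public $secret = 'FBVtggIk5lAzEU9H';
    public $error_reporting = 'none';
    public $debug = false;
    public $force_ssl = 2;
}
EOF
  fi
}

# Usage: CONFIG_PHP=/var/www/joomla/configuration.php sh audit-config.sh
if [ -n "${CONFIG_PHP-}" ]; then
  audit_config "$CONFIG_PHP" && echo "configuration.php: no findings"
fi
```

The audit only reads the file, so it can run from cron as the deploy user against the 444 configuration.php; a non-zero exit means someone changed a production setting through Global Configuration.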
Further reading:
- Joomla Security Center: https://developer.joomla.org/security-centre.html
- Joomla Security Checklist: https://docs.joomla.org/Security_Checklist
- Joomla Docs: https://docs.joomla.org/
- Joomla Vulnerable Extensions: https://developer.joomla.org/security-centre/vulnerable-extensions.html