Actionable Security Tips for Joomla

Actionable Security Tips for Joomla

A secured website is a myth. This has been proven over and over again with the breaches the biggest corporations face every next year.

But does that mean you shouldn't invest in security? 

Absolutely not!

Keep in mind, Hackers are going to hack anyway. Your job is to prevent invasion for as long as possible.

The process is called server-hardening. It is achieved by incrementally increasing the security of your server or web application, like WordPress or Joomla. 

The following Joomla Security Guide focuses strongly on system administrators and assumes you've already implemented the following security practices on your Joomla instance:

  1. Updated Joomla and PHP
  2. Applied User access control
  3. Enabled regular backups
  4. Installed security extensions
  5. Enabled strong login-password
  6. Disabled FTP access
  7. Applied robots.txt 

Make sure you have a good understanding of Linux systems and are comfortable with editing server config files. or hire a Joomla Security Consultant

Let's get started:

1.Configure Joomla Web-application Firewall

Almost every web application is, at some stage, found vulnerable to serious aVacks like XSS (cross-site scripting) or SQLi (SQL Injection).

If there's a vulnerability in PHP discovered recently, you can expect bots to exploit and drop malware on your server.

At the server level, you can prevent XSS aVacks.

Open you nginx configuration file:

sudo nano /etc/nginx/sites-enabled/yoursite.conf

and add the following lines inside your server{} block

1.1 Reduce XSS Risks (Content-Security-Policy)

add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';" always;

1.2 Prevent categories of XSS attacks

add_header X-XSS-Protection "1; mode=block" always;

1.3 Enable Rate Limiting

Enabling rate limiting on the server level is the best way to prevent brute-force aVacks whilst keeping your website performant. 

Our server experts always enable Nginx rate limit feature during server hardening.

Most importantly, we tweak the limit_req_zone parameter in the Nginx configuration file “/etc/nginx/ nginx.conf“, to rate limit the requests.

For instance, you can add the below code to your nginx.conf:

limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

This adds a zone called one, that can hold up to 160,000(as 1m =16,000 IPs) unique IP addresses, at a rate of 1 request/second. 

But that's not enough. There's still SQLi, malware prevention, SSH brute-force, and signup spam is leb to tackle. Which continuous monitoring of the application and cannot be solely handled on server-level.

We offer premium Joomla security consultation and services. Request a free demo and one of our brightest minds will get on a call with you to show how we can help prevent breaches.

2. Enable Site-Wide SSL Encryption 

Enabling encryption prevents you from insider aVacks too. Hackers can easily eavesdrop on your network conversation, which can lead to admin credential compromise in the worst case. Enable SSL on your site to prevent eavesdropping.

Step 1. Install certbot on your Linux instance and request a free SSL certificate.

sudo add-apt-repository ppa:certbot/certbot

Hit [ENTER] to continue

Step 2. Now, Install Certbot’s Nginx package with apt:

sudo apt install python-certbot-nginx

Step 3. Request a free SSL certificate from LetsEncrypt 

sudo certbot --nginx -d -d

Upon running the above command you'll see the following:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.



  1. No redirect - Make no further changes to the webserver configuration.
  2. Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.




Select the appropriate number [1-2] then [enter] (press 'c' to cancel):


Step 4. Enter "1" and continue.

Your certificates should be installed and enabled now.

Optionally, you can request for stronger encryption keys from LetsEncrypt. We recommend you to use only

4096-bit key pair. To do that, run the following command instead:

sudo certbot --nginx -d -d --rsa-key-size 4096

Enable HSTS Strict Transport Security

Enabling SSL is not enough these days. It's very easy for hackers to strip down the encrypted connection down and listen to the conversation. Enable HSTS (HTTP Strict Transport Security) on your server.

Enabling it will let the telling browser save the security standard of the website. That means the site MUST be loaded under SSL always and not HTTP.

To enable HSTS headers, go to your nginx server config: /etc/nginx/sites-enabled/yoursite.conf and add the following code inside the server{} block

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;


3.Enable Multi-factor Authentication

Joomla 3.2 and higher ships with native support for Multi/Two-factor authentication.

To set up the Two-Factor Authentication, go to the User Manager, edit a User and go to the Two-Factor Authentication Tab:

Select your desired authenticator app, we recommend Google Authenticator and proceed with the instructions shown.

4.Protect Admin Login

Block all access to Joomla's administrator login page. Add these lines to the Nginx site configuration.

Disable Joomla Admin Access:

location ~* /administrator.* {

deny all; 


As a fallback, add a new user beforehand with a manager/editor role.


Hope you found the guide useful.


Share this article

Leave your comments

Post comment as a guest

terms and condition.
  • Dave Harknett

    Respect to you Vasilii

  • Michael Davis

    Thank you for the actionable tips

  • Robert Jones

    I don't recommend Joomla for a big website.

  • Victor

    Thanks for the great post :). The getastra guide is awesome

Share this article

Vasilii Chekalov

Tech Expert

Vasilii Chekalov is a computer geek with great affinity for healthy lifestyle and weights. While not at the gym, his inquisitive mind devours information about digital marketing, outreach strategies and growth hacks. Master organizer, he knows the Α and the Ω of potent and enticing virtual presence.

Cookies user prefences
We use cookies to ensure you to get the best experience on our website. If you decline the use of cookies, this website may not function as expected.
Accept all
Decline all
Read more
Tools used to analyze the data to measure the effectiveness of a website and to understand how it works.
Google Analytics