Joomla Hardening 1



1. Overview

2. Methods and Techniques

    A. Implement Strong Access Control Measures

        1. Secure the administrator’s login with a strong password

        2. Maintain a proper Access Control System

                Handling User Accounts

                Handling User Groups 

                Handling User Access Levels

                Handling Permissions

        3. Enable Two Factor Authentication

        4. Limit the login attempts

        5. Enable CAPTCHA for the website.

        6. Restrict access to administrator’s login only from whitelisted URLs



There will always be a risk of attack on websites, security will always remain a continuous process which requires a frequent assessment of possible attack vectors. This documentation is a completely comprehensive guide on techniques and steps that joomla users can undertake, in order to better secure their website from frequent attacks.

Methods and Techniques


1. Secure the administrator’s login with a strong password

Do not leave the administrator’s login password as the default password (‘admin’). This makes the site more vulnerable to attacks.

Change the admin password frequently. And set up a strong password which includes at least 1 uppercase character , 1 lowercase character , 1 digit , 1 special character.

The password should be at least 10 characters long, with no more than two identical characters.

Method 1: Changing the Administrator’s Password

Step 1 : Login using the administrator’s login.

                                      Figure 1: Joomla Admin Login Page
Step 2 : Click on the user tab   and select the first option >> Manage Users

Step 3 : Select the User’s profile
                                                         Figure 3: Manage Users Page
Step 4 : Type and Retype the password and then click the button >> Save & Close

                                                Figure 4: Edit Profile Page - User
The password to the intended account will be changed. Sign out of the administrator’s login and Sign
in using the new password.

Method 2: Changing administrator's password

Step 1: Navigate to PhpMyAdmin tool of your server Login and select your Joomla database.

                                                Figure 5: PHP My Admin backend

Step 2 : Browse and find the table with “_user” phrase after the table's prefix, for example,

                                                    Figure 6: Tables of Joomla Database

Step 3 : Find the user whose password you want to change, in the prefixtable_user table and click
the Edit button or the yellow pen.

                                                Figure 7: User table - Joomla Database

Step 4 : The Joomla password is MD5 encrypted before being stored in the database. Therefore type
your password and remember to select the field type from varchar to MD5 before saving changes.
Then press “Go” to save settings.

                                  Figure 8: Edit user data - Joomla Database: User table

Password lists are often used by attackers to brute force Joomla websites. This is why you should
always use strong, unique passwords for all of your accounts.

2. Maintain a proper Access Control System

In order to maintain a strong secured website, the website should have a strong access
control system. Weak Access Control Systems would provide an easy opportunity for
attackers to crash the website using loopholes.

Handling User Accounts

    Create new user accounts with the lowest level of permission.

    Grant temporary permissions and revoke access when they are no longer needed.

    Delete accounts that are no longer being used.

    Ensure that the default user role is set to Public.

    If you have existing usernames, make sure the least privilege applies to all non-admins.

Accessing User Accounts :

Step 1 : Login to the back end of Joomla
Step 2 : Navigate to User >> Manage
Step 3 : Click on the user tab at the left side of the page

                                                Figure 9: Users page : Joomla Admin Backend

User permissions can be edited and new users can be added here.

Handling User Groups :

                    Delete unnecessary user groups in the system.
                    Create new user groups with a minimum access level.
                    Select the appropriate parent group, since the permissions of a parent is inherited by the child

Accessing User Groups :

                Step 1 : Login to the back end of Joomla
                Step 2 : Navigate to User >> Manage
                Step 3 : Click on the User Groups tab at the left side of the page

User groups can be created and deleted here

                                                    Figure 13: Create a new user group

Handling User Access Levels :

                            Keep track of the access levels a user has access to
                            Keep track of the permissions allowed, inherited, and denied by an access level defined
Assign appropriate access level to a user group

Accessing User Access levels :

                        Step 1 : Login to the back end of Joomla
                        Step 2 : Navigate to User >> Manage
                        Step 3 : Click on the Viewing Access Levels tab at the left side of the page

                                                Figure 14: Joomla Access levels defined

These access levels can be manipulated to decide the groups having viewing access to a
particular resource handling

                                            Figure 15: Modify user groups of an access level

Permissions :

Part 1 : Changing the default permissions for each action and group :

        Step 1 : Navigate to the System >> Global Configuration
        Step 2 : Configure the Global Configuration in the Permission Tab

                                            Figure 16: Global Configuration: Permission tab

Part 2 : Changing the Component Options Permissions :

        Step 1 : Navigate to the System >> Global Configuration
        Step 2 : Configure the Components Permission in the Permission Tab

Component Permission can override the default permissions for this component(for example,
Articles, Menus, Users, Banners, and so on).

Figure 17: Components Permission

Part 3: Changing the Category Permissions :

        Step 1 : Navigate to the Content >> Categories
        Step 2 : Select the category you need to be changed and click the edit button
        Step 3 : Navigate to the Permissions tab and configure the permission

Category Permission can override the default permissions for objects in one or more categories. This
applies to all components with categories, including Articles, Banners, Contacts, Newsfeeds, and

                                                Figure 18: Category Permission

Part 4 : Changing Article Permissions :

        Step 1 : Navigate to the Content >> Articles
        Step 2 : Select the article to be changed and click the edit button
        Step 3 : Navigate to the Permissions tab and configure the permission

Article permission can override the permissions for a specific article. This level only applies to
articles. Other components only allow the first three levels.

                                                Figure 19: Article Permission Tab
3. Enable Two Factor Authentication

Two factor authentication adds an extra level of security to your site. This procedure adds a singleuse
code, received on your smartphone or a Yubikey, to your existing passwords. Usually when you want to log in to a website, you have to provide your username and your password. The biggest problem with this approach is that the username and password can be stolen, intercepted or guessed by attackers. If the username and password is compromised, the site can be hacked.

Two-Factor Authentication system secures your site login with a secondary, single use secret code
along with the username and password. This is called Two-Factor Authentication or shortened to
2FA. Method : Enabling Two-Factor Authentication

        Step 1 : Login to the administrators login
        Step 2 : Click on the Extension tab >> Plugins

                           Step 3 : Search for the plugin “two factor” in the plugin search box

                                                Figure 21: Plugins page

Step 4 : In the results generated select the type of two factor authentication you want :

                        Yubikey or Google Authenticator
                                            Figure 22: Two factor authentication plugins

Step 5 : Now navigate to the user’s profile (shown in changing password technique).

Step 6 : Click on the Two Factor Authentication tab

                                            Figure 23: Edit profile page : Manage Users

Step 7 : Select your authentication method from the drop down box

                                            Figure 24: Two factor authentication tab : Edit Profile page

Step 8 : Now follow the detailed instructions given in the administrator's page, in configuring the
two factor authentication method you selected. : Yubikey or Google Authentication

Google Authentication Setup Instructions :

                                        Figure 25: Google Authenticator setup instructions

Yubikey Setup Instructions:

                                                 Figure 26: Yubikey Setup Instructions
Step 9 : After completing the configuration save and close the user profile.

The Two Factor Authentication will be activated. Sign out of the administrator’s login and Sign in
using the Username, Password, and the Secret Key.

                                            Figure 27: Joomla Admin Backend with Secret Key

4. Limit the login attempts

Unlimited login attempts is a default setting in Joomla. This leaves your site vulnerable to brute force
attacks as hackers try different password combinations to enumerate the actual password.

We recommend adding an extra layer of protection by limiting the number of login attempts against
an account through an extension, installed from Joomla's extension directory, or by using a Web
Application Firewall (WAF).

Some popular plugins that provide you with this feature are AdminExile, and Brute Force Stop

5. Enable CAPTCHA for the website.

Native CAPTCHA or RECAPTCHA can be used for this purpose. RECAPTCHA, introduced by
Google, is a plugin, which protects your contact and registration forms against spam. This feature is

extremely useful for stopping automated bots from accessing your Joomla dashboard, as well as a
precaution from users or attackers submitting unwanted spam through front-end forms.

Method :
        Step 1 : Log in to your administrator back-end
        Step 2 : Click on the Extension tab >> Plugins
        Step 3 : Search for the “ReCaptcha” plugin in the search box

                                                Figure 28: Recaptcha plugin : Plugin page

Step 4 : Edit the Plugin Captcha - ReCaptcha, Set Status to Enabled, and Copy and paste the
Public and Private keys in their appropriate fields.

You can get the Public and Private keys by signing in with your Google account (create it if you
don't have one). Once you have registered your website domain, Google will provide your

                                                Figure 29: Recaptcha configuration page

Link to create reCAPTCHA key with google: Create a reCAPTCHA key

Step 5 : Click Save & Close

Enabling ReCaptcha for the Contact and Registration Forms

        Step 1 : Go to System >> Global Configuration in the menu.

                                            Figure 30: Joomla Admin Backend : System tab

Step 2 : Select the Site tab and Choose Captcha - ReCaptcha in the Default Captcha field.

                                        Figure 31: Site Settings : Global Configuration

Step 3 : Click Save & Close.

Native CAPTCHA can also be used to protect the Joomla website. This feature can be added to the site,
in the form of an extension. Popular extensions that add a CAPTCHA to your Joomla login page are
SecurImages Captcha Plugin, Antispam by CleanTank, Custom reCaptcha, or OSOLCaptcha.

6. Restrict access to administrator’s login only from whitelisted URLs

Limiting the access to your login page from authorized IP’s will only prevent unauthorized entries.

This can be done by two ways :

Modifying the .htaccess file is done through the FTP or file manager.

Method :
            Step 1 : Connect to your server using FTP credentials to where your site files are, using FTP
client of your choice. [Credentials can be obtained from the hosting provider]
            Step 2 : Navigate to your admin folder
            Step 3 : Create a new file there with the name .htaccess. If such file exists already, simply open it
for edit.
            Step 4 : Add the following code to this .htaccess file, by replacing
from the code below with your IP address [The IP address from which the Joomla
back end will be accessed].
            You can allow multiple IP addresses by adding a new Allow from lines keyword followed by the other IPs.
            Order Deny,Allow
            Deny from all
            Allow from

            Step 5 : Then save, and upload the file.

2. Through third party security extensions

Here the .htaccess file need not be modified. The same functionality can be achieved with 
a more user-friendly interface from the Joomla admin back end by using third party extensions.
Eg : RSFirewall, AdminTools, Joomsecure

We will discuss more secure hardening steps in future posts.