How To Harden Default Install of Joomla

If you just installed Joomla or you want to ensure your current version of Joomla is properly secured, this complete Joomla Hardening Checklist will help you manage current and future versions of Joomla installations. The purpose of “hardening” is to pull the rope tighter around a new installation of software. Typically, a default installation of SQL for Microsoft, for example, has a default password, username, localhost pages, ports, and the list goes on – that anyone on the Internet can find out and potentially gain access to. Hardening in essence removes or changes the default values associated with a new install of software.

In this Joomla hardening guide, we also include tips for cleaning up unused files to free space and optimizing a general Joomla site.


1. Enable Search Engine Friendly URL’s

Any new website you build must have SEO Friendly URL’s enabled. By default, Joomla disables this because it requires functionality from your hosting provider (or host software) to work in Apache.

You will need to enable rewrite_mod module in your httpd.conf file in your Apache installation. You’ll then need to modify your Joomla Htaccess file to make the rewrite work.

See this link for more information on accomplishing this and also this link for trouble renaming your htaccess file.


2. Enable 404 Redirects

Whenever someone tries accessing a web page on your website that no longer exists or was recently deleted, by default they are redirected to what’s called a 404 page. It’s basic page informing the user they reached a web page of your site that no longer exists. It looks bad and Google does not like when this happens on a site. You have several options for behavior when a user reaches a 404 site, but most typically send users back to their homepage – so a user never sees a 404 error.

Check out this link for getting 404 pages to redirect to your website homepage.


3. Delete and Remove any Unused Templates

A new installation of Joomla out of box comes with default templates including Atomic, Beeze, Hathor, Bluestork, etc. Joomla encourages the use of their templates to get started quickly with an out of box design. Additionally, the default Joomla templates are extremely optimized and will probably be the fastest of any 3^rd party template you install.

In such cases, the default Joomla templates aren’t really nice looking and almost everyone today uses a custom template. If you aren’t using the default Joomla templates, you can remove them any time.

Login to your Joomla backend and go to Extensions -> Manage. In Type drop down menu, select Templates to reveal all Templates currently installed on your website. From here, you can select the check box for any of the default templates you aren’t using and uninstall them this way.





Be sure to not uninstall the template you’re currently using!


4. Mask Administrator Backend Login

By default, all Joomla backend administrator pages are accessible by /admin directory. If not properly secured, anyone on the Internet can get to your administrator login page and brute force guess username/password combinations to gain access. You never want to give someone an opportunity for this – even if they don’t access your backend, your site can be taken down

You can mask your administrator login with a secret key. This adds an extra layer of security to your website. Check out AdminExhile


5. Disable “Allow User Registration” if Not Needed 

By default, Joomla allows for people to create public login accounts to your website even if you don’t have a link published for them to do so. It is important to disable allow user registrations if your site isn’t going to need this feature.

In your Joomla backend, go to Users -> User Manager. Select Options at the top. Here you can select no for Allow User Registration.





6. Enable Google reCaptcha on Pages Users Will Interact with Such as Contact Form.

Google reCaptcha defends against automated processes on the Internet from interacting with components on your website. It is absolutely critical you use some type of captcha on your website today if you allow the ability for user interaction.

You’ll need to create a Google reCaptcha public and private key using a Google account first. Then, you can enable Captcha - ReCaptcha plugin in Joomla with the Google keys you created. You’ll also want to enable reCaptcha as your Default Captcha in Joomla Site Settings.


7. Review Access and Error Logs Weekly

Depending on your host provider or software, you should review your Apache access log files weekly and study for trends from unwanted visitors. Typically, you’ll be able to quickly see parts of your site certain IP’s are visiting that you aren’t typically allowing access to – or that don’t exist. You can quickly take steps to block unwanted IP addresses this way.

Your Joomla error_log (found in root/error_log) will contain front and backend errors about areas of your site. Most of the log may be informational; however it’s good to know what’s going in your site to help you understand why something else isn’t working. This log will also contain PHP errors you receive.


We hope this guide provides useful information for your future Joomla installations – so we can all make our Joomla sites happy secured!