Keep Your Joomla 3+ Website Safe and Online

While the Joomla program is free, that doesn’t mean it comes at no cost. You can access Joomla at no expense, but so can the hordes of hackers who plan to exploit it for their own benefit. They can also download the code, deconstruct it and learn exactly how to make use of it for their own profit.

How can you then protect yourself from such behaviour?

Here are a variety of tips that could help you avoid being hacked and, if you are, get you back online quickly.

  1. Activate Joomla’s .htaccess file

When you install Joomla, it comes with an .htaccess file loaded with rules to protect you from some of the more obvious exploits. Ensure that you activate this file and do not overwrite it with a blank text file. To activate it, rename htaccess.txt to .htaccess.

  2. Use a strong password and change your admin name

Joomla calls the individuals who run Joomla sites “Super Administrators” and issues them an “Administrator” username to which you add a password. Unfortunately, the bulk of hacks are done by “brute force”, meaning that somebody sits down and simply guesses passwords until the right one comes up.

Issuing “Administrator” as the admin name of a Super Administrator makes the hacker’s job simpler. Once they know your admin name they only have to guess the password, and how often is this “myjoomlawebsite123” or something similarly simple?

Joomla names do not require symbols, but if you change the name of your admin to something like “3TChVEVWxBYM2PM” and your password to “mSXfCaXcwvo7cWk,” you will make their lives much harder. To make things safer, use a random password generator such as the Secure Password Generator.
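
The brute-force guessing described above shows up in the web server's access log as bursts of POST requests to the administrator login. The following is an added example, not part of the original article; it assumes an Apache/nginx "combined" log, and the function names, threshold and log lines are constructed for illustration.

```sh
# Added example, not from the article. Assumes an Apache/nginx "combined"
# access log; the threshold and all log lines below are constructed.

# usage: admin_login_bursts <access_log> <max_posts_per_minute>
# Prints "<ip> <dd/Mon/yyyy:hh:mm> <count>" for each client that sent more
# POSTs to the administrator login in one minute than the threshold allows.
admin_login_bursts() {
    awk -v max="$2" '
        # $1 = client IP, $4 = "[timestamp", $6 = "\"METHOD", $7 = path
        $6 == "\"POST" && $7 ~ /^\/administrator\/(index\.php)?(\?.*)?$/ {
            minute = substr($4, 2, 17)      # drop "[" and the seconds
            hits[$1 SUBSEP minute]++
        }
        END {
            for (k in hits) if (hits[k] > max) {
                split(k, part, SUBSEP)
                print part[1], part[2], hits[k]
            }
        }
    ' "$1" | sort
}

# Constructed sample: six guesses in one minute from one address, one
# ordinary admin login, and unrelated front-end traffic.
write_sample_log() {
    i=0
    while [ "$i" -lt 6 ]; do
        printf '203.0.113.7 - - [12/Mar/2024:10:15:%02d +0000] "POST /administrator/index.php HTTP/1.1" 200 5120\n' "$i"
        i=$((i + 1))
    done > "$1"
    cat >> "$1" <<'EOF'
198.51.100.4 - - [12/Mar/2024:10:16:30 +0000] "POST /administrator/index.php HTTP/1.1" 303 250
192.0.2.10 - - [12/Mar/2024:10:15:10 +0000] "GET /index.php HTTP/1.1" 200 18211
192.0.2.10 - - [12/Mar/2024:10:15:12 +0000] "POST /index.php HTTP/1.1" 200 904
EOF
}

sample_log="$(mktemp)"
write_sample_log "$sample_log"
admin_login_bursts "$sample_log" 5   # 203.0.113.7 12/Mar/2024:10:15 6
```

Run it against the live access log from cron and feed the flagged addresses to whatever blocking your host provides.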

  3. Use Search Engine Friendly URLs

People use Search Engine Friendly (SEF) URLs because they allow Google to notice your site more easily. However, SEF URLs have the added advantage of hiding your site structure. Knowing a site’s structure can make it easier for hackers to add exploits. Just click the button on your control panel.

  4. Use SiteLock and Codeguard

Use SiteLock and Codeguard, if you can afford to. SiteLock provides “comprehensive, cloud-based website security solutions” that will automatically fix some issues when your site is compromised and will inform you by email about others. Codeguard simply backs up your website to the cloud, and you can roll back to a previous working version if there are any problems.

  5. Invest in an SSL Certificate

Originally, SSL certificates were intended to encrypt sites containing sensitive data such as credit card numbers, but these days they are becoming the norm, especially for OS sites. Your website URL will switch from http://www.test12.com to https://www.test12.com, meaning your username and password will be encrypted before they are sent over the internet. Clearly, if they are encrypted, someone who intercepts the data won’t be able to use them.

  6. Initiate File Permissions

You can add permissions to files and folders in Joomla so that only your account can access them. Adding such permissions can prevent outsiders from attempting to access your key Joomla files and folders, especially your Joomla configuration files. You can find details on permissions here, but if you’re a novice, it might be best to get a programmer or someone with some experience to do that.
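
One way to audit and reset the permissions described above, as an added example that is not part of the original article. The baseline it assumes (directories 755, files 644, configuration.php 444) is not stated on the page, and the function names and sample tree are constructed for illustration.

```sh
# Added example, not from the article. Assumed baseline: directories 755,
# files 644, configuration.php 444.

# usage: audit_joomla_perms <joomla_root>
# Prints one finding per line as "<ISSUE> <path>"; no output means clean.
audit_joomla_perms() {
    # Writable by "other": any local account on the host can alter the site.
    find "$1" ! -type l -perm -0002 -print | sed 's/^/WORLD_WRITABLE /'
    # Group-writable only: still looser than the 755/644 baseline.
    find "$1" ! -type l -perm -0020 ! -perm -0002 -print |
        sed 's/^/GROUP_WRITABLE /'
    # configuration.php holds the database credentials and should be
    # read-only for everyone, including its owner.
    if [ -f "$1/configuration.php" ]; then
        find "$1/configuration.php" \
            \( -perm -0200 -o -perm -0020 -o -perm -0002 \) -print |
            sed 's/^/CONFIG_WRITABLE /'
    else
        echo "CONFIG_MISSING $1/configuration.php"
    fi
}

# usage: fix_joomla_perms <joomla_root>
# Resets the whole tree to the assumed baseline.
fix_joomla_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/configuration.php" ]; then
        chmod 444 "$1/configuration.php"
    fi
}

# Constructed sample tree so the example runs stand-alone.
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/images" "$demo_root/administrator"
echo '<?php // constructed sample' > "$demo_root/configuration.php"
echo '<?php // constructed sample' > "$demo_root/index.php"
chmod 755 "$demo_root/administrator"
chmod 777 "$demo_root/images"             # world-writable upload folder
chmod 664 "$demo_root/index.php"          # group-writable script
chmod 644 "$demo_root/configuration.php"  # owner can still rewrite it
audit_joomla_perms "$demo_root"
```

Joomla's own configuration screen cannot save changes while configuration.php is 444; loosen it temporarily when you need to edit settings, then run the audit again.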

  7. Disable FTP

FTP is used to move website files to servers. Joomla has its own tool for uploading files (photographs, etc.), so disabling FTP is yet another way to stop possible intrusion. Again, you might have to ask your web host how to do this for your Joomla site.

  8. Restrict access to your Joomla Admin Panel

Your web host most likely uses cPanel or Plesk as its control panel. Both will allow you to secure your Joomla administration tab so that only you can access it. You can even set up your panel so it can only be accessed through your own IP address. For details on how to do this with your current hosting control panel, contact your web host. This may not be possible using shared hosting accounts because your IP address is likely to be dynamic and will change a lot.

  9. Keep everything current

Fortunately, the Joomla community is up to the fight against hackers. They regularly update Joomla with security fixes and inform website owners when an update is required. Click on ‘Update Now’ and Joomla smoothly transitions to the latest version. Unfortunately, upgrading the modules is not done automatically. For every automatic update you need to manually download and update the latest version of the modules and plugins you are using. If you don’t, you potentially open your website up for exploits.

  10. Keep an eye on the extensions you are using

The core of Joomla’s popularity is its extensions (modules, plugins, templates), but of course not all developers are equal. Some unknowingly leave your site open for exploits, so you must do your research. Look at the Joomla! Extensions Directory (JED) and make sure the module or plugin you are interested in has a good reputation. Likewise, just to be on the safe side, remove modules and plugins you are not using. This has the added benefit of speeding up your site.

  11. Set up Two-Factor Authentication

Sites using version 3 of Joomla can use two-factor authentication. This means that someone logging in must provide a username, a password and a One-time Password (OTP) automatically generated to protect sites from intrusion.

  12. Turn Off User Registration

Joomla is designed for community-owned websites. People can sign up for membership, and you can send members a newsletter directly from your back-end. This is appealing if you have a community website, but it obviously leaves your website vulnerable. If you’re going to need a newsletter, use something like YMLP. Better still, drive visitors to Facebook or other social media and let them manage your community.

  13. Restrict editor access

In line with this ‘community’ ethos, Joomla has a genuine collaborative feel about it as far as content is concerned. Super Administrators can make certain users ‘Editors’, who have the ability to change certain Joomla content without having to access the back-end of the system. In an ideal world this would be a dream: a website where people can have access to certain pages and update them at will, keeping your site current with nominal effort. But of course, this access is open to exploitation, and even if people start off friendly, they can turn to the dark side. Limit and strictly monitor who you make ‘Editors’. Or, if you take our advice, do everything yourself and don’t give anyone “Editor” privileges.