Hacker, Researcher and Author.

Secure Joomla From Hackers

Recently we wrote an article on the "Wordpress Mass Defacement Tool" and another on "Securing Your Wordpress from being Hacked". However, I was requested by one of our readers to write an article on securing a Joomla blog from hackers and preventing it from being hacked. Joomla, just like WordPress, is a very widely used CMS platform. Joomla itself is quite secure by default; however, the extensions are developed by common developers, and most of them have no proper knowledge about security.

Nowadays, I have observed that most hackers do not target vulnerable Joomla extensions or Joomla itself; instead, they target websites on the same server and use them to extract the Joomla configuration file, which contains the database information. This vulnerability is commonly known as Symlink bypass in the black hat community and Server bypass in our white hat community. So in this article I will talk about the common methods to secure a Joomla site from hackers and prevent it from being hacked.

Secure Joomla From Hackers [Common Methods]

Choose A Secure Password

Joomla uses MD5 for generating password hashes. Though MD5 hashes are prone to some weaknesses, Joomla makes them secure by adding a salt. Here is how a Joomla hash looks:


The first part represents the MD5 hash and the part after the colon represents the salt. This adds an extra layer of security to Joomla passwords. However, these hashes can still be cracked with software like PasswordsPro and oclHashcat-plus. Moreover, nowadays graphics cards are being used for password cracking, which makes the job much easier and takes very little time. For a good guide on choosing strong passwords, kindly refer to my article "How To Create A Strong Password".

Securing Admin Panel

It's not a good idea to leave your admin panel open to normal users; it should be accessible only by administrators. Imagine that an attacker has managed to extract your database information using SQL Injection: he would still need the admin panel to log in. If you hide the admin panel, he won't be able to access it.

You can do it either by blocking access to the Public_html/Joomla/Administrator directory and making it accessible only from your IP, by modifying the .htaccess with the following directives:

Order Deny,Allow 
Deny from all
Allow from Your IP Address 

Alternatively, you can use an extension called Jsecure. It protects your admin panel by generating a key which is known only to you, so the administrator panel is accessible only if you have the proper key.

Update Update And Update

Most of the time the vulnerabilities are found within Joomla itself, and you have very little time to update your blog, or else you end up getting your blog hacked. I recommend you subscribe to the exploit databases 1337day.com and exploit-db.com. Most exploits go public there, so whenever you see a vulnerability in Joomla, you will have plenty of time to update. I keep an eye on Bugtraq and seclist.org, so whenever a vulnerability goes public, I am able to get information regarding it.

Scanning For Vulnerable Plugins/Extensions

As I mentioned at the beginning of the article, webmasters install Joomla plugins/extensions without checking whether they are vulnerable. You should periodically check exploit databases to see if the extensions you are using are vulnerable to any attacks. It would be a hassle to check every extension this way. Alternatively, a tool named "joomscan" has made life easier: it is periodically updated with lots of new vulnerabilities, checks your website for common vulnerable extensions, and reports them to you.

Protecting From Shell Uploads

Once an attacker gains access to your administrator panel, he will usually upload a PHP backdoor, commonly known as a "shell" in the black hat community, to maintain access to your website. All you need to do to protect against shell uploads is change the permissions of the images directory to 400, which will make the whole directory non-writable. This will prevent hackers from uploading the shell and also from penetrating further.

An attacker can alternatively try to upload the shell via your FTP, so you should also make sure that you disable port 21 (disable FTP access).

Securing From Symlink

Symlink bypass is one of the most commonly used attacks. Even if your Joomla website is completely secure, it's still possible for an attacker to extract your configuration file, "configuration.php", which contains the database username and password, via an attack called Symlink bypass. In order to protect your configuration.php, you need to change its permissions to 400.

You can do it by applying the following command:

chmod 400 configuration.php

Protect From Mass Defacement

It often happens that hackers manage to gain root access to the server on which your Joomla blog is hosted. In these cases the attacker runs a mass defacement tool/script, which changes the index files of all the websites running on the server. To protect your blog from a mass defacement attack, all you need to do is change the permissions of index.php to 400. However, this does not provide complete protection, because once the hacker has root on the server, he can manually change the permissions of your blog, hence defacing your website.
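The three permission changes described above (images directory, configuration.php, index.php) can be checked with a small audit script. This is an added example, not part of the original post; the function names and the temporary demo tree are assumptions made for illustration.

```shell
# Added example: audits the permissions recommended in this article.
# File names assume a default Joomla layout; the demo tree is constructed.

# Print the octal mode of a path (GNU stat, with BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_joomla_perms ROOT: print one line per finding, return the count.
audit_joomla_perms() {
    root=$1
    findings=0
    for f in configuration.php index.php; do
        p="$root/$f"
        if [ ! -f "$p" ]; then
            echo "MISSING $p"; findings=$((findings + 1)); continue
        fi
        m=$(mode_of "$p")
        if [ "$m" != "400" ]; then
            echo "WEAK $p mode=$m expected=400"; findings=$((findings + 1))
        fi
    done
    d="$root/images"
    m=$(mode_of "$d")
    # Any write bit (owner, group or other) allows uploads into images/.
    if [ $(( 0$m & 0222 )) -ne 0 ]; then
        echo "WRITABLE $d mode=$m"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Build a constructed site tree with typical default permissions.
demo_tree() {
    t=$(mktemp -d)
    mkdir "$t/images"
    : > "$t/configuration.php"; : > "$t/index.php"
    chmod 644 "$t/configuration.php" "$t/index.php"
    chmod 755 "$t/images"
    echo "$t"
}

# Apply the article's settings: mode 400 on all three paths.
harden() { chmod 400 "$1/configuration.php" "$1/index.php" "$1/images"; }
tree=$(demo_tree)
before=0; audit_joomla_perms "$tree" || before=$?
harden "$tree"
after=0; audit_joomla_perms "$tree" || after=$?
echo "findings before=$before after=$after"
rm -rf "$tree"
```

Mode 400 on a directory also clears its search (x) bit, so non-root processes can no longer open files inside it; the audit only requires that no write bit is set, so a mode such as 555 on images also passes.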

I hope you have liked my post on "Secure Joomla From Hackers". Though there is a lot left, I have highlighted the important steps to protect your website from being hacked.


  1. Nice tips about Joomla. When I create a Joomla website, I will follow your suggestion. :)

  2. Hi Rafay, I am your big fan. By the way, I am an Indian and I am doing BSc.
    Is a degree required for an information security job? I already have CEH, ECSA, N+, A+ certifications.

    Please reply.

  3. @anonymous 2

    That's a debatable topic. Try to learn from everywhere. If you are specifically looking for a job, try to do CEH, SANS GPEN and CISSP; that should help.


© 2016 All Rights Reserved by RHA Info Sec.