The Two Most Important Things You Can do to Secure Your Joomla Site

Maintaining a secure web site is a top concern for many people. Everyone is looking for the one way to make sure their site is always running, safe, and secure. When someone expresses concern about the security of their site, I usually ask them how old their most recent backup is. Most don't know, or don't have any backup at all.  

The harsh reality is that no system is ever going to be 100% secure. It doesn't matter what that system is, be it Joomla or the mainframe system that runs your bank account. It's important to keep your system up to date and to defend against hackers, but at the same time keeping your site up and running means defending against several other factors that include hardware failures, failed business relationships, and security issues beyond your control. For example, if your hosting company doesn't keep their control panel software up to date there's nothing you can do — short of switching hosts.
There's no big secret to this: the two most important things you can do to secure your Joomla site are to make good backups and use strong passwords.
The problem is that almost everyone knows this but not many do it. The Joomla security mailbox ( has a depressing number of reports from people who have a well maintained system but got hacked anyway. Sometimes they send in their admin login details and the problem is obvious: weak passwords (by the way, never mail your admin password unless someone you trust asks you for it explicitly).

Making a Good Joomla Backup

Start with a hosting company with a good backup plan. A lot of hosts will cut corners here by relying on RAID disks and skipping backups. Backups aren't cheap. They increase server load, drive up disk space requirements, require ongoing monitoring, and in the event that there's a problem with a site, usually need manual intervention to do a restore. If your hosting provider promises cut rate prices, fast servers, and reliable backups all at the same time, odds are they don't have a sustainable business and one or more of those variables will change sooner or later.
Which brings me to the second key point: even if you have a reliable host, don't rely on them for backups! Host backups are essential for a quick recovery of your site, but what happens if your host has a crisis? You may find yourself in a situation where you need to get your site up on another host, and that's not possible if all your backups are located on a server that's crashed. Akeeba Backup is a must have Joomla extension. It lets you schedule backups, and you should transfer copies of the backup files to a safe location on a regular basis. Akeeba Pro will do this for you automatically, pushing backups to another server, or to cloud storage services such as Amazon.
If your site isn't being backed up on a regular basis, get a backup plan in place. You can't do this after your site goes down, so do it now. Please.

Picking a Secure Administrator Login

Leaving the administrator account as "admin" and bad passwords are possibly the biggest security risk in Joomla. Every site is under attack by automated scripts that try "dictionary attacks" on passwords, and the simpler the password is, the more quickly the site is compromised. If you leave the default administrator account as "admin", you're doing half the hacker's job for them.
I had a client who insisted on making his password "Apple". After his site was hacked I urged him to pick a more secure password, but he chose to blame Joomla and refused. After his site was hacked a second time, I convinced him to make his password more complex, but he insisted on "Apple1976". The third time I convinced him to add more memorable words to his password and he hasn't been hacked since. Good passwords are important.
I use a password manager to generate long, complex password strings. The password manager lets me paste passwords into login forms so I don't have to struggle with getting 32 invisible random characters right. But you don't have to go that far to be secure. The key to a good password is length. So if your daughter's name is Carol and she was born in 2003, don't just use "Carol2003". Add some other details. For example "CarolAnnSmithJan52003" is just as easy to remember and a little harder to type, but several billion times harder to crack.

Now You're Safe

I'll say it again: No site is ever 100% secure. But if you follow these two simple steps, the chances that you'll be hacked drop dramatically, and the chances that you'll be able to recover from a hack quickly are far higher. The worst calls I get are from people who have had their sites flagged as dangerous by Google and who have no easy way to recover. Take these simple steps now and the odds you'll ever have to make that phone call go way down. It's worth the trouble.