Security Resources for Joomla


As with all open source software, Joomla's underlying codebase can always be scrutinized by attackers with the will and ability to find exploits. The flip side of this equation is that popular and active open source software projects like Joomla have been hardened against nearly all of the published exploits and are generally considered quite safe.

Despite this, it is not possible to have a website that is both publicly accessible and 100% secure. Security is a continual process of learning and website hardening that should always be considered a 'work in progress'.

To help you on your journey of website security with Joomla, we've prepared this collection of resources that can be used to keep your Joomla site safe.

Joomla Security Checklist

The Joomla Security Checklist is the perfect place to start when it comes to maintaining a secure Joomla website.

The list includes great advice for choosing a secure web host, managing file permissions, optimal Joomla configuration, what to do if you have been hacked, and more.

Be sure to take some time to read through and understand the basics of each section.

Vulnerable Extension List & Security News

Another great list for keeping your site secure is the Vulnerable Extensions List (VEL). The VEL is a catalog of all the known exploits in 3rd-party Joomla extensions.

Monitoring this list by signing up for email alerts is a great way to be notified when non-core add-ons report an exploit that may affect your sites.

Joomla also maintains an RSS feed for security issues in the Joomla core, though users of Joomla 3.5 and greater will be notified about these when patches are released for their version of Joomla via the Joomla update notification plugin. Nonetheless, we still recommend that you sign up to be notified via email when security issues arise in the Joomla core.

Security patches for end-of-life versions

Joomla 2.5 and 1.5 have reached end-of-life status, meaning that they are no longer supported. However, a few critical security issues have arisen for these versions that should be patched until the site can be upgraded to the latest version of Joomla.

While you can manually apply the patches using FTP, we recommend that you use these simple Joomla EOL updaters to apply the patches right from the extension installer in the Joomla backend.  

The Joomla Community Magazine

The Joomla Community Magazine can be a great resource for security information and advice. We recommend that you regularly visit the Administrators Toolkit area for security-related posts such as:

But there are numerous small steps you can take that make the pathway to your data just a bit more difficult.

The Blogosphere

New items on website security are continually published on the internet, and Joomla, of course, is a common topic. We recommend that you regularly head over to your favorite search engine, search for Joomla security, and filter for recent articles. For example, we just found this great Complete 10 Step Guide to Joomla Security.

Trusted security extensions

Joomla has many security software packages listed in the official directory of Joomla software.

We recommend that you review the popular items in this category and see which ones make sense for your particular need.

We recommend choosing a Web Application Firewall such as Akeeba Admin Tools and RSFirewall. You may also try OSE Anti-Virus for Joomla, a virus-scanning extension that scans Joomla as well as other files on the server and has the ability to quarantine detected files.

The Official Joomla Security Forums

If you've read this far, and followed the links above, you're well on your way to maintaining a safe and secure Joomla website. But if you still have questions, be sure to pose a question in the security forums at

Separate security boards are maintained for Joomla 1.5, 2.x and 3.x. Be sure to post in the correct place, and never ever post any personal information about your site or server.

