
Joomla hardening - configuration adaptations

  1. Joomla core

    This is quite an easy one: make sure you always use the latest Joomla version. Joomla 3.x upgrades can be done quite easily by looking in your configuration screen and following the guidelines about what you need to update both for the core and for the extensions.

  2. Joomla files in root directory after installation

    A couple of files which are part of the Joomla distribution stay in the root directory of your Joomla site. Although they don't hurt your site, it's best to remove them as they don't add any value to it either. So you can remove the following files:
    • CONTRIBUTING.md
    • LICENSE.txt
    • README.md
    • README.txt
    • robots.txt.dis
    • web.config.txt

    PLEASE MAKE SURE you don't remove these files as they are the heart of your Joomla site:

    • index.html
    • .htaccess
    • robots.txt
    • index.php
    • configuration.php

    Other files may be present in your root directory, it's up to you to know if you have to keep them or if you can delete them.

  3. Joomla configuration file

    As this is the core configuration file of your site, it is of utmost importance to protect it as much as possible. There is some discussion about how useful this trick really is, but I include it in my overview to make it complete. Since it is otherwise almost impossible to protect your files in a way that cannot be cracked, here is an effective trick to protect your configuration.php file: move the original file outside the public part of your site, rename it to joomla.conf, and replace the original file with a file that only includes the joomla.conf file.

    E.g. copy the configuration.php file to ../www.private/conf/joomla.conf, and create the new configuration.php file containing only the following code:

    <?php
    // Load the real configuration from outside the public web root
    require( dirname( __FILE__ ) . '/../www.private/conf/joomla.conf' );
    ?>

    Please note that this trick is only useful once your configuration is final and frozen, because every time you change your configuration through the administrator interface, the configuration.php file is overwritten and your include stub is gone.

  4. Remove the generator tag from all of your website pages

    Joomla automatically adds the metatag

    <meta name="generator" content="Joomla Open Source Content Management" />

    to each of your pages. This is of course a very simple way to check what system a site is running on. To remove this tell-tale tag from all of your pages, you only need to add one line of code to the index.php file of the template you use for your website. Right at the start of that file (but after the first line, which normally is something like <?php defined('_JEXEC') or die;), add this command:

    $this->setGenerator(null);

  5. Rename your Joomla Super User

    By renaming the default "admin" user to another name, you already double the effort an attacker has to make on your site: (s)he not only has to guess the password, but now also has to guess the username. So this is a real no-brainer, as it is very easy to do and it increases the security level of your site dramatically.

  6. Joomla log files

    You should move the log files to a directory where they cannot be viewed easily by everyone who would like to, as these log files can contain a lot of very useful information for possible attackers of your site. All the server responses and especially error messages are stored in the log files, which is a real plethora of information for everybody trying to figure out how your site is configured. If they cannot access the contents of the log files, it will be far more difficult to find out the configuration of your site, hence the effort to hack your site will grow exponentially and maybe a hacker no longer finds it feasible to keep trying to get your site hacked for his or her purposes.

  7. Unused templates and extensions

    For unused templates and extensions in Joomla - and also in all possible other systems - there is one simple rule to apply: REMOVE THEM. It helps both in hardening your system, as you close possible backdoors, and in the speed of your site, as these templates and extensions are no longer loaded when somebody accesses your site.

    A couple of extensions and templates are loaded when they are present on your site, even if they are not used or even activated. To avoid problems with this, simply remove them, as they serve no purpose on your server.
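The following audit script is an added example (not code from the original article or from the Joomla project) that checks a site directory against points 2, 3, 4 and 6 above: leftover distribution files, a configuration.php that still holds the full JConfig class inside the web root, template index.php files without the setGenerator line, and a log_path that resolves inside the web root. It assumes the standard Joomla layout (templates/*/index.php, `public $log_path = '...'` in the configuration class) and takes the web root as its first argument and, optionally, the relocated joomla.conf as its second.

```shell
#!/bin/sh
# Added hardening audit (constructed example). Arguments: web root, optional relocated config file.
joomla_audit() {
  root="$1"
  cfg="${2:-$root/configuration.php}"
  issues=0
  # Point 2: distribution files that should have been deleted from the root
  for f in CONTRIBUTING.md LICENSE.txt README.md README.txt robots.txt.dis web.config.txt; do
    if [ -e "$root/$f" ]; then
      echo "leftover file: $f"
      issues=$((issues + 1))
    fi
  done
  # Point 3: a relocated configuration.php is only a require stub; if the full JConfig
  # class still sits in the web root, the trick was not applied (or was overwritten)
  if [ -z "${2:-}" ] && grep -q 'class JConfig' "$root/configuration.php" 2>/dev/null; then
    echo "configuration.php still holds the full JConfig class in the web root"
    issues=$((issues + 1))
  fi
  # Point 4: every template index.php should suppress the generator meta tag
  for t in "$root"/templates/*/index.php; do
    [ -f "$t" ] || continue
    if ! grep -q 'setGenerator' "$t"; then
      echo "generator tag not suppressed in $t"
      issues=$((issues + 1))
    fi
  done
  # Point 6: extract log_path from the config; a path under the web root is reachable by visitors
  logdir=$(sed -n "s/.*[$]log_path *= *'\([^']*\)'.*/\1/p" "$cfg" 2>/dev/null)
  case "$logdir" in
    "$root"/*) echo "log_path $logdir is inside the web root"; issues=$((issues + 1)) ;;
  esac
  echo "issues found: $issues"
  return "$issues"   # exit status is the number of findings (0 = clean)
}
# Usage: sh joomla_audit.sh /var/www/html [/var/www/www.private/conf/joomla.conf]
[ $# -gt 0 ] && joomla_audit "$@"
```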
