3 Joomla security tips to protect against brute force attacks

There has been a lot of talk lately regarding Joomla Security and attacks on Joomla sites.

Yesterday the website security company Sucuri posted a blog entitled "Big Increase in Distributed Brute Force Attacks Against Joomla Websites" in which they summarize some very worrying statistics:

"We have seen an average of 6,000 brute force attempts against Joomla sites daily across our honeypots and CloudProxy networks. Some days the attacks increased to almost 13k, and dipped as low as 3k attempts. However, for the last 3 days, you can see a big increase, reaching almost 269,976 scans yesterday, September 2nd, 2013. That’s a very big increase out of nowhere."

The following image shows the alarming increase in attacks over the past few weeks:


This got us thinking how such attacks could easily be thwarted. The attacks they cited were login attempts on the Joomla Administrator folders which are relatively easy to protect.

Step 1 - Use HTPASSWD protection

HTPASSWD is a common utility in Unix- and linux-based web servers that adds basic user authentication to a set of files and folders. Blocking HTTP requests to the Joomla Administrator folder is widely regarded as one of the easiest and most effective deterrents to intruders.

There are 3 ways to add HTPASSWD protection to your Joomla administrator folder. All these methods effectively do the same thing, which is to add the .HTPASSWD protection through an encrypted password. For the hacker this makes the Administrator completely invisible, since there is no need for anyone in the public to be able to see it why not protect it completely?

A. Manually creating a .HTPASSWD file

A .HTPASSWD file is simply a file that includes usernames and encrypted passwords, a .HTACCESS file can include directives to ensure the username and password need to be enter to access the folder. This method can be used without adding any extensions to your Joomla installation and relies on your server instead. It is recommended that the .HTPASSWD file is saved outside the public_html folder.

1. Create the .HTPASSWD file

The .HTPASSWD file contains the usernames and password and should NOT be found in the folder that needs to be protected. In order to ensure it is most secure it should be found outside the public_html folder.


The above creates a username "mysecretusername" with an ancrypted password "mysecretpassword"

  • Using your FTP client or cPanel file management utility, navigate to the folder in which public_html is found, the path is likely something like /home/myaccount
  • Create a simple text file name .HTPASSWD
  • Generate usernames and encrypted passwords on http://tools.dynamicdrive.com/password/
  • Copy the usernames with password into the .HTPASSWD file

2. Create the .HTACCESS file

The .HTACCESS file is found in the folder that needs to be protected and includes directives that enforce the username and password and the full path to the .HTPASSWD file
  • Navigate to the Administrator folder, the path is likely something like /home/myaccount/public_html/administrator
  • Create a simple text file name .HTACCESS (or open the one that already exist here)
  • Copy the appropriate directives at the top of the HTACCESS file
AuthName "Secured Area"
AuthType Basic
AuthUserFile /home/myaccount/.HTPASSWD
require valid-user

B. Using the CPanel password protection tool

Most hosting control panels provide some method to easily add password protection to your directories.

cpanel password_tool

In this case there is a simple tool which makes it easy to help secure and password protect the Administrator folder.
  • Log into your hosting Control Panel
  • Click Password Protect Directories
  • Navigate until you see the /home/myaccount/public_html/administrator folder listed (Note that in many case clicking the folder icon opens the folder, while clicking on the folder name selects it to be protected)
  • Select the Adminsitrator folder
  • Fill in the Folder Name (It will display as part of the password Prompt), username and password

C. Use a Joomla Security Extension

There are extensions that help secure the Joomla Adminsitrator folder, one popular such extension is Admin Tools.

Admin Tools (the Pro and free editions) includes a tool to password protect the Joomla Adminsitrator folder. The tools creates the .HTPASSWD and appropriate .HTACCESS file in the easiest way

  • Log into Joomla Administrator
  • Select Components - Admin Tool - Password-Protect Administrator
  • Enter a Username and Password

Step 2 - Change the admin Super User

Especially in Joomla 1.5 and older, the default username for the Super Administrator is admin. Newer versions of Joomla make it easy to change this, but many people still use admin when creating their first user account.

Intruders rely on this during a brute force attack since knowing the username means the difficulty of intruding is at least 50% less than on a site with a custom username. In fact, as the Sucuri blog described, the most recent brute force attacks are using this method.

Simply changing the name of the super user will provide protection from attacks that guess usernames and passwords. There are other attacks that may use other defaults such as the user ID in order to break the Super user account to gain access to the site.

The easiest way fix this is to recreate the Super User. Admin Tools has a simple utility for this (see image below). However, you could also simply create a new Super User account with a unique username and strong password. Afterwards, log into your Joomla backend as this new user, rename and remove the Super Administrator/Super User privileges for the admin account, and then disable the account entirely. 


Step 3 - Update core and add-ons to improve Joomla security 

Since the most common successful attacks are due to known vulnerabilities in outdated Joomla versions and add-ons, one of the most important tasks for anyone responsible for Joomla security is to ensure that all the software remains up to date.

Thus, one of the most important features that has been added to Joomla is the new Joomla Update Manager which can be used to easily update many extensions, as well as the Joomla Update component to update Joomla itself. 

A. Update Joomla!

  • Log into Joomla Administrator
  • Select Components - Joomla! Update
  • Click to Update

A special note for Joomla 1.5 users - A few weeks ago a critical vulnerability was discovered affecting all Joomla versions including Joomla 1.5. Patched files were posted for Joomla 1.5 but had to be installed manually via FTP.

Here at Anything Digital, we thought it would be alot easier if we created a simple installer for this specific purpose. Please read our previous post Joomla Security Patch Made Easy to Install to learn how to patch Joomla 1.5 for this very serious security issue.

B. Update Extensions

  • Select Extensions - Extension Manager
  • Select the Update tab
  • Select Purge Cache, the Find Updates (ensure latest available supported updates are found)
  • Select the Extensions (and languages) to update and click Update

Before updating Joomla or any extensions make sure to back up your site, a backup extension such as Akeeba Backup.

C. Monitor all your site updates in one location

The ability to install updates from within Joomla has also made it possible to create remote update services such as Watchful, the award winning backup, update and Joomla security monitoring service.

Watchful will notify you if updates are available for extensions and allow you to apply many of them all from one convenient Dashboard. 

Last modified on Sep172014
blog comments powered by Disqus

Get the latest updates on our extensions