Before taking extra steps to secure Joomla, make sure its core code and any additional components and modules are up to date. Then you can take advantage of the following additional security measures:
1. Secure your administrator area. This will prevent simple brute-force attacks. In addition, the code of all components and modules inside this directory will be protected as well. To do this:
- Place an .htaccess file inside Joomla's 'administrator' directory. It should contain:
    Deny from all
    Allow from YourIP
  Replace YourIP with your own IP address, which you can find on sites such as http://whatismyip.org
- If your IP address changes, you should try securing the directory with password protection instead.
2. Change the default database prefix jos_. This will defeat MySQL injection attempts that rely on the default table names. For this purpose you can use the following third party component. You should back up your database before changing its prefix.
3. Make sure your host does not allow remote code inclusion in PHP by default. To check this, log in to your Joomla Administrator panel and navigate to System, System info from the top panel. There go to the PHP
- If you are using PHP 5.2, make sure that the directive 'allow_url_include' is set to off;
- If you are using a PHP version below 5.2, make sure that the directive 'allow_url_fopen' is set to off.
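
The check from step 3 can also be run against the text of a php.ini file. The following Python script is an added example, not part of the original article: the function names and the sample php.ini content are constructed for illustration, and it assumes the 5.2 rule also applies to later PHP versions and that a missing directive takes PHP's built-in default.

```python
import re

# PHP's built-in defaults when a directive is absent from php.ini.
DEFAULTS = {"allow_url_fopen": True, "allow_url_include": False}
TRUTHY = {"1", "on", "true", "yes"}   # anything else is treated as Off

def parse_ini_flags(ini_text):
    """Return the effective boolean value of the two URL directives."""
    flags = dict(DEFAULTS)
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        m = re.match(r"^([\w.]+)\s*=\s*(.*)$", line)
        if m and m.group(1) in flags:                # names are case sensitive
            value = m.group(2).strip().strip("\"'").lower()
            flags[m.group(1)] = value in TRUTHY      # a later line overrides
    return flags

def remote_include_findings(php_version, ini_text):
    """Apply the rule from step 3; an empty list means the setting is fine."""
    major, minor = (int(p) for p in php_version.split(".")[:2])
    flags = parse_ini_flags(ini_text)
    if (major, minor) >= (5, 2):
        directive = "allow_url_include"
    else:
        directive = "allow_url_fopen"   # allow_url_include does not exist yet
    if flags[directive]:
        return ["%s is On under PHP %s; set it to Off" % (directive, php_version)]
    return []

# Constructed sample input, not taken from a real host.
SAMPLE_INI = """\
[PHP]
; allow_url_include = Off   (commented out, so it has no effect)
allow_url_fopen = On
allow_url_include = "1"     ; constructed weak setting
"""

if __name__ == "__main__":
    for version in ("5.2.17", "5.1.6"):
        problems = remote_include_findings(version, SAMPLE_INI)
        print(version, problems or "OK")
```

The php.ini that the web server loads can differ from the one used on the command line, so feed the script the file whose path is shown on Joomla's System info page.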