How to protect your Joomla website from hacking and viruses in 2026

Joomla sites get hacked for two reasons almost every time: outdated software and predictable configurations. This is a practical hardening checklist for 2026 that covers the updates, permissions, authentication, backups, and scanning habits that block the vast majority of successful attacks before they happen.

Keep everything updated. This is not optional.

The single most effective security measure you can take is keeping Joomla core and every extension current. Most Joomla compromises are not sophisticated zero-day attacks. They are automated scripts that probe for known vulnerabilities in outdated extensions and Joomla versions. If you are running Joomla 4.x in 2026, upgrade to Joomla 5.x. If you are running outdated extensions, update or replace them.

Update cadence that works in practice:

• Apply Joomla security releases within 7 days of announcement. Subscribe to Joomla's security announcements at https://developer.joomla.org/security-centre.html so you know when they drop.
• Apply extension updates within 30 days. Check the Extension Update screen in your Joomla admin weekly.
• Always have a tested backup before applying any update. Not a backup you created and never verified; a backup you can actually restore from.

Joomla 5.x's update notifications in the administrator dashboard are reliable. If the Update Notification badge is showing, do not ignore it.

Set correct file permissions

Wrong file permissions are a common attack enabler. If PHP can write to files it has no business writing to, a successful injection attack can persist malware across the entire installation. The correct baseline for a Joomla installation:

• Directories: 755 (owner read/write/execute, group and world read/execute)
• Files: 644 (owner read/write, group and world read only)
• Configuration file: 444 (read only for everyone after initial setup)

# Set permissions recursively from your Joomla root
find /path/to/joomla -type d -exec chmod 755 {} \;
find /path/to/joomla -type f -exec chmod 644 {} \;
chmod 444 /path/to/joomla/configuration.php

Note: the configuration.php needs to be temporarily writable (chmod 644) during Joomla updates that change configuration, then locked down again afterward.

Enable two-factor authentication

Joomla 4.x and 5.x include two-factor authentication (2FA) in core. Enable it for all administrator accounts. There is no excuse not to. Even a simple time-based one-time password (TOTP) via Google Authenticator or Authy eliminates brute-force and credential-stuffing attacks against your admin login.

To enable in Joomla 5.x: go to Users, select the user, and find the Multi-factor Authentication tab. Enable TOTP and scan the QR code with your authenticator app. Apply this to every user with backend access, not just the super administrator account.

Change the default administrator URL

Automated attack bots constantly probe /administrator on known Joomla sites. While security through obscurity is not a substitute for real security, there is no reason to make it easy. The AdminExile extension (free, actively maintained in 2026) lets you add a secret key to the administrator URL so that /administrator returns a 404 while /administrator?yoursecretkey=1 loads the login screen. This stops automated probes cold.

Restrict administrator access by IP if feasible

If your team accesses the Joomla admin from a predictable set of IP addresses (office network, known VPN), restrict access to /administrator at the server level. In Apache, add this to your .htaccess in the /administrator directory:

Options -Indexes
Order Deny,Allow
Deny from All
Allow from YOUR.OFFICE.IP.ADDRESS
Allow from YOUR.HOME.IP.ADDRESS

This is simple, effective, and adds no overhead. Anyone not on the allowed IPs cannot even reach the login form.

Run a reputable security extension

RSFirewall and Akeeba Admin Tools are the two most established Joomla security extensions in 2026. Both provide file integrity checking, malware scanning, automated blocking of suspicious requests, and detailed security audit tools. Akeeba Admin Tools also includes a powerful .htaccess generator that adds security headers, disables PHP execution in upload directories, and blocks common attack vectors.

These are not free (both have paid versions with the full feature set), but for any business site, the cost is trivial relative to the cost of a successful compromise.

Backups: the one security measure people skip until they need it

Akeeba Backup (free core edition, paid professional edition) is the standard for Joomla backups. It creates a complete, portable archive of your Joomla installation including the database. Configure it to:

• Run automated backups daily (or at minimum weekly)
• Retain at least 14 days of backup history
• Store backups offsite, not just on the same server as the site. Use remote storage to S3, Dropbox, Google Drive, or an SFTP destination.
• Test a restore at least once every six months

A backup you have never restored from is a backup you do not know works. Test it before you need it.

Lock down your configuration.php

Your configuration.php contains your database credentials and secret keys. Beyond the permission setting mentioned above, make sure the file is not directly accessible via the web server. Joomla's default .htaccess rules block this, but verify it. Attempting to access https://yoursite.com/configuration.php should return a 403 or 404, not the file contents.

Remove unused extensions

Every installed extension that is not being used is attack surface you are maintaining for no benefit. Unused extensions accumulate: they get installed for a project, the project ends, and they sit dormant but still present. An attacker targeting a vulnerability in an inactive extension does not care that you are not using it. Remove extensions you no longer need. This also applies to templates that are not the active template on the site.

Monitor for indicators of compromise

Know what a clean version of your site looks like so you can identify when something changes. Tools to include in your monitoring:

• Akeeba Admin Tools file integrity check: alerts when any Joomla core file changes unexpectedly
• Sucuri SiteCheck (free): periodic external scan for known malware signatures in your public files
• Log review: your server's error logs and access logs will show unusual patterns (repeated 404s on admin paths, POST requests to non-form files) that indicate probing

For the broader picture of how Joomla fits into a production hosting environment, the server administration checklist covers related issues on the hosting side. And if you want professional help managing Joomla security and updates, the Joomla maintenance services we offer include all of this as part of ongoing care.

The bottom line

Protect your Joomla site with disciplined updates (applied promptly, tested on staging, backed up first), correct file permissions, two-factor authentication on all admin accounts, a security extension like Akeeba Admin Tools or RSFirewall, and daily off-site backups. Most successful attacks on Joomla sites in 2026 are opportunistic and automated; they look for easy targets. Make your site the one they skip and move on from.