Congratulations on installing your Joomla! website! Before you begin working with design and adding content, there are some configuration and security steps we recommend you take in order to make your site as reliable and safe as possible.
After you install Joomla! there are a few things you should do to secure your installation:
- Install the latest version of Joomla!
- Change the default administrator username
- Change the location of logs and temp files
- Delete unnecessary files
Only install the latest stable version available on the official Joomla! download page. Regularly log in to your Joomla! administrator back-end and check for updates. When an update is available, you’ll see a notification in the control panel.
The default administrator username in all Joomla! installations is admin. By changing the default username, you make it significantly more difficult for someone to guess the login credentials. To change the administrator username, log in to your Joomla! administrator back-end and go to Users > Manage.
In the list of users, click Super User.
Change the Login Name to something that is easy for you to remember but hard for someone else to guess. Click Save & Close.
Another important way to improve site security is to ensure that all writable directories and files, such as image and document repositories, are located outside the public_html directory. This prevents unauthorized access via a web browser. To move the log directory, log in to your Joomla! administrator back-end and go to System > Global Configuration.
On the System tab, change the Path to Log Folder to a location outside the public_html directory. In our example, we’re changing the path to /home/joomla/logs. Click Save.
On the Server tab, change the Path to Temp Folder to a location outside the public_html directory. In our example, we’re changing the path to /home/joomla/tmp. Click Save & Close.
Do not leave unnecessary files anywhere on the web server. Remove installation files and compressed files after they’ve been used and regularly check and clean your temp directory.
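The checks from this section (log and temp paths outside public_html, no leftover installer directory or compressed files) can be run as a shell audit. This is an added example, not part of the original article or of Joomla! itself; it assumes configuration.php stores the paths as `public $log_path = '...';` and `public $tmp_path = '...';`, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: audit a Joomla! web root for the issues described above.
# Assumes configuration.php holds the log/temp paths as: public $log_path = '...';

# Print one setting (log_path or tmp_path) from configuration.php.
config_value() {
    sed -n "s/^[[:space:]]*public[[:space:]]*[\$]$2[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# True when path $1 is the web root $2 or lies below it (string comparison,
# symlinks are not resolved).
is_inside() {
    case "${1%/}/" in
        "${2%/}/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit the site; sets FINDINGS and returns non-zero when anything was flagged.
audit_joomla() {
    root="${1%/}"; conf="$root/configuration.php"; FINDINGS=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    for key in log_path tmp_path; do
        value="$(config_value "$conf" "$key")"
        if [ -z "$value" ]; then
            echo "WARN  $key not set in configuration.php"; FINDINGS=$((FINDINGS + 1))
        elif is_inside "$value" "$root"; then
            echo "FAIL  $key is inside the web root: $value"; FINDINGS=$((FINDINGS + 1))
        else
            echo "OK    $key is outside the web root: $value"
        fi
    done

    # The installer directory should not survive a finished installation.
    if [ -d "$root/installation" ]; then
        echo "FAIL  installation/ directory still present"; FINDINGS=$((FINDINGS + 1))
    fi

    # Compressed files left under the web root can be fetched with a browser.
    archives="$(find "$root" -type f \( -name '*.zip' -o -name '*.tar.gz' -o -name '*.tgz' \))"
    while IFS= read -r file; do
        [ -n "$file" ] || continue
        echo "FAIL  compressed file in web root: $file"; FINDINGS=$((FINDINGS + 1))
    done <<EOF
$archives
EOF
    echo "$FINDINGS finding(s)"
    [ "$FINDINGS" -eq 0 ]
}

if [ "$#" -gt 0 ]; then audit_joomla "$1"; fi
```

Pass the web root as the only argument, for example /home/joomla/public_html (assumed here from the article's /home/joomla paths); a non-zero exit status means at least one item was flagged.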
Working with extensions
Joomla! extensions are a great way for you to customize the design and functionality of your site, but there are some guidelines to keep in mind to prevent potential problems.
- Back up your site and database
- Check for vulnerabilities
- Test the extension
- Uninstall unnecessary extensions
Before you install an extension, we recommend that you back up your website and database. If the extension causes unexpected problems with your site, you’ll be able to restore it to the most recent working version. You can use a backup extension, such as Akeeba Backup, or use the method described in the How to back up your HostPapa website knowledge base article.
A vulnerable extension is one that contains a flaw that makes it a security concern. Joomla! maintains an active list of vulnerable third-party extensions. You should check this list before you install any third-party extensions. For more information, see What is a vulnerable Joomla! extension?
Test all extensions on a test or development site before you install them on your live site.
Uninstall all unnecessary and unused extensions. After the uninstallation, check that the extension’s files and folders were deleted and any associated user accounts are disabled.
Security tips and resources
The following additional tips will help you secure your Joomla! website:
- Use SSL – SSL adds an extra layer of security by encrypting all data that passes between the web server and web browser. For more information, see How to enable SSL for Joomla!
- Use .htaccess for password protection – Protect important and administrative directories with .htaccess password protection. For more information, see What is .htaccess?
- Visit the Joomla! security forum – The Joomla! security forum is an active community of Joomla! users and developers. You’ll find answers to common and not so common security concerns and all the latest Joomla! security news.
If you have any questions or need help, you can always contact HostPapa Support by opening a support ticket. Details about how to open a support ticket are here.