Secure Joomla Files and Directories (Best Practices)
Even if your Joomla core and plugins are secure, weak file permissions or exposed folders can leave your website vulnerable. In this guide, we’ll cover how to secure Joomla’s file system, prevent unauthorized access, and strengthen your website’s defense against malware injections.
1. Use Correct File and Folder Permissions
Improper permissions are one of the most common reasons for hacked Joomla sites. Here’s the recommended setup:
- 📁 Directories:
755 - 📄 Files:
644 - 🚫 Never use:
777(full access)
To apply correct permissions:
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
2. Protect the Configuration File
Your configuration.php file contains sensitive data like database credentials and paths. Restrict its access immediately:
<Files configuration.php>
Order allow,deny
Deny from all
</Files>
Add this snippet inside your root .htaccess file.
3. Disable Directory Browsing
If directory browsing is enabled, attackers can view your site’s folder structure. Disable it by adding this line to your .htaccess:
Options -Indexes
4. Restrict Access to Sensitive Folders
Some folders like /administrator, /includes, and /logs should not be publicly accessible. Add this rule to block them:
<Directory /path/to/joomla/includes>
Order deny,allow
Deny from all
</Directory>
Replace /path/to/joomla/ with your actual site path.
5. Move the Logs and Temp Folders
By default, Joomla stores logs and temporary files inside web-accessible directories. You can move them outside the web root for better security.
- Create new folders outside
public_html. - Update their paths under
System → Global Configuration → Server.
6. Secure the .htaccess File
Your .htaccess is the gatekeeper of your Joomla site. Protect it from modification or exposure:
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
7. Block Access to PHP Execution in Upload Folders
Many hacks happen through file uploads. Prevent any PHP execution in folders like /images or /media by creating a .htaccess inside them with this rule:
<FilesMatch "\.php$">
Order deny,allow
Deny from all
</FilesMatch>
8. Regularly Scan File Integrity
Use Joomla security extensions to monitor file changes:
- SecurityCheck Pro – detects modified or new files.
- RSFirewall – scans file hashes against Joomla core.
- Admin Tools Pro – includes integrity check tools.
9. Remove Unused Files and Installations
Unused templates, backup archives, or old installations (like /joomla_old) are common hacker entry points. Delete them immediately.
10. Use Secure File Transfer Methods
Always use SFTP or SSH instead of plain FTP. Plain FTP sends credentials unencrypted and can be intercepted easily.
Conclusion
Securing Joomla’s files and directories is crucial for preventing unauthorized access and malware infections. With proper permissions, restricted folder access, and consistent file integrity checks, your Joomla site will be far more resilient against attacks.
Next step: Learn how to Enable HTTPS and SSL in Joomla for complete data encryption and trust.