Websites are always a work in progress…
The Internet is an environment that changes daily, and a website needs to adapt to survive in this evolving world. There is one guarantee with your website… it will need to have changes made. It will need regular updates to keep it secure and avoid potential hacks. Failure to keep your website updated will increase your cost and increase the difficulty of making changes later.
My website doesn’t have anything sensitive, why would somebody want to hack it?
Hackers aren't just looking to steal information. Here are some of the reasons for and results of a website being hacked…
- A website hacked for the purpose of relaying spam.
- A website that redirects its visitors to spam websites.
- A hacked website that visually displays spam content.
- Links added to the website to boost the search rankings of other websites.
- Delivering and spreading malware that installs viruses on website visitors' computers.
- A hacked website can get delisted from Google searches, or search results may carry a warning telling visitors NOT to visit your website.
Any of these things could have a devastating effect on your business and its credibility.
What can you do?
Get your website up to date
The main reason that Joomla websites get hacked is that the website owners failed to keep their Joomla core installation or their extensions (components, modules, or plugins) up to date. Don’t ignore the notifications in your administrator control panel about available updates for Joomla or an extension. Most updates can be as simple as a click of a button, as long as you don’t let it go too long.
Think about making it a point to check available updates once a month. And, here are some other things that you should do at the same time...
Be sure you have a strong administrator username and password
Simple passwords are easily cracked and are a common hole in a website’s security. A technique known as brute force is often used by hackers: a computer script guesses password combinations to gain access to your administration panel or hosting control panel. Don’t use a username like “admin”, and create passwords that include lowercase and uppercase letters as well as numbers and symbols.
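As an added example (not from the original post), here is a small POSIX shell script that looks for the brute-force pattern described above in a web server access log: repeated POST requests to Joomla's administrator login page, /administrator/index.php, from the same client address. The log lines are constructed samples in Apache combined format, and the function names and the threshold of five attempts are this example's own choices, not anything Joomla or a host provides.

```shell
#!/bin/sh
# Added example: flag client addresses that repeatedly POST to the Joomla
# administrator login. The log lines below are constructed samples, not real traffic.

# Write a constructed Apache combined-format access log to the path in $1.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /administrator/ HTTP/1.1" 200 1120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:41 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:42 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:43 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:44 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:45 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:10 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:12 +0000] "GET /administrator/index.php?option=com_cpanel HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2023:14:10:01 +0000] "GET /index.php HTTP/1.1" 200 15234 "-" "Mozilla/5.0"
EOF
}

# Print "ip count" for every client with at least $2 POSTs to the admin login in log $1.
# In combined format $1 is the client address, $6 the quoted method, $7 the path.
flag_admin_login_bursts() {
  awk -v threshold="$2" '
    $6 == "\"POST" && $7 ~ /^\/administrator\/index\.php/ { posts[$1]++ }
    END { for (ip in posts) if (posts[ip] >= threshold) print ip, posts[ip] }
  ' "$1" | sort
}

# Stand-alone run: write the sample and report addresses with five or more attempts.
log=$(mktemp)
write_sample_log "$log"
flag_admin_login_bursts "$log" 5
rm -f "$log"
```

A successful login and a failed one both appear as a POST to the same URL, so a high count is a lead to examine (compare it with the users' last-visit dates in the admin panel), not proof of a break-in. Blocking is best done at the host or with a rate-limiting extension; this script only surfaces the addresses to look at.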
Clean up old admin users.
If your Joomla website has been around for any length of time, it’s common to accumulate Super User accounts belonging to people who may have left the company but still have access to the administration panel. These old accounts are a Joomla security risk because each one is another avenue for brute-force password guessing; if a hacker eventually guesses one of those passwords, they can use it to install malware on your site.
Create regular backups of your website.
In case your website does get hacked, a recent backup is a great thing to have: delete the infected files and restore from your backup. If you’re using SiteGround or another host with cPanel hosting, look for an icon for Softaculous, a great tool for creating backups, removing the infected installation and replacing it with your backup.
Think about making a point to create a new backup once a month.
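As an added example (not part of the original post, and independent of Softaculous), here is a shell routine that creates a dated archive of the Joomla file tree and then checks that the archive really contains configuration.php, the file holding your site's database credentials. A backup that silently misses it cannot be restored without re-entering those settings. The function names are this example's own. The database needs its own dump alongside the files; that function is shown but not exercised by the stand-alone run, because it needs a live database server.

```shell
#!/bin/sh
# Added example: dated file backup of a Joomla root plus a sanity check on the archive.

# Archive the Joomla root in $1 into directory $2 and print the archive path.
backup_site_files() {
  stamp=$(date +%Y%m%d-%H%M%S)
  archive="$2/joomla-files-$stamp.tar.gz"
  tar -czf "$archive" -C "$1" .
  printf '%s\n' "$archive"
}

# Succeed only if the archive in $1 lists Joomla's configuration.php.
verify_backup() {
  tar -tzf "$1" | grep -qxF './configuration.php'
}

# Dump the database named $1 as user $2 into file $3 (mysqldump prompts for the password).
# Not run in the demo below: it needs a reachable database server.
dump_database() {
  mysqldump --single-transaction -u "$2" -p "$1" > "$3"
}

# Stand-alone demo on a constructed, throw-away site tree.
demo_root=$(mktemp -d)
demo_dest=$(mktemp -d)
mkdir -p "$demo_root/administrator"
printf '<?php\n' > "$demo_root/index.php"
printf '<?php class JConfig {}\n' > "$demo_root/configuration.php"
demo_archive=$(backup_site_files "$demo_root" "$demo_dest")
if verify_backup "$demo_archive"; then
  echo "backup ok: $demo_archive"
else
  echo "backup is missing configuration.php: $demo_archive"
fi
rm -rf "$demo_root" "$demo_dest"
```

Keep the archive and the database dump somewhere other than the web root: a backup sitting inside the site is lost with the site, and a .tar.gz under public_html can be downloaded by anyone who guesses its name.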
Check and fix your file permissions
Your Joomla website consists of files and folders that carry permissions indicating whether they can be changed and by whom; this helps prevent unauthorized changes. SiteGround and many other cPanel hosting companies offer a Joomla Toolkit in a Joomla! Tools section, and in this toolkit there is a place to fix file permissions. It is simple to use, but afterwards I would go back and set the configuration file (configuration.php) back to “444”.
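For anyone without the toolkit, or who wants to see what it does, here is an added shell example (not from the original post or from SiteGround's tool) that applies the usual Joomla baseline of 755 on directories, 644 on files and 444 on configuration.php, and then lists anything that deviates from it. The baseline values and the function names are this example's own assumptions; a host that runs PHP under a different user than the file owner may document a different baseline, so check your host's advice first.

```shell
#!/bin/sh
# Added example: reset a Joomla tree to the baseline (directories 755, files 644,
# configuration.php 444) and report anything that does not match it.

# Apply the baseline to the Joomla root in $1.
fix_joomla_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  # configuration.php holds the database credentials; keep it read-only. Relax it to
  # 644 only while saving Global Configuration in the admin panel, then set it back.
  if [ -f "$1/configuration.php" ]; then
    chmod 444 "$1/configuration.php"
  fi
}

# Print every path under $1 whose mode deviates from the baseline (no output = clean).
audit_joomla_permissions() {
  find "$1" -type d ! -perm 755
  find "$1" -type f ! -name configuration.php ! -perm 644
  find "$1" -type f -name configuration.php ! -perm 444
}

# Anything writable by every user on the server is the most urgent finding,
# especially on shared hosting where other accounts live on the same machine.
find_world_writable() {
  find "$1" -perm -0002
}

# Stand-alone demo on a constructed, throw-away tree with deliberately loose modes.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/images" "$demo_root/administrator"
printf '<?php\n' > "$demo_root/index.php"
printf '<?php\n' > "$demo_root/configuration.php"
chmod 777 "$demo_root/images"
chmod 666 "$demo_root/index.php"
echo "before fix:"
audit_joomla_permissions "$demo_root"
fix_joomla_permissions "$demo_root"
echo "after fix (nothing listed means clean):"
audit_joomla_permissions "$demo_root"
rm -rf "$demo_root"
```

Run the audit first and read its output before applying the fix; an unexpected world-writable file in a directory that should not change is worth investigating rather than just silently correcting.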
Check your PHP version to make sure it is current.
PHP is the programming language which powers Joomla (and many other website platforms) and, just like Joomla, security vulnerabilities can be discovered in it. To check whether you're running a secure version of PHP, in your Joomla backend, go to the "System" menu item and at the bottom open "System Information". In the system information tab, it will tell you your PHP version.
Currently, you should be running version 7.0+, and very soon you should be running version 7.1+. Just like the operating system on your computer, phone, or web server, you need to make sure you’re running a version with active support, or at least security fixes. If you’re running an old version of PHP, you’re opening your site up to vulnerabilities and to being hacked.
On your hosting cPanel, see if you have an icon for PHP Version Manager, a simple tool that allows you to change your PHP version with just a click. After making any changes, go back and check your website’s functionality to make sure everything is still working properly. If not, you may need to replace some extensions or call your web developer.
Check to make sure error reporting is disabled.
In your Global Configuration, under the Server tab, check to make sure that Error Reporting is set to None. The reason is information disclosure: when hackers attack your website, they try to disrupt the operation of your site in order to learn how the site is running and which file paths are used. With error reporting disabled, you give them no information about most errors they can provoke.
Secure your website with SSL
SSL is a protocol that encrypts messages between a sender and a receiver to prevent third-party snooping. It is an industry-standard cryptographic technology used to secure the connection between a web server and a remote browser. To communicate over an SSL connection, a website requires an SSL certificate. This prevents the information from being read in transit or accessed without the proper authority.
SiteGround (and some other website hosts) offer a free program in the cPanel called “Let’s Encrypt”. Make sure your domain is set up in the program, then go to your website administration panel, navigate to “System > Global Configuration” and click on the Server tab. There’s a setting for Force HTTPS; choose “Entire Site”.
Make sure you don’t have images that are loaded from other websites over plain HTTP, either in your articles or in extensions, as this will trigger a “Not Secure” notice in your browser’s address bar.
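The Error Reporting and Force HTTPS settings from the two sections above both end up in Joomla's configuration.php, so they can be checked from the shell without logging in. As an added example (not from the original post), the script below reads those two properties from a configuration.php, compares them with the hardened values, and greps a directory of article or template HTML for images still referenced over plain http://, the cause of the “Not Secure” notice. The function names and the sample files are this example's own; the property names and values are the ones Joomla itself writes.

```shell
#!/bin/sh
# Added example: audit configuration.php for the two hardening settings and look
# for mixed-content image references. Joomla stores Global Configuration as PHP
# class properties, for instance:
#   public $error_reporting = 'none';   (Server tab > Error Reporting: None)
#   public $force_ssl = 2;              (Server tab > Force HTTPS: 0 none, 1 admin only, 2 entire site)

# Print the value of property $2 from the configuration.php at $1, quotes stripped.
cfg_value() {
  grep -F "public \$$2" "$1" | sed -n 's/.*=[[:space:]]*\(.*\);.*/\1/p' | tr -d "'\"" | head -n 1
}

# Error Reporting should be none so PHP errors reveal nothing about paths or code.
check_error_reporting() {
  [ "$(cfg_value "$1" error_reporting)" = "none" ]
}

# Force HTTPS should be 2 (Entire Site) once the certificate is in place.
check_force_ssl() {
  [ "$(cfg_value "$1" force_ssl)" = "2" ]
}

# List lines under directory $1 that embed images over plain http://.
find_insecure_images() {
  grep -rn -i -E '<img[^>]*src=["'"'"']http://' "$1" || true
}

# Write a constructed, minimal configuration.php with the given settings to $1.
write_sample_config() {
  cat > "$1" <<EOF
<?php
class JConfig {
    public \$sitename = 'Example Site';
    public \$error_reporting = '$2';
    public \$force_ssl = $3;
    public \$db = 'joomla_db';
}
EOF
}

# Stand-alone demo: a weak configuration beside a hardened one, plus a constructed article.
demo=$(mktemp -d)
write_sample_config "$demo/weak.php" maximum 0
write_sample_config "$demo/hardened.php" none 2
for cfg in "$demo/weak.php" "$demo/hardened.php"; do
  check_error_reporting "$cfg" && er=ok || er=FIX
  check_force_ssl "$cfg" && ssl=ok || ssl=FIX
  echo "$(basename "$cfg"): error_reporting=$er force_ssl=$ssl"
done
mkdir "$demo/html"
printf '<p><img src="http://cdn.example.com/a.png"></p>\n<p><img src="https://cdn.example.com/b.png"></p>\n' > "$demo/html/article.html"
echo "insecure image references:"
find_insecure_images "$demo/html"
rm -rf "$demo"
```

Article text lives in the database rather than in files, so to check articles rather than templates, run the same grep over a database dump or export the articles first. Set Force HTTPS to Entire Site only after the certificate is confirmed working, otherwise you lock yourself out of the site along with your visitors.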
Use a reputable host.
There are many budget web hosts on the Internet where you can host your website for next to nothing. I wouldn't recommend this. Hosting requires technical skill and it costs money to hire skilled engineers and invest in solid architecture. Many hosts don't build those costs into their pricing. The risk you run is that you don't have the tools you need and your host doesn't have the server correctly configured for Joomla security, making it easier for hackers to crawl, probe, compromise, and spread the effects of their hacks across several accounts. As you can probably tell, I recommend SiteGround.