Another key ingredient in creating a secure website is adding some important Joomla security extensions. Extensions are additional tools for building Joomla websites. In this article, we will review how to evaluate extensions in the Joomla Extension directory and then how to add six important security extensions.
How to Research Joomla Extensions
Let's begin by going to the home page of the Joomla Extension Directory
https://extensions.joomla.org/
In the top menu, click Browse Extensions, Compatible with Joomla 4. Then in the side menu, scroll down to Type. There are about 2000 extensions compatible with Joomla 4. About 800 have a free version. Check the free box. Then scroll up to Category and check Access and Security, Security Tools, Site Access and Site Security. For tags, select Access and Security, Login Protection, Security Tools and Site Security.
5 pages of extensions will appear. At 10 extensions per page, this means we have about 50 free security extensions to research.
What is the difference between a Component, Module or Plugin?
Joomla offers three kinds of extensions. These are called Plugins, Modules and Components. Below is a description of each type.
Plug Ins are reached and configured via the Plug In Manager. These are very small bits of code typically inserted into articles.
Modules are larger programs controlling Joomla boxes or modules on your website. After uploading a new module, it can be found in the Module Manager.
Components are often very large programs which often include plugins and modules. They may in fact be sub-directories of Joomla adding several pages of options and parameters. After uploading a new component, all components are reached from the Top Menu Components Icon.
The final type of extension is a Combination of the Components, Modules and Plugins typically called Packages. These are Components which may also come with associated Modules and/or Plug Ins. It may require more than one download to make these work. While templates are also Extensions, templates are not posted in the Extension Directory.
Seven Factors in Selecting Extensions
There are many websites which rate Joomla Extensions. However, because new extensions are released all the time, it is a wise practice to go directly to the Joomla Extension Directory and read about all of the available options. Some of important criteria to look for include:
One: Written for the latest version of Joomla
While some extensions written for older versions of Joomla might work, the best choice is to look for extensions that have been specifically tested for Joomla 4 as indicated by a J4 box in the Extension Summary
Two: Number of Reviews and Review Ratings
The extensions with the highest ratings and most reviews are listed first. These are usually, but not always, your best choice. It is important to read the actual reviews which are posted just below the extensions in their respective pages.
Three: Free or Commercial?
About half the extensions are free while the other half require a payment to download. Free options are often better than commercial options. All of the extensions we recommend below are free.
Four: Highly Rated, Popular and Editors Pick
Generally, the highest rated extensions are on the first page. It is worthwhile to look over all options however as occasionally there is a new extension near the bottom of the list which is better than anything else on the list. It is only at the bottom because it has not been reviewed and rated yet. Also it is important to read the reviews as you will learn not only which extensions have the fewest problems, but also tips for using the extensions. To get to the Reader Reviews, click on the Extension to reach the page for that Extension.
Five: Are the latest Reader Reviews still positive?
Sometimes recent changes in an extension will make it better. But they can also render the extension unusable! It is important to read the latest comments submitted on several options before making your final choice as these comments may alert you to potential problems. It does not hurt to download an extension and try it out to see if it works. You can always delete an extension later if it doesn’t work out.
Six: Documentation and Support Forum
Extensions which have extensive documentation and support forums available are much easier to work with than those who do not. Forums are also a good place to look for folks having trouble with a given extension. To reach the forum for a given extension, click on the extension website and then click on Support or Forum in the top menu.
Seven: Demo Site
Extensions which have a Demo site allow you to see what the extension is like in action. Be aware however, that the extension may still not work on your website for a variety of reasons including possibly not being compatible with your template, or other extensions on your website. So, you also need to download the extensions you are most interested in and actually try them on your website.
Comments on Security Extensions by Page Number
Page 1 Some extensions have a hidden drawback such as having to register your site with a third party that can then place a hidden back door on your site. Others have extremely limited free versions which are really intended to promote a paid version. What we want instead are extensions that are fully functioning and that we can install directly into our website with the Joomla Extensions Installer.
Security Extension 1 Brute Force Stop
One of the best security extensions is called Brute Force Stop. It is the third option on the first page. Click on it to see this extension. Here is the direct link to this page:
https://extensions.joomla.org/extension/brute-force-stop/
This plugin stops Brute-Force-Attacks on your Joomla website. One of the most common ways to attack a website is by using tools that keep entering passwords until they find yours. This free tool not only stops these attacks, but let's you know who is attacking you.
It was updated just 7 months ago and includes both a component and a plugin. Click on Download and the extension downloads without requiring any registration. We will install this security tool later in this article. Then click on the back arrow on your browser to go back to page 1 of the free security extensions. Scroll down the page and click Page 2. Then click Page 3.
Security Extension 2 Spam Protection Factory
The first option on page 3 is Spam Protection Factory. Click on it to go to this page:
https://extensions.joomla.org/extensions/extension/access-a-security/site-security/spam-protect-factory
While many security tools allow you to block individual IP addresses that are attacking you, major hackers have thousands of IP addresses. This free tool allows you to easily block entire countries from attacking you or even reaching your login page!
Spam Protection Factory allows you to block all IP addresses from particular countries based on their two digit country code. It includes a component and a plugin. Click on Download which takes you to a page that requires registration of your name (not your website). You can then download the extension. We will install this security tool later in this article.
Security Extension 3 Eyesite
The third security tool I recommend is not in the search box. But it is in the Joomla Extensions Directory. It is called Eyesite. Eyesite is a file monitor that will warn you about any changes to any of the files on your website. Here is the direct link: https://extensions.joomla.org/extension/eyesite/
Download the User Guide and Component from this page: https://www.lesarbresdesign.info/extensions/eyesite
The automatic update plugin costs $20 per year. But Eyesite works very well even without the automatic update plugin. We will install Eyesite later in this article.
Security Extension 4 Remove Generator
A fourth simple security tool is called Remove Generator. The Joomla generator tag is added to the source code page of any Joomla website.
Hackers look for this tag to give them a clue as to how to best attack your website. Therefore hiding or renaming this take can help protect your site. This extension allows us to change the generator tag for our website from Joomla to whatever we want – or remove the generator tag completely. Here is the direct link: https://extensions.joomla.org/extension/site-management/seo-a-metadata/remove-generator/
Download this tool. We will install it later in this article.
Security Extension 5 Add Phoca Commander
Installing a File Manager to your Joomla Dashboard allows you to work with files and inspect error logs without going to your Hestia Control Panel User File Manager. The error file is important because it can alert us to security problems in our website core files and extension files. Here is the direct link to download this file: https://www.phoca.cz/download/category/96-phoca-commander-component
Download this tool. We will install it later in this article.
Security Extension 6 SQL Interceptor
Another common way to attack your site is to attempt to insert code into your database. This free tool stops these attacks and let's you know who is attacking. This tool is not yet in the Joomla Extensions Directory. To download it, go to this link: https://createasecurewebsite.com/free-downloads
Download this tool. We will install it later in this article.
Move all of your Extensions to your Website Extensions Folder
When you are done downloading all six Joomla security extensions, transfer them from your downloads folder to your website extensions folder.
We are now ready to install and configure them.
Install and Configure Brute Force Stop
Click on System, Install, Extensions to install this tool. Then click Dashboard, Plugins and scroll down to system plugins. Click on BF Stop to open it. Enable this plugin and lower threshold from 10 to 5. Then lower the duration from 1 day to 1 hour.
Then click Notification and select the Admin. Then lower the blocked messages per day from 5 to 2. Then click Save and Close.
Install and Configure Spam Protection Factory
Click on System, Install, Extensions to install this tool. Then click on Components, Spam Protection Factory Dashboard. Then click Link to enable the plugin. Then go back to the Component and click Options. Then click Filters tab and click the Country Filter. Here is a link to all country two digit codes.
We will block users from Russia and Ukraine. RU and UA
Then click Save and Close.
Install and Configure Eyesite
Click System, Install, Extensions to install this tool. Click Components, Eyesite, Configuration. Add your email. Then click Status.
Click Scan Now. Wait a few minutes for the first scan to complete. It will eventually say Eyesite is monitoring 8901 files. All of them will be new files. Click Scan Now again. Wait a few more minutes. It will reply that there are no new changes. You can now check your files periodically to see if any of them have been changed and when they were changed.
Install and Configure Remove Generator
Click on System, Install, Extensions to install this tool. Then click on Dashboard Plugins and scroll down to Systems. Click on Remove Generator to edit it. Change Disabled to Enabled and click Save and Close. Then click on the front end of your website. Clear the browser cache. Then right click and click View Source. Check that the generator is now gone.
Install and Configure Phoca Commander
Click on System, Install, Extensions to install this tool. After installing, click on Configure Phoca Commander which will bring up a warning screen. Click OK to bring up the File Manager screen:
On either column, scroll down and note that there is no error file. You should periodically check to see if an error file ever appears.
Rename the HT access file
Also, if the htaccess file is still named htaccess.txt, rename it to .htaccess (note that there is a dot in front of the word htaccess).
Select the file named htaccess dot txt. Then click F2 Rename. Name it dot htaccess(.htaccess). Then select it and click F4 Edit. Scroll down to Line 83 and delete the hash sign to the left of the word RewriteBase. Then click Save and Close.
Next, click on Images. Then check Sample Data and click Delete. Then click banners and headers folders and click Delete. Then click the Info icon to exit the file manager.
Install the SQL Interceptor Plugin
Go to System, Install Extensions to install the plugin. Then go to Plugins and scroll down to System plugins. Click on the SQL Interceptor Plugin to edit it. Then click Enable.
Then scroll down the screen and change send Alert Email from No to Yes. Then type your email address in the Mail to Notify box. Then scroll down to Enable temporary IP blocking and change it from No to Yes. Then click Save and Close.
What’s Next
This completes our review of Joomla Security Extensions. During this course, we will review how to install and use more than a dozen additional free Joomla extensions. In the next section, we will add and configure the first of these free extensions, a very important web building tool called the JCE Editor.