Another key ingredient in creating a secure website is adding some important Joomla security extensions. Extensions are additional tools for building Joomla websites. In this article, we will review how to evaluate extensions in the Joomla Extension directory and then how to add several important security extensions.
How to Research Joomla Extensions
Let's begin by going to the home page of the Joomla Extension Directory
https://extensions.joomla.org/
In the top menu, click Browse Extensions, Compatible with Joomla 4. Then in the side menu, scroll down to Type. There are about 2000 extensions compatible with Joomla 4. About 800 have a free version. Check the free box. Then scroll up to Category and check Access and Security, Security Tools, Site Access and Site Security. For tags, select Access and Security, Login Protection, Security Tools and Site Security. 5 pages of extensions will appear. At 10 extensions per page, this means we have about 50 free security extensions to research.
What is the difference between a Component, Module or Plugin?
Joomla offers three kinds of extensions. These are called Plugins, Modules and Components. Below is a description of each type.
Plug Ins are reached and configured via the Plug In Manager. These are very small bits of code typically inserted into articles.
Modules are Joomla boxes of content. After uploading a new module, it can be found in the Module Manager.
Components are large programs which often include plugins and modules. They may add several pages of options and parameters. After uploading a new component, all components are reached from the Top Menu Components Icon.
The final type of extension is a Combination of the Components, Modules and Plugins typically called Packages. These are Components which may also come with associated Modules and/or Plug Ins. It may require more than one download to make these work. While templates are also Extensions, templates are not posted in the Extension Directory.
Seven Factors in Selecting Extensions
There are many websites which rate Joomla Extensions. However, because new extensions are released all the time, it is a wise practice to go directly to the Joomla Extension Directory and read about all of the available options. Some of important criteria to look for include:
One: Written for the latest version of Joomla
While some extensions written for older versions of Joomla might work, the best choice is to look for extensions that have been specifically tested for Joomla 4 as indicated by a J4 box in the Extension Summary
Two: Number of Reviews and Review Ratings
The extensions with the highest ratings and most reviews are listed first. These are usually, but not always, your best choice. It is important to read the actual reviews which are posted just below the extensions in their respective pages.
Three: Free or Commercial?
About half the extensions are free while the other half require a payment to download. Free options are often better than commercial options. All of the extensions we recommend below are free.
Four: Highly Rated, Popular and Editors Pick
Generally, the highest rated extensions are on the first page. It is worthwhile to look over all options however as occasionally there is a new extension near the bottom of the list which is better than anything else on the list. It is only at the bottom because it has not been reviewed and rated yet. Also it is important to read the reviews as you will learn not only which extensions have the fewest problems, but also tips for using the extensions. To get to the Reader Reviews, click on the Extension to reach the page for that Extension.
Five: Are the latest Reader Reviews still positive?
Sometimes recent changes in an extension will make it better. But they can also render the extension unusable! It is important to read the latest comments submitted on several options before making your final choice as these comments may alert you to potential problems. It does not hurt to download an extension and try it out to see if it works. You can always delete an extension later if it doesn’t work out.
Six: Documentation and Support Forum
Extensions which have extensive documentation and support forums available are much easier to work with than those who do not. Forums are also a good place to look for folks having trouble with a given extension. To reach the forum for a given extension, click on the extension website and then click on Support or Forum in the top menu.
Seven: Demo Site
Extensions which have a Demo site allow you to see what the extension is like in action. Be aware however, that the extension may still not work on your website for a variety of reasons including possibly not being compatible with your template, or other extensions on your website. So, you also need to download the extensions you are most interested in and actually try them on your website.
Comments on Security Extensions by Page Number
Page 1 Some extensions have a hidden drawback such as having to register your site with a third party that can then place a hidden back door on your site. Others have extremely limited free versions which are really intended to promote a paid version. What we want instead are extensions that are fully functioning and that we can install directly into our website with the Joomla Extensions Installer.
Security Extension 1 Brute Force Stop
One of the best security extensions is called Brute Force Stop. It is the third option on the first page. Click on it to see this extension. Here is the direct link to this page:
https://extensions.joomla.org/extension/brute-force-stop/
This plugin stops Brute-Force-Attacks on your Joomla website. One of the most common ways to attack a website is by using tools that keep entering passwords until they find yours. This free tool not only stops these attacks, but let's you know who is attacking you.
It was updated just 7 months ago and includes both a component and a plugin. Click on Download and the extension downloads without requiring any registration. We will install this security tool later in this article. Then click on the back arrow on your browser to go back to page 1 of the free security extensions. Scroll down the page and click Page 2. Then click Page 3.
Security Extension 2 Spam Protection Factory
The first option on page 3 is Spam Protection Factory. Click on it to go to this page:
https://extensions.joomla.org/extensions/extension/access-a-security/site-security/spam-protect-factory
While many security tools allow you to block individual IP addresses that are attacking you, major hackers have thousands of IP addresses. This free tool allows you to easily block entire countries from attacking you or even reaching your login page!
Spam Protection Factory allows you to block all IP addresses from particular countries based on their two digit country code. It includes a component and a plugin. Click on Download which takes you to a page that requires registration of your name (not your website). You can then download the extension. We will install this security tool later in this article.
Security Extension 3 Eyesite
The third security tool I recommend is not in the search box. But it is in the Joomla Extensions Directory. It is called Eyesite. Eyesite is a file monitor that will warn you about any changes to any of the files on your website. Here is the direct link: https://extensions.joomla.org/extension/eyesite/
Download the User Guide and Component from this page: https://www.lesarbresdesign.info/extensions/eyesite
The automatic update plugin costs $20 per year. But Eyesite works very well even without the automatic update plugin. We will install Eyesite later in this article.
Security Extension 4 Remove Generator
A fourth simple security tool is called Remove Generator. The Joomla generator tag is added to the source code page of any Joomla website.
Hackers look for this tag to give them a clue as to how to best attack your website. Therefore hiding or renaming this take can help protect your site. This extension allows us to change the generator tag for our website from Joomla to whatever we want – or remove the generator tag completely. Here is the direct link: https://extensions.joomla.org/extension/site-management/seo-a-metadata/remove-generator/
Download this tool. We will install it later in this article.
Security Extension 5 Add Phoca Commander
Installing a File Manager to your Joomla Dashboard allows you to work with files and inspect error logs without going to your Hestia Control Panel User File Manager. The error file is important because it can alert us to security problems in our website core files and extension files. Here is the direct link to download this file: https://www.phoca.cz/download/category/96-phoca-commander-component
Download this tool. We will install it later in this article.
Security Extension 6 SQL Interceptor
Another common way to attack your site is to attempt to insert code into your database. This free tool stops these attacks and let's you know who is attacking. This tool is not yet in the Joomla Extensions Directory. To download it, go to this link: https://createasecurewebsite.com/free-downloads
Download this tool. We will install it later in this article.
Move all of your Extensions to your Website Extensions Folder
When you are done downloading all six Joomla security extensions, transfer them from your downloads folder to your website extensions folder.
We are now ready to install and configure them.
Install and Configure Brute Force Stop
Click on System, Install, Extensions to install this tool. Then click Dashboard, Plugins and scroll down to system plugins. Click on BF Stop to open it. Enable this plugin and lower threshold from 10 to 5. Then lower the duration from 1 day to 1 hour.
Then click Notification and select the Admin. Then lower the blocked messages per day from 5 to 2. Then click Save and Close.
Install and Configure Spam Protection Factory
Click on System, Install, Extensions to install this tool. Then click on Components, Spam Protection Factory Dashboard. Then click Link to enable the plugin. Then go back to the Component and click Options. Then click Filters tab and click the Country Filter. Here is a link to all country two digit codes. https://country-code.cl/
We will block users from Russia and Ukraine. RU and UA
Then click Save and Close.
Install and Configure Eyesite
Click System, Install, Extensions to install this tool. Click Components, Eyesite, Configuration. Add your email. Then click Status.
Click Scan Now. Wait a few minutes for the first scan to complete. It will eventually say Eyesite is monitoring 8901 files. All of them will be new files. Click Scan Now again. Wait a few more minutes. It will reply that there are no new changes. You can now check your files periodically to see if any of them have been changed and when they were changed.
Install and Configure Remove Generator
Click on System, Install, Extensions to install this tool. Then click on Dashboard Plugins and scroll down to Systems. Click on Remove Generator to edit it. Change Disabled to Enabled and click Save and Close. Then click on the front end of your website. Clear the browser cache. Then right click and click View Source. Check that the generator is now gone.
Install and Configure Phoca Commander
Click on System, Install, Extensions to install this tool. After installing, click on Configure Phoca Commander which will bring up a warning screen. Click OK to bring up the File Manager screen. On either column, scroll down and note that there is no error file. You should periodically check to see if an error file ever appears.
Rename the HT access file
Also, if the htaccess file is still named htaccess.txt, rename it to .htaccess (note that there is a dot in front of the word htaccess).
Select the file named htaccess dot txt. Then click F2 Rename. Name it dot htaccess(.htaccess). Then select it and click F4 Edit. Scroll down to Line 83 and delete the hash sign to the left of the word RewriteBase. Then click Save and Close.
Next, click on Images. Then check Sample Data and click Delete. Then click banners and headers folders and click Delete. Then click the Info icon to exit the file manager.
Install the SQL Interceptor Plugin
Go to System, Install Extensions to install the plugin. Then go to Plugins and scroll down to System plugins. Click on the SQL Interceptor Plugin to edit it. Then click Enable.
Then scroll down the screen and change send Alert Email from No to Yes. Then type your email address in the Mail to Notify box. Then scroll down to Enable temporary IP blocking and change it from No to Yes. Then click Save and Close.
Install and Configure the JCE Editor
The JCE Editor makes it much easier to load and resize images compared to the standard Joomla editor. To download the JCE editor, go to this page:
https://www.joomlacontenteditor.net/downloads/editor/core
Then click on Download for the latest version. Then transfer the extension from your Downloads folder to your website Extensions folder. Then log into the Joomla Dashboard and click System, Install, Extensions. Then click Browse for File. Then select the JCE zipped folder. It will install automatically.
To Configure the JCE Editor, go to Components, JCE Editor. Then go to Editor Profiles, Default, Features & Layout Tab and reduce the number of tools from four rows to two rows by dragging unused icons to the lower area. When we are done, this is what the Editor Tool Bar will look like:
Click Save. Then click on the Plugin Parameters tab. Then click on the Image Manager tab and set alignment to Center. Then click Links, and set Target to Open in a New Window. Finally, click Media Support and change Allow Iframes to Yes. Then click Save and Close. We now have the JCE Editor set up. Then, go to Users, Manager. Then click on your name to open your profile. In the Basic settings tab, set the JCE Editor as your new default editor. To finish setting up, in System, Global Configurations, change the Default Editor to JCE Editor. Then click Save and Close.
Use Libre Writer to Create a Header Image
Before we create our Welcome Article, we should first create our own header image using Libre Draw and Flameshot. A header is a full width image at the top of your Home web page. It is like the cover of a book. It helps website visitors understand what your website is about in a matter of seconds. A website header typically consists of a background image with one line of text in the foreground with the name of your website and perhaps a second line of text below it that has a slogan. Here is an example:
So that the header does not take up too much vertical space, seek out a background image that is much wider than it is tall. Then open a new Libre Writer document and save it in your website images folder as Header Creator. Click Format, Page Style, Page tab and change the format from Letter to Legal. Then change the Orientation from Portrait to Landscape. Then change all four margins to 0.5 inches.
Then click on the Area tab and click the Color option. Then use the Pick button to change the color to 2222aa Dark Blue
Then click OK. Then use Flameshot to capture an image and paste it into the Writer document:
To make things more interesting, you can add a second image:
Then add a text box for the title line and another for the slogan line:
Use Flameshot to select an area including a border and copy it. Then on a second page of the Header Creator document, paste the image.
Compress and Save your Header Image
Right click on the image and click Compress to bring up this screen:
Change the resolution to 150 DPI. Then click OK. Right click on your image again. Then click Save. Navigate in your File Manager to your website images folder and save the image as header.jpg. Then save and close your Writer Header Creator document.
Use Gthumb to Resize and Crop your Header Image
Click on the Debian Cinnamon Start button. Then in the Graphics category, click on Gthumb to open it. If you do not already have this program installed, you can download it from the Debian Software Manager. Navigate to and click on your header image to open it.
Then click the Format Resize button in the lower right corner.
Initially, the width is 1935 pixels. Click on the minus sign to reduce the width to 1800 pixels. Then click Accept. Then click on the Crop button which is just to the right of the Resize button. Click Maximize.
The height is 422 pixels. Click the minus sign to reduce the height to 400 pixels. Then click the Position Plus sign to add back 9 pixels (taking some of these 22 pixels off the top of the image). Then click Accept. Then click the Save As button and save the image as header-1800.jpg. Close Gthumb. Here is our File Manager Images folder:
Note that the header image is under 100KB.
Load your Header Image
Log into your Joomla Dashboard. Then go to Content, Media. Upload, Browse. Select the Header-1800 Image and click Upload.
Create a Header Module
Go to Content, Site Modules, New, Custom. For Title, type Header. Then Hide the title and select the banner position. Then click on the JCE image icon to select and insert the header image.
Then click Save and Close. Click on the front end to view the result:
To get rid of the word Cassiopeia, click Template, Styles and click on the template to edit it. Click on the Advanced Tab and turn of Brand.
Hide the Main Menu for now as we will use a different template to configure it later. Click Content, Site Modules and select the main menu and click Unpublish. We will also hide the Home menu item by going to Menus, Main Menu and clicking on the Home menu item. Click the Page Display tab. Then change Show Page Heading to Hide and change the Browser Page Title to the name of your website.
Use Libre Writer to Create a Welcome Article
Create a new Writer document and save it in your website articles folder as Welcome to My Website. Add text explaining the benefits of your website. Then use Libre Draw and Flameshot to add images for folks who get more from looking at images than reading text.
When you are done creating your Welcome article, right click on each image and compress to 150 DPI. Then click Save As and save a copy of the Welcome article with a w (for web version) at the beginning of the file name.
Next, create a 0-welcome folder in your file manager images folder. Then use the web version to create a text only document by typing a placeholder image number above each image. Then save each image to the 0-welcome images folder. Then delete each image leaving only the placeholder image numbers.
Upload the 0-welcome images to your website media manager
Log into your Joomla Dashboard and click Content Media to open the media manager:
Click Create New Folder:
Name the folder 0-welcome and click Create. Then click on the 0-welcome folder to open it. Then click on Upload to upload all of the images from the 0-welcome images folder on your home computer. Hold down the Control key to select up to 20 images. Then click Open. Then click Upload again if needed to load any remaining images. Here is the result:
Use the JCE Editor to Copy Paste the Text Only version of your Welcome into a new Joomla article
Go to Content, Articles, New and type in a title for your Welcome Article. Copy the text only version of your welcome article into your clipboard. Then place your cursor in the JCE workspace and click Paste. This will bring up a Paste popup. Press Control plus V on your keyboard to paste the text into the workspace:
Click Save. Then select all of the text and change the font family to Arial and the font size to 14. Then change Featured from No to Yes. This will put the article on your Home page. Click Save again. Delete the placeholder 01 and click the Picture Icon in the JCE editor to open the JCE Images Manager.
Select the first image in the 0-welcome images folder. Then increase or decrease the width if needed. The maximum width should be 800 and the minimum width should be 300. Then click Insert. Then scroll down to placeholder 02 and delete the 02 and click on the images icon to repeat the process. After the first 10 images, click on Save at the top of the page. Then finish loading the images and click Featured, then click Save. Then click Save and Close. Then visit the front end of the site to view and check the Welcome article:
To hide the Details, which distracts from the article, go to Content, Articles and click on Options in the upper right corner. Set Show Category and Link Category to No. Set Show Author and Show Publish Date to Hide. Set Show Tags and Show Hits to Hide. Then click Save. While we are here, click the Category Tab and Hide the Subcategories, No Articles Message and Subcategories Descriptions and Tags. For categories, hide subcategories and # of articles. For the Blog tab, we can change the defaults to 9 leading articles, 9 intro articles, 1 columns and 9 links. For List Layouts, hide Hits and Author.
What’s Next?
In the next article, we will install and configure the Helix template – which will give us much more control over the layout and appearance of our website than the default Cassiopeia template.