Much as is happening with WordPress, Joomla! websites are currently under attack on a global scale, with hackers using millions of unique IP addresses to launch their brute force attacks.
The precautions to take are basically the same as with WordPress, or any other CMS for that matter: above all, make sure you are using unique usernames and strong passwords for your Joomla! admin access. The top five usernames being used by the hackers to try to break into websites are admin, test, administrator, Admin, and root, while the top five passwords being used are admin, 123456, 666666, 111111, and 12345678. And believe it or not, in many cases it works.
It's really just a matter of probabilities: hackers are aware that the greater the number of sites they try, the higher their chances of success. To help convey the magnitude of the attacks, Sucuri, a security firm, recently released the following data on failed hacking attempts:
- December 2012: 678,519 login attempts blocked.
- January 2013: 1,252,308 login attempts blocked.
- February 2013: 1,034,323 login attempts blocked.
- March 2013: 950,389 login attempts blocked.
- April 2013: 774,104 login attempts blocked for the first 10 days.
Apart from the obvious precaution of using unique usernames and strong passwords to prevent your Joomla! website from being hacked, you must also keep an eye on Joomla! updates, both of the core files and of the extensions.
It is also recommended to do a 'CHMOD Sweep' once the Joomla! website has been properly configured, by changing directory permissions to 755 and file permissions to 644. Additionally, you should set your .htaccess file permission to 444.
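The sweep described above can be scripted and then audited. The following is an added example, not code from Joomla! or from any extension mentioned here; the function names and the check for an `administrator/` directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: CHMOD sweep for a Joomla! document root.
# Function names and the sanity check are illustrative assumptions.

# chmod_sweep ROOT: directories -> 755, files -> 644, ROOT/.htaccess -> 444.
chmod_sweep() {
    sweep_root="${1%/}"
    # Sanity check (assumption): a Joomla! root contains an administrator/
    # directory. Refuse anything else so a typo cannot re-mode /etc or $HOME.
    if [ ! -d "$sweep_root/administrator" ]; then
        echo "refusing: $sweep_root does not look like a Joomla! root" >&2
        return 2
    fi
    # find does not follow symlinks by default, so links that point outside
    # the tree are left alone. Directories go first so they stay traversable.
    find "$sweep_root" -type d -exec chmod 755 {} + || return 1
    find "$sweep_root" -type f -exec chmod 644 {} + || return 1
    # Lock .htaccess last, otherwise the 644 pass above would undo it.
    if [ -f "$sweep_root/.htaccess" ]; then
        chmod 444 "$sweep_root/.htaccess" || return 1
    fi
}

# sweep_deviations ROOT: print how many entries do not match the policy.
sweep_deviations() {
    audit_root="${1%/}"
    {
        find "$audit_root" -type d ! -perm 755
        find "$audit_root" -type f ! -path "$audit_root/.htaccess" ! -perm 644
        find "$audit_root" -maxdepth 1 -type f -name .htaccess ! -perm 444
    } | wc -l | tr -d ' '
}

# Run only when a path is passed on the command line.
if [ "$#" -ge 1 ]; then
    chmod_sweep "$1" && echo "entries still off-policy: $(sweep_deviations "$1")"
fi
```

Re-running `sweep_deviations` after installing or updating extensions shows whether an installer has loosened permissions again.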
If you're looking for a security extension for Joomla! to do the hard work for you, we'd recommend 'Admin Tools', a security Swiss Army knife with both free and commercial versions available. It will detect, notify you of, and painlessly install new Joomla! releases as they are made available, fix your files' and directories' permissions, protect your administrator directory with a password, change your database prefix, set a secure Super Administrator ID, migrate links pointing to your old domain on-the-fly, and perform database maintenance, all with a single click.