How to Protect Your Joomla Store Against Brute Force Attacks?

Brute force attack is one of the most common forms of cyberattacks used by hackers to break into a website. In a Joomla brute force attack, hackers bombard a Joomla store with an insanely huge number of login requests in a very short span of time. All in all, a brute-force attack is a hit and trial method which tries as many combinations of usernames and passwords as possible in order to bypass the website’s security. As you can clearly see in the image given below that the brute-force attack stands at the fifth most common attacks as per a report.

How to Protect Your Joomla Store Against Brute Force Attacks?

With more than 2.5 million websites, Joomla is currently the second most used framework after WordPress. Quite invariably, it attracted the attention of hackers while gaining more and more community support.

Like any other form of a cyberattack, the credit of brute-force attacks goes to security loopholes in your store. And like every other attack, you can fix it with the necessary security steps. Therefore, in this article, we discuss some effective yet easy security steps to safeguard your Joomla store against the brute-force menace.

How can one detect brute force attack?

Joomla Firewalls by Astra come with an in-built feature of reviewing login activities. So, if you have installed Astra firewall in your store, all you need to do to review the login activities is follow these steps:

  • Sign-in to your Astra dashboard.
  • Click on the ‘Login Protection’ tab.

Now, you can check your login activity.

If your Joomla store does not have a firewall, get one now!

5 Steps to protect your store against Brute force attack

1. Hide the version of your Joomla store

Hackers often try to fingerprint your website first. Therefore, keeping the version of your store will make it easier for a hacker to exploit your store with the knowledge of the version you are using. Hence, for the safety of your store follow these steps to hide your store’s version.

  • For the first step, go to the location: /yourwebsiteroot/templates/yourtempaltename/index.php.
  • Now, open the above file in a text editor (of your choice) and look for the code: <jdoc: include type=”head” />
  • Now, write these codes ahead of the above code: $this->setGenerator(“”);
  • No one can look up the version of your store now. In case you update your website, repeat these steps.

2. Enable two-factor authentication

Multi-factor authentication is used to add multiple layers of verification onto a login page. Two-factor authentication is just a part of MFA. Follow these steps to enable two-factor authentication in Joomla:

  • Log in to your Joomla account.
  • Navigate to User Manager >> Edit >> Two-factor Authentication.
  • In case you cannot find this plugin, enable the Google Authenticator plugin from Two-factor plugins option in the plugin manager.
  • Download Google Authenticator app on your computer or mobile.
    • Click on Activate two-factor authentication field in your website and enter the 6-digit generated on your app. Click the save button and proceed.

    3. Restrict access to the Joomla admin area

    The admin area of any online store is the most sensitive source of data and personal information. It is wise to restrict access to the admin area by limiting IP addresses. Follow these steps to restrict access:

    • Create a .htaccess file in the directory of your store you wish to protect if it is not already present.

    Now, add these codes to that file:                                                                                    Order Deny, Allow

    Deny from all

    Allow from xx.xx.xx.xx

    • In the place of ‘xx.xx.xx.xx’, enter the IP address you wish to allow access.

    If by any chance, these codes didn’t work for you, write these codes in your file:                                                                                                                               RewriteEngine on

    RewriteCond {b35c63bac5fac9ed648f97d4700fe9ffe9c190bec929f61ce1f7fc4e68d68241}{REQUEST_URI} ^(.*)?administrator$

    RewriteCond {b35c63bac5fac9ed648f97d4700fe9ffe9c190bec929f61ce1f7fc4e68d68241}{REMOTE_ADDR} !^xx.xx.xx.xx$

    RewriteRule ^(.*)$ – [R=403,L]

    4. Limit login attempts to your store

    One of the best methods to thwart the attempts of brute force attack in your website is by limiting the number of attempts an IP address can make. There are a number of security extensions available in the market through which you can limit the login attempts to your store. One such extension is ‘Limit Login Attempts’ which is free of cost and highly reliable. To install this plugin and activate limit login attempts in your store, follow these steps:

    • Download the zip file of this plugin from its official website.
    • Log in to your Joomla account and go to Extensions >> Manage >> Install.
      • Click on the ‘Or Browse For File’ button and select the newly downloaded zip. After complete installation, you will be redirected to a page to confirm the action.
      • Now, go to Components >> Limit Login Attempts. Click on the ‘Settings’ button once the plugin is accessed.
      • You can change the settings as per your requirements and then you are good to go.

      5. Joomla Security Audit

      Although the above-mentioned steps can do wonders in improving the security of your Joomla store. It is equally crucial that you discover the vulnerabilities of your website. And for that, your website will need a regular and robust security audit from a trusted source. Here’s how the leading Joomla security audit service Astra does it:

    • Conclusion

      It is difficult to build and secure a website, but it is not impossible. I hope that through this article I was able to explain the necessary steps to ensure protection against brute force attack. But if I have missed some points, feel free to remind me in the comments.