Tips For Preventing Brute Force Attacks Against Joomla Websites


Here are the best tips for preventing brute force attacks against Joomla websites.

A brute force login attack is a type of attack against a website to gain access to the site by guessing or trying every combination of username and password, over and over again.

In this tutorial, we will cover some methods and extensions we can use to prevent brute force attacks against Joomla sites. Joomla is one of the most popular CMSs and is therefore a frequent target of this type of attack.

Tips for Preventing Brute

Strong usernames and passwords

A classic example of weak security is continuing to use the word ‘admin’ as a username; this is the default super administrator account that’s created when you first install Joomla. Use strong usernames and passwords, and change the password frequently.

Joomla extension

I recommend AdminExile as an excellent plugin for Joomla 2.5 or later. It lets you block IPs after a certain number of failed password attempts, and you can set how long the block will be in effect.

A hacker needs to find your login page before he can brute force it to gain access. Hiding the login URL of a website is therefore a good way to protect it from brute force attacks. AdminExile also helps with this. It lets you add a key, or a key and value pair, to the login URL so that only those who know the key can reach it. Anyone who types “your_website_name/administrator” into the browser’s address bar is redirected to another URL.

Using .htaccess blocking

On Apache servers, you can add IP addresses to your .htaccess file. This will prevent those IP addresses from even reaching your Joomla administrator page or any other page on your website. You can block unwanted users or bots from accessing your website via .htaccess rules.

Read more about using .htaccess to block visitors with various methods.
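As an added example (not part of the original post or of any Joomla extension), the following Python script counts login POSTs per client IP in an Apache access log and builds the Apache 2.4 .htaccess rules that block the offenders. The login path /administrator/index.php, the threshold of 5, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache common/combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

ADMIN_PATH = "/administrator/index.php"  # assumed Joomla back-end login endpoint
THRESHOLD = 5                            # assumed limit of login POSTs per log window

# Constructed sample log (documentation-range IPs), not real traffic.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.45 - - [10/Mar/2024:10:00:{s:02d} +0000] '
     f'"POST /administrator/index.php HTTP/1.1" 200 5120' for s in range(8)]
    + ['198.51.100.7 - - [10/Mar/2024:10:01:00 +0000] '
       '"POST /administrator/index.php HTTP/1.1" 303 -',
       '198.51.100.7 - - [10/Mar/2024:10:01:02 +0000] '
       '"GET /administrator/index.php HTTP/1.1" 200 9000',
       '192.0.2.10 - - [10/Mar/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 7000',
       'truncated or malformed line']
)

def login_posts_per_ip(log_text):
    """Count POST requests to the admin login endpoint for each client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        ip, method, path, _status = m.groups()
        # Ignore the query string so ?key=... variants still match the endpoint.
        if method == "POST" and path.split("?", 1)[0] == ADMIN_PATH:
            counts[ip] += 1
    return counts

def htaccess_block(counts, threshold=THRESHOLD):
    """Return (offending IPs, Apache 2.4 .htaccess text that denies them)."""
    offenders = sorted(ip for ip, n in counts.items() if n >= threshold)
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in offenders]
    lines.append("</RequireAll>")
    return offenders, "\n".join(lines)

if __name__ == "__main__":
    offenders, block = htaccess_block(login_posts_per_ip(SAMPLE_LOG))
    print(block)
```

The generated block uses Apache 2.4 authorization directives, so the server must allow them in .htaccess (AllowOverride AuthConfig or All); review the offender list before deploying it, since one address can be shared by many legitimate users.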


Cloudflare provides a free service for CDN, security, and speed. Once your website is a part of Cloudflare, its web traffic is routed through their intelligent global network. They automatically optimize the delivery of your web pages so your visitors get the fastest page load times and best performance. Cloudflare allows 3 custom page rules for free accounts, which we can use to keep bots and hackers attempting brute force attacks away from the Joomla administrator page.

Two-Factor Authentication

Two-factor authentication is a safety feature that adds an extra layer of security to your Joomla site.

Joomla 3.2 and later versions let you enable two-factor authentication with the Google Authenticator and YubiKey authentication methods without installing any additional plugin.

Read more about how to enable two-factor authentication in Joomla.


You must be wondering which is the best solution. It really depends on which one you think is the best for your needs. For me personally, I use both Cloudflare and AdminExile to stop brute force attacks on my site.

Let me know which one you think is the best solution for protecting against brute force attacks. Leave your thoughts and suggestions below.
