Every time your Joomla website loads, the template kicks into gear to deliver the desired experience. Given this central role, Joomla template security is one of the key steps to preventing unauthorized access to your web server or the insertion of spam or graffiti on your site.

The following tips will help improve the security of your Joomla template and thus your website.

1. Fix file permissions on your web server.

Like any computer system, the files on your web server all have permissions that control who can access them.

For web servers, permissions belong to one of three categories:

• Read privileges — who can read a file
• Write privileges — who can edit a file
• Execute privileges — who can execute system commands

The safest permissions for the files on your web server — including the files in your template — is for the public to have read-only access. Changes to these files should only be possible by the owner (i.e. the apache root user) of the file.

While a system administrator can easily modify permissions from the command line, we recommend that most Joomla site owners use the excellent Admin Tools extension to properly set file permissions from the Joomla backend.

You can find full details on resetting permissions in our blog post on Admin Tools.

2. Prevent file listing via .htaccess.

Letting visitors know what files you have in your Joomla template folder is never a good idea.

You can check if your template currently displays these files by typing the name of your template folder into your browser (eg. domain.com/templates/) and seeing if you get a Forbidden warning.

If you see a list of files and folders, your site is not as safe as it could be.

To solve the problem, you’ll need to edit the .htaccess file in the root of your website so that is contains the following line:

Options -Indexes

This blog post has more details on using .htaccess to control file listing.

3. Restrict template edit permissions.

Joomla has a powerful template editor that allows users to modify all the components of the template, including the main index.php file. Thus, anyone who gets backend access to your site can hack your template with ease.

In addition to having unique usernames and strong passwords, limiting the user groups allowed to edit templates is a wise strategy to improve template security. For example, we recommend that users in the Manager usergroup not be able to edit the template.

To configure this in the Joomla backend:

1. Select Templates from the Extensions menu.
2. In the Options at the top-right, locate the Permissions tab.
3. Disable the following items for Managers and other groups with backend access who do not need to edit the template:
   • Edit
   • Edit State
   • Configure ACL & Options
   • Configure Options Only

4. Review users regularly for Super User access.

Between your website developers, temporary contractors, and the staff/clients who regularly access the backend of a Joomla site, it’s easy to collect unnecessary Super Users.

Regularly monitor the Super Users and Administrators in the backend User Manager to ensure that these accounts are still active and necessary.

If you are unsure of someone’s status, check the Last Visit Date in the User Manager to see when the user last logged in.

5. Keep all templates up to date.

There are thousands of templates available for Joomla. However, many of these templates do not send alerts via the Joomla update system when releasing new versions.

Thus, we recommend that template users subscribe to any notification system provided by the template vendor.

An alternative and more comprehensive solution is to monitor the relevant changelog page on the vendor’s website (if published) for each of the templates installed on your sites. For example, the changelog page for the Callisto template from RocketTheme shows 6 updates in 6 months. 

There are a number of free ways to monitor changes to a changelog webpage including plugins for Chrome and Firefox, and the online tool Versionista.

RocketTheme also maintains an RSS feed of updates for their templates if an RSS reader is part of your daily routine. 

6. Only use templates from trusted vendors.

Like most popular software, Joomla templates are common on Warez and 0-day sites. Often, these templates contain malware and other dangerous scripts.

If you are serious about security, it is critical to always download templates from the vendor’s official website.

7. Track changes to your template files.

The files in your template folder rarely change. So tracking changes to these files is a great way to detect intruders looking to deface your site or install malware.

If you’re using Admin Tools Pro, it includes a PHP file scanner. The PHP Scanner alerts you of changes to any PHP files on your Joomla site, including those in your template folder.

Similarly, Watchfuls own early warning audit can monitor the critical files in your template. The free account at Watchful will provide daily monitoring of the following files and notify you if there are any changes:

• templates/[theme_name]/index.php
• templates/[theme_name]/error.php
• templates/[theme_name]/component.php
• administrator/templates/[theme_name]/index.php

8. Completely lock down the template folders (advanced).

Above we described how to limit template editing in the Joomla backend. This advanced technique takes this concept to the next level.

For all Joomla templates, all of the assets like PHP, CSS and JavaScript files are stored in one folder. For example, if your template is called “Biz Template 1”, the file might be located in the /templates/biz_template_1 folder in your web root.

Since intruders heavily target the template for defacing, it can be helpful to completely disable changes to the files and folders of your template. For example, even root user of the web server would not be able to edit the contents of te files/folders.

To achieve this, we can use the immutable attribute in linux. When files or folders have this flag, they cannot be modified, deleted, or renamed anyone including root user.

To add the immutable attribute to your Joomla template folder, contact your web host. Or if you have root access to your server:

1. Log into your web server using the command line interface.
2. To black modifications to all the files and folders, enter the following command:
   • chattr -R +i path_to_template_folder

Note that this technique will prevent updating the template. To apply an update, temporarily remove the attribute with this command: chattr -R -i path_to_template_folder.

Joomla security includes your template

Every Joomla website requires a template. Thus, a secure website requires a secure template.

By applying the techniques above, you can reduce the risk of intrusion and attacks targeting the Joomla template. 

If you have additional techniques for protecting your template, please post them below.