Website security is the foremost concern for every webmaster. Joomla itself is a secure content management system, and it offers two-factor authentication by default. But that alone is not enough to secure a website. Hackers have many ways to attack a site, so never rely on a single security measure.

Using a security extension is one of the recommended measures for securing a website against different types of threats such as LFI, SQL injection, and brute force attacks. There are nearly three hundred extensions in the Joomla extension directory that provide security for websites.

Some extensions are free and some are paid. Among the free extensions, I have picked some candidates with good security features. They help users protect their websites against brute force attacks, SQL injection, and Local File Inclusion. These attacks can severely damage a website, so it is good to be aware of them and to have some automatic measures in place to protect the site.

Here at Templatetoaster Joomla website builder, let us take a look at the extensions that provide protection against such types of attacks.



AdminExile

A brute force attack begins when the attacker can see the login panel of the website. Hiding the login URL is a good way to protect a website from being attacked with brute force, and the AdminExile plugin helps in doing so. It lets you add a key and key value to the login URL so that only those who know the key can reach the login page. Anyone who tries to reach the website at “website_name/administrator” is redirected to another URL.

You can configure this extension to mail the login link to the administrator in case you forget the key. AdminExile also gives you the flexibility to set a re-entry time. Within the specified re-entry time, the user can log in to the administrator panel without using the key. It also gives the option to restrict front-end login by users.

That means you can prevent some user groups from logging in from the front end. Further, it lets you create a whitelist and a blacklist of IP addresses to enable IP security on the website. It notifies the administrator if it detects a brute force attack, and it penalizes the attacker by blocking the IP after a configurable number of failed login attempts.


Securitycheck Joomla Extension

Securitycheck helps protect the website from SQL injection, LFI and XSS attacks. This extension checks every POST, GET and REQUEST processed by Joomla for strict security. If it detects an attack, it redirects the attacker to Joomla's default error page. It also keeps a log of attacks so that the administrator can see how many times the website was attacked and from which IP.

It also lets you create a blacklist as well as a whitelist of IP addresses. Blacklisted IPs can’t reach the website in any way. Conversely, you may add trustworthy IPs to a whitelist, and these can bypass the security filters.

The Securitycheck extension also checks every component for vulnerabilities. As with whitelisted IPs, it lets you define the components to which the security filters don’t apply. Along with all these features, it also provides user session protection.

Brute Force Stop

As the name suggests, this extension helps the user stay safe from brute force attacks. It automatically blocks the visitor or bot if it detects an attack. You can configure a threshold limit of failed attempts. Once the threshold is reached, the extension blocks the user who is trying to log in. You can also see which IP the attacker tried to log in from by viewing the record of failed logins. The record is saved under the “Failed Logins” option of the Brute Force Stop component.

From the log, the administrator can also find out whether any genuine user has been blocked. Genuine IP addresses can be collected in the whitelist so that trustworthy users don’t get blocked.
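The lockout behaviour described here, together with the key-protected login URL and re-entry time described for AdminExile above, can be modelled in a few lines. This is an added example, not code from either extension; the class, method and parameter names are hypothetical, and treating the whitelist as an exemption from automatic blocking is an assumption based on the description above.

```python
import hmac
import time


class AdminGate:
    """Toy model of a key-protected admin URL with failed-login lockout."""

    def __init__(self, key, value, reentry_secs=300, max_failures=3,
                 whitelist=(), blacklist=()):
        self.key, self.value = key, value      # secret pair expected in the URL
        self.reentry_secs = reentry_secs       # re-entry time after a valid key
        self.max_failures = max_failures       # failed-login threshold
        self.whitelist = set(whitelist)        # assumption: never auto-blocked
        self.blocked = set(blacklist)          # blacklisted or auto-blocked IPs
        self.failures = {}                     # ip -> failed-login count
        self.last_key_ok = {}                  # ip -> time the key was last seen

    def request_admin(self, ip, query, now=None):
        """Return 'login', 'redirect' or 'blocked' for an /administrator request."""
        now = time.time() if now is None else now
        if ip in self.blocked:
            return "blocked"
        supplied = query.get(self.key, "")
        # Constant-time comparison, so response timing does not leak the value.
        if hmac.compare_digest(supplied.encode(), self.value.encode()):
            self.last_key_ok[ip] = now
            return "login"
        # Inside the re-entry window the key may be omitted.
        if now - self.last_key_ok.get(ip, float("-inf")) <= self.reentry_secs:
            return "login"
        return "redirect"

    def login_result(self, ip, success):
        """Record a login attempt; return True if the IP is now blocked."""
        if success:
            self.failures.pop(ip, None)
            return False
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if ip not in self.whitelist and self.failures[ip] >= self.max_failures:
            self.blocked.add(ip)
        return ip in self.blocked


if __name__ == "__main__":
    # Constructed sample values; the IPs come from documentation ranges.
    gate = AdminGate("k", "v", reentry_secs=60, whitelist={"198.51.100.7"})
    print(gate.request_admin("203.0.113.5", {}, now=0))          # no key
    print(gate.request_admin("203.0.113.5", {"k": "v"}, now=10)) # valid key
    print([gate.login_result("203.0.113.9", False) for _ in range(3)])
```

Because the key travels in the URL, it ends up in browser history and server access logs; the failed-login lockout is the control that still applies once the key is known.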

Macro’s SQL Injection

This extension protects the website against SQL injection and LFI (Local File Inclusion) attacks. If the website is hit with an SQL injection or LFI attempt, it blocks the attack and sends a notification to the administrator. It is an easy-to-configure extension that offers custom settings for IP blocking, errors, components that can bypass the security filters, and LFI parameters. You can define the number of login attempts after which an IP address is blocked.


These are a few free, yet among the best, security extensions for Joomla. All of them do the job excellently, but we do not recommend installing every one of them on the same website. Among the Joomla extensions discussed above, AdminExile and Securitycheck offer more features. AdminExile works as a plugin, whereas Securitycheck works in two forms, as a component and as a plugin.

AdminExile eliminates the root of the brute force threat by protecting the login URL with a secret key. If a hacker gets to know the login URL and tries to get into the administrator panel, the extension will detect the brute force attack and block the hacker.

Securitycheck, on the other hand, protects against SQL injection, LFI and XSS attacks. Although it has many features, few of its options are configurable. Our recommendation goes with both extensions. You may pick the best solution for your website by evaluating your needs.

How to Install and Configure the Extensions

How to install the extension:

  • Install the extension this way: Extensions → Manage → browse to the extension package and choose Upload & Install.

How to configure the extensions:

  • After installing the extension successfully, do the following to configure it: Extensions → Plugins → find “System – name_of_extension” and hit the “Edit” option.

That is it for this article. Now it is your turn to send us your queries or suggestions. If you find the article helpful and useful, share it with others. Don’t forget to leave your views, reviews, suggestions and queries in our comment section. We will be pleased to respond to your comments.