HTProtect – Documentation
Everything that matters about HTProtect – explained simply, no jargon. For most people it comes down to a single click.
What is HTProtect?
HTProtect is your "server shield" for Joomla: it hardens the central configuration file (the .htaccess), locks the admin area behind an extra password, scans for malicious code and keeps your extensions up to date. It runs on Joomla 2.5 to 6 and sends no data whatsoever to the outside – no telemetry.
Overview
This is HTProtect's start page with the security traffic light: green means all good, yellow is a hint, red means action needed. The big "Secure now" button does everything important in one click. Yellow or red items are clickable – they take you straight to the fix.
Quietly in the background, a watchdog checks about every 6 hours for new admin accounts, secretly changed passwords, defacement of your site, and new attack patterns. It emails you only when something is really wrong – so no spam.
Back-end password protection
Here you place a second password prompt in front of your Joomla back end (the address ending in /administrator). Attackers and bots never even reach the login page – which also protects against flaws nobody knows about yet.
- Choose a username and password
- Turn the protection on – done
It cannot lock you out: HTProtect tests itself and automatically switches back if something is not right. An existing protection can be adopted.
Protection shield
The heart of it all: a hardened .htaccess following the principle "everything forbidden except what is needed". It blocks exploit attacks, prevents programs from being run secretly in upload folders (e.g. images/), hides sensitive files, sets protective headers, and enforces an encrypted connection (HTTPS).
All you need is "Secure now" – the recommended settings are already on. Everything else sits collapsed under "Advanced settings" (for pros; when in doubt, just leave it).
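As an added illustration (generic Apache 2.4 directives written for this page, not the rules HTProtect itself generates), a root .htaccess covering the measures described above could look like this. The folder list, file patterns and header values are assumptions, and mod_rewrite and mod_headers must be enabled.

```apache
# Added example: generic Apache 2.4 hardening rules for a Joomla root .htaccess.
# Not HTProtect's generated file; folder names, patterns and values are assumptions.

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Enforce HTTPS: send every plain-HTTP request to the same URL over TLS.
    # Caveat: behind a proxy that terminates TLS, %{HTTPS} is always "off" and
    # this rule loops; test the proxy's forwarded-protocol header instead.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Upload folders hold data, never programs: answer 403 for any script
    # requested below images/ or tmp/ (extend the list to match your site).
    RewriteRule ^(images|tmp)/.*\.(php[0-9]?|phtml|phar|pl|py|cgi|sh)$ - [F,NC,L]
</IfModule>

# Hide sensitive files: dotfiles (.htaccess, .htpasswd, .env, .git*),
# editor backups and database dumps are never served over HTTP.
<FilesMatch "(^\.|\.(bak|old|orig|swp|sql|log)$|~$)">
    Require all denied
</FilesMatch>

# No directory listings for folders without an index file.
Options -Indexes

<IfModule mod_headers.c>
    # Stop browsers from guessing a content type other than the declared one.
    Header always set X-Content-Type-Options "nosniff"
    # Allow framing by the site itself only (clickjacking protection).
    Header always set X-Frame-Options "SAMEORIGIN"
    # Do not leak full URLs to other origins.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # HSTS: only sent on HTTPS responses; browsers then refuse plain HTTP.
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>
```

With rules like these in place, a request for a .php file under images/ should return 403 and every HTTPS response should carry the four headers. Servers still on Apache 2.2 need the older Order/Deny syntax in place of Require all denied.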
Site scan
The scan searches your entire website for malicious code, planted files, and hidden back doors (so-called web shells) – and can remove anything it finds right away. It runs only when you start it, never on its own, and puts no constant load on your server.
Very large sites are scanned in small chunks so nothing is cut off by a time limit; a repeat scan then only checks what has changed. On top of that, it can test whether your linked files and downloads are reachable.
Backups & updates
Before every change to the .htaccess, HTProtect automatically makes a backup – so you can return to the previous state at any time with a single click.
If you like, HTProtect also updates your Joomla extensions automatically, including a backup of files and database; if an update breaks something, it is rolled back by itself (switchable per extension). The assistant that cleanly removes HTProtect again, should you ever want that, lives here too.
Help & support
Here you can reach support (optionally with helpful diagnostic data), the live chat, this documentation, and the tip jar.
If you ever want to remove HTProtect, an assistant offers – during uninstall – to cleanly remove the protection files and restore your original .htaccess. On privacy: HTProtect sends no data to the outside.
- Securing the Joomla .htaccess with HTProtect (background article)