HTProtect.org
Independent information site on Joomla security vulnerabilities

HTProtect – Documentation

Everything that matters about HTProtect – explained simply, no jargon. For most people it comes down to a single click.

What is HTProtect?

HTProtect is your "server shield" for Joomla: it hardens the central configuration file (the .htaccess), locks the admin area behind an extra password, scans for malicious code and keeps your extensions up to date. It runs on Joomla 2.5 to 6 and sends no data whatsoever to the outside – no telemetry.

For most people, one click is enough
The normal case is a single click on "Secure now" in the overview – everything else happens automatically. And no need to worry: HTProtect does not break anything. Before every change it makes a backup, checks itself, and automatically rolls back if something goes wrong.

Overview

This is HTProtect's start page with the security traffic light: green means all good, yellow is a hint, red means action needed. The big "Secure now" button does everything important in one click. Yellow or red items are clickable – they take you straight to the fix.

Quietly in the background, a watchdog checks about every 6 hours for new admin accounts, secretly changed passwords, defacement of your site, and new attack patterns. It emails you only when something is really wrong – so no spam.

Back-end password protection

Here you place a second password prompt in front of your Joomla back end (the address ending in /administrator). Attackers and bots never even reach the login page – which also protects against flaws nobody knows about yet.

  1. Choose a username and password
  2. Turn the protection on – done

It cannot lock you out: HTProtect tests itself and automatically switches back if something is not right. If a protection is already in place, HTProtect can adopt it.

Protection shield

The heart of it all: a hardened .htaccess following the principle "everything forbidden except what is needed". It blocks exploit attacks, prevents programs from being run secretly in upload folders (e.g. images/), hides sensitive files, sets protective headers, and enforces an encrypted connection (HTTPS).

All you need is "Secure now" – the recommended settings are already on. Everything else sits collapsed under "Advanced settings" (for pros; when in doubt, just leave it).

Your own downloads stay intact
After securing, HTProtect visits your site itself and automatically re-allows legitimate, linked downloads and forms. So securing never breaks your own downloads. Only genuinely risky things – such as a PHP program file in the image folder – are reported to you by name, so you can decide on purpose.
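
An added example, not HTProtect's own code or detection logic: a Python check that lists, by name, the files in an upload folder such as images/ that a web server could run as PHP. The extension list, the function names and the sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Assumed list of extensions that Apache setups commonly hand to PHP.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}


def classify(path):
    """Return why a file in an upload folder looks runnable as PHP, else None."""
    exts = path.name.lower().split(".")[1:]
    if exts and exts[-1] in SCRIPT_EXTS:
        return "script extension"
    if SCRIPT_EXTS.intersection(exts):
        return "script extension before the final one"
    # Whole file is read so code appended after valid image data is also seen.
    if b"<?php" in path.read_bytes():
        return "PHP open tag in a non-script file"
    return None


def audit_upload_dir(root):
    """Walk the folder; return sorted (relative path, reason) findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and (reason := classify(path)):
            findings.append((path.relative_to(root).as_posix(), reason))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: harmless placeholder files in a fake images/."""
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "banners/info.php": b"<?php echo 'placeholder';",
        "banners/photo.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "headers/pic.gif": b"GIF89a<?php echo 'placeholder';",
    }
    for rel, data in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in audit_upload_dir(tmp):
            print(f"{rel}: {reason}")
```

To check a real site, call audit_upload_dir() with the path of its images/ folder; every finding is something to review by hand, not proof of compromise.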

Site scan

The scan searches your entire website for malicious code, planted files, and hidden back doors (so-called web shells) – and can remove anything it finds right away. It runs only when you start it, never on its own, and puts no constant load on your server.

Very large sites are scanned in small chunks so nothing is cut off by a time limit; a repeat scan then only checks what has changed. On top of that, it can test whether your linked files and downloads are reachable.

Backups & updates

Before every change to the .htaccess, HTProtect automatically makes a backup – so you can return to the previous state at any time with a single click.

If you like, HTProtect also updates your Joomla extensions automatically, including a backup of files and database; if an update breaks something, it is rolled back by itself (switchable per extension). The assistant that cleanly removes HTProtect again, should you ever want that, lives here too.

Help & support

Here you can reach support (optionally with helpful diagnostic data), the live chat, this documentation, and the tip jar.

If you ever want to remove HTProtect, an assistant offers – during uninstall – to cleanly remove the protection files and restore your original .htaccess. On privacy: HTProtect sends no data to the outside.

Supporters of this site

htprotect.org is a free, vendor-independent information service. It is supported by:

Host & community: FC-Hosting (fc-hosting.de)
Joomla host from Germany with active community support – discovered the first attack on the JCE vulnerability.

Initiator & operator: Website-Bereinigung.de (website-bereinigung.de)
Specialised in cleaning, maintaining and securing Joomla and WordPress websites.
