HTProtect.org
Independent information site on Joomla security vulnerabilities
HTProtect HTProtect JOOMLA SECURITY
htprotect.org Vulnerabilities & update guides
Documentation

HTProtect – Documentation

The essentials of the Joomla security extension HTProtect at a glance: installation, the core features and answers to common questions.

In short
HTProtect is one-click hardening for Joomla with real-time protection (WAF), automatic monitoring and live signature updates. It does not replace updates – it complements them as an additional layer of protection.

Installation & first steps

  1. Install the extension

    In the Joomla back end open SystemInstallExtensions and upload the HTProtect package.

  2. Open HTProtect

    Open the Overview under ComponentsHTProtect.

  3. Run the one-click hardening

    The security status lists every protection point (HTTPS enforcement, protection shield, exploit shield, upload hardening …). Bring it into the green with the one-click hardening.

  4. Enable real-time protection & watchdog

    A single switch enables real-time protection (WAF), the automatic watchdog and live signature updates at once.

  5. Set an alert email

    Enter an email address for notifications and verify it with Send test email.

  6. Run a site scan

    Use Site Scan to check the installation for vulnerable extensions and anomalies.

The areas at a glance

Overview & security status
All protection checks at a glance, one-click hardening and the self-test.
Protection shield
Exploit shield with current attack signatures.
Real-time protection (WAF)
Blocks exploit calls even in the POST body that a plain .htaccess never sees.
Back-end access
Optional extra protection for the administrator login.
Site scan
Checks the installation for, among other things, known vulnerable extensions.
Monitoring & alerts
Watchdog for files, super-user accounts, defacement & a watch list – with email notifications.
Live signature updates
New signatures are loaded automatically – zero-days are covered promptly.
Self-test
A regular self-check ("X of X passed") confirms everything is working.

Requirements

Platform
Joomla (a currently supported version – the server self-test shows compatibility)
PHP
8.x
Server
Apache or compatible
Availability

Good to know

HTProtect does not replace updates
The most effective measure remains applying vendor updates promptly. HTProtect lowers the risk in the window beforehand (WAF, upload hardening) and reports anomalies.
  • Back-end access protection is optional and can be added at any time under "Back-end access".
  • Scan regularly: run the site scan and self-test manually now and then; the watchdog runs automatically anyway.
  • On an alert, check the reported points – if compromised, have the site professionally cleaned and change all passwords.

Frequently asked questions

Does HTProtect replace my updates?

No. HTProtect is an additional layer of protection. Updating the affected extensions remains the most important measure.

Does it protect against the vulnerabilities documented here?

It hardens the upload folders – the entry point of many of these flaws – and blocks exploit calls via the WAF. The actual fix, however, remains updating the respective extension.

What happens on an alert?

You receive an email at the address you set. Open items are re-reported at a configurable interval until they are resolved.

Support & availability

Inside the extension you will also find a Help Center with further guidance.

Supporters

Supporters of this site

htprotect.org is a free, vendor-independent information service. It is supported by:

Host & community
FC-Hosting

Joomla host from Germany with active community support – discovered the first attack on the JCE vulnerability.

fc-hosting.de
Initiator & operator
Website-Bereinigung.de

Specialised in cleaning, maintaining and securing Joomla and WordPress websites.

website-bereinigung.de

Support this project

You run a hosting or Joomla service and would like to support htprotect.org – and be listed here as a supporter? Every contribution helps to warn and protect those affected faster.

Support HTProtect now