On this page

# Topics

component

Media in Joomla

08 June 2026

Most Joomla components store rows in a database table: articles, contacts, banners, news feeds. The Media Manager (com_media) is different. It does not manage rows at all. It manages files on a disk: the images, PDFs, audio, and video that the rest of your website uses.

You meet the Media Manager every time you add an image to an article, pick a logo for a banner, or attach a brochure to a contact. It is the one tool that every other component borrows when it needs a file. Learn it once, and you understand the file layer of the entire CMS.

Joomla's built-in manager for images, documents, audio, and video

This article explains how the Media Manager really works. It covers the basics for website owners, the practical day-to-day use for editors and administrators, and the technical architecture for developers. You will learn how uploads are checked, why a .docx is blocked by default, why folders are not categories, and how the pluggable storage design lets Joomla write to a cloud bucket without changing the interface.

1. The Basics

1.1 What Makes Media Different

The first thing to understand is that the Media Manager does not behave like the other components you may already know. The difference is fundamental:

Most components	Media Manager
Store rows in a database table	Stores files on a filesystem
Organise content with categories	Organises with folders (real directories)
Display through menu items	Has no front-end menu item - it is a tool
Use one fixed storage location	Uses pluggable adapters (local disk, cloud, …)

The most important consequence: there is no #__media table. Your "media data" is simply the directory tree on disk. This single fact explains almost everything else in this article, including backups, search speed, and migration.

1.2 The Moving Parts

It helps to see the whole chain at once. From the screen you click on, down to the bytes on disk:

Media Manager UI (Vue single-page app)
   │  talks over REST / AJAX
   ▼
ApiModel  →  ProviderManager  →  Adapter  →  storage
                                    (local)      (images/ on disk)

The UI is a single-page JavaScript (Vue) application in the backend.
An Adapter knows how to read and write one storage backend.
A Provider is a filesystem plugin that supplies one or more adapters.
The Storage is where the bytes actually live. By default that is the images/ folder on your local disk.

Keep this picture in mind. When we reach the developer section, every part of it becomes a place you can extend.

1.3 Where to Find It

In the Joomla 6 backend, the Media Manager and its settings live in two places:

Content → Media                              (the manager itself)
System  → Global Configuration → Media       (the options)

The manager also appears embedded wherever a Media form field is used. The "Select" button next to an image field opens the very same manager inside a modal window. So most editors never open Content → Media directly - they meet it through the image button in their editor.

1.4 Two Roots: `/images` and `/files`

For years, Joomla surfaced a single images/ folder. Modern Joomla ships two roots, so that documents do not get mixed in with pictures:

Root	Default folder	Meant for
images	`images/`	Pictures used in content - the default for image pickers
files	`files/`	Documents and downloads - PDFs, Office files, archives

The split is purely organisational: keep visitor-facing pictures in /images and downloadable documents in /files. Both folders live under the Joomla root.

1.5 Two Layers Configure Those Roots

This detail trips many people up, so it is worth slowing down. The roots are set in two different places, and they do two different jobs:

1. Local filesystem plugin  (plg_filesystem_local)
   param "directories" = [{"directory":"images"}, {"directory":"files"}]
   → each entry becomes a SEPARATE adapter (a top node in the tree)
   → each can have its own thumbnails toggle
   → add more here to expose extra folders (for example "downloads")

2. com_media Options  (System → Global Config → Media)
   image_path = images   ← which root image fields default to
   file_path  = files    ← the documents root

In short: the plugin decides which folders appear as adapters; the component options decide which one counts as "images" versus "files" for the pickers. Both are validated, and core directories such as administrator, libraries, and cache are excluded. You cannot point a root at them.

2. Using the Media Manager

2.1 The Core Actions

From the toolbar and the right-click context menus, you have the actions you would expect from any file manager:

Action	What it does
Upload	Drag-and-drop or browse; several files at once.
Create New Folder	Make a real subdirectory on disk.
Rename	Rename a file or folder.
Copy / Move	Within a folder, across folders, or even across adapters.
Delete	Remove a file or folder.
Edit	Open the in-browser image editor (images only).
Preview	Inline preview of images, video, audio, and PDF.

2.2 Two Views, One Manager

The manager offers two ways to look at the same folder:

Grid view - thumbnails, ideal for images.
List view - name, size, dimensions, and date, ideal for documents.

A breadcrumb shows your current path. A tree on the left lets you jump between folders and between adapters (for example, switch from the images root to the files root).

2.3 Uploading: What Actually Happens

An upload is not a simple "copy the file" operation. Every file passes through a series of checks before it is allowed to land:

Browser → drag file → ApiModel::createFile()
   → check the extension is allowed
   → check the real MIME type (if enabled)
   → check the size is within upload_maxsize
   → Adapter writes the bytes to storage

If any check fails, the file is rejected before it is written. We will look at why these checks matter in the Security section.

2.4 The In-browser Image Editor

Select an image and click Edit. This opens a separate Vue application that offers three tools:

Tool	Plugin (in the `media-action` group)
Crop	`plg_media-action_crop`
Resize	`plg_media-action_resize`
Rotate	`plg_media-action_rotate`

Notice that each tool is a plugin, not hard-coded into the editor. That means the editor is extensible: write your own media-action plugin, and your tool appears in the toolbar. When you save, the result is written as a new (or overwritten) file through the same adapter.

2.5 Picking Media From Other Components

This is the Media Manager's real job. The Media form field (type="media") renders a small preview plus a "Select" button:

<field name="image" type="media"
       label="Image" directory="banners" />

It is used by articles, contacts, categories, modules, custom fields, templates, and more.
"Select" opens the manager in a modal, scoped to the directory you set.
It returns a path string that the component stores, for example images/banners/logo.png.

So the manager is the shared file picker for the whole CMS. The path string is the only thing the other component ever stores - the file itself stays on disk.

2.6 The Editor Image Button (How Most People Meet It)

The form field is how developers reach the manager. Editors meet it through the WYSIWYG toolbar. With TinyMCE the flow looks like this:

Edit an article → click the  Image  button in the toolbar
   → the Media Manager opens in a modal
   → browse or upload → pick a file → Insert
   → TinyMCE drops the markup into the body:

<img src="/images/articles/example.jpg" alt="Example" loading="lazy">

The images root (image_path) is what this picker shows by default.
Always set the alt text in the dialog - it helps both accessibility and SEO.
The same modal can upload on the spot, so editors rarely open Content → Media directly.

For most content editors, the Media Manager is that image button. Everything we discussed above happens quietly behind that one modal.

2.7 Linking and Embedding Files in Content

Picking an image inserts an <img> tag. Other file types you link or embed by hand (or with an editor button). The path is always the manager path under your root:

<!-- Document download (PDF / Office) -->
<a href="/files/documents/brochure.pdf">Download the brochure (PDF)</a>
<a href="/files/documents/pricing.xlsx">Price list (XLSX)</a>

<!-- Audio: an MP3 from /files or /images -->
<audio controls src="/files/audio/interview.mp3"></audio>

<!-- Video: a short MP4 hosted locally -->
<video controls width="800" src="/files/video/demo.mp4"></video>

Type	How you use it in content
Image	Editor image button → `<img>` (inline)
PDF / Office	`<a href>` download link (the browser opens or downloads it)
MP3	`<audio controls>` element
MP4	`<video controls>` element

One practical warning about large videos: do not serve big MP4 files off your Joomla server. Host them on YouTube, Vimeo, or a CDN and embed the player. A local <video> tag is fine for a short clip, but heavy for long ones - it uses your bandwidth and offers no adaptive streaming.

3. File Types: Images, Office, Audio, Video, and SVG

3.1 The Four Extension Lists

Beyond the master list of allowed uploads, the Options screen sorts extensions into four buckets. The bucket decides how the manager previews and handles a file once it is uploaded:

Option	Default value	Role
Allowed (`restrict_uploads_extensions`)	`bmp,gif,jpg,jpeg,png,webp,avif,ico,mp3,mp4, odg,odp,ods,odt,pdf,ppt,txt,xcf,xls,csv`	The whitelist - nothing outside this can upload
Image (`image_extensions`)	`bmp,gif,jpg,jpeg,png,webp,avif`	Rendered as thumbnails and openable in the editor
Audio (`audio_extensions`)	`mp3,m4a,mp4a,ogg`	Get an inline `<audio>` player
Video (`video_extensions`)	`mp4,mp4v,mpeg,mov,webm`	Get an inline `<video>` player
Document (`doc_extensions`)	`doc,odg,odp,ods,odt,pdf,ppt,txt,xcf,xls,csv`	Shown with a document icon; PDF previews inline

The rule to remember: an extension must be in Allowed to upload at all. The other three lists only decide how the file is displayed once it is there.

3.2 Audio and Video: MP3 and MP4 Just Work

The good news is that mp3 and mp4 are in the default whitelist and in the audio/video lists, so they work out of the box:

upload interview.mp3  → allowed → audio_extensions → inline <audio> player
upload promo.mp4      → allowed → video_extensions → inline <video> player

Drop them in /files (or /images), pick them with a Media field, and they play in the preview.
mp4 is listed as both audio and video - Joomla shows the appropriate player.
Want webm, mov, or ogg? They are already in the audio/video lists, but you may need to add them to the Allowed list before you can upload them.

3.3 MS Office and OpenDocument: A Real Gotcha

Look closely at the defaults, because this one causes regular support tickets:

Format	Extensions	Allowed by default?
OpenDocument	`odt, ods, odp, odg`	Yes
Legacy Office	`doc, xls, ppt`	Yes
Modern Office (OOXML)	`docx, xlsx, pptx`	No

Out of the box you can upload an old .doc but not a modern .docx. The x formats are missing from both the extension whitelist and the MIME whitelist.

To allow modern Office documents you must add both the extension and the MIME type:

restrict_uploads_extensions:  …,docx,xlsx,pptx

upload_mime: add the OOXML MIME types, for example
  application/vnd.openxmlformats-officedocument.wordprocessingml.document     (docx)
  application/vnd.openxmlformats-officedocument.spreadsheetml.sheet           (xlsx)
  application/vnd.openxmlformats-officedocument.presentationml.presentation   (pptx)

If you add the extension but forget the MIME type, the Check MIME step rejects the upload. That is the classic "my docx will not upload" ticket.

3.4 SVG: Deliberately Blocked

The svg extension is not in any default list - not Allowed, not Image, and image/svg+xml is not in the MIME whitelist. This is on purpose, and it is worth understanding why:

An .svg file is XML. XML can contain:
   <script>…</script>            → stored XSS
   <a xlink:href="javascript:">   → script execution
   external entity references     → SSRF / data exfiltration

Because an SVG renders like an image but executes like a document, uploading one straight into your webroot is a stored cross-site-scripting (XSS) vector. Joomla blocks it by default.

If you genuinely need SVG (for example, a trusted icon set), enable it carefully:

1. Add  svg  to restrict_uploads_extensions  AND  image_extensions
2. Add  image/svg+xml  to upload_mime
3. Allow ONLY trusted groups to upload (use ACL - see Security)
4. Sanitise the SVGs (strip <script>, event handlers, external refs)
   before they reach the webroot

Treat enabling SVG the same way you would treat enabling custom HTML banners: it is control traded for safety. Restrict it to staff and sanitise the files.

3.5 Adding a New File Type: The Checklist

Whenever an upload is refused, walk through this list in order:

1. Is the extension in  restrict_uploads_extensions ?   (if not, it is blocked)
2. Is Check MIME on?  → the real MIME must be in  upload_mime
3. Want a thumbnail or the editor?  → add it to  image_extensions
4. Want a player?                   → add it to  audio_extensions / video_extensions
5. Is the file within  upload_maxsize  AND PHP's upload_max_filesize / post_max_size ?

The extension and the MIME type must both pass. Adding one without the other is the number-one cause of "it still will not upload".

4. Folders, Not Categories

4.1 The Folder Tree Is the Filesystem

There is no nested-set category tree here. In the Media Manager, "organisation" means real directories:

images/
├── banners/
├── headshots/
│   └── 2026/
└── sampledata/

Folders are created, renamed, and deleted as actual directories on the storage backend.
Permissions are filesystem permissions plus Joomla ACL, not category ACL.

Where other components ask "which category?", Media asks "which folder, on which adapter?".

4.2 Why This Matters

Because the tree is the disk, the database tricks you may know from categories simply do not apply:

There is no "Rebuild" button and no lft/rgt values. Moving a file is a real rename() on disk.
A move across adapters is a copy-then-delete, because the two storage backends are different.
Deep folder trees are cheap to browse, but expensive to scan when you search.

4.3 A Sane Folder Convention

Because the tree is real directories, a tidy structure pays off at backup, migration, and editor-pick time. A common, reliable layout looks like this:

images/                  files/
├── articles/            ├── documents/   ← PDFs, Office files
├── banners/             ├── audio/       ← MP3
├── products/            └── video/       ← short MP4
├── logos/
└── headshots/2026/

A few guidelines:

Pictures go in /images, documents and downloads go in /files.
Use one folder per context (articles, products, banners). This keeps the pickers short and scannable.
Use date or campaign subfolders (such as 2026/) so no single folder ever balloons to thousands of files, which slows down both the UI and search.
Decide the convention before editors start uploading. Reorganising later means fixing every images/… path already baked into content.

The folder names become part of your URLs and content paths. Treat them as a small information architecture, not a dumping ground.

5. The Adapter Architecture (The Clever Bit)

5.1 One UI, Pluggable Storage

The whole component is built around a single contract called AdapterInterface. It defines twelve methods:

getFile       getFiles      getResource
createFolder  createFile    updateFile
copy          move          delete
getUrl        search        getAdapterName

Implement those twelve methods and the entire Media Manager UI works against your storage: Amazon S3, Azure Blob, a digital asset manager (DAM), anything you like.

5.2 Providers Supply Adapters

An adapter does not appear by itself. A provider supplies it:

Filesystem plugin (provider)  →  one or more Adapters
plg_filesystem_local          →  LocalAdapter (one per configured root)

A filesystem provider is a plugin in the filesystem group.
Core ships exactly one: Local (plugins/filesystem/local).
Its configuration lists the roots (such as images and files), and each root becomes a selectable adapter in the tree.

5.3 The ProviderManager

A small registry ties it all together:

ProviderManager
  ├─ registers every enabled filesystem plugin
  ├─ each plugin returns its adapter(s)
  └─ the UI lists them as  provider-adapter  nodes

An adapter is addressed as provider:adapter:/path, for example:

local-images:/headshots/peter.png
local-files:/contracts/2026.pdf

That provider-adapter prefix is how the UI and the API know which storage a path lives on.

5.4 Writing a Cloud Adapter (Concept)

To picture how extensible this is, here is the skeleton of an S3 adapter:

class S3Adapter implements AdapterInterface
{
    public function getFiles(string $path = '/'): array { /* list bucket */ }
    public function createFile(string $name, string $path, $data): string { /* putObject */ }
    public function getUrl(string $path): string { /* signed URL */ }
    // … the other nine methods
}

Wrap it in a filesystem plugin that returns the adapter, enable the plugin, and a new root appears in the manager - with zero changes to the UI. This is the single most important architectural idea in com_media: storage is a plugin.

6. Security: The Media Manager Is an Attack Surface

6.1 Why It Is Sensitive

A file manager lets users write files that look executable into your webroot. That is exactly what an attacker wants. Joomla defends against this in layers, and you should keep those layers switched on.

6.2 The Upload Gauntlet

Every upload is checked, in this order:

Check	Option	Effect
Restrict Uploads	`restrict_uploads`	Master switch - only allow listed types
Allowed Extensions	`restrict_uploads_extensions`	The whitelist (`bmp,gif,jpg,png,webp,avif,pdf,mp4…`)
Check MIME Type	`check_mime`	Sniff the real content type, not just the extension
Legal MIME Types	`upload_mime`	Whitelist of acceptable MIME strings
Ignored Extensions	`ignore_extensions`	Skip the MIME check for these
Max Size	`upload_maxsize`	Reject files over N MB (default 10)

6.3 Extension Is Not Content

This is the heart of upload security. A file called logo.png can contain PHP. That is exactly why Check MIME Type matters:

restrict_uploads = Yes   → only whitelisted extensions
check_mime       = Yes   → the bytes must actually BE that type

With both switched on, a shell.php renamed to shell.png is rejected, because its sniffed MIME type is not an image. Leave Restrict Uploads and Check MIME on. Turning them off to "make an upload work" is how sites get hacked.

6.4 Path Traversal and Root Confinement

Joomla also defends against attempts to escape the configured folder:

Roots are validated, and core directories (administrator, libraries, cli, …) are excluded.
The LocalAdapter resolves and confines every path inside its configured root, so a path like ../../configuration.php cannot escape.
File and folder names are cleaned with Joomla's path helpers before any write happens.

6.5 ACL on Actions

The component's access.xml defines fine-grained permissions:

core.create   → upload / create folders
core.edit     → rename / edit images
core.delete   → delete files / folders

Grant these only to trusted groups such as Manager and Administrator. A contributor who can upload to the webroot is a contributor who can potentially upload a webshell. Restrict the right to write files as tightly as you can.

7. Under the Hood (Developer View)

7.1 No Table, a Service Stack

Because there is no database table, the component is a stack of services and plugins:

administrator/components/com_media/
  src/Adapter/AdapterInterface.php      the 12-method contract
  src/Provider/ProviderManager.php      registers providers / adapters
  src/Model/ApiModel.php                CRUD orchestration
  src/Model/MediaModel.php              the SPA-backing model
  src/Controller/ApiController.php      AJAX endpoints for the Vue UI
  src/Controller/DisplayController.php  renders the SPA shell

plugins/filesystem/local/   the one core provider
  src/Adapter/LocalAdapter.php

plugins/media-action/        crop / resize / rotate
media/com_media/js/          media-manager.js + edit-images.js (Vue)

7.2 The Request Flow

When you open the manager, two things happen: first the page shell loads, then the JavaScript app takes over and talks to the API:

1. Content → Media
   → DisplayController renders the Vue SPA shell (one <div> + assets)

2. The Vue app boots → calls the internal API:
   → ApiController (com_media&task=api.*)  OR  /api/index.php/v1/media/...
   → ApiModel → ProviderManager → Adapter → storage
   → JSON back to Vue → the grid re-renders

The PHP side is a thin JSON service; the manager itself is a JavaScript app. That has a practical consequence: to change the look, you override with CSS and JavaScript layout, not with PHP template overrides.

7.3 The Web Services / Internal REST API

The component is API-first. The same routes power the single-page app and any headless client:

GET    /api/index.php/v1/media/adapters            list storage adapters
GET    /api/index.php/v1/media/adapters/{id}       one adapter
GET    /api/index.php/v1/media/files?path=...      list files / folders
GET    /api/index.php/v1/media/files/{path}        one file (meta / content)
POST   /api/index.php/v1/media/files               upload / create
PATCH  /api/index.php/v1/media/files/{path}        rename / move / edit
DELETE /api/index.php/v1/media/files/{path}        delete

These routes are registered by the webservices/media plugin. Because the UI uses these exact endpoints, anything the manager can do, a script can do too - which is great for automation and integration, and another reason to keep ACL tight.

7.4 The Adapter Contract in Full

For developers who want to build their own storage backend, here is the complete interface:

interface AdapterInterface
{
    public function getFile(string $path = '/'): \stdClass;
    public function getFiles(string $path = '/'): array;
    public function getResource(string $path);          // stream
    public function createFolder(string $name, string $path): string;
    public function createFile(string $name, string $path, $data): string;
    public function updateFile(string $name, string $path, $data): void;
    public function delete(string $path): void;
    public function copy(string $source, string $destination, bool $force = false): string;
    public function move(string $source, string $destination, bool $force = false): string;
    public function getUrl(string $path): string;
    public function getAdapterName(): string;
    public function search(string $path, string $needle, bool $recursive = false): array;
}

Twelve methods are the entire surface area. That is the contract a cloud adapter must satisfy - no more, no less.

7.5 Three Plugin Groups

The component is extensible without touching core code, thanks to three plugin groups:

filesystem      → add storage backends
media-action    → add image-editor tools
webservices     → expose / extend the REST API

7.6 Thumbnails and Image Handling

Previews and thumbnails are generated through Joomla's Image library (libraries/src/Image/Image.php), which sits on top of GD or Imagick. The editor's crop, resize, and rotate operations run through the same layer, and EXIF orientation, dimensions, and resampling are handled on the server. This is the same Image class you can call from your own code - Media just wraps it in a user interface.

7.7 At Scale

A filesystem-backed manager behaves differently from a database component, and that changes how you operate it:

Concern	Why	Mitigation
Big folders	Listing a directory with 10,000 files is slow and heavy in the UI	Split into subfolders; paginate
Search cost	`search()` walks the tree (there is no database index)	Keep trees shallow; search a subfolder
Thumbnail CPU	Generating previews on the fly is CPU work	Cache thumbnails; let a CDN serve originals
Remote adapters	Each list or read is a network call to the bucket	Cache listings; use signed URLs from `getUrl()`
Backups	Files live on disk, not in the SQL dump	Back up `images/` and `files/` separately from the database

A reminder for operations: a database dump does not contain your media. The bytes are on the filesystem (or in a cloud bucket), and you must back them up separately.

8. Common Mistakes and Pitfalls

8.1 "My Upload Is Rejected"

Work through this checklist - the cause is almost always one of these:

Is the extension in Allowed Extensions?
Is it a .docx, .xlsx, or .pptx? Those are not allowed by default - add the extension and the OOXML MIME type.
Is it an .svg? Blocked by design (XSS risk) - only enable it for trusted groups, and sanitise the files.
Is Check MIME rejecting a mislabeled file? That is the defence working. (Did you add the extension but not the MIME type? Then it is still rejected.)
Is the file over Max Size (upload_maxsize)? Also check PHP's upload_max_filesize and post_max_size.
Is the folder writable by the web server user?

8.2 "I Cannot See My Images Folder"

Is the path to the images folder valid and does it actually exist?
Did you point it at an excluded core directory? That is not allowed.
Is the right adapter selected in the tree (local-images versus local-files)?

8.3 Security Mistakes

Do not disable Restrict Uploads or Check MIME to force a stubborn upload through.
Do not grant upload (core.create) to untrusted groups - writing to the webroot is a real risk.
Remember that a .png can hide PHP. MIME checking is the defence; keep it on.

8.4 Backup and Migration

Database backups exclude media files - back up the folders too.
Moving hosts? Copy images/ and files/ and then re-check the folder permissions.
Hard-coded images/… paths in your content will break if you change the image_path root.

9. Best Practices

If you only remember a few things from this article, remember these:

Media lives on the filesystem, not in the database. Back up the folders separately.
Keep Restrict Uploads and Check MIME switched on. Never turn them off to force an upload.
Plan your folder convention before editors start uploading - pictures in /images, documents in /files.
Keep folders small; split large collections into date or context subfolders.
To add a file type, add the extension and the MIME type, not just one.
Grant core.create only to trusted groups.
For storage beyond local disk, write a filesystem plugin that implements the 12-method adapter contract.

10. Quick Reference

OPEN          Content → Media
OPTIONS       System → Global Config → Media
IMAGE ROOT    image_path  (default: images)  - pictures, image pickers
FILE ROOT     file_path   (default: files)   - documents / downloads
ROOTS SET     plg_filesystem_local "directories" → adapters (images + files)
NO TABLE      media lives on the FILESYSTEM, not in the DB
ORGANISE      real folders (no #__categories, no lft/rgt)
EDIT IMAGE    crop / resize / rotate = media-action plugins
EDITOR BTN    TinyMCE Image button → Media modal → inserts <img>
EMBED         PDF/Office=<a href>, MP3=<audio>, MP4=<video> (big video→CDN)
PICK MEDIA    <field type="media"> → Select button → modal
ADAPTER       12-method AdapterInterface = storage contract
PROVIDER      filesystem plugin supplies adapter(s); core = Local
MANAGER PATH  provider-adapter:/path   e.g. local-images:/logo.png
EXT LISTS     allowed / image / audio / video / doc
AUDIO/VIDEO   mp3, mp4 allowed by default → inline players
OFFICE        odt/ods/odp, doc/xls/ppt OK; docx/xlsx/pptx NOT (add ext+MIME)
SVG           BLOCKED by default (XML → XSS); add ext+image/svg+xml, sanitise
SECURITY      restrict_uploads + restrict_uploads_extensions
MIME          check_mime + upload_mime  (extension is not content!)
SIZE          upload_maxsize (MB, default 10) + PHP limits
ACL           core.create / core.edit / core.delete (access.xml)
API           /api/index.php/v1/media/files  and  /media/adapters
UI            Vue SPA (media-manager.js) - override via CSS/JS, not tmpl
BACKUP        DB dump does NOT include media - back up folders too

11. Summary

The Media Manager is Joomla's file layer: a storage-agnostic, plugin-driven manager that every other component borrows as its file picker. It is a different shape from the rest of Joomla, and once you see that shape, the whole component makes sense.

To summarise what it gives you:

One manager - upload, browse, and organise, reached from every edit screen.
In-browser editing - crop, resize, and rotate, each a swappable plugin.
Pluggable storage - a 12-method adapter contract; local disk today, cloud tomorrow.
API-first design - the same REST endpoints power the Vue UI and headless clients.
Layered security - extension and real-MIME checks, size limits, root confinement, and ACL.
A different shape - files on disk, not rows in a table; folders, not categories.

Understanding these points helps you avoid the everyday traps (the rejected .docx, the missing backup, the over-shared upload permission) and gives you a clear path when you need to scale storage to the cloud.

If you are planning a new Joomla site, migrating an old one, or troubleshooting stubborn uploads or media that went missing after a move, it pays to treat the Media Manager as the foundation it really is - and to handle its files with the same care you give your database.

Peter Martin

Joomla specialist and Linux admin for fast, secure and scalable websites.

11 June 2026