Private Messages in Joomla

22 June 2026

Joomla has a small mailbox built into the backend that most administrators never notice. When you log in and Joomla warns you that an update is available, or that something needs your attention, that notice often arrives as a private message. The same system lets you and your fellow administrators send short notes to each other without leaving the control panel.

This article explains how Joomla's Private Messages component (com_messages) really works. It covers the basics for owners and editors, the daily setup for administrators, and the technical details for developers - the database tables, the PHP model, the email notifications, and the REST API.

A built-in inbox for your backend team, hiding in plain sight under the Users menu.

The goal is simple: help you understand Private Messages well enough to use them on purpose instead of being surprised by them.

1. The Basics

1.1 What is the Private Messages Component?

The Private Messages component (com_messages) is Joomla's built-in tool for sending short, internal messages between backend users. It has shipped with Joomla core for many years and lives entirely in the administrator area.

What it does in short:

  • It lets one backend user send a message (subject plus body) to another backend user.
  • It stores each message as one row in the #__messages database table.
  • It can email the recipient when a new message arrives.
  • It is also the channel Joomla itself uses to notify Super Users about important events.

Think of it as a tiny internal mailbox. It is not a frontend chat, not a contact form, and not a newsletter tool. It is a quiet, administrator-to-administrator note system.

1.2 Who Can Receive a Message?

This is the single most important fact about Private Messages: you can only send a message to a user who is allowed to log in to the backend. A normal frontend-only registered user cannot receive a private message, because they have no backend inbox to read it in.

Joomla checks two things about the recipient before it sends:

  • The recipient must be able to log in to the administrator (core.login.admin).
  • The recipient must have the Manage permission on com_messages (core.manage).

In practice this means Managers, Administrators, and Super Users can exchange messages. Authors and registered visitors cannot.

1.3 Where Do I Find It?

In the Joomla 6 backend the menu path is:

Users → Private Messages

Under that menu you will find three actions:

Menu item               What it does
New Private Message     Opens the compose form (recipient, subject, message).
Read Private Messages   Opens your inbox - the list of messages sent to you.
My Settings             Your personal options (lock inbox, email on new, auto-purge).

The component lives at administrator/components/com_messages/. There is no frontend folder - by design. It is a backend-only tool.

2. Sending and Reading a Message

2.1 The Compose Form

Open Users → Private Messages → New Private Message. The form is deliberately small. It has exactly three fields:

Field       Notes
Recipient   A dropdown of users who are allowed to receive messages. Required.
Subject     A short, plain-text title for the message. Required.
Message     The body, written in the standard editor. Required.

There is no carbon copy, no attachment, and no rich toolbar in the body. The recipient list only shows users who pass the backend-login and manage checks described in section 1.2, so you cannot accidentally message someone who can never read it.

2.2 Reading and Replying

Open Users → Private Messages → Read Private Messages to see your inbox. Click a subject to open the message. The single-message view shows four things:

  • From - the sender's name.
  • Date - when the message was sent.
  • Subject - the title.
  • Message - the body text.

Opening a message you received marks it as read automatically. From the message view you can click Reply, which opens the compose form with the original sender already filled in as the recipient.

A private message is a one-to-one note. There are no group threads and no "reply all". Each reply is a brand new message row.

3. The Inbox: List, Filters, and Actions

3.1 The List Columns

The inbox list (Read Private Messages) shows the messages where you are the recipient. It never shows messages you sent to other people. The columns are:

Column     Meaning
Checkbox   Select rows for a bulk action.
Subject    The message title. Click it to open the message.
Read       A status icon showing whether the message is read or still new.
From       The name of the sender.
Date       When the message was sent. The list sorts newest-first by default.

3.2 Filtering and Searching

Above the list you get a search box and a status filter:

  • The search box looks in both the subject and the message body.
  • The status filter lets you show only read or only unread messages.

You can also change the sort order by clicking a column header.

3.3 Marking and Deleting

Select one or more rows with the checkboxes, then use the toolbar to mark them read or unread, or to delete them. Deletion is permanent - there is no trash or restore for private messages. Note that you can only mark or delete messages in your own inbox; the component will not let you touch a message addressed to someone else.

4. Your Personal Settings

Every backend user has their own private-message preferences at Users → Private Messages → My Settings. These settings are personal: they only affect your own inbox, and they are stored separately from the messages themselves (see section 7.2). There are three options.

4.1 Lock Inbox

The Lock Inbox option (stored internally as lock) is a simple Yes/No switch. When you set it to Yes, nobody can send you a private message. Any attempt to message you fails with a "send failed" error. The default is No.

This is useful if you never use private messages and do not want your inbox to fill up with system notices.

4.2 Send me an Email

The email notification option (stored as mail_on_new) is also Yes/No. When it is Yes - which is the default - Joomla emails you whenever a new private message arrives, so you do not have to keep checking the backend. Set it to No to receive messages silently.

4.3 Auto-purge after N Days

The auto-purge option (stored as auto_purge) is a number of days. Joomla automatically deletes messages in your inbox that are older than this number. The default is 7 days.

  • Set a larger number (for example 30) to keep messages longer.
  • Set it to 0 to disable automatic deletion entirely.

Auto-purge looks only at the message age, not at whether you have read it. An unread message older than the limit is deleted too, so do not rely on a low number if important notices may sit unread for a while.

5. Email Notifications

5.1 When an Email is Sent

When you send a private message, Joomla decides whether to email the recipient based on their mail_on_new setting, not yours. If the recipient has email notifications switched on (the default), they get an email. If they switched it off, the message is still stored in their inbox - it just arrives silently.

The email is sent in the recipient's backend language and contains the subject and a plain-text version of the message body, plus a link back to the message in the administrator area. The reply-to address is set to the sender, so a direct email reply reaches the right person.

5.2 The Mail Template

The notification uses Joomla's Mail Templates system. The template key is com_messages.new_message. You can customise the wording at System → Templates → Mail Templates by editing that template. The available placeholders include the subject, the message body, the sender name, the site name, and the site URL.

5.3 What if Email Fails?

If your site cannot send email - mail is disabled, or the mail server rejects the message - Joomla does not lose the private message. It still stores the message in the inbox and only logs a warning that the notification email could not be delivered. The recipient will still see the message the next time they open their inbox.

6. System Messages from Joomla

Private Messages are not only for human-to-human notes. Joomla core uses the same component to notify administrators about important events. The most common example is the update notification: when a new Joomla version is available, the system can drop a private message into the inboxes of all Super Users.

Under the hood this is a helper that loops over every enabled Super User and sends each of them the same message, with the sender and recipient set to that user. Because it reuses the normal send path, these system messages also respect each user's mail_on_new preference and trigger the same email notification.

This is why you sometimes log in to a fresh notification you did not expect. It is not spam - it is Joomla using its own internal mailbox to get your attention. If you never want these, you can lock your inbox (section 4.1), but then you also miss genuine notices, so think twice before doing that on a production site.

7. Under the Hood: The Database

7.1 The #__messages Table

Every private message is one row in the #__messages table. The columns are:

Column         Meaning
message_id     Primary key.
user_id_from   The sender's user id.
user_id_to     The recipient's user id.
date_time      When the message was sent.
state          Read state: 0 = unread/new, 1 = read.
priority       Priority level: 0 normal, 1 medium, 2 important.
subject        The message title.
message        The message body.
folder_id      A legacy folder column, kept for compatibility but not used by the current interface.

Two details are worth knowing. First, the priority column exists in the database, but the standard compose form does not let you set it - so in practice every message you send by hand has priority 0. It mainly surfaces through the REST API. Second, "read" and "unread" are just the value of the state column, which the code also exposes under the alias published.

7.2 The #__messages_cfg Table

Your personal settings from section 4 are not stored in the messages table. They live in a separate key/value table called #__messages_cfg:

Column      Meaning
user_id     The user the setting belongs to.
cfg_name    The setting name: lock, mail_on_new, or auto_purge.
cfg_value   The stored value (for example 1 or 7).

Each option is one row. When you save your settings, Joomla deletes your existing rows and writes a fresh row per option. This is why a brand-new user has no rows here at all and simply uses the defaults.

7.3 The Indexes

Both tables carry an index that tells you how Joomla actually reads them.

Table             Index                                          Why it exists
#__messages       useridto_state (user_id_to, state)             The inbox query loads messages for one recipient, often filtered by read/unread. This index makes that lookup fast even with many rows.
#__messages_cfg   unique idx_user_var_name (user_id, cfg_name)   It is a UNIQUE key, so a user can hold only one value per setting name. This is what guarantees you never end up with two conflicting mail_on_new rows.

On a one-person site neither index matters. On a busy multi-editor backend with thousands of stored messages, the useridto_state index is what keeps the inbox responsive.

7.4 A Note on Privacy and Security

Private Messages are "private" only in the sense that other backend users cannot read each other's inboxes through the interface. They are not encrypted. Each message sits as plain text in the #__messages table, which means:

  • Anyone with database access (a hosting admin, a DBA, a Super User running a query) can read every message.
  • Messages are included in your normal database backups, in plain text.
  • The notification email also carries a plain-text copy of the body.

So treat the component as a place for internal notes, not a vault. Never send passwords, API keys, or other secrets through a private message. If you need to share a credential, use a dedicated secrets tool and send only a reference through Joomla.

8. Under the Hood: The PHP API

8.1 Sending a Message in Code

The component follows the modern Joomla MVC pattern. To send a message from your own extension or a CLI script, boot the component and use its Message model:

use Joomla\CMS\Factory;

$app     = Factory::getApplication();
$factory = $app->bootComponent('com_messages')->getMVCFactory();

$model = $factory->createModel('Message', 'Administrator', ['ignore_request' => true]);

$model->save([
    'user_id_from' => 100,        // sender
    'user_id_to'   => 200,        // recipient (must be a backend user)
    'subject'      => 'Backup finished',
    'message'      => 'The nightly backup completed without errors.',
]);

The model's save() method does all the heavy lifting: it checks that both users exist, verifies the recipient is allowed to receive messages, honours the recipient's locked-inbox setting, stores the row, and - if the recipient wants it - sends the notification email.

8.2 Reading and Marking Read

When the recipient opens a message through the model's getItem() method, the model also flips state to 1 for that row. Reading a message and marking it read are the same operation, which is why there is no separate "mark read" step when you click a subject in the inbox.

8.3 Auto-purge in Code

The auto-purge logic lives in the list model. It reads the user's auto_purge value (defaulting to 7 if the user has no setting), and if that value is greater than zero, it deletes rows from #__messages where date_time is older than that many days and user_id_to is the current user. A value of 0 skips the deletion entirely.
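
The settings lookup from section 7.2 and the purge rule above, worked through as an added example (not Joomla's own code) that previews which messages a purge would remove and flags locked inboxes. It uses Python with an in-memory SQLite copy of the two tables; the jos_ prefix, the user ids and all rows are constructed sample data.

```python
import sqlite3
from datetime import datetime, timedelta

DEFAULTS = {"lock": 0, "mail_on_new": 1, "auto_purge": 7}  # defaults stated in the article

def effective_settings(db, user_id):
    """Overlay the user's #__messages_cfg rows on the defaults (no rows = defaults)."""
    settings = dict(DEFAULTS)
    rows = db.execute(
        "SELECT cfg_name, cfg_value FROM jos_messages_cfg WHERE user_id = ?", (user_id,))
    for name, value in rows:
        if name in settings:
            settings[name] = int(value)
    return settings

def purge_preview(db, user_id, now):
    """Rows the purge rule would delete: age only, read state is ignored."""
    days = effective_settings(db, user_id)["auto_purge"]
    if days <= 0:  # 0 disables purging
        return []
    cutoff = (now - timedelta(days=days)).strftime("%Y-%m-%d %H:%M:%S")
    return db.execute(
        "SELECT message_id, state, subject FROM jos_messages "
        "WHERE user_id_to = ? AND date_time < ? ORDER BY message_id",
        (user_id, cutoff)).fetchall()

def audit(db, user_ids, now):
    """Per user: is the inbox locked, and which unread messages are about to vanish?"""
    report = {}
    for uid in user_ids:
        cfg = effective_settings(db, uid)
        doomed = purge_preview(db, uid, now)
        report[uid] = {
            "locked": bool(cfg["lock"]),
            "auto_purge_days": cfg["auto_purge"],
            "unread_at_risk": [mid for mid, state, _ in doomed if state == 0],
            "total_at_risk": len(doomed),
        }
    return report

def build_sample_db():
    """Constructed sample data; 'jos_' stands in for the site's table prefix."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE jos_messages (message_id INTEGER PRIMARY KEY, user_id_from INTEGER,
            user_id_to INTEGER, date_time TEXT, state INTEGER, subject TEXT);
        CREATE TABLE jos_messages_cfg (user_id INTEGER, cfg_name TEXT, cfg_value TEXT,
            UNIQUE (user_id, cfg_name));
    """)
    db.executemany("INSERT INTO jos_messages_cfg VALUES (?, ?, ?)", [
        (200, "lock", "0"), (200, "mail_on_new", "1"), (200, "auto_purge", "0"),
        (300, "lock", "1"), (300, "mail_on_new", "0"), (300, "auto_purge", "30"),
    ])  # user 100 never saved settings, so has no rows and gets the defaults
    db.executemany("INSERT INTO jos_messages VALUES (?, ?, ?, ?, ?, ?)", [
        (1, 100, 100, "2026-06-01 09:00:00", 0, "Update available"),  # old, unread
        (2, 200, 100, "2026-06-10 09:00:00", 1, "Backup finished"),   # old, read
        (3, 200, 100, "2026-06-20 09:00:00", 0, "Deploy done"),       # recent
        (4, 100, 200, "2026-01-01 09:00:00", 0, "Old but kept"),      # purge off
        (5, 100, 300, "2026-05-01 09:00:00", 0, "Sent before lock"),  # > 30 days
    ])
    return db

if __name__ == "__main__":
    print(audit(build_sample_db(), [100, 200, 300], datetime(2026, 6, 22, 12, 0)))
```

Against a real site, run the same two queries on the site's own database with its actual table prefix; the parameter placeholder style depends on the database driver.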

9. The Web Services API

Unlike some small core components, Private Messages does expose a REST API. The Web Services plugin for messages registers a standard set of CRUD routes under:

/api/index.php/v1/messages

9.1 Listing and Reading

To list the messages in your inbox, send an authenticated GET request with an API token:

curl -H "X-Joomla-Token: <token>" \
     https://example.test/api/index.php/v1/messages

To read a single message, append its id:

curl -H "X-Joomla-Token: <token>" \
     https://example.test/api/index.php/v1/messages/42

Each item returns the fields id, user_id_from, user_id_to, date_time, priority, subject, message, state, and the sender's display name. Note that the API renames the message_id column to id in its output.

9.2 Creating a Message

To send a new message, POST a JSON body:

curl -X POST \
     -H "X-Joomla-Token: <token>" \
     -H "Content-Type: application/json" \
     -d '{"user_id_to": 200, "subject": "Deploy done", "message": "Release 2.4 is live."}' \
     https://example.test/api/index.php/v1/messages

Because the API uses the same model as the backend, the same rules apply: the recipient must be a backend user, and their locked-inbox and email-notification settings are respected. The REST route is the only standard way to set a non-zero priority on a message.

10. Permissions and ACL

Private Messages uses Joomla's standard access control. You can configure it at System → Global Configuration → Private Messages → Permissions. The relevant actions are:

Action            What it gates
core.admin        Configure the component and its permissions.
core.manage       Use the inbox. This is also the permission that makes a user eligible to receive messages.
core.create       Compose and send a message.
core.delete       Delete messages.
core.edit.state   Change the read/unread state.

The key point for administrators is the link between ACL and delivery: a user only appears in the recipient dropdown if they have Manage on com_messages and can log in to the backend. If a colleague says "I never get private messages", the usual cause is that their user group lacks one of those two permissions.

11. SEO and Metadata

This section is short for a good reason: Private Messages has no SEO footprint at all. The component is backend-only, so:

  • There are no frontend URLs, no menu item types, and no public pages to index.
  • There are no metadata, slugs, or canonical tags to manage.
  • Search engines never see message content, which is exactly what you want for private internal notes.

If you are looking for the component when planning your site structure, the practical takeaway is that it needs zero SEO configuration. Spend that attention on your articles, categories, and menus instead.

12. Common Mistakes and Pitfalls

12.1 Messaging a Frontend-only User

Symptom: A user is missing from the recipient dropdown, or a scripted send fails for a particular person.

Fix: That user cannot log in to the backend, or lacks Manage on com_messages. Private messages only reach backend users. Adjust the user's group, or use email instead.

12.2 Important Notices Vanish

Symptom: A message you wanted to keep disappeared on its own.

Fix: Auto-purge deleted it. The default is 7 days, and it ignores read state. Raise the number in My Settings, or set it to 0 to disable purging.

12.3 No Email Arrives

Symptom: Messages appear in the inbox but no notification email is sent.

Fix: Check the recipient's mail_on_new setting (it may be off), and confirm the site can send mail at all under System → Global Configuration → Server → Mail Settings. Remember a mail failure never blocks the message itself.

12.4 A Locked Inbox Swallows System Notices

Symptom: A Super User never sees Joomla update notifications.

Fix: Their inbox is locked. Locking blocks all incoming messages, including genuine system notices. Unlock it in My Settings if you rely on those notifications.

12.5 Looking for Sent Messages

Symptom: You cannot find a copy of a message you sent.

Fix: There is no "Sent" folder. The inbox only shows messages addressed to you. If you need a record of what was sent, keep your own copy or query the #__messages table directly.

13. Best Practices

If you only remember a few things from this article, remember these:

  • Private Messages is a backend-only mailbox. It reaches Managers, Administrators, and Super Users - never frontend visitors.
  • A user must have backend login and Manage on com_messages to receive a message.
  • Auto-purge defaults to 7 days and ignores read state. Raise it or set it to 0 if you need to keep notices.
  • Do not lock a Super User's inbox on a production site - you will miss Joomla's own system notifications.
  • The email notification depends on the recipient's setting, not the sender's.
  • Messages are stored as plain text, not encrypted. Never send passwords or secrets through a private message.
  • There is no Sent folder and no trash. Deletion is permanent.
  • Developers can send messages through the Message model or the REST endpoint at /api/index.php/v1/messages.

14. Quick Reference

SEND A MESSAGE     Users → Private Messages → New Private Message
READ YOUR INBOX    Users → Private Messages → Read Private Messages
PERSONAL OPTIONS   Users → Private Messages → My Settings
LOCK INBOX         My Settings → Lock Inbox = Yes (blocks all incoming)
EMAIL ON NEW       My Settings → controlled by mail_on_new (default On)
AUTO-PURGE         My Settings → days to keep (default 7, 0 = never)
MAIL TEMPLATE      System → Templates → Mail Templates → com_messages.new_message
MESSAGES TABLE     #__messages (message_id, user_id_from, user_id_to, subject, state)
SETTINGS TABLE     #__messages_cfg (user_id, cfg_name, cfg_value)
REST ENDPOINT      /api/index.php/v1/messages
RECEIVE RIGHTS     Backend login + core.manage on com_messages

15. Summary

Joomla's Private Messages component is a small, backend-only mailbox that quietly connects your administrators. Two database tables hold everything: #__messages for the notes and #__messages_cfg for each user's preferences. One compose form, one inbox, and three personal settings cover the whole feature.

  • It only works between backend users with the right permissions.
  • It can email recipients, using a mail template you can edit.
  • Joomla itself uses it to deliver system notices to Super Users.
  • Auto-purge keeps inboxes tidy, and a REST API exposes it to scripts.

Most sites can leave Private Messages on its sensible defaults and never think about it. But if your team relies on backend notifications - update alerts, deploy notices, or simple internal notes - it pays to understand how delivery, locking, and auto-purge interact. If you suspect your administrators are missing important Joomla notices, or you want to wire your own extension into this internal mailbox, that is exactly the kind of detail worth checking before it causes a surprise.

Peter Martin
Joomla Specialist

Peter is a Joomla specialist and a Linux admin for fast, secure and scalable websites.