Thursday, May 14, 2009

Joomla Security

Introduction

According to Google Trends (1), Joomla is the most widely used CMS on the market today. With its ease of use, developer community, and immense library of third party add-ons, it's no surprise that Joomla is so popular. Popularity, though, comes with a price: the issue of security.

It's comforting to know that, out of the box, Joomla 1.5.10 is a very secure CMS (2), and when maintained properly it keeps your site nearly hack-free. But do keep in mind that nothing is 100% hack-free.

The key here is maintenance. Aside from the typical security measures, the owner must be vigilant about keeping up to date with security patches, taking regular backups, and monitoring for unauthorized access.

There is official Joomla documentation in the form of a security checklist (3); followed rather than taken for granted, it can reduce the downtime of having to rebuild a compromised site.


What can the Developer Do?

The developer can do a lot to ensure that the client’s new Joomla site is safe and secure. Here is a list of some of the most important things:

- use a secure host (www.siteground.com is popular)
- install the most recent Joomla version (ensures the latest security updates are in place)
- ensure sensitive directories are write-protected (prevents unauthorized access)
- enable .htaccess (this blocks unauthorized scripting attempts)
- enable SEF URLs (this hides the site's internal URLs)
- turn Magic Quotes off (prevents SQL injections)
- turn Register Globals off (prevents access to global variables)
- delete unused templates (prevents unwanted display of pages)
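As an added example, not from the original post or from the Joomla project, the POSIX shell function below audits a Joomla 1.5 document root for the items in this list without changing anything. It assumes the standard layout (configuration.php at the root, Joomla's htaccess.txt renamed to .htaccess, and any magic_quotes_gpc / register_globals overrides in a root-level php.ini or as php_flag lines in .htaccess); the name joomla_audit and the set of "sensitive" paths are my own choices.

```shell
#!/bin/sh
# Added audit helper (not Joomla's own code): read-only checks of a Joomla 1.5
# document root against the developer hardening list.
# Assumptions: configuration.php sits at the root, Joomla's htaccess.txt has
# been renamed to .htaccess, and magic_quotes_gpc / register_globals overrides
# live in a root php.ini or as php_flag lines in .htaccess.
# Usage: joomla_audit /var/www/joomla  -> prints findings, exit status = count.
joomla_audit() {
  root=$1
  findings=0

  # 1. Joomla ships htaccess.txt; its rules only take effect once renamed.
  if [ ! -f "$root/.htaccess" ]; then
    echo "FINDING: .htaccess missing (htaccess.txt not enabled)"
    findings=$((findings + 1))
  fi

  # 2. SEF URLs: Joomla 1.5 stores "var $sef = '1';" in configuration.php when on.
  if ! grep -Eq "var [\$]sef *= *'1'" "$root/configuration.php" 2>/dev/null; then
    echo "FINDING: SEF URLs disabled (or configuration.php unreadable)"
    findings=$((findings + 1))
  fi

  # 3. Magic Quotes / Register Globals: flag any uncommented php.ini or .htaccess
  #    line that turns either directive on ("register_globals = On",
  #    "php_flag magic_quotes_gpc on"); commented lines are ignored.
  for f in "$root/php.ini" "$root/.htaccess"; do
    [ -f "$f" ] || continue
    if grep -Eiq '^[[:space:]]*(php_flag[[:space:]]+)?(magic_quotes_gpc|register_globals)[[:space:]]*=?[[:space:]]*(on|1)([[:space:]]|$)' "$f"; then
      echo "FINDING: magic_quotes_gpc or register_globals enabled in $f"
      findings=$((findings + 1))
    fi
  done

  # 4. Sensitive paths must not be world-writable (mode bit o+w, i.e. -002),
  #    checked recursively so a single loose file inside a directory is caught.
  for p in configuration.php administrator components modules plugins templates; do
    [ -e "$root/$p" ] || continue
    if find "$root/$p" -perm -002 | grep -q .; then
      echo "FINDING: world-writable entries under $p"
      findings=$((findings + 1))
    fi
  done

  echo "$findings finding(s) in $root"
  return "$findings"
}
```

Run it from cron against the live document root and alert on a non-zero exit status; the checks are read-only, so the fixes themselves are still done by hand.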

What can the Client Do?

The client needs to acknowledge the fact that all websites are vulnerable to attack, even those served over Secure Sockets Layer (SSL), bank websites for example. Certain precautions need to be taken to avoid potential disaster:

- secure usernames and passwords (combinations of numbers, letters and uppercase)
- an offsite backup system (don't rely on the host to do this)
- secure third party Joomla extensions/plugins (buyer beware)
- tracking and monitoring (be aware of unauthorized traffic)

Conclusion

In summary, Joomla is the number one open-source CMS on the web. This popularity has led to more than its fair share of hacking attempts, but this is normal. It's the PC vs. Mac analogy. Apple boasts that Macs have zero viruses, but this is simply because they have a smaller market share and thus draw less interest from hackers. To be sure, the underlying UNIX-based system behind a Mac is very secure to begin with, but that does not mean it cannot get hacked.

Joomla is very similar in this regard. With the release of Joomla 1.5, significant security measures have been integrated into its core. Things like SEF URLs and .htaccess do a lot to ensure your Joomla site is safe from exploits. However, it is up to the developer to make sure everything is set up correctly. Thereafter, it is the client's responsibility to change passwords, monitor third party access, and perform regular backups.

In the end, Joomla is what you make it.

SOURCES

(1) Google Trends

(2) "Is Joomla A Secure Platform for a Business?"

(3) Joomla Security Checklist
