Joomla has a (largely undeserved) reputation for having security problems. This article will briefly discuss how Joomla got this reputation, and then list the key steps you can take to secure and maintain your Joomla site. In the process we'll explain how Abivia addresses some of these issues.

Why does Joomla have a reputation as not being secure?

To a large extent, Joomla is the victim of it's own success and popularity. It's also slightly hampered by the way the project is organized. The vast majority of  Joomla vulnerabilities originate from problems with "third party" extensions. These are extensions developed by developers who are working independently of the core development.

Extensions are the life blood of Joomla. The Joomla extensions directory lists thousands of extensions (6,800 as of January 2011), written by thousands of developers. This massive repository is what makes Joomla so powerful and flexible. Some of these extensions are small tools that offer a web builder with little conveniences (Our Auto Copy Copyright extension is a fine example of this). Others are large, complex packages that offer major functionality.

Unlike many other open source projects, Joomla is a completely volunteer driven organization. There is no major corporate entity working behind the scenes, paying key team members a full time salary. Hiring dedicated resources for the project is not an option.

This is also true for the Joomla Extensions Directory (JED) team a small group of volunteers is responsible for going through a huge flow of submissions (in December 2010, the submission rate was around 25 per day). Each extension needs to be evaluated for compliance with Joomla licensing and logo use, links need to be verified, the download process needs to be verified, etc. The team can barely keep up with these basic checks. There is no way to audit every extension for security issues.

Security requires a proactive approach. It's easy to leave a security hole, and a lot harder to verify that there aren't any. This is true to some extent with any programmable system. Vulnerabilities are inevitable. The Joomla community has thousands of independent developers who work on thousands of extensions. The odds that there's a serious vulnerability in one of these extensions at any point in time is pretty high.

Still, hundreds of thousands of web sites run Joomla without ever experiencing a problem. Joomla's massive base of extensions is what makes it a compelling CMS.

So how do I keep my Joomla site secure? What should I do to maintain security?

There are a lot of articles on this subject that go into considerable technical depth. We're going to cover the most important and least technical steps, in order of importance:

  1. Make Regular Backups.
  2. Make Regular Backups.
  3. Make Regular Backups!! The best assumption is that your site is always vulnerable to a hack. If you make this assumption, then the only viable defense is to have frequent backups of your site. If you consider a hack to be inevitable, then you will always be protected. With most hosting plans, backups are the responsibility of the site owner. Do not assume your host will be able to restore your site unless they have a clear policy on backups. For example, Abivia's Basic Hosting packages don't offer client level backup protection. We can restore a crashed server, but not individual accounts. If you are on one of these plans, you should get Akeeba backup pro and subscribe to a data warehouse service that allows you to transfer the backups to an independent server. Our Premium Hosting packages maintain twice-daily snapshots of your site for a 30 day time period, and we can restore from any of these snapshots within minutes.
  4. Subscribe to the Joomla Vulnerable Extensions List RSS Feed. Scan the list for extensions you use and disable or upgrade them as appropriate.
  5. Subscribe to the Joomla Release News and Joomla Vulnerability News feeds. When a new security release is available upgrade as soon as possible.
  6. Check for extension updates (in Joomla 1.6). The new extension update feature in Joomla 1.6 will list any updates that are available. This lists all upgrades, so you should understand what the upgrade will do before allowing it.
  7. Go deeper. A good place to start is the Joomla security checklist. More advanced security measures require a certain level of technical skill, and many third party articles on this subject recommend steps that are either redundant, outdated, or apply to previous versions of Joomla. Some more advanced techniques can break your site if they're not implemented correctly (such as advanced .htaccess rules). If you really want to harden your site against hackers, start working through these techniques on a backup copy of your site before implementing them on your live site. Alternatively, you can choose a managed hosting plan and let someone else deal with the technology.

Conclusions

Remember the only 100% secure web site is one that's not connected to the Internet! Assume your site can be hacked at any time and make sure you're always ready to recover..

If you don't have time to make backups, monitor security feeds, and implement upgrades, then consider working with professionals who can manage site security for you.