Is Joomla! safe?
Friday, 20 February 2009 15:27

Is Joomla! safe? It is an important question, and every now and then I encounter a technical person who answers it firmly with "NO!". The reasons for such an answer vary, but in the end they come down to news that some Joomla! site got hacked. Somebody knew somebody else whose website was running on Joomla! 1.0.3 (which is an extremely old version) and got completely overrun by hackers. Somebody else installed a third party extension on Joomla! and the entire website crashed - and software that is unstable must be unsafe as well. And yet another person read in the newspaper that hosting providers were complaining about Joomla! because it left so many websites defaced. No wonder people consider Joomla! to be insecure!

The Syndrome

I would call this the Microsoft Windows Syndrome: a software package gets the label of being insecure, and people keep remembering that label long after it is no longer true. The example of MS Windows serves well, because for a long time Microsoft made little effort to secure their operating systems thoroughly. Regarding security, Windows 98 and Windows ME were a joke, but with Windows XP and Windows Server 2003 major work was done to create a more secure platform. The same is true for Joomla!, though the finger should not be pointed at the core developers but at the third party developers instead. True, Joomla! has had its share of vulnerabilities, and some of them had far-reaching consequences - if you are running Joomla! 1.5.5 or older, you should know it is a time bomb. But in the past, the large majority of hacks were performed through vulnerabilities in third party extensions.

Vulnerabilities in third party extensions

Some Joomla! extensions are developed by many people and are so popular that even more people are reviewing the code. When using those extensions there is always a good chance that somebody will notice bad code and report it - sometimes the hackers are quicker and sites get hacked before a fix is available. But hey, it is available for free and the work is done by volunteers. Other extensions are less common, perhaps developed by a single person, and though many people might use them, just a few are looking at the quality of the code. In such a case there may be very obvious programming errors in the code, but there is simply nobody looking for them. Nobody except the hackers, of course. The reason why Joomla! can be trusted is exactly the reason to be wary of third party extensions: many programmers work on the code of Joomla!, but with a third party project there might be just a few people checking the quality. You - the owner of a Joomla! website - are first of all responsible for choosing those extensions, so if the website gets hacked because of such an extension, you should be the first to blame. Unfortunately the situation is in fact more complicated. The hosting providers are to blame too.

Why do hosting providers complain?

Now, I know first hand that a few hosting providers in the Netherlands were complaining about Joomla!, while in fact their hosting environment gave hackers every reason to do their work. The dangerous setting "Register Globals" was simply enabled. With register_globals on, PHP turns every request parameter (GET, POST and cookie values) into a global variable before the script runs, so any variable a script uses without initialising it first can be set by the visitor; any PHP code that depends on that setting should be considered very dangerous. Either the hosting providers did not have enough knowledge of the impact of "Register Globals", or they were just searching for somebody to blame. Wake up: "Register Globals" should be turned off at all times. PHP Safe Mode is not secure at all: it tries to enforce at the PHP level restrictions that belong to the operating system, and it is no substitute for proper file permissions and separation between customers. It is safe to enable cURL, but keep looking for bad code on the server. I've helped several hosting providers with keeping their environment up to date, and after a few simple tricks like configuring ModSecurity the number of websites getting hacked went down to a minimum.

Complaining about old software

Last but not least: if you keep running old software, you will keep running into old vulnerabilities. It is now more than a year ago that PHP 4 was officially announced obsolete, and still people have websites running on PHP 4. Perhaps there are hosting providers that find making money more important than keeping the software up to date. But again, the responsibility also lies with the customer. The customer should take the responsibility of checking for PHP 5 before installing Joomla!. The customer should check the minimum requirements and demand newer versions.

I almost forgot about Joomla!

Oh yeah, the article is named "Is Joomla! safe?". I would answer that question with "YES" right away. If it were not, the number of hacked Joomla! websites would almost match the total number of Joomla! websites. The reality is that every security issue in the past was resolved - and resolved quicker than such issues would be in the closed source world. Joomla! (version 1.5) has all the elements needed to build a secure site: passwords are stored as salted hashes rather than in clear text, forms are protected against spoofing and cross-site request forgery (CSRF) by a per-session token, and the database layer offers quoting so that SQL injection can be prevented. Developers too have enough utilities to write secure code in an extension. The only complaint about creating a solid security architecture is that the ACL features (who can do what) are still far too inflexible. But that is not a security issue, that is a functionality request. Running Joomla! does not make your site insecure. Running your website without proper checking does. If you want to know what you can do to check how secure your site is, have a look at the official Joomla! Security Checklists.
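To make the "Register Globals" point from the hosting section concrete, here is an added example (not code from the original post or from Joomla!) of a login check that only works by accident with register_globals on, the same check written so the setting no longer matters, and a start-up test a script can run to refuse a misconfigured host. The page name admin.php, the credentials table and the function names are constructed for illustration.

```php
<?php
// Added example for the register_globals discussion; not from the original
// post or from Joomla!. $users is a constructed sample, admin.php is assumed.

// --- 1. Works "by accident" only while register_globals is Off ---
// With register_globals = On, PHP imports every GET/POST/cookie parameter as a
// global before the script starts. $authorised is assigned only on the success
// path, so a request such as  admin.php?authorised=1  pre-sets it and the
// check below passes without any password.
function vulnerableAccessCheck()
{
    global $authorised;                        // never initialised here
    $users = array('editor' => 'secret');      // constructed sample credentials

    if (isset($_POST['user'], $_POST['pass'])
        && isset($users[$_POST['user']])
        && $users[$_POST['user']] === $_POST['pass']) {
        $authorised = true;
    }

    return !empty($authorised);                // attacker-controlled when On
}

// --- 2. The same check, independent of register_globals ---
// Every variable gets an explicit initial value and the decision is taken
// from $_POST only, never from an ambient global.
function hardenedAccessCheck()
{
    $users = array('editor' => 'secret');      // constructed sample credentials
    $authorised = false;                       // explicit default

    $user = isset($_POST['user']) ? (string) $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';

    if ($user !== '' && isset($users[$user]) && $users[$user] === $pass) {
        $authorised = true;
    }

    return $authorised;
}

// --- 3. Refuse to run on a host that still has the setting enabled ---
// ini_get() may return "1", "" or the literal text from php.ini, so normalise.
function registerGlobalsEnabled()
{
    $value = strtolower(trim((string) ini_get('register_globals')));
    return in_array($value, array('1', 'on', 'yes', 'true'), true);
}

if (registerGlobalsEnabled()) {
    die('register_globals is enabled on this host; fix php.ini before running this script');
}

if (hardenedAccessCheck()) {
    echo 'Welcome, editor';
} else {
    echo 'Login required';
}
```

On a mod_php host the site owner can also switch the setting off per directory with `php_flag register_globals off` in `.htaccess` (if the provider allows overrides); under CGI or FastCGI that line is ignored and the change has to be made in php.ini or a per-user php.ini, which is why the start-up test above is worth keeping even after the fix.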
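The last section says Joomla! 1.5 gives extension developers what they need to prevent CSRF and SQL injection; the following added example (not from the original post or from the Joomla! project) shows how a component would use those facilities. The component com_notes, its table #__notes and the function names are hypothetical; the calls JHTML::_('form.token'), JRequest::checkToken(), JRequest::getVar(), JFactory::getDBO() and the JDatabase Quote()/nameQuote() methods are assumed to be available as in the Joomla! 1.5 framework.

```php
<?php
// Added example of using the Joomla! 1.5 security utilities in an extension.
// com_notes, #__notes and these functions are hypothetical; the framework
// classes (JHTML, JRequest, JFactory, JError) are assumed as in Joomla! 1.5.
defined('_JEXEC') or die('Restricted access');

// --- Form: emit the anti-forgery token as a hidden field ---
function renderNoteForm()
{
    $html  = '<form action="index.php?option=com_notes&task=save" method="post">';
    $html .= '<input type="text" name="title" />';
    $html .= JHTML::_('form.token');   // hidden input keyed to the session token
    $html .= '<input type="submit" value="Save" /></form>';
    return $html;
}

// --- Save: reject any POST that does not carry this session's token (CSRF) ---
function saveNote()
{
    JRequest::checkToken() or jexit('Invalid Token');

    // Typed, filtered retrieval instead of raw $_POST (and instead of relying
    // on register_globals).
    $title  = JRequest::getVar('title', '', 'post', 'string');
    $userId = (int) JFactory::getUser()->get('id');

    $db = JFactory::getDBO();
    // Quote() escapes and quotes the value, nameQuote() quotes identifiers;
    // built this way a title such as  x'); DROP TABLE jos_users; --  stays inert.
    $query = 'INSERT INTO #__notes'
           . ' (' . $db->nameQuote('title') . ', ' . $db->nameQuote('created_by') . ')'
           . ' VALUES (' . $db->Quote($title) . ', ' . $userId . ')';
    $db->setQuery($query);
    if (!$db->query()) {
        JError::raiseError(500, $db->getErrorMsg());
    }
    return $db->insertid();
}

// --- Read: cast ids to int, quote strings, never interpolate raw input ---
function loadNote($id)
{
    $db = JFactory::getDBO();
    $db->setQuery('SELECT * FROM #__notes WHERE '
        . $db->nameQuote('id') . ' = ' . (int) $id);
    return $db->loadObject();
}
```

The two halves belong together: the token in the form is worthless unless every state-changing task calls checkToken(), and quoting in one query does not help if another query in the same component still concatenates raw request values. That, rather than anything in the core, is where the third party extension bugs the post talks about usually live.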