Wow, things have got lively
@rliskey - thanks for your comments. I agree with some and disagree with others.
Text can make opinions seem more black and white than they are. I feel strongly about some suggestions and have very mixed feelings about others, and in almost every case my ambivalence matched your comments.
While you find this a criticism of the project, the ease of use is actually one thing that sets it apart from others, and hence contributes to why people use it.
This is a misunderstanding. I think Joomla's ease-of-use and interface are awesome. No other project I know comes close. I wasn't criticizing. I meant to point out a sad but unavoidable consequence of that great ease of use, i.e., the naive, foolish, trusting newbies (pick your label) tend to assume there is security where it seems we all agree there is very little (the Internet).
Ironically most of your points are easy to solve or are being planned or already implemented, so I'm still left wondering if there is a deeper root issue here.
Why ironic? What you say is great news. Remember, I was originally responding to yet another knee-jerk "I've been hacked" post with what was actually a defense of Joomla.
My mistake was in being a little too harsh in blaming "Joomla's marketing program." I apologize for using a phrase that implied a strategic intent to fool users. That was unintended and unfair. I tried to correct that impression in my follow up post.
Deeper issue? No! Don't go there. Something I learned in the trenches of the 80-90's corporate wars: Never assume ill intent when perfectly normal stupidity is a reasonable explanation.
If I didn't make sense, then I was just being stupid. After all, it was 4am on my side of the planet when I wrote that!
Re: "WARNING": Not a bad suggestion, I'll pass it on to the JED people.
RE: 2. Add critical security information
Brilliant! Would you be willing to prepare the patch to the sample content?
Well... Rob Schley proposed adding one of my security posts (Top 10 Stupidest Tricks) to the sample content, but the idea was nixed. I don't know why.
In the end, someone added a direct link to the Admin Checklist, which scared the pants off me as I hadn't written it as an official Joomla document. I didn't even know for sure if it was all accurate!
I immediately spent many long nights fact-checking and making it a more official sounding document. No one asked me to do that, but it seemed the right thing for the project.
Even after focusing on other CMSs, I came back and spent many more days converting the Admin Checklist and every security FAQ I could find to the new wiki docs site. I hope this embarrassing little list of Joomla contributions resolves any worries about my having "deeper issues".
I like Joomla, I just have a few concerns, which began on day 3 of my Joomla career when 7 of my 10 brand new Joomla sites were defaced. Ruined my summer! But taught me how to secure a site (for now).
Re: Super Admin name:
We are refactoring the installation for 1.6 right now. I'll put that feature on the list. If someone wants to do a patch for 1.5 I'm sure the bug squad would seriously consider it for inclusion in 1.5.8.
Re: 4. Make install a little harder:
Here's where I disagree. I think it's complex and daunting enough for the uninitiated.
I can see it both ways. Given the serious pain this causes many of the uninitiated (including myself once) I lean the other way. Oh well...
GPL compliance is an ongoing work but really, while a valid point, it's part of a very different discussion.
You're right. It's outside this discussion. I hesitated to add it, but then realized that it's the other big reason I left Joomla, so in it went.
I was pissed off to see those extension developers whining about how Joomla was clarifying its GPL position and how that was going to make it harder for them to charge illegal, proprietary fees on top of this clearly GNU/GPL shared resource.
The GNU philosophy may not be perfect, but it has done wonders in freeing up creative developer energy around the world. Just think where we'd be today if "Small-and-Limp" still controlled everything!
6. Make it easier to move critical files and directories outside of public_html.
This work is ongoing.
Great. I was part of an internal discussion in which a core developer showed how to do this in 1.5. I wanted to write up a nice FAQ to share this great information, but the others felt that the user population didn't know enough to be given this kind of information.
I dropped it, as I couldn't judge if that was correct, BUT, that was the PRIME reason I left Joomla. I didn't want to dedicate my best efforts to an 'open source' project that thinks users can't be trusted with basic UNIX file permission/configuration options info--essentially the same information Gallery2 shares in the document I referenced above.
I'm sorry to share that dirty laundry, and don't mind if a mod deletes it. It's probably important to say that it was an isolated experience in an otherwise great time working with the Joomla team, but for me it happened to be the tipping point.
7. Add a more powerful logging system to the core.
More powerful than what? JLog is already there and we have plugins that can fire on various triggers. Maybe your point is add more triggers in "X, Y, Z" locations to be able to log those things?
Here's where my ignorance of J1.5 shows. I haven't done much with J1.5 yet. Glad to know it's in.
8. Develop an extension update system...
That's a good goal. 1.6 will lay some more foundation work that will one day allow that to be a reality.
It's one of the main reasons I went to Drupal. I love being able to quickly review the security/update status of everything on my site, and download every related update with a few clicks. That alone has made a good part of my business model viable again.
9. Refactor the file and directory structure...
I'm actually not a big fan of that. You have to have a certain level of knowledge to detect suspicious changes regardless of the file tree. I see your point but I don't think the effort delivers a significant gain because people still have to know what they are looking at and looking for.
Well, I respectfully disagree. I think there are more issues than security that would benefit from this, but that's another discussion...
10. Adapt Gallery2's security documents...
I'm all for cheating, but going back to my earlier points - some people don't care about the fine print and don't want to read the manual.
Yep! But, that's not a reason to not make the information available.
11. Develop a clear security reporting process to better track trends and to reduce noise in the forums.
Again, my J1.5 ignorance shining through. I'll figure out what that means 'real soon now.'
12. Add many more sanity checks...
Huh? We deliberately (with extreme prejudice) made 1.5 immune to the server register_globals setting. Did you not know that? See JRequest::clean (I think that's the one). We can't rely on the server settings so we nuke all the globals very early on in the core execution.
Yes, I know. I campaigned hard for it. I mentioned register_globals because it was a prime example of a setting that benefited from this kind of reporting. Remember how much pain leaving that option available caused!? I even remember developers of some pretty key extensions arguing for RG ON. Luckily the PHP team itself disagreed, so that issue will soon be totally moot.
But, there are so many other settings that Joomla could report on. I don't need to list them. I know J1.5 is checking lots of things. I'm saying be really aggressive about this. It could produce a flashy, image-filled report that users who don't check readme files would notice, complete with context-sensitive links to related information on the Joomla sites.
13. Consider adding some of the best security extensions to the core package...
But what you've done is point out that one (or more) is/are available at present. Do all people know about them? No.
Agreed, we don't all know about them, but is that any reason not to merge the best ideas into core? I realize merging a feature into core is a big decision, but only because it's an important decision.
I also think admin based security panels have a limited boundary of effectiveness. Case in point is the one that checks whether things are up to date or not. You have to log in to find out that your Joomla site is out of date - oh wait, I can't log in because it's just been hacked.
True, that's a risk. I don't agree that it's wrong to provide this for users (whom you acknowledge often know little more than how to use a browser). Why not give them the tools they need within the interface that you've done so much to fine tune? I think your argument is logically false and is essentially identical to the following:
1. Account passwords must be set on the Joomla site.
2. If someone does a little packet sniffing, hacks my site, and changes my password, I'll lose access to my site.
3. Therefore I should not bother with password security on a Joomla site.
A much better approach is for a service to exist that pings a site, upgrades it while you are sleeping and sends you an SMS when done.
That sounds great! And in the meantime?
14. Make the JED Site Security section easier to find...
As you will have seen, all the joomla.org family of sites are being reworked. I'm sure this can be taken into account when it's the JED's turn.
15. Respect the intelligence of the users...
And respect their stupidity and laziness. There is no black and white answer here, just differences of opinion.
Did you really mean to say that? Does the Joomla team really think its users are "stupid and lazy," and make project decisions based on that assumption? I really hope I'm misunderstanding.
A final comment on ease of use...
I agree with all you say about ease-of-use, T3 being tough, Drupal interface being clunky, etc. I agree that Joomla absolutely wins the ease-of-use prize.
I'll be the first to agree that on the post-implementation side of things, we could do a better job. However, to suggest we are deliberately doing nothing because we want to keep it that way is really unwarranted.
I didn't suggest this. Perhaps you're referring to some other post.
We can do better - most certainly (<insert std call for volunteers to make it happen - bla bla bla>) - but if you look over this year you'll see many, many changes, I believe, in the right direction.
I think you're doing a lot! When I get frustrated figuring out some arcane Drupal hook, I'm sometimes tempted to come back to Joomla where all my modern CMS adventures started. I'm kinda sad that this visit to my old community resulted in this thread.
Anyway, once again, thanks for your comments.
But when you do find the project that fits like a glove, by heck put your heart and soul into supporting it. That's all any of them would ask.
Absolutely right on!
BTW: I ain't no core coder, but I tried to give a lot to Joomla over the years, in the user forum, the doc sites, and with a shared extension. Don't mean to brag, but it seems like you should know that these points were not from someone who never tried to give back.
And absolute last:
Let me just post the link so no one misses it: http://feeds.joomla.org/JoomlaSecurityNews
^^ what Brad said. Get onto the security RSS feed - it could save your site.
Yep. Brad is one of the coolest dudes I ever met on Skype! He also happens to be my preferred hosting provider who delivers incredible technical support, and where over many years no site of mine has ever been compromised.
To respond to a few comments further up: Brad and crew prove every day that correctly configured Joomla sites on shared servers can be safe if the techs involved know what they're doing.
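The register_globals point made above (nuke client-supplied globals very early, before application code runs) as an added PHP illustration; this is my own example, not Joomla's JRequest::clean or any other Joomla code, and the function name and the $isAdmin check are invented for the demonstration (assumes PHP 7 or later).

```php
<?php
// Added illustration of the "nuke the globals early" defence. Not Joomla code:
// neutralizeRegisterGlobals() and the $isAdmin check below are made up here.

// Remove every global variable that register_globals=On would have created
// from client-controlled input, so no later code can read an attacker-chosen
// value through an uninitialised variable. Returns the number removed.
function neutralizeRegisterGlobals(): int
{
    // The setting was removed in PHP 5.4; ini_get() then returns false.
    if (!ini_get('register_globals')) {
        return 0;
    }

    // Superglobals must survive no matter what key names a request carries.
    $protected = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES',
                  '_REQUEST', '_SERVER', '_ENV', '_SESSION'];

    $sources = ['get' => $_GET, 'post' => $_POST,
                'cookie' => $_COOKIE, 'files' => $_FILES];
    $removed = 0;
    foreach ($sources as $kind => $source) {
        foreach (array_keys($source) as $name) {
            $names = [$name];
            // An upload field also produced <name>_name, <name>_size, etc.
            if ($kind === 'files') {
                foreach (['name', 'type', 'tmp_name', 'size', 'error'] as $sfx) {
                    $names[] = $name . '_' . $sfx;
                }
            }
            foreach ($names as $n) {
                if (!in_array($n, $protected, true) && array_key_exists($n, $GLOBALS)) {
                    unset($GLOBALS[$n]);
                    $removed++;
                }
            }
        }
    }
    return $removed;
}

$removed = neutralizeRegisterGlobals();

// The bug class this guards against: $isAdmin is never initialised here, so
// with register_globals=On a request parameter of the same name would have
// decided the branch. After the cleanup (or with the setting off) it stays unset.
if (!empty($isAdmin)) {
    echo "admin menu\n";
} else {
    echo "guest menu (removed {$removed} injected globals)\n";
}
```

The cleanup is a safety net for servers you don't control; the real fix in application code is still to initialise every variable before testing it.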