Is joomla security / hack resistance better now than in the past? Topic is solved

[rohit01]

A few years ago I built a joomla site. Spent some time on it, taught myself a lot. It was just a personal website with some product reviews. I believe I had built it up from a rocket theme template.

It's a hobby, and something I wanted to make, but not have to babysit constantly. Well eventually it got hacked, and rather than start from scratch, or taking hours and hours to fix / remove the hack, I just said screw it and removed the site.

Spending hours every month just trying to keep script kiddies from defacing your humble little site, frankly takes ALL the fun out of it.

I had changed the default admin account, changed the admin ID, hid the admin page, secured permissions, and changed the database prefix, etc etc. but it still got Zapped. (SQL injection I assume)

So my question is, has joomla security improved to the point where after basic security protections, now it's pretty safe, and can auto update?

This isn't a business for me, and I have no intention of having to spend an hour or more every week just keeping my dinky website from being hacked and fixing stuff updates break.

And I have no intention of having to completely rebuild my site every 6months because a new version of joomla came out that's not compatible with the old... and the old one will be "hack central" in a few weeks. Again, it takes all the fun out of it.

But I would like to have a website, and I like joomla... But I'm just not into constantly having to babysit it.

Is this in the realm of possibility yet? Maybe with a firewall plugin or something?

[Pavel-ww]

Hi. When working with any CMS, you should always keep it up to date. It should be updated every time a new version is released. Thus, you will never have a situation that your site is outdated and cannot be updated. Each new release contains security fixes.

You need to understand that Joomla is a free open source CMS. Therefore, a hacker can dissect it and find new vulnerabilities. After the vulnerability is discovered, the joomla developers release another patch to fix it. Therefore, it is very important to update and monitor the system. And this applies not only to Joomla, but absolutely any system that has a backend on board.

If you want to build a site and not care about it, create a simple html site. In such a site there are no "brains" and it means that there is simply no subject to hack. But in doing so, you will lose various functionalities.

If you want to drive a modern car, you need to study the instructions, undergo regular maintenance. If you don't want this, buy a simple scooter.

And yes, Joomla is now much more secure than it used to be. But this in any case does not guarantee against hacking. Just like your latest model Mercedes is not guaranteed against theft.

[toivo]

Joomla extensions can act as application firewalls and examine the HTTP requests, block hack attempts and report them, which makes the webmaster's job easier.

The Joomla Extensions Directory (JED) has those extensions in the following sections:
Site Security
Security Tools
Access & Security

[AMurray]

Good advice above, but again, it's not matter of "lock it and leave it", you still have to monitor your site and take action to fix any issues those tools report.

One good service I would recommend is mysites.guru. It is perfect for any site, and its audits and reports focus on matters you may never have considered were primary aspects of website security. Do an audit of your site, mysites.guru will do your first audit free (but it is a subscription service thereafter).

Additionally it's an all in one site management tool and can even help with maintenance tasks such as core updates and extension updates.

EDIT : I failed to catch it the first time but notice this is posted to the Joomla 1.5 forum - Joomla 1.5 has been obsolete for 9 years and therefore unsupported; it won't have received ongoing updates since 2012. Suggest you update to Joomla 3.9.23 (November 2020). That is definitely a necessity, despite your reluctance as you have already stated to spend huge amounts of time working on the site.

[rohit01]

[ redacted ]
Thank you all for your responses.

[darb]

I have been using Joomla since version 1.0 2005 and never have this experience that you say but heard people coming from Wordpress world that have constantly these issues. You can check the history security breaches numbers and comparing Joomla, Wordpress and Drupal to see which one have been the most secure CMS over time and Joomla come up there as winner regarding statistics over time.

If you set up a CMS site with whatever application on whatever hosting server you must know the basic and know what you doing. My Joomla sites since 2005 have never been hacked so if you know what you are doing or take help from others that knows Joomla is very secure, easy to work with, stable and fast to work with for organisations, blogs and companies. And it’s a lot of extra features you can add to customise it for your needs and your client’s needs.

To update Joomla you click on a button and 30 seconds later you have a fresh new updated site with all security and new features update! Your site will never be crashed if you update within Joomla semantics for versions so you have to have a little interest to know how Joomla works.

BTW - The new Joomla 4 is awesome and you should really test it and see by yourself how good it is. I see you have register here dec 2020 and made 2 post here so just join here to get more experience and to ask questions if you need more help to get your site going.

[toivo]

I see you have register here dec 2020 and made 2 post here so just join here to get more experience and to ask questions if you need more help to get your site going.

Unfortunately that forum member had gone to the dark side, added a spam link to the quoted text and was therefore banned.

[sozzled]

In the context of J! 1.5, J! was terrible as far as security was concerned. Years ago (around 2014, perhaps) I had six J! 1.5 websites hosted on a server and, somehow, someone managed to upload malware that compromised all of them. I had to rebuild two of those sites (and I deleted the remainder) using J! 3.x. Since then I will not create any J! 1.5 websites on the internet; the risk of them being successfully attacked is too great.

Besides, my webhosting environment today does not have the requisite PHP environment that would allow me to create a J! 1.5 website. If I need to create a website using J! 1.5 I have to do this using a PC-hosted environment, i.e. "offline" and not connected to the internet, purely for development activities (e.g. migrating a client's J! 1.5 website to J! 3.x). Even then it's tricky.

J! 3.x is better security-wise than J! 1.5 ever was.

As far as J! 4 is concerned, I wouldn't describe it as "awesome". Besides, J! 4 doesn't exist for production usage yet and the market hasn't made up its mind about whether it will be a successful venture or not.

My advice:

J! 1.0 → 1.5: security was terrible. Don't use it.
J! 1.6 → 1.7 → 2.5: security was not much improved. Don't use it.
J! 3.0 → J! 3.9: security has steadily been improved. Make sure you use the latest release.
J! 4.0: no comment. The software is still in development, is unsupported and is not ready for production usage. Don't use it until it has gained popular acceptance (currently less than 1% of all J! websites use J! 4 and I think that says everything that needs to be said).

This is an old topic—marked as resolved—and it should probably be laid to rest.