Is Joomla safe enough?

Posted: Sat May 31, 2008 2:17 pm
by docright
Hi

Our company is a website development company, and on part of the websites the clients host information and data on Joomla.

We would like to make sure how safe Joomla is as it is - out of the box - to publish this information on our website about security.

Are there any components to make Joomla more secure?

Thank you

Re: Is Joomla safe enough?

Posted: Sat May 31, 2008 2:25 pm
by dattard
There are no particular components to make Joomla secure. You just need to follow the Security checklist to make sure you don't leave any security issues lying around.

Most security problems come from 3rd party components rather than Joomla core itself.

Re: Is Joomla safe enough?

Posted: Sat May 31, 2008 5:46 pm
by Geoff
Out of the box, joomla! is secure. If some other non-Joomla! part of your server is compromised though, it does not matter anymore how secure your Joomla! site is.

Security Extensions: http://extensions.joomla.org/index.php? ... &Itemid=35
Two "firewall" type extensions:
jFireWall EndPoint Protection - Anti hacker
JoomSuite Defender - Turn Hacker Save Mode On

Re: Is Joomla safe enough?

Posted: Tue Jun 03, 2008 5:12 pm
by merill
You can have a look at hardening programs like Suhosin. These allow the sysadmin to block/control some actions that could be considered as dangerous.

Re: Is Joomla safe enough?

Posted: Wed Jun 04, 2008 7:07 pm
by brendonhatcher
Hi

IMHO, Joomla out the box is oriented towards ease of use, not security.
So, for example, the configuration file is set to world writable to make it easy to change settings.
From a security point of view, it should be well secured against a hacker viewing or editing it.

My experience is that Joomla security rests a LOT on the underlying security of the server.
Some hosts have register globals turned on, some have it off.
Some offer php4 only.
Some servers require quite liberal permissions on the files (777 or 775), others will facilitate permissions of 755 through the use of SuExec.

On shared servers, other scripts on other domains may make Joomla vulnerable.

Regards
Brendon
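
The permission problems named in the post above (a world-writable configuration file, 777/775 trees) can be checked with a short script. This is an added example, not part of the thread or of Joomla itself; `configuration.php` is Joomla's configuration file name, while the finding labels and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Joomla document root for the permission problems
# described in the post above. Uses only POSIX find(1) mode tests.

# Print one finding per line as "<KIND> <path>"; print nothing if clean.
audit_joomla_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    cfg="$root/configuration.php"   # Joomla's main configuration file
    if [ -f "$cfg" ]; then
        # Writable by "other": any local account can edit site settings.
        if [ -n "$(find "$cfg" -perm -0002)" ]; then
            echo "CONFIG_WORLD_WRITABLE $cfg"
        fi
        # Readable by "other": any local account can read the DB password.
        # Only avoidable where PHP runs as the file owner (e.g. suEXEC).
        if [ -n "$(find "$cfg" -perm -0004)" ]; then
            echo "CONFIG_WORLD_READABLE $cfg"
        fi
    fi
    # 777/666-style modes anywhere else in the tree (symlinks skipped).
    find "$root" ! -type l ! -name configuration.php -perm -0002 |
        sort | sed 's/^/WORLD_WRITABLE /'
    # 775/664-style modes: writable by group but not by other.
    find "$root" ! -type l -perm -0020 ! -perm -0002 |
        sort | sed 's/^/GROUP_WRITABLE /'
}

# Build a constructed sample tree (not a real site) with the modes the post names.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/images" "$t/cache"
    : > "$t/configuration.php"; : > "$t/index.php"
    chmod 666 "$t/configuration.php"
    chmod 644 "$t/index.php"
    chmod 777 "$t/images"
    chmod 775 "$t/cache"
    chmod 755 "$t"
    echo "$t"
}

# Usage: ./audit.sh /path/to/docroot   (no argument: run on the sample tree)
if [ "$#" -ge 1 ]; then
    audit_joomla_perms "$1"
elif sample=$(make_sample_tree); then
    audit_joomla_perms "$sample"
    rm -rf "$sample"
fi
```

An empty result means no group- or world-writable paths were found and the configuration file is closed to other accounts; it says nothing about register globals or the PHP version the host runs.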

Re: Is Joomla safe enough? Questions raised by government agency

Posted: Thu Jun 05, 2008 4:51 pm
by krautela
We were planning to use Joomla 1.5 for website deployment of a government agency in India. In India most of the government sites are hosted by NIC and they have now raised a question of security on the whole stack ... php/mysql/joomla.

My question is for the core developers and joomla community. Do we have some kind of security audit which can prove the security reliability of this whole joomla and underlying stack?

I personally like joomla and have used it for our community website and never faced problems from commercial website hosting companies for security. This is the first time I have come across such opposition to joomla and open source.

The other possibility is that the government agency will force us to go through a security audit for our website. Does anyone have any experience with such security audits for joomla?

Re: Is Joomla safe enough?

Posted: Thu Aug 11, 2011 11:42 am
by macgig
I don't see how anyone can say joomla is easy to learn. It's not. Wordpress is easy. Joomla is not, as I have found out. Joomla has a BIG learning curve in my view.

No program is 100% safe all the time. All programs have code, created by humans, and all have bugs, flaws, security issues. That's life. Joomla is far from being perfect. The only way to have 100% security on a website is not to have one.

My host just informed me that wordpress is much safer than joomla. The number of support requests they get as system admins for hacked joomla sites is high. That says a lot about joomla security.

Re: Is Joomla safe enough?

Posted: Thu Aug 11, 2011 2:34 pm
by mandville
macgig wrote: my host just informed me that wordpress is much safer than joomla.
Please get them to prove that the aforementioned blogging core script is more secure in a side by side comparison on the same server settings as the joomla core CMS.
macgig wrote: The number of support requests they get as system admins for hacked joomla sites is high. That says a lot about joomla security.
It might actually say more about the extensions used, or the ability of the "site admins".
Go through the last two months (or more) topics on these security forums and count how many times the core Joomla CMS has been at fault for a hack.
macgig wrote: no program is 100% safe all the time. all programs have code, created by humans. and all have bugs. flaws. security issues. that's life. Joomla is far from being perfect. the only way to have 100% security on a website is not to have one.
And that paragraph is probably the most accurate.

Re: Is Joomla safe enough?

Posted: Thu Aug 11, 2011 5:11 pm
by dubois
mandville wrote: Go through the last two months (or more) topics on these security forums and count how many times the core Joomla CMS has been at fault for a hack.

Actually there was a core XSS and CSRF in j1.6.3 last month.

Re: Is Joomla safe enough?

Posted: Thu Aug 11, 2011 5:15 pm
by alikon
@dubois
Did you know that the last version from the 1.6 series is 1.6.6?
So if you stay on an old one .....

Re: Is Joomla safe enough?

Posted: Thu Aug 11, 2011 5:32 pm
by dubois
In fact I stay with 1.5.23 exactly to be safe, will eventually jump to 1.8 in the future.

Re: Is Joomla safe enough?

Posted: Thu Aug 11, 2011 5:53 pm
by alikon
Right.
Can I also suggest, for increasing safety, to follow these feeds:
http://feeds.joomla.org/JoomlaSecurityV ... Extensions
and obviously
http://feeds.joomla.org/JoomlaSecurityNews

Re: Is Joomla safe enough?

Posted: Thu Aug 11, 2011 5:54 pm
by dubois
mandville wrote:
macgig wrote: The number of support requests they get as system admins for hacked joomla sites is high. That says a lot about joomla security.
it might actually say more about the extensions used, or the ability of the "site admins"
That's a fair cry considering how many holes are there in the wordpress addons.
Last I heard is about an RFI in TimThumb, a popular auto-thumbnail script used in *hundreds* of templates and addons.

Re: Is Joomla safe enough?

Posted: Thu Aug 11, 2011 6:01 pm
by dubois
alikon wrote: right
can i also suggest for increasing safety to follow these feeds:
http://feeds.joomla.org/JoomlaSecurityV ... Extensions
and obviously
http://feeds.joomla.org/JoomlaSecurityNews
and also {deleted}