Is Joomla safe enough?

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Post by docright » Sat May 31, 2008 2:17 pm

Hi

Our company is a website development company, and on part of the websites the clients host information and data on Joomla.

We would like to make sure how safe Joomla is as it is - out of the box - to publish this information on our website about security.

Are there any components to make Joomla more secure?

Thank you

Post by dattard » Sat May 31, 2008 2:25 pm

There are no particular components to make Joomla secure. You just need to follow the Security checklist to make sure you don't leave any security issues lying around.

Most security problems come from 3rd party components rather than Joomla core itself.
Post by Geoff » Sat May 31, 2008 5:46 pm

Out of the box, joomla! is secure. If some other non-Joomla! part of your server is compromised though, it does not matter anymore how secure your Joomla! site is.

Security Extensions: http://extensions.joomla.org/index.php? ... &Itemid=35
Two "firewall" type extensions:
jFireWall EndPoint Protection - Anti hacker
JoomSuite Defender - Turn Hacker Save Mode On
Backup, backup, backup!
The "Master" .htaccess file by Nicholas http://snipt.net/nikosdion/the-master-htaccess

Post by merill » Tue Jun 03, 2008 5:12 pm

You can have a look at hardening programs like Suhosin. These allow the sysadmin to block/control some actions that could be considered as dangerous.

Post by brendonhatcher » Wed Jun 04, 2008 7:07 pm

Hi

IMHO, Joomla out the box is oriented towards ease of use, not security.
So, for example, the configuration file is set to world writable to make it easy to change settings.
From a security point of view, it should be well secured against a hacker viewing or editing it.

My experience is that Joomla security rests a LOT on the underlying security of the server.
Some hosts have register globals turned on, some have it off.
Some offer php4 only.
Some servers require quite liberal permissions on the files (777 or 775), others will facilitate permissions of 755 through the use of SuExec.

On shared servers, other scripts on other domains may make Joomla vulnerable.

Regards
Brendon
-----------------------------------
Web developer in Durban, South Africa - http://www.brilliantweb.co.za
Joomla Days in South Africa - http://www.joomladay.co.za
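
The permission problems brendonhatcher describes above (a world-writable configuration file, 777/775 directories) can be checked from a shell. This is an added example, not part of the thread; it assumes configuration.php sits directly in the document root passed as the first argument, and the function names are made up for the illustration.

```shell
#!/bin/sh
# Added example (constructed): permission audit for a Joomla document root.
# Assumption: configuration.php sits directly in the root passed as $1.

# List regular files and directories under $1 that carry the other-write
# bit (modes such as 666 or 777). Symlinks are skipped.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print 2>/dev/null
}

# Number of entries found by list_world_writable, as a bare integer.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# 0 = configuration.php is not writable by group or others
# 1 = group- or world-writable, 2 = file not found
check_config() {
    cfg="$1/configuration.php"
    [ -f "$cfg" ] || return 2
    if [ -n "$(find "$cfg" \( -perm -020 -o -perm -002 \) -print)" ]; then
        return 1
    fi
    return 0
}

# Print a report; the return status is the number of problem classes found.
audit_joomla_root() {
    root="$1"; problems=0
    cfg_rc=0; check_config "$root" || cfg_rc=$?
    case "$cfg_rc" in
        0) echo "OK    configuration.php is not group/world writable" ;;
        1) echo "FAIL  configuration.php is group/world writable"
           problems=$((problems + 1)) ;;
        2) echo "WARN  no configuration.php in $root" ;;
    esac
    n=$(count_world_writable "$root")
    if [ "$n" -gt 0 ]; then
        echo "FAIL  $n world-writable path(s):"
        list_world_writable "$root" | sed 's/^/      /'
        problems=$((problems + 1))
    else
        echo "OK    no world-writable files or directories"
    fi
    return "$problems"
}

# Run the audit when a path is given on the command line.
if [ -n "${1:-}" ]; then audit_joomla_root "$1"; fi
```
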

Re: Is Joomla safe enough? Questions raised by government agency

Post by krautela » Thu Jun 05, 2008 4:51 pm

We were planning to use Joomla 1.5 for website deployment of a government agency in India. In India most of the government sites are hosted by NIC and they have now raised a question of security on the whole stack ... php/mysql/joomla.

My question is for the core developers and the Joomla community. Do we have some kind of security audit which can prove the security reliability of this whole Joomla and underlying stack?

I personally like Joomla and have used it for our community website and never faced a problem from commercial website hosting companies for security. This is the first time I have come across such opposition to Joomla and open source.

The other possibility is that the government agency will force us to go through a security audit for our website. Does anyone have any experience with such security audits for Joomla?

Post by macgig » Thu Aug 11, 2011 11:42 am

I don't see how anyone can say Joomla is easy to learn. It's not. WordPress is easy. Joomla is not, as I have found out. Joomla has a BIG learning curve in my view.

No program is 100% safe all the time. All programs have code, created by humans, and all have bugs, flaws, security issues. That's life. Joomla is far from being perfect. The only way to have 100% security on a website is not to have one.

My host just informed me that WordPress is much safer than Joomla. The number of support requests they get as system admins for hacked Joomla sites is high. That says a lot about Joomla security.

Post by mandville » Thu Aug 11, 2011 2:34 pm

macgig wrote: my host just informed me that wordpress is much safer than joomla.
Please get them to prove that the aforementioned blogging core script is more secure in a side-by-side comparison on the same server settings as the Joomla core CMS.

macgig wrote: The number of support requests they get as system admins for hacked joomla sites is high. That says a lot about joomla security.
It might actually say more about the extensions used, or the ability of the "site admins".
Go through the last two months (or more) topics on these security forums and count how many times the core Joomla CMS has been at fault for a hack.

macgig wrote: no program is 100% safe all the time. all programs have code, created by humans. and all have bugs. flaws. security issues. that's life. Joomla is far from being perfect. the only way to have 100% security on a website is not to have one.
And that paragraph is probably the most accurate.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Post by dubois » Thu Aug 11, 2011 5:11 pm

mandville wrote: Go through the last two months (or more) topics on these security forums and count how many times the core Joomla CMS has been at fault for a hack.

actually there was a core XSS and CSRF in j1.6.3 last month.

Post by alikon » Thu Aug 11, 2011 5:15 pm

@dubois
did you know that the last version from 1.6 series is the 1.6.6
so if you stay on an old one .....
Nicola Galgano
i know that i don't know
www.alikonweb.it

Post by dubois » Thu Aug 11, 2011 5:32 pm

in fact i stay with 1.5.23 exactly to be safe, will eventually jump to 1.8 in the future.

Post by alikon » Thu Aug 11, 2011 5:53 pm

right
can i also suggest for increasing safety to follow these feeds:
http://feeds.joomla.org/JoomlaSecurityV ... Extensions
and obviously
http://feeds.joomla.org/JoomlaSecurityNews

Post by dubois » Thu Aug 11, 2011 5:54 pm

mandville wrote: The number of support requests they get as system admins for hacked joomla sites is high. That says a lot about joomla security.
it might actually say more about the extensions used, or the ability of the "site admins"

that's a fair cry considering how many holes are there in the wordpress addons.
last i heard is about an RFI in TimThumb, a popular auto-thumbnail script used in *hundreds* of templates and addons.

Post by dubois » Thu Aug 11, 2011 6:01 pm

alikon wrote: right
can i also suggest for increasing safety to follow these feeds:
http://feeds.joomla.org/JoomlaSecurityV ... Extensions
and obviously
http://feeds.joomla.org/JoomlaSecurityNews
and also {deleted}
Last edited by Per Yngve Berg on Sat Aug 13, 2011 1:31 pm, edited 4 times in total.
Reason: link to exploit site containing hacks and methods removed

