Is Joomla safe enough?
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
-
- Joomla! Apprentice
- Posts: 15
- Joined: Wed Mar 05, 2008 4:53 pm
Is Joomla safe enough?
Hi
Our company is a website development company and part of the websites the clients host information and data on Joomla.
We would like to make sure how safe Joomla is as it is - out of the box -
to publish this information on our website about security.
Are there any components to make Joomla more secure?
Thank you
- dattard
- Joomla! Ace
- Posts: 1035
- Joined: Tue Apr 11, 2006 7:29 pm
- Contact:
Re: Is Joomla safe enough?
There are no particular components to make Joomla secure. You just need to follow the Security checklist to make sure you don't leave any security issues lying around.
Most security problems come from 3rd party components rather than Joomla core itself.
https://www.collectiveray.com - We make Joomla and WordPress Easy: Tutorials, Tips and Tricks, Lots of Free Modules incl. Easy Paypal, Popin Window, Random Flash, Google AdSense, Slide Menu (dropdown), 2CO / Paypal payment, [youtube] module, and more!
-
- Joomla! Virtuoso
- Posts: 3173
- Joined: Sun Apr 16, 2006 12:20 am
- Location: 127.0.0.1
Re: Is Joomla safe enough?
Out of the box, joomla! is secure. If some other non-Joomla! part of your server is compromised though, it does not matter anymore how secure your Joomla! site is.
Security Extensions: http://extensions.joomla.org/index.php? ... &Itemid=35
Two "firewall" type extensions:
jFireWall EndPoint Protection - Anti hacker
JoomSuite Defender - Turn Hacker Save Mode On
Backup, backup, backup!
The "Master" .htaccess file by Nicholas http://snipt.net/nikosdion/the-master-htaccess
-
- Joomla! Intern
- Posts: 62
- Joined: Sun Apr 20, 2008 9:44 pm
Re: Is Joomla safe enough?
You can have a look at hardening programs like Suhosin. These allow the sysadmin to block/control some actions that could be considered as dangerous.
- brendonhatcher
- Joomla! Hero
- Posts: 2744
- Joined: Sun Feb 12, 2006 2:02 pm
- Location: Durban, South Africa
- Contact:
Re: Is Joomla safe enough?
Hi
IMHO, Joomla out the box is oriented towards ease of use, not security.
So, for example, the configuration file is set to world writable to make it easy to change settings.
From a security point of view, it should be well secured against a hacker viewing or editing it.
My experience is that Joomla security rests a LOT on the underlying security of the server.
Some hosts have register globals turned on, some have it off.
Some offer php4 only.
Some servers require quite liberal permissions on the files (777 or 775), others will facilitate permissions of 755 through the use of SuExec.
On shared servers, other scripts on other domains may make Joomla vulnerable.
Regards
Brendon
-----------------------------------
Web developer in Durban, South Africa - http://www.brilliantweb.co.za
Joomla Days in South Africa - http://www.joomladay.co.za
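A permission audit for the points raised in the post above (world-writable configuration file, 777/775 trees versus 755), as an added example that is not part of the thread. The demo directory layout, function names and finding labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Joomla tree for loose permissions.

# Print one finding per line as "<LABEL> <path>". Labels are hypothetical.
audit_joomla_perms() {
    root=$1
    # Anything every local account can modify (the 777 / 666 case).
    find "$root" \( -type f -o -type d \) -perm -0002 \
        -exec printf 'WORLD-WRITABLE %s\n' {} \;
    # Group-writable but not world-writable (the 775 / 664 case).
    find "$root" \( -type f -o -type d \) -perm -0020 ! -perm -0002 \
        -exec printf 'GROUP-WRITABLE %s\n' {} \;
    # configuration.php holds the database credentials. On a shared server,
    # "other" read access exposes it to neighbouring accounts; under SuExec
    # PHP runs as the site owner, so the file can be owner-only.
    cfg="$root/configuration.php"
    if [ -f "$cfg" ] && [ -n "$(find "$cfg" -perm -0004)" ]; then
        printf 'CONFIG-WORLD-READABLE %s\n' "$cfg"
    fi
}

# Build a constructed sample site with deliberately mixed permissions.
make_demo_site() {
    d=$(mktemp -d)
    mkdir -p "$d/images" "$d/cache" "$d/tmp"
    : > "$d/index.php"
    : > "$d/configuration.php"
    chmod 755 "$d" "$d/images"
    chmod 777 "$d/cache"
    chmod 775 "$d/tmp"
    chmod 644 "$d/index.php"
    chmod 666 "$d/configuration.php"
    printf '%s\n' "$d"
}

# Audit the path given as the first argument, or the constructed demo site.
if [ $# -gt 0 ]; then
    audit_joomla_perms "$1"
else
    demo=$(make_demo_site)
    audit_joomla_perms "$demo"
    rm -rf "$demo"
fi
```

An empty result means no entry under the given root is group- or world-writable and configuration.php is not readable by other accounts.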
-
- Joomla! Apprentice
- Posts: 48
- Joined: Mon Sep 25, 2006 1:14 pm
Re: Is Joomla safe enough? Questions raised by government agency
We were planning to use Joomla 1.5 for website deployment of a government agency in India. In India most of the government sites are hosted by NIC and they have now raised a question of security on whole stack ... php/mysql/joomla.
My question is for the core developers and joomla community. Do we have some kind of security audit which can prove the security reliability of this whole joomla and underlying stack?
I personally like Joomla and have used it for our community website and never faced a problem from commercial website hosting companies for security. This is the first time I have come across such an opposition for Joomla and open source.
The other possibility is that the government agency will force us to go through a security audit for our website. Does anyone have any experience with such security audits for Joomla?
-
- Joomla! Apprentice
- Posts: 34
- Joined: Fri Oct 08, 2010 4:47 am
Re: Is Joomla safe enough?
I don't see how anyone can say Joomla is easy to learn. It's not. WordPress is easy. Joomla is not, as I have found out. Joomla has a BIG learning curve in my view.
No program is 100% safe all the time. All programs have code, created by humans, and all have bugs, flaws, security issues. That's life. Joomla is far from being perfect. The only way to have 100% security on a website is not to have one.
My host just informed me that WordPress is much safer than Joomla. The number of support requests they get as system admins for hacked Joomla sites is high. That says a lot about Joomla security.
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Is Joomla safe enough?
[quote="macgig"]my host just informed me that wordpress is much safer than joomla.[/quote]
please get them to prove that the aforementioned blogging core script is more secure in a side by side comparison on the same server settings as the joomla core CMS
[quote]The number of support requests they get as system admins for hacked joomla sites is high. That says a lot about joomla security.[/quote]
it might actually say more about the extensions used, or the ability of the "site admins"
Go through the last two months (or more) topics on these security forums and count how many times the core Joomla CMS has been at fault for a hack.
[quote="macgig"]no program is 100% safe all the time. all programs have code, created by humans. and all have bugs. flaws. security issues. that's life. Joomla is far from being perfect. the only way to have 100% security on a website is not to have one.[/quote]
and that paragraph is probably the most accurate
HU2HY- Poor questions = Poor answer
Unrequested Help PMs will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- dubois
- Joomla! Enthusiast
- Posts: 150
- Joined: Wed Jul 20, 2011 5:59 am
- Location: the holy Mekong
Re: Is Joomla safe enough?
[quote="mandville"]
Go through the last two months (or more) topics on these security forums and count how many times the core Joomla CMS has been at fault for a hack.[/quote]
actually there was a core XSS and CSRF in j1.6.3 last month.
- alikon
- Joomla! Champion
- Posts: 5941
- Joined: Fri Aug 19, 2005 10:46 am
- Location: Roma
- Contact:
Re: Is Joomla safe enough?
@dubois
did you know that the last version from the 1.6 series is 1.6.6?
so if you stay on an old one .....
- dubois
- Joomla! Enthusiast
- Posts: 150
- Joined: Wed Jul 20, 2011 5:59 am
- Location: the holy Mekong
Re: Is Joomla safe enough?
in fact i stay with 1.5.23 exactly to be safe, will eventually jump to 1.8 in the future.
- alikon
- Joomla! Champion
- Posts: 5941
- Joined: Fri Aug 19, 2005 10:46 am
- Location: Roma
- Contact:
Re: Is Joomla safe enough?
right
can i also suggest for increasing safety to follow these feeds:
http://feeds.joomla.org/JoomlaSecurityV ... Extensions
and obviously
http://feeds.joomla.org/JoomlaSecurityNews
- dubois
- Joomla! Enthusiast
- Posts: 150
- Joined: Wed Jul 20, 2011 5:59 am
- Location: the holy Mekong
Re: Is Joomla safe enough?
[quote="mandville"]
[quote]The number of support requests they get as system admins for hacked joomla sites is high. That says a lot about joomla security.[/quote]
it might actually say more about the extensions used, or the ability of the "site admins"[/quote]
that's a fair cry considering how many holes are there in the wordpress addons.
last i heard is about an RFI in TimThumb, a popular auto-thumbnail script used in *hundreds* of templates and addons.
- dubois
- Joomla! Enthusiast
- Posts: 150
- Joined: Wed Jul 20, 2011 5:59 am
- Location: the holy Mekong
Re: Is Joomla safe enough?
[quote="alikon"]right
can i also suggest for increasing safety to follow these feeds:
http://feeds.joomla.org/JoomlaSecurityV ... Extensions
and obviously
http://feeds.joomla.org/JoomlaSecurityNews[/quote]
and also {deleted}
Last edited by Per Yngve Berg on Sat Aug 13, 2011 1:31 pm, edited 4 times in total.
Reason: link to exploit site containing hacks and methods removed