Is Joomla safe enough?

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
docright
Joomla! Apprentice
Joomla! Apprentice
Posts: 15
Joined: Wed Mar 05, 2008 4:53 pm

Is Joomla safe enough?

Post by docright » Sat May 31, 2008 2:17 pm

Hi

Our company is website development company and part of the websites the clients host information and data on Joomla

We would like to make sure how safe Joomla is as it is - out of the box -

to publish this information on our website about secutiry.

Are there any componenets to make Joomla more secure?

Thank you

User avatar
dattard
Joomla! Ace
Joomla! Ace
Posts: 1023
Joined: Tue Apr 11, 2006 7:29 pm
Contact:

Re: Is Joomla safe enough?

Post by dattard » Sat May 31, 2008 2:25 pm

There are no particular components to make Joomla secure. You just need to follow the Security checklist to make sure you don't leave any security issues lying around.

Most security problems come from 3rd party components rather than Joomla core itself.
https://www.collectiveray.com - We make Joomla and WordPress Easy: Tutorials, Tips and Tricks, Lots of Free Modules incl. Easy Paypal, Popin Window, Random Flash, Google AdSense, Slide Menu (dropdown), 2CO / Paypal payment, [youtube] module, and more!

Geoff
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3193
Joined: Sun Apr 16, 2006 12:20 am
Location: 127.0.0.1

Re: Is Joomla safe enough?

Post by Geoff » Sat May 31, 2008 5:46 pm

Out of the box, joomla! is secure. If some other non-Joomla! part of your server is compromised though, it does not matter anymore how secure your Joomla! site is.

Security Extensions: http://extensions.joomla.org/index.php? ... &Itemid=35
Two "firewall" type extensions:
jFireWall EndPoint Protection - Anti hacker
JoomSuite Defender - Turn Hacker Save Mode On
Backup, backup, backup!
The "Master" .htacess file by Nicholas http://snipt.net/nikosdion/the-master-htaccess

merill
Joomla! Intern
Joomla! Intern
Posts: 62
Joined: Sun Apr 20, 2008 9:44 pm

Re: Is Joomla safe enough?

Post by merill » Tue Jun 03, 2008 5:12 pm

You can have a look at hardening progams like Suhosin. These allow the sysadmin to block/control some actions that could be considered as dangerous.

User avatar
brendonhatcher
Joomla! Hero
Joomla! Hero
Posts: 2745
Joined: Sun Feb 12, 2006 2:02 pm
Location: Durban, South Africa
Contact:

Re: Is Joomla safe enough?

Post by brendonhatcher » Wed Jun 04, 2008 7:07 pm

Hi

IMHO, Joomla out the box is oriented towards ease of use, not security.
So, for example, the configuration file is set to world writable to make it easy to change settings.
From a security point of view, it should be well secured against a hacker viewing or editing it.

My experience is that Joomla security rests a LOT on the underlying security of the server.
Some hosts have register globals turned on, some have it off.
Some offer php4 only.
Some servers require quite liberal permissions on the files (777 or 775), others will facilitate permissions of 755 through the use of SuExec.

On shared servers, other scripts on other domains may make Joomla vulnerable.

Regards
Brendon
-----------------------------------
Web developer in Durban, South Africa - http://www.brilliantweb.co.za
Joomla Days in South Africa - http://www.joomladay.co.za

krautela
Joomla! Apprentice
Joomla! Apprentice
Posts: 48
Joined: Mon Sep 25, 2006 1:14 pm

Re: Is Joomla safe enough? Questions raised by government agency

Post by krautela » Thu Jun 05, 2008 4:51 pm

We were planning to use Joomla 1.5 for website deployment of a government agency in India. In India most of the government sites are hosted by NIC and they have now raised a question of security on whole stack ... php/mysql/joomla.

My question is for the core developers and joomla community. Do we have some kind of security audit which can prove the security reliability of this whole joomla and underlying stack?

i personally like joomla and have used for our community website and never faced problem from commercial website hosting companies for security. This is the first time i have come across such an opposition for joomla and open source.

the other possibility is that government agency will force us to go thru security audit for our website. does anyone have any experience with such security audits for joomla?

macgig
Joomla! Apprentice
Joomla! Apprentice
Posts: 34
Joined: Fri Oct 08, 2010 4:47 am

Re: Is Joomla safe enough?

Post by macgig » Thu Aug 11, 2011 11:42 am

I dont see how anyone can say joomla is easy to learn. it's not. wordpress is easy. Joomla is not, as I have found out. Joomla has a BIG learning curve in my view.

no program is 100% safe all the time. all programs have code, created by humans. and all have bugs. flaws. security issues. that's life. Joomla is far from being perfect. the only way to have 100% security on a website is not to have one.

my host just informed me that wordpress is much safer than joomla. The number of support requests they get as system admins for hacked joomla sites is high. That says alot about joomla security.

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14850
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Is Joomla safe enough?

Post by mandville » Thu Aug 11, 2011 2:34 pm

macgig wrote:my host just informed me that wordpress is much safer than joomla.
please get them to prove that the aforementioned blogging core script is more secure in a side by side comparison on the same server settings as the joomla core CMS
The number of support requests they get as system admins for hacked joomla sites is high. That says alot about joomla security.
it might actually say more about the extensions used, or the ability of the "site admins"
Go through the last two months (or more) topics on these security forums and count how many times the core Joomla CMS has been at fault for a hack.
macgig wrote:no program is 100% safe all the time. all programs have code, created by humans. and all have bugs. flaws. security issues. that's life. Joomla is far from being perfect. the only way to have 100% security on a website is not to have one.
and that paragraph is probably the most accurate
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
dubois
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 150
Joined: Wed Jul 20, 2011 5:59 am
Location: the holy Mekong

Re: Is Joomla safe enough?

Post by dubois » Thu Aug 11, 2011 5:11 pm

[quote="mandville"]
Go through the last two months (or more) topics on these security forums and count how many times the core Joomla CMS has been at fault for a hack.[/quote]

actually there was a core XSS and CSRF in j1.6.3 last month.

User avatar
alikon
Joomla! Champion
Joomla! Champion
Posts: 5941
Joined: Fri Aug 19, 2005 10:46 am
Location: Roma
Contact:

Re: Is Joomla safe enough?

Post by alikon » Thu Aug 11, 2011 5:15 pm

@dubois
did you know that the last version from 1.6 series is the 1.6.6
so if you stay on a old one .....
Nicola Galgano
i know that i don't know
www.alikonweb.it

User avatar
dubois
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 150
Joined: Wed Jul 20, 2011 5:59 am
Location: the holy Mekong

Re: Is Joomla safe enough?

Post by dubois » Thu Aug 11, 2011 5:32 pm

in fact i stay with 1.5.23 exactly to be safe, will eventually jump to 1.8 in the future.

User avatar
alikon
Joomla! Champion
Joomla! Champion
Posts: 5941
Joined: Fri Aug 19, 2005 10:46 am
Location: Roma
Contact:

Re: Is Joomla safe enough?

Post by alikon » Thu Aug 11, 2011 5:53 pm

right
can i also suggest for increasing safety to follow these feeds:
http://feeds.joomla.org/JoomlaSecurityV ... Extensions
and obvoiusly
http://feeds.joomla.org/JoomlaSecurityNews
Nicola Galgano
i know that i don't know
www.alikonweb.it

User avatar
dubois
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 150
Joined: Wed Jul 20, 2011 5:59 am
Location: the holy Mekong

Re: Is Joomla safe enough?

Post by dubois » Thu Aug 11, 2011 5:54 pm

mandville wrote: The number of support requests they get as system admins for hacked joomla sites is high. That says alot about joomla security.it might actually say more about the extensions used, or the ability of the "site admins"
that's a fair cry considering how many holes are there in the wordpress addons.
last i heard is about an RFI in TimThumb, a popular auto-thumbnail script used in *hundreds* of
templates and addons.

User avatar
dubois
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 150
Joined: Wed Jul 20, 2011 5:59 am
Location: the holy Mekong

Re: Is Joomla safe enough?

Post by dubois » Thu Aug 11, 2011 6:01 pm

alikon wrote:right
can i also suggest for increasing safety to follow these feeds:
http://feeds.joomla.org/JoomlaSecurityV ... Extensions
and obvoiusly
http://feeds.joomla.org/JoomlaSecurityNews
and also {deleted}
Last edited by Per Yngve Berg on Sat Aug 13, 2011 1:31 pm, edited 4 times in total.
Reason: link to exploit site containing hacks and methods removed


Locked

Return to “Security in Joomla! 1.5”