Is Joomla a Secure Platform for a Business?

Joomla and other content management systems often get a swift kick in their binary crotch when a site gets hacked. Here's a comment from a professional host admin, the guy who is responsible for server security...

"The installed Joomla is trivially crackable"

Here's the problem: Joomla, WHEN properly installed and running the most current version, is very secure. The key phrase is "properly installed", which implies more than just making sure the most current security patches and upgrades have been applied.

What is common in almost all Joomla sites of any size: multiple components are installed to boost functionality. Editors, image galleries, forums, shopping carts... all of these need to be just as secure as Joomla itself, as one hole is all that's needed.

When we first started getting reports of hacks a year ago, the attacks mostly overwrote the configuration.php file, which resulted in simple defacement. As long as you had a good copy of that file, the fix was in place in a few minutes.

However, as the number of available components grew, so did the rate at which developers installed them. While Joomla does a very good job of reviewing code before posting it on its extensions directory, that is not a stamp of approval that the application is fully secure. (They sweep the code for the mandatory inclusion of this access guard, which stops a component file from being requested directly instead of through Joomla:)

defined( '_VALID_MOS' ) or die( 'Restricted access' );

More recently, the attacks have become much more sophisticated. Perl-scripted worms, PHP variants such as "Redworm", and file browsing and alteration tools are showing up. Perl worms are very nasty because they can give hackers full remote control of the attacked site, making your site a platform for conducting further evil.

Some Thoughts On This Topic

1. As a developer, you should have an install sheet that goes along with the finished site. Make it crystal clear to the owner that MAINTENANCE is required if they care about uptime.

Also, you should install all sites with SEO-friendly URLs enabled so you have some default .htaccess protection. Here's an example:

# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]

This and a handful of other RewriteConds are "included" if you enable SEO-friendly URLs within Joomla, as they're part of the default htaccess.txt file.
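As an added example (not code from the original post or from the Joomla project), here is a small Python script that reproduces the logic of those RewriteConds so that you can run it over old access logs and see which requests the rules would have blocked. The first pattern is the one quoted above; the other four are my recollection of the Joomla 1.0 htaccess.txt and should be compared against the copy shipped with your own Joomla release. The log lines, IP addresses and query strings are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Regexes from the Joomla 1.0 default htaccess.txt. The first is the rule
# quoted in the article; the rest are recalled from memory (assumption), so
# check them against the htaccess.txt in your own Joomla install.
# Apache evaluates RewriteCond against the raw, still-URL-encoded
# QUERY_STRING, which is why the patterns list both "<" and "%3C" forms.
BLOCK_RULES = [
    ("mosConfig override",   r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", 0),
    ("base64_encode in URL", r"base64_encode.*\(.*\)", 0),
    ("script tag in URL",    r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),  # [NC]
    ("GLOBALS override",     r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
    ("_REQUEST override",    r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", 0),
]
COMPILED = [(name, re.compile(pattern, flags)) for name, pattern, flags in BLOCK_RULES]


def matching_rules(query_string):
    """Names of the RewriteConds that would fire for this raw query string."""
    return [name for name, rx in COMPILED if rx.search(query_string)]


def would_be_blocked(query_string):
    """The conditions are chained with [OR], so a single match blocks the request."""
    return bool(matching_rules(query_string))


# Minimal parser for the start of an Apache combined-format access log line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def blocked_requests(log_lines):
    """Return (client_ip, request_target, matched_rules) for every logged request
    the .htaccess rules would have refused. Handy for checking logs from before
    the rules were in place, or for spotting repeat offenders."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        query = urlsplit(m.group("target")).query  # urlsplit does not decode %xx
        rules = matching_rules(query)
        if rules:
            hits.append((m.group("ip"), m.group("target"), rules))
    return hits


# Constructed sample log (RFC 5737 documentation addresses, made-up requests).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2007:13:55:36 +0000] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Oct/2007:13:57:01 +0000] "GET /index.php?mosConfig_live_site=x HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Oct/2007:14:02:44 +0000] "GET /index.php?option=com_search&searchword=%3Cscript%3E HTTP/1.1" 200 2210',
    '198.51.100.7 - - [10/Oct/2007:14:03:10 +0000] "GET /index.php?_REQUEST[option]=1 HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for ip, target, rules in blocked_requests(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(rules)}")
```

Two things worth keeping in mind when reading the output: the rules match literal substrings of the raw query string, so they catch the specific encodings they list and nothing else, and a request that appears in the log with a 200 status was served, meaning the rules were not in place at the time. Treat the script as a quick triage aid for logs, not as a substitute for keeping Joomla and its components current.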

2. Someone needs to keep track of all components installed and periodically review new releases to determine if any installed code has security holes. This is usually included in a maintenance contract as upgrading components is not always click-click simple.

3. If a site is hacked, and there is no maintenance contract in place, then the owner has full responsibility. If you have a sliding glass door installed on your deck and someone puts a baseball through it, you don't call the installer to complain. Same thing applies here.

4. As a customer, make sure you know what you have and that you have a plan that YOUR BUSINESS will execute when someone calls to say, "Our site has been hacked."

If you care about your site, have a real backup/restore plan in place. This must be designed by a propellerhead and done in concert with your hosting company.

One last important item: If you're on a shared host and they include a backup service, this is not adequate. If your site is hacked and they (your host) deem it a threat, your site will be deleted. End of story. It's then up to the holder of the maintenance contract to resume business via the well documented business resumption plan.
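An added example, not part of the original post, tying the "keep a good copy of configuration.php" advice above to the backup/restore plan: a Python file-integrity check that records a SHA-256 baseline of the site files at deployment time and later reports exactly which files were modified, added or removed, so the restore can target those files instead of the whole site. The sample site tree is constructed inside a temporary directory; the file names and contents are invented for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large uploads do not sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(site_root):
    """Map every file under the site root (relative, forward-slash paths) to its digest."""
    root = Path(site_root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def save_manifest(manifest, path):
    """Write the baseline as JSON. Keep this copy OFF the web host, next to the backups,
    so an intruder who can overwrite configuration.php cannot also rewrite the baseline."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def compare_manifests(baseline, current):
    """Classify files relative to the known-good baseline."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo():
    """Constructed scenario: baseline a tiny fake Joomla tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "components" / "com_example").mkdir(parents=True)
        (site / "configuration.php").write_text("<?php /* known-good settings */ ?>\n")
        (site / "index.php").write_text("<?php define('_VALID_MOS', 1); ?>\n")
        (site / "components" / "com_example" / "example.php").write_text(
            "<?php defined('_VALID_MOS') or die('Restricted access'); ?>\n")

        baseline_path = Path(tmp) / "baseline.json"   # in real use: stored with the backups
        save_manifest(build_manifest(site), baseline_path)

        # Simulate the configuration.php overwrite described in the article,
        # plus one file that was never part of the deployment.
        (site / "configuration.php").write_text("<?php /* defaced */ ?>\n")
        (site / "components" / "com_example" / "unexpected.php").write_text("<?php ?>\n")

        return compare_manifests(load_manifest(baseline_path), build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real deployment by calling build_manifest on the document root right after installation (and again after every sanctioned upgrade), storing the JSON with the backups, and re-running the comparison on a schedule or when the "our site has been hacked" call comes in. The "added" list is the one to read first: a file the deployment never contained is the usual sign of the browsing and alteration tools mentioned earlier, and "modified" tells you which files to restore from the known-good copy.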

Joomla is a very secure platform, but like every other content management system out there, that is only true when it's properly maintained.