So you work with Joomla? Maybe you're a creative designer, developer, or even run a Joomla site of your own. Or perhaps you're considering using Joomla for your next online project.
I get it. You're consumed with worry and concern. And the issue: Joomla's security.
I'm a web development expert, I specialize in content management systems, and I've been working with Joomla since its release in 2005. And since this is such a widely-discussed issue, I thought I'd address it.
In this blog post, I'm going to draw on both my professional knowledge, and my personal experiences, to directly address the subject of Joomla security.
Why The Concern?
It’s understandable that you might be concerned about the security of Joomla. After all, historically the CMS has seemingly had recurring issues with security.
As an experienced web developer, with over twenty years working with content management systems, I can definitely testify that many developers are hesitant about using Joomla for their projects because of their fears regarding its security.
And I can’t blame them.
There have indeed been some real security scares in Joomla’s time. But is it really as bad as they say?
Is Joomla truly insecure, and where does this insecurity come from? Also, why exactly is Joomla so insecure, given that its competing content management systems seem to manage okay?
What’s wrong with Joomla?
These are all highly emotive, yet valid questions. In this blog post, my aim is to thoroughly explore the realities of the matter, so that you can determine the appropriateness of Joomla for your online projects, particularly from a security and stability perspective.
After all, security is big news today, and it is increasingly being recognized as an imperative asset to websites and servers all over the world.
Make no mistake: ensuring the integrity of your Joomla website is more important today than it has ever been before.
Hackers and malicious users are more prevalent than they have ever been, and the damage they can do today can pack a lot more punch than in years gone by. One of my friends had his entire server overtaken by an insecure WordPress installation!
Given my experience with Joomla and other open-source content management systems, I thought I’d give both my personal and professional opinions on the subject.
Let’s get right in.
Joomla's Security Issues: Addressed
So, of course, you’re keen to understand the nitty-gritty of the Joomla CMS and its security. And I think that’s understandable.
It’s reasonable for any webmaster to have a certain level of concern regarding the security of the site, or perhaps many sites, that they manage. And of course, the online security and integrity of any business is of paramount importance.
But I think it’s going to be quite important for us to discuss the true, root cause of the concerns surrounding Joomla’s security as a platform.
Since the CMS has been the subject of such a negative reputation in this regard, I think it’s really important for Joomla developers and site managers alike to understand exactly what the causes of insecure Joomla installations are.
After all, there is no real basis to Joomla’s security concerns if you don’t fully understand the exact reason and nature of the issues.
Let’s explore the kind of security problems that can potentially arise, why they do arise, and exactly what you should do to prevent these from becoming mission-critical Joomla security vulnerabilities.
My personal view of the situation is quite simple. And the security issues regarding Joomla might come as quite a surprise to you.
Many developers, and even experts in content management systems themselves don’t fully understand the real cause of Joomla’s fluctuating reputation with security.
Is Joomla Secure, or Not?
It’s a question that’s been hotly debated, especially over time, as later versions of Joomla have been released.
As far as I’m concerned, there are a few key reasons that, quite honestly, should spark security worries for those using Joomla.
But I don’t think you’d expect them.
Let’s take a look at all the hype. It’s very clear that many professionals in the web development industry perceive Joomla to be insecure. In fact, one of my very own colleagues held this view, which you can read more on here.
It’s very clear that Joomla’s reputation with security has been fragile, for a number of years. Just take a look at some of these discussions on the topic:
- https://www.quora.com/How-secure-is-a-Joomla-site-What-extension-is-better-for-safety
- https://forum.joomla.org/viewtopic.php?t=956488
- https://forum.joomla.org/viewtopic.php?t=296466
There’s no question. Web developers have concerns. And those concerns are major!
But why?
Well, as I’ve mentioned, it really comes down to public perception. And that, my friend, can be simply reduced to a case of poor PR on Joomla’s part. I don’t think they’ve invested enough in maintaining the integrity of the CMS’s reputation through the few security vulnerabilities that the CMS has seen.
This, in turn, creates mass pandemonium and a global sense of panic amongst the Joomla community.
And of course, since news travels fast, rumors and hearsay reach even non-Joomla experts, and the problem just grows from there.
Oh, Joomla. Hopefully, their public relations get better with time. But the gossip surrounding the security of Joomla doesn’t actually hold any weight in real, factual terms.
Let’s take a look at the stats.
I ran a quick search using Google Trends (which is a great tool, I might add!).
Principally, I wanted to know what kind of statistics Google holds on the matter. Now that's definitely something raw and tangible.
According to Google, searches for the phrase "Joomla bug" are at an all-time low. Remember that Joomla was only released in 2005, which is why you aren't seeing anything until after the year 2004.
Take a look for yourself, right here:
Obviously, this analysis from Google Trends only covers users searching for bugs related to Joomla.
But one would logically assume that an exploit is indeed a bug, right? Exactly.
Joomla users are experiencing far fewer difficulties with the content management system today, in comparison to any single year before!
Of course, this is just one result. So I wanted to see if I could replicate it. We need to be able to confirm that Joomla is indeed secure, and as we all know, bugs don't necessarily indicate a major security vulnerability.
So, indeed, I tried again. This time I used another search phrase. Here's what I got for "Joomla exploit":
It's a little less clear cut than Trends' previous result, for sure. But still, we can definitely see that over time there have been a lot fewer users searching for Joomla exploits. Theoretically, that's a good thing, since it means there aren't really any to be found.
Hackers and script kiddies aren't targeting Joomla today, in quite the same way they once were.
Why?
Because by now, Joomla has had sufficient time to mature, and is quite a strong CMS.
If this evidence still isn't satisfying you, there's more...
I then ran a third search. This time, I stuck "Joomla hack" into Google Trends. This is what I got back:
As you can see, whilst there have been past periods where Joomla's struggled in this regard, it would genuinely appear that Joomla has recovered from the security woes that once caused so many sleepless nights.
So, what can we take away from this?
Today, Joomla as a CMS is far more secure than it's ever been. Joomla security is at an all-time high. So, just as I've done, I'd suggest that the wider community starts leaving these kinds of concerns in the past.
And as far as I'm concerned, the past is exactly where they belong.
How Does Joomla Stand With Security Now?
You’ll no doubt find this surprising. But today, Joomla is one of the most secure open-source content management systems available online.
Do you know who the worst culprit is? WordPress accounts for the most frequently exploited CMS-powered websites. And not by a small amount, either. According to ZDNet, 90% of all hacked CMS websites are powered by WordPress.
I appreciate that this might be much to your surprise, but in fact, Joomla is really, really secure.
Core native Joomla is indeed near-impossible for an attacker to exploit or corrupt.
Over the nearly fifteen years of maturation since its initial release in 2005, Joomla has steadily grown significantly stronger. From a security standpoint, the CMS is much safer to use than its frequently-hacked counterpart, WordPress.
WordPress maintains a terrible reputation for security amongst web development professionals, and is by far the easiest target for attacks.
Joomla is significantly more secure than WordPress. On the other side of the spectrum, you have Drupal. Anyone in the CMS market will know that Drupal is often referred to as the most secure open source CMS. And while that certainly rings true, Joomla follows close behind.
The dramatic number of compromised WordPress sites, though, is a little startling to say the least. It’s definitely not good for PR. But this is beside the point; I’m aiming to stick to Joomla’s security in this post. And so, let’s go back to Joomla:
What Does The Future Look Like For Joomla Security?
It’s hard to say.
Joomla definitely holds a very promising future, particularly with the impending release of version 4 (we’re really excited).
Something that Joomla is going to have to manage though, is integrating better management of the security of third-party extensions. Joomla remains a secure CMS.
In many ways, it’s always been a secure CMS. Sure, it’s experienced some challenges with core security, though these have been very infrequent and few and far between.
With the upcoming release of Joomla 4, many additional security considerations are also in the process of being implemented. And this, for sure, will bolster the content management system’s native security even more. For one, Joomla 4 requires PHP 7 or higher.
And given that many earlier versions of PHP are now largely unsupported, receiving little to no security updates, this is great news for Joomla.
By requiring website administrators and developers to utilize the far-superior PHP 7(+), Joomla is strategically eliminating all potential security vulnerabilities relating to running an earlier, unsupported PHP version.
This is a smart move.
Indeed, as Joomla core itself remains highly secure, the upgraded requirements for use of modern, up to date frameworks instantly promises reduced risk of potential vulnerabilities.
It’s likely the case that many website owners simply don’t realize the importance of keeping server applications and frameworks updated to the latest, secure versions.
And it’s easy to neglect, quite honestly. After all, if your site continues to work, why would you pay attention to invisible, and therefore seemingly insignificant details, such as the security and integrity of the web server’s PHP version?
It definitely makes a lot of sense for Joomla to enforce stronger minimum operating requirements. It’s a strategic move, and one that will likely act as a major influence on the stability and security of Joomla sites, as more continue to be developed in the future.
Overall, my message to Joomla would be to extend this policy, enforcing far stricter requirements for the CMS’s deployment, operation, and development.
In many ways, only Joomla as an organization can be held responsible for the seeming lack of due diligence in regards to the security of its popular third-party extensions and extendable solutions.
Ultimately, the historical security controversy surrounding Joomla has had far less to do with the security of Joomla core than with the practices of Joomla site owners and the developers of certain third-party extensions for the CMS, so that is where the solution lies.
You could see it in one of two ways, really:
- It’s either the fault of Joomla, as an organization, and relates to a lack of diligence with regards to the regulation and quality assurance testing of extensions provided by third-party vendors and developers, or;
- The fault lies in the hands of Joomla site administrators, who neglect Joomla best practices, often utilizing a broad number of extensions (and indeed, often excessively and unnecessarily), and who should therefore be held accountable and take responsibility when their otherwise secure Joomla installation becomes compromised.
Since the blame (for want of a better word) doesn’t actually lie with Joomla (in its bare, unextended form), there’s definitely a case for pointing the finger at negligent members of the community as a whole.
I think it’s important to remember just how profit-driven Joomla’s ecosystem is, and how it’s become a particularly lucrative market for third-party extension developers and vendors.
Premium extensions (in the form of either components, modules, or plugins) dominate Joomla’s commercial ecosystem, even more so, I’d say, than premium templates do.
My personal theory for this relates quite closely to just how volunteer-driven the Joomla community is.
As we all know, the Joomla project (or in other words, the CMS itself) is one-hundred percent volunteer driven. All of the development, implementation of new features, and subsequent deprecation of outdated ones, is based solely on the contribution of a team of global volunteers.
And because Joomla rose to popularity so quickly, many third party developers were keen to make a quick buck.
And Joomla’s community-driven ecosystem allowed this, essentially paving the way for developers of all ethics and credentials to contribute to the overwhelming sprawl of third-party Joomla extensions.
Conclusion
It's had its fair share of historical security issues — but that's all they are: historical. Joomla's more secure in 2019 than it's ever been.
Keep your installation up to date, don't neglect your third-party extensions, and follow good website administration and development practices.
If you require assistance with the security of your Joomla site, you can always get help and advice here. If you've been hacked, check this out.
So, what do you think? How do you manage the security of your Joomla site in 2019?