The Joomla! Community Portal ™

Community Blog


Security and Joomla
Written by Ron Severdia   
Friday, 24 October 2008 23:17

Over a thousand posts in the Security Forum show an active interest in security, especially when it comes to protecting your own site. Some posts are from people who have had their outdated installations hacked, some posts are Dev and Security Teams giving general advice on how to protect oneself, and some are just users curious to learn more. Overall, there's a great interest in discussion around security.

 
The Joomla teams have repeatedly voiced how important security is. If Joomla isn't secure, then credibility can be lost. With less credibility, users will turn to other solutions for their needs. Once lost, credibility and trust take time to regain. So an ounce of prevention can be worth a pound of cure.
 
Security is not black or white. While you may or may not have heard the phrase "there's no such thing as 100% secure," it's definitely true when it comes to software—you can never be 100% secure or even 100% unsecure. Joomla is no exception.
 
Keeping Joomla users secure has been a daily exercise since day one. To best handle this, the Joomla Core Team recently created the Joomla Security Strike Team. Besides performing their own auditing, they look at each and every single report that comes in from users. Imagine what a tall task that is. Also imagine how many false reports come in or reports on an outdated install that already existed. It's a very time-consuming and detailed process, but completely necessary to keep Joomla as rock solid as it can be.
 
Users need to keep firmly in mind that security doesn't stop there. You, as the user, need to be aware of any vulnerabilities a third-party extension can cause. With almost 4000 "tidbits of goodiness" in the JED, it's hard to resist all those wonderful extensions that enable you to do just about anything you can imagine. But there's some due diligence when using third-party extensions. Check the developer's Web site thoroughly. Is there a support forum? Are users experiencing serious issues? Is there a reasonable response time from the developer? Naturally, whenever you use a new extension on your site, you're first testing it on a "sandbox" site (a duplicate of your live site for testing), right? You have a system for backups, right?
 
To say that Joomla is not secure is to say that it's always sunny in California. It's a generalization that's just not true. If your site was hacked, you'd immediately think "That damn Joomla!" because the culprit may not be initially apparent. Only after you've verified all third-party extensions and updated to the latest version of Joomla can you THEN point a finger at the Joomla Security Strike Team. But if you're not doing both of these things on a regular basis, then you're leaving yourself open and there's nobody to blame but yourself.
 
Security is a process, not a state.
 
 


Joomla! Member of the Month... what next?
Written by Ken Crowder   
Tuesday, 21 October 2008 18:07

Over the last couple months the Global Moderators have discussed what to do with the Joomla! Member of the Month award. As a group, we came up with some great ideas on how to improve it and more importantly, get more participation. We love being able to reward community members who help out in the community. We have found that there are a couple problems with the current process and would like to ask all of you to help us think this through. 226,357 heads are better than 7.

 

 


A Reminder for All JED Developers
Written by Steve Burge   
Monday, 20 October 2008 15:11

After conversations with several developers, we'd like to provide a little clarification for people with listings in the JED.

Essentially all the rules break down to two simple dos and don'ts:

Two Things You Can Do

  1. Reply to a review. If you want to reply directly to a reviewer, click "Reply". Please don't ask us for a reviewer's contact details as we cannot give that out. However, you can give the reviewer a way to contact you.
  2. Report a review. If you think a review is incorrect and want to ask for its removal, click "Report" and explain why. Our rules for reviews are here.

Two Things You Can't Do

  1. Don't touch your extension listings in any way, except "reply" and "report". Please don't submit reviews, don't vote, don't click "Is this review helpful?".
  2. Don't touch any other extension in your category. After all, there's little difference between voting 0/5 for a rival and voting 5/5 for yourself.

Please make sure that everyone else who works with you follows these rules. Violating them may lead to a warning or suspension.

What Should I Do If I've Broken These Rules?

If you've clicked "Is this review helpful?" a few times, don't worry about it. However, if you've reviewed your own extension or one of your rivals, you may want to email us.


I hope this clears things up. We don't enjoy suspending developers' listings, but we do it to help two groups:

  1. Other Developers. Put yourself in the shoes of a developer whose rivals keep giving themselves 5/5 votes.
  2. Extension users. It's great to get fair, unbiased feedback from other people who have used the extension.

 

 


An old friend comes of age
Written by Wilco Jansen   
Monday, 13 October 2008 22:01

We are often asked the question when we will officially stop supporting Joomla 1.0.x and, given the huge install-base, it's not an easy question to answer. We know that the code originates from several years ago and is certainly showing its age (Mambo 4.5.2 was released in early 2005, but the codebase originates partly from 4.5, released in December 2003). To recap our short history, the Joomla Project originated from a fork of the Mambo Project on August 17, 2005. Shortly thereafter, Joomla 1.0 was released on September 16, 2005 and was an improved version of Mambo 4.5.3 (you can still find that code in subversion). The announcement of the Alpha version of Joomla 1.1 was made on October 27, 2005 and this version was later on renamed Joomla 1.5. What began as a minor update turned out to be a full re-write of the codebase and the current version of Joomla was released on January 22, 2008.

Since then, seven versions of Joomla 1.5 have been released. Download numbers and usage have increased exponentially, evidenced by nearly 7 million downloads. In January 2008, just 15% of newly posted extensions were Joomla 1.5 native and that percentage has recently soared to 73%. The adoption rate of Joomla 1.5, by both users and developers alike, has occurred at an amazing rate and demonstrates an untold level of commitment to the Joomla Project on both sides.

But now it's time to say our farewells to our old friend Joomla 1.0. As of July 22, 2009, the Joomla 1.0.x series will no longer be supported. As a user, is it required that you upgrade from Joomla 1.0.x? Absolutely not since security upgrades will be supported until this date. But if you're a user who hasn't yet upgraded to Joomla 1.5, you should do so in order to start reaping the benefits the latest version has to offer. If you're a developer in that small minority who hasn't yet become Joomla 1.5 native, this is your last call to join the majority of developers who have already discovered the power and ease of the Joomla 1.5 series.

In the meantime, we are working diligently on Joomla 1.6 (with its new ACL), which promises to be the most exciting release for Joomla yet.

 

 


Joomla!days are great!
Written by Wilco Jansen   
Monday, 13 October 2008 19:47

This past weekend I attended the Hungarian Joomla! Day, and it was an amazing experience. The Hungarian community started in 2006 with a "forum party," and the first Joomla!day was organized in 2007. The Joomla! Day was organized by the Joomla! User Association Hungary. From experience I know that organizing such an event is a lot of work. This year's event was organized by Tibor Tóth, Annamari Bán and József Tamás Herczeg, and they created a very professional event with an interesting program.

The Hungarian Joomla!day organizers with Wilco

Around 100 people came to the Joomla! Day that was fully sold out. The program started with a presentation of Szabolcs Bán from the Free Software Foundation Hungary entitled "Introduction to the World of Free Software". After the initial session Tibor explained in non-techno-geek terms why people should look for MVC aware extensions. Both sessions were given in Hungarian so the details were a mystery for me ;-)

After the break Johan Janssens gave a presentation about Search Engine optimization and what you can do to get a good ranking in search engines. After the lunch Sándor Nagy, a representative of the Hungarian government, explained how the government is looking at implementation of open source. Johan then had a second session about his multi-lingual extension. The day ended with a session about the use of OpenID by Zoltán Gyurkó.

I was asked to end the day with an "ask whatever you want to ask" session. My personal experience is that at the end of a conference day everyone is getting pretty tired, so I decided to ask everyone to make a circle, so I would not end up in front of the attendees but being in the middle...this for sure woke everyone up :-P The first question was: "When will ACL be included in Joomla!"...I was joking around that I never had this question before. I explained that this feature will be included in 1.6 but there is no date set for the release of a beta or release candidate. We promised to send an update as soon as possible on the status of version 1.6. A series of questions were asked: "Will a cron feature be added in the core?", "Can JED search options be improved?", "How do you make a living?", "If there are great extensions out there, will they be included in the core?"...just too much for this blog post.

I ended my session with an announcement of the end-of-life moment of Joomla! 1.0.x. I will share the details of this announcement in a separate blog to make this news official. The Hungarian community is a great example of what this project is all about, great inspiring people. Tibor had a big surprise for Johan and me. We were granted lifetime membership to the Hungarian User Association as honoured members. I always feel privileged to be invited to Joomla!days, but this really is one of the biggest presents I have received since I joined the Joomla! community. I am honoured, proud and consider myself extremely lucky with my visit to this great Joomla! Day.

On the picture you see (from left to right) Annamari, Tibor, myself and Tamás. I am showing the official paper with my lifetime membership, it will have a prominent place in my home!

 

 

