Thu 04 Sep 2008

Joomla! Security, do you take it seriously like we do?

After the recent security update, it's still saddening to see how many people do not take the security of their (and their clients') Joomla! sites seriously. If an urgent security patch is released, there is a good reason for it. If you doubt that, just follow the Security Forum for a few hours to see what I am talking about.

What can we all do about this?

Here's one way: http://feeds.joomla.org/JoomlaSecurityNews
You can subscribe via email and/or RSS; the choice is yours.

Why not help us all out by spreading that link around as much as you can and encouraging more people to subscribe.

PS We have more and more RSS/email subscription options available to our users on the JoomlaConnect site now as well. Just click your browser's RSS icon. We'll be adding more of the language categories when we have time.

29 Comments
  1. I have been guilty of being lax about security in the past. I think the 1.5.6 security release was the wakeup call many of us needed. So many sites were unnecessarily defaced, even those of extension developers who should know better.

    I was fortunate in that my and my clients' sites were patched quickly and escaped exploit. I stumbled upon a new client recently who was equally lucky, but only because he had chosen not to index in Google yet and therefore escaped detection as unpatched.

    I have been stressing to everyone I come across the urgency of getting subscribed to the Security announcement feeds.
  2. Security is a never-ending process. There is no such thing as 100% and never will be so the only thing one can do is to keep on top of updates. It may be a pain if you have many sites, but it's just part of the deal.
  3. To be fair though, Joomla is a magnet for major security holes; it's not known for its 'great security'.

    "I think the 1.5.6 security release was the wakeup call many of us needed. "

    It's certainly a great reason to start looking for an alternative.
  4. Having only recently started to take an active part in the Joomla! forums (especially the security forum since the release of 1.5.6), I wholeheartedly agree with you. There are still 4/5 people a day posting the message 'HELP I've been hacked'. Security is an issue we all have, whether it is for our own personal sites or our clients'.
  5. I appreciate the concern, in case of security I always believe DO IT NOW.

    A small lapse can cost dearly.

    Kamal
  6. Half of the defense against hackers is ways of catching them.
    Why not make an action log where the IP of every site change is logged? Sure, experienced hackers would use proxies and be hard to find, but some guys experimenting might be caught and scared off.
  7. I think YOU should take security more seriously, like the Mambo team does, or any OS software.
    Why not implement updates into the backend, sending notifications to admins? There are many ways; don't blame the admins, do something to ease it.
  8. Sorry, Fishman, I deleted your comment. You must include a valid email address - that we will not share with others - in order for your comment to be printed. Thanks for understanding.
  9. Hello,
    I am very concerned that several days ago my site got defaced, and even after restoration and upgrading to Joomla 1.5.6, my site got defaced again today. Luckily the guy only changed the index.php to display his message. But I am sure he can repeat his action again easily, since I do not know what to do to prevent it besides finding a new patch for Joomla, which is not available yet.
  10. Our website has been hacked and changed. Our Joomla user name and password have changed. What can we do so that this does not happen in the future?

    Thanks, Claudia
  11. Claudia,
    I assume you have subscribed via the link I posted in this blog post? If you need further help, please post on the forum.
  12. In Dries Buytaert's 2008 State of Drupal presentation, he revealed that only 37% of Drupal 6 sites are on the very latest release (6.4). This statistic is recorded by the core Update Status module, which alerts administrators within their site as soon as updates are available; on top of this, admins can also get security announcements via email, and there are various RSS feeds. I wouldn't be surprised if this figure was similar for Joomla sites.
  13. The Joomla forum was earlier using SMF, which has a feature to show in the admin panel the latest version available and the version you are using, even a warning message to update your SMF to the latest release. Joomla can also add that feature to alert webmasters.
  14. Joomla is so easy to install and manage that even people who don't know anything about PHP, MySQL and security in general will use it.
    That's always going to be a problem. If you got hacked running 1.5.5 and got hacked again after updating to 1.5.6, then you have to look for hacker files (check with filist.php, for example).
  15. " is already subscribed to the mailing list of Joomla! Security News"

    But I got no email re the 1.5.7 patch. I only found out when I visited Joomla.org.

    This seems like a problem.

    Could you please fix the email subscriptions to security newsletters.

    Thank you
  16. How much help do you think a commercial extension such as jFirewall might be with security, as well as keeping up to date and watching out for insecure extensions?
  17. We just had one of our sites hacked - very big wakeup call.

    Thanks for this!
  18. Commercial extensions such as jFirewall are not really going to help with this issue. Keeping your version up to date and your hosting setup as secure as possible is the best course of action.
  19. My company is still using joomla 1.0.13a, is it safe enough? Should I upgrade to 1.0.15 or migrate to 1.5.7? I've done that migration but not sure about whether I should use it. Please help me, thank you.
  20. PLEASE DO NOT GIVE ANY INFORMATION ABOUT VULNERABILITIES THAT YOU MAY FIND. JUST PROVIDE A HOT FIX (as Microsoft does)

    Because all the junior hackers pass their time testing whether our Joomla sites are up to date. The biggest vulnerability is providing them details of how to crack the site. This happened during our holidays, and to tell the truth it was very, very weird!
  21. I don't think that Joomla 1.0.13a is secure enough.
    Given that 1.0.14 fixed this:
    Quote:
    SECURITY [HIGH] Fixed CSRF issue allowing portal compromise - Administrator components.

    and 1.0.15 fixed:
    Quote:
    SECURITY [HIGH] Fixed remote file inclusion vulnerability.

    So I think that you should upgrade SOON.

    Nick
  22. @Joe - The answer is 1.5.7. I have no doubt whatsoever, at all, not even a little bit.
  23. Well, the wicked never sleep and they enjoy making others miserable. I have had my site hacked once a few months back and it was not fun. You can never be safe enough and I am glad to see you guys started the security strike team.

    I have added to my RSS and now am doing a transfer over to Joomla 1.5.7.

    thanks for the great work.

    James
  24. Hi, please never disclose any info on bugs/hacks, else hackers can use it to hack sites. Thanks
  25. I believe that everybody should update immediately when a patch is released.

    But, if someone has 100 clients running Joomla and needs to apply a patch for each one once a month, this will be 1200 FTP transfers a year.

    Probably there exists an easier way I don't know of for mass updating, but I think it's a lot of time for updating.
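Whatever the update mechanism, the first problem for someone maintaining that many sites is knowing which of them are still behind. As an added example (not the Joomla project's code, and not something the post or the commenter provided), the script below inventories the installed Joomla! version across a list of site roots and flags the ones behind the current release. It assumes the version is recorded in the stock file libraries/joomla/version.php (1.5.x) or includes/version.php (1.0.x) as $RELEASE and $DEV_LEVEL variables; the "latest" release per branch (1.5.7 and 1.0.15, as named in the comments above) is supplied by the operator from the security feed rather than fetched, and the sample site roots are constructed for the demonstration.

```python
"""Inventory the Joomla! version of many site roots and flag those behind the
current release, so a maintainer of many client sites can see at a glance which
ones still need the patch.

Added example for the mass-update concern above; not the Joomla project's code.
Assumptions: the version lives in the stock file libraries/joomla/version.php
(1.5.x) or includes/version.php (1.0.x) as $RELEASE and $DEV_LEVEL variables,
and the 'latest' release per branch is supplied by the operator (taken from the
security feed), not fetched here.
"""
import os
import re
import tempfile

VERSION_FILES = ("libraries/joomla/version.php", "includes/version.php")
_VAR = re.compile(r"\$(RELEASE|DEV_LEVEL)\s*=\s*'([^']*)'")

# Current releases per branch at the time of the post, per the comments above.
LATEST_AT_POST_TIME = {(1, 5): (1, 5, 7), (1, 0): (1, 0, 15)}


def parse_version(php_source):
    """Return a tuple such as (1, 5, 6) from the text of a version.php, else None."""
    found = dict(_VAR.findall(php_source))
    if "RELEASE" not in found or "DEV_LEVEL" not in found:
        return None
    parts = found["RELEASE"].split(".") + [found["DEV_LEVEL"]]
    nums = []
    for part in parts:
        m = re.match(r"\d+", part)       # tolerate levels such as '13a'
        if not m:
            return None
        nums.append(int(m.group()))
    return tuple(nums)


def site_version(root):
    """Read the installed version from whichever stock version file exists."""
    for rel in VERSION_FILES:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                return parse_version(fh.read())
    return None


def fmt(v):
    return ".".join(str(x) for x in v)


def audit(roots, latest):
    """Return {root: status}; status is 'current', 'OUTDATED x -> y' or 'unknown ...'."""
    report = {}
    for root in roots:
        v = site_version(root)
        if v is None:
            report[root] = "unknown (no version file)"
            continue
        newest = latest.get(v[:2])
        if newest is None:
            report[root] = "unknown branch %s" % fmt(v)
        elif v < newest:
            report[root] = "OUTDATED %s -> %s" % (fmt(v), fmt(newest))
        else:
            report[root] = "current"
    return report


def build_demo_roots():
    """Create throwaway site roots with constructed version files; returns {name: root}."""
    base = tempfile.mkdtemp(prefix="joomla-sites-")
    samples = {
        "clientA": ("libraries/joomla/version.php",
                    "<?php class JVersion { var $RELEASE = '1.5'; var $DEV_LEVEL = '6'; }"),
        "clientB": ("libraries/joomla/version.php",
                    "<?php class JVersion { var $RELEASE = '1.5'; var $DEV_LEVEL = '7'; }"),
        "clientC": ("includes/version.php",
                    "<?php class version { var $RELEASE = '1.0'; var $DEV_LEVEL = '13'; }"),
        "static-site": None,             # no Joomla at all
    }
    roots = {}
    for name, spec in samples.items():
        root = os.path.join(base, name)
        os.makedirs(root)
        if spec is not None:
            rel, src = spec
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path))
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(src)
        roots[name] = root
    return roots


if __name__ == "__main__":
    demo = build_demo_roots()
    for root, status in sorted(audit(demo.values(), LATEST_AT_POST_TIME).items()):
        print(root, status)
```

On a real host, replace the demo roots with the document roots of the client sites (for example from the web server's virtual host configuration) and update the "latest" table each time the security feed announces a release; the script only reports, so the FTP work the comment describes is still needed, but it is now limited to the sites that actually need it.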
  26. That's right, we must upgrade our site, or you'll all get trouble later.
  27. I have a Joomla website and recently got this message when I tried to log on to the homepage, and this under the Joomla logo. Neither my username nor password would work:

    Hacked ByRossi ~ Turkish Hacker

    Username
    Password
    Remember Me
  28. Coming from the world of banking, I learned one important lesson. Security must be addressed in layers. From basic common sense, such as moving away from general user names (admin, support), stringent passwords, maintenance, to SSL for protecting sensitive data. Disaster recovery planning and risk mitigation should also be a part of the mix. Websites are also affected by the elements, power outages, and unnatural disaster. How you recover is as important as keeping secure.
  29. This is the reason I'm looking at other CMS systems. I looked at Joomla first and have heard nothing but complaints regarding security. I looked at DotNetNuke and heard nothing but complaints regarding ongoing costs. I am looking at Drupal, but they don't have the same features or enough free templates. Has any CMS system got it right yet?
    Joshua Alexander
