Thu 16 Oct 2008 |
Hosting Companies with Joomla Users: Listen up!
Written by Brad Baker
Not that long ago, I posted on this subject with my blog: Hosting providers - Isn't it time? It was nice to see in the comments that some providers actually took on board the free advice and took steps to better secure their servers.
However, by and large it seems still, far too many hosting providers just do not care about security. This is not the place to name and shame them, but I'm talking about huge hosting providers still running outdated installs of php4 for example.
Further, one of the most common responses hosting companies give to the users when their site is hacked, is "It's Joomla's fault". How illogical it this for example, when the user is running Joomla 1.5.0 (an out of date version that was patched long ago)? If you are a host and one of your clients sites is hacked, think before you lay blame. Why do so many of you automatically blame Joomla and not the client who never kept their site updated?
If you want to make a difference, educate yourself with an hour or so of you time and find out how simple it is to keep up to date. Don't you want smarter users, who run more secure websites and thus reduce your support time cleaning up phishing scams, spam mailers and hacked websites?
Maybe publish our security feed somewhere on your site, do you know the link?: http://feeds.joomla.org/JoomlaSecurityNews Subscription via email is also available from that page.
As I recently posted in the Security Forum "Security is very important, but seriously it's not that hard." This applies both to Joomla as well as the hosting setups that people run.
So join me as we sing together:
- "php4 is no more, we don't run it at all!"
- "suphp is for me, especially when I want security!"
- "backups are my friend, we take them even on the weekend!"
- "we keep our software up to date, vulnerabilities are what we hate!"
Finally. You don't have to listen to me, afterall, what would I know, you may say, however, next time a user posts about their sites being compromised due to a poor hosting configuration you might lose a customer when someone points out that the blame may in fact lie with you, their host and not with Joomla at all.
2008-10-16 21:44:55
2008-10-16 23:53:17
A question I posed in the forums here, and have asked around the server-admin communities, is should we be running suhosin (what many feel is a php security enhancement) when it conflicts with the flash uploader for J? Some have suggested that turning off session encryption is an answer, but in Brad's fervent call for better security on hosts, I am interested in what the community feels here... Is suhosin a viable security enhancement, and given that it conflicts with the Flash uploader, should we 'make it work' anyway?
2008-10-17 00:08:27
2008-10-17 01:39:13
2008-10-17 05:07:30
We are proud to state that we fulfill all the points stated above. All of our servers are equipped with PHP4&5, suPHP/suEXEC, Offsite Daily Backups, etc.
The only thing that we do not currently do is to update our client's Joomla site automatically as this may break some extensions deployed by their site. We only help them upgrade when requested.
2008-10-17 05:29:39
2008-10-17 08:27:03
2008-10-17 08:47:08
I can't see it in my configuration.
2008-10-17 14:20:08
2008-10-17 17:58:17
I know my hosting company (www.cartika.com) has disabled the flash uploader because they consider it a security vulnerability. It's really a pain, especially cause my clients don't know how to use an FTP client. However, if it keeps the site from being hacked, I don't mind.
2008-10-17 23:25:13
2008-10-18 13:51:28
If these installers are not keeping up to date then newcomers will be getting hacked while doing the installation. That isn't a great way to begin your Joomla experience.
2008-10-18 19:20:19
As for the others.. why don't you email them this blog post
2008-10-20 16:07:43
In spite of a "one-click" upgrade available to all our customers who used our "one-click" installer, far too many of our customers just don't do it. Like James, above, we don't *force* their upgrades (due to potential extensions/components issues, etc.), so there are always those running versions with know security issues.
I don't know how to get the message across to these users. Any suggestions are most welcome.
2008-10-20 16:43:04
2008-10-20 20:11:16
Developers and designers should keep this in mind when finding a host to put their clients site on. Don't just find them a cheap host, setup Joomla, and walk away. Remember, if they could manage updates and stuff, they would not have needed you to begin with.
Instead, try to find a reliable host that can take care of that client for you when you are done.
2008-10-20 20:13:22
For those Joomla users that don't keep up with updates (most of them), I do it for them with the explanation that there is a risk of extensions breaking and in that case there may be a charge if the fix takes a lot of time. (one reason why I try to keep number of extensions to a minimum on a site.) KISS.
Patching is mandatory, or should be, for all scripts, not just Joomla. Users need to know that one insecure site on a server has the potential to disrupt all on the server.
Security makes all of our jobs appear harder, but in the long run it is saving us from the horror of hacking and greater calamities.
2008-10-20 21:55:12
2008-10-21 05:41:11
Thanks for the laugh
2008-10-21 09:32:33
Even though we have all measures you mentioned in place on our environment, it is still hard to keep Joomla up to date manually. When you host e.g. over 20 Joomla (which is just a little bit), there is no automatic way to remotely check if all the installs on your server are up-to-date compared to latest J releases.
2008-10-22 09:40:00
There are still tons of software out there that was built on PHP4 should we kill all those web sites and tell them sorry you are out of luck? No it would not be good for them nor would it make any sense.
As far as the rest of his rant. PHPglobals on is not insecure. It is only insecure if you have a programmer that is too lazy to code his product correctly and sanitize his input. Which it seems the Joomla project is one of the worst at. It only matters if the programmer is too stupid or too lazy to write his code in the correct way so he depends on the server admin to secure his script for him, and if that is the case chances are he took short cuts in other places and will get hacked some other way. There are tons, pages after pages on the web on how to properly write code that sanitizes inputs. But it is easier to write one simple line than 3 lines that do it properly.
2008-10-28 16:18:30
Ever client from us, has the possibility to update his joomla version trough our update software for joomla. One Click and the lastest joomla version will be automatically installed!
Whatever, till today, there was never a joomla site hacked on our servers.
2008-10-29 04:55:14
So I dont think a simple call to action to hosting companies will have much effect if they need the same amount of pushing to fix security issues. I must say alot has changed and things are 1000% better in terms of the way the Joomla teams treats security which is excellent.
2008-10-29 04:55:58
1. Why does Joomla not allow you to change/set the "admin" username during install.
2. Why does Joomla still hardwire the administration side into a folder called administrator that cannot be easily shifted/renamed.
These 2 things wave a redflag for hackers (they now know where to try and hack into the backend and what the administrators username. All they need to do is hack around the authentication.
There is a well known fact in parking lots, when you park your car do not leave your valuables in view otherwise there is a chance the car will get broken into.
These 2 flaws are part of Joomla's valuables.