Security Book

These days, to say that security isn't a hot topic is to say that the economy isn't either. In a recent post, I remarked on how active the Joomla Security Forum is and how, a few months ago, the Joomla Project created a new security team (the JSST). It's hard to call it the "topic du jour" because it's something we should all be thinking about on a regular basis, not just a passing fad. It is in this environment that I received a copy of Tom Canavan's second Joomla book, titled Joomla Web Security.

The first chapter is an overview of basic terminology and of how the user can find a host that suits their needs. Canavan recommends following his eleven steps for a successful site architecture when setting up a site. One of these steps tells the reader that if they need custom-developed extensions for their site, they should go to the JCD-A Web site—an organization for developer advocacy formed by developers who don't want to adhere to Joomla's GPL licensing. This is a disturbing indication of how far out of touch the author is with the Joomla community—not to mention that there are a number of very good resources for finding a Joomla developer, but this is not one of them.

There are a number of Joomla-specific sections which are quite helpful for the average site administrator. If you haven't been introduced to tools like Joomla Tools Suite and HISA (Health, Installation, and Security Audit), there are some good tips. Likewise, if you want some guidance setting up SSL (now renamed TLS) on your site, this could be helpful. Additionally, there's a chapter devoted to using .htaccess and php.ini, but I question the necessity when more information than a book could hold is freely available online (even a generator that will create the files for you automatically).

The rest of the book covers things like tools, tricks the "bad guys" use, how SQL injections work, and remote file inclusions. But none of those things are Joomla-specific, so the advice applies generally to all server administrators. In fact, only a small portion of the book is specific to Joomla, which left me wondering why it was titled Joomla Web Security instead of just Web Security. In spite of what the preface states, the book's content sends mixed messages as to whom it's for. It's not really for Joomla users/admins looking to secure their site, since the content is so thin in that area. It's not for server administrators, since they would surely know 99% of what's there just to get their jobs.

I searched for security information in the book that wasn't already in prominent areas on the Joomla Web site:

Joomla Administrators Security Checklist

Top 10 Stupidest Administrator Tricks

Vulnerable Extensions List

Security and Performance FAQs

There are also automatic security notifications on the download page. But I couldn't find any information in this area that wasn't already easily accessible and, in some cases, more thorough.

I believe there's a middle ground of Joomla site administrators who want to become server administrators and need a "Server Admin 101" primer as it pertains to Joomla, but I'm not wholly convinced it's worth the $40 price tag. For me, things like reporting a break-in to your hosting company, creating regular backups, and testing on a development server before deploying to a live server are just plain common sense. But maybe Canavan is banking on a lack of that—and he may be right.


Title: Joomla Web Security

Author: Tom Canavan

Publisher: Packt Publishing

Publication Date: October 2008