only a little bit pregnant

As many of you know I spend a considerable amount of my time fixing hacked websites and in the last two days there have been two very important postings for anyone who creates or runs a Joomla! web site.

Just as you cannot be a little bit pregnant, your website cannot be a little bit secure or a little bit insecure.

There are many extensions available for Joomla that "claim" to secure your site and, whilst some of them will indeed block certain types of hacks, none of them will make your web site unhackable.

The only truly unhackable web site is the one that is not connected to the internet.

The Joomla Hacking Compendium (or: Hacking Joomla for Phun and Profit)

This is an in-depth article by someone interested in exploiting Joomla-powered web sites. It is well written and full of great insight.

The author stresses that, whilst the core of Joomla is fundamentally secure, the easy option for a hacker is to exploit vulnerabilities in extensions. He suggests that the Joomla team can't do anything about this, but proposes several things that could be done, which I have long advocated and some of which are hopefully in the works.

A good thing is that Joomla itself is mostly secure, while a sad fact is that so many Joomla components are vulnerable to attacks which could be prevented by applying simple filter mechanisms.

The main problem is that there are so many Joomla extension authors who don't have a good security awareness and simply don't know about potential flaws (or even worse: they just ignore them).

Joomla! Security Extension Comparison

Jeff Channell has conducted an analysis of the various "joomla security extensions" currently available and tested them all for their effectiveness at blocking a plethora of known attack vectors.

Whilst it is clear from Jeff's report that some of these extensions are better than others, none of them is even close to being truly effective.

I think it's readily apparent at this point that no extension passed this test 100%, though I didn't really help things by using known-insecure extensions and an out of date Joomla! install.

(I'd suggest that doing that was a more real world test than otherwise and that as no extension passed more than 6 of the 10 tests they are as useful as a condom with a hole in it.)

A false sense of security

The biggest issue I have with all of these "joomla security extensions" is that they lull you into a false sense of security. They are not a replacement for good server and site management and it is my belief that the majority of people who install these extensions believe their sites to be 100% safe as a result.

This is clearly not true, as can be seen from Jeff's report and the real-world reports of users on the Joomla security forum. I am not saying that these extensions are a complete waste of time and money (I will leave that to you to agree or disagree), but that they are only partially effective and you should not rely on them as your only means of ensuring your site is and stays secure.

I explained last year that even if you are religious about always running the latest versions of Joomla and your extensions, and update them as soon as a new version is released, that is still not enough. Ensuring that you are "up to date" is only part of your defences, just as any of these security extensions is only a part of your defences.

Brian Teeman
