Joomla Security and Content Management

We unfortunately live in a less-than-perfect digital world. It seems every month there is a new leak or hack exposing the personal information of thousands, sometimes millions, of users of various web sites and services. Joomla security has been no exception to this rule. In truth, there is no such thing as 100% security; we can only deter the so-called black hats of the hacker world for so long before they find the Achilles heel in the technology we use every day. All anyone can do is try to keep ahead of the curve and

Here at Bitstorm Connect, we use the Joomla Content Management System (CMS) on a lot of our web development and web design projects, both past and present. We do this for a number of reasons, but most importantly: it's free, it's open source, and it is widely supported by developers all over the world. As a result, we are always evaluating Joomla security and how best to approach it. That being said, we develop and host websites on many platforms and have many clients running WordPress, Drupal and others. It's just a happenstance of doing business and filling a niche we found within the markets we find ourselves in. The flexibility and the development environment that Joomla provides best serve our customer base. However, we want to address concerns brought up regarding Joomla security due to a string of security vulnerabilities, such as those discovered in December 2015.

These two specific Joomla security hacks, however, weren't necessarily targeted at Joomla itself but exploited known vulnerabilities in PHP, the programming language Joomla is built on, adapted to attack Joomla installations. PHP is a server-side programming language (as opposed to client-side technologies like HTML and JavaScript) that can be installed on a wide variety of servers. In fact, PHP powers the vast majority of modern content management systems in use, including WordPress and Drupal, which means there was potential for these systems to be hacked in addition to Joomla. The PHP developers had actually issued updates to protect against these vulnerabilities back in September 2015, but servers running older versions remained susceptible. It created a perfect storm (and a lot of headaches) for system administrators worldwide, but here at Bitstorm Connect we were able to mitigate a lot of potential damage by testing and patching our servers early, a security practice that we feel every company should prioritize.

As we previously mentioned, there is no such thing as 100% security. WordPress is no exception; it recently had its own issues with a zero-day exploit.

Going the extra mile, the Joomla patch in December 2015 not only addressed Joomla security but also worked around the PHP vulnerability itself. This is an important distinction to highlight because even if you were to install this version (or a later version) of Joomla on an older version of PHP, Joomla could no longer be exploited under these circumstances. In addition to patching version 3.5, the patch was adapted to address Joomla security in versions 1.5 and 2.5, legacy versions that were no longer officially supported by the Joomla project.

While continuously re-evaluating our options, we found that Joomla did everything within its power to exceed any and all expectations in terms of patching the security problems that arose. We find that we wear a lot of hats for our customers: we handle web development, graphic design and print services, but ultimately we're asked to do one thing: protect their brand. It's a challenge we have strived to meet for every second that we have been in business. Because of that, Joomla's continued support still effectively serves the needs of our clients and will continue to do so heading into the future.

Also, if we're not already helping you out with your Joomla security or any of the other services we offer, what are you waiting for?

Lonnie Waugh

March 1, 2017

#0day #cms #content management system #Drupal #exploit #hack #Joomla #PHP #security #web development #Wordpress