
Misunderstanding: Joomla is unsafe
In this short series of blog articles I am going to talk about the misconceptions I have heard about Joomla in recent years. I try to start from the strengths of Joomla itself, but I will not be able to avoid comparisons with other systems. I start this series with the main reason why I still work with this CMS: security.
Security through predictability and centralization.
Out of my own interest, I have lately been looking more and more at the code, and the predictable way Joomla works is already an important indicator of security. All frontend and backend requests must go through an index.php file. Plugins are triggered in predictable ways. Joomla uses predictable directory names for extensions, media files, images and so on.
In Joomla, developers can only access the $_FILES, $_GET, $_POST and $_REQUEST superglobals via JInput when querying data. This prevents many attacks because there are centralized points to enforce security.
When I look at other systems, I see that predictability is lacking and structures are abandoned to "make it as easy as possible" for the user. This comes at the expense of security!
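An added example, not part of the original article or of Joomla's own code: a small Python audit that flags extension code reading the request superglobals directly instead of going through JInput, the centralized access point described above. The sample PHP file is constructed for illustration, and the scan is a regex heuristic rather than a full PHP parser.

```python
import re

# Request superglobals that extension code should reach only through JInput.
SUPERGLOBAL = re.compile(r"\$_(?:FILES|GET|POST|REQUEST)\b")
# PHP string literals (kept as-is) and comments (blanked out before scanning).
TOKEN = re.compile(
    r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"|/\*.*?\*/|//[^\n]*|#(?!\[)[^\n]*",
    re.S,
)

# Constructed sample extension file (not taken from a real extension).
SAMPLE_EXTENSION = """<?php
defined('_JEXEC') or die;
// Legacy code used $_GET['id'] here; replaced with JInput.
$input = JFactory::getApplication()->input;
$id    = $input->getInt('id', 0);
$task  = $_REQUEST['task'];
$home  = 'https://example.org/' . $_POST['slug'];
/* $_FILES['upload'] is read via $input->files instead */
$file  = $input->files->get('upload');
"""


def strip_comments(php_source):
    """Blank out comments; keep strings and newlines so line numbers hold."""
    def blank(match):
        text = match.group(0)
        if text[0] in "'\"":
            return text  # a "//" inside a string literal is not a comment
        return re.sub(r"[^\n]", " ", text)
    return TOKEN.sub(blank, php_source)


def find_direct_superglobals(php_source):
    """Return (line_number, superglobal, source_line) per direct access."""
    original = php_source.splitlines()
    findings = []
    for number, line in enumerate(strip_comments(php_source).splitlines(), 1):
        for match in SUPERGLOBAL.finditer(line):
            findings.append((number, match.group(0), original[number - 1].strip()))
    return findings


if __name__ == "__main__":
    for number, name, line in find_direct_superglobals(SAMPLE_EXTENSION):
        print(f"line {number}: direct {name} access: {line}")
```

Mentions inside comments are ignored, while superglobals inside string literals are still reported because PHP interpolates them in double-quoted strings.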
The Vulnerable Extensions List.
Does this mean there are never any poorly implemented extensions or templates? No, it doesn't. On the Vulnerable Extensions List website (https://vel.joomla.org/live-vel) you can see a list of extensions in which security problems have been found. It is wise to check it regularly for extensions that you use. Pay attention to the version number of the extension, because in many cases an update that fixes the problem has already been released.
Joomla itself has had a number of security issues in the past, but the community is getting better and better at website security and faster at fixing problems in this area. This is in addition to the fact that the basic structure is already security conscious.
Joomla is not standing still.
It won't be long before we enjoy the new version of Joomla 4.x that the production team is working on. Versions 2 and 3 are secure, but improvements have been made to the MVC model and the overall structure. Many of the improvements, by the way, are already available in Joomla 3.8.
So why are Joomla websites being hacked anyway?
The CMS itself is a secure system to build your website with. One of the conditions for keeping your website really safe is that your software, both Joomla itself and all extensions, is kept up to date. Over the past few years, I've cleaned up about 50 hacked websites and every one of them had the same problem. It was outdated!
So make sure to keep your website up-to-date and if you don't have the time or inclination to do that yourself, consider a maintenance contract so that together we can keep your Joomla website safe.
About Jeroen
I have been working with the Joomla! CMS since 2006. Besides building and maintaining Joomla! websites and webshops, I am also familiar with search engine optimization (SEO), Joomla hosting and developing templates and extensions. Furthermore, I am a frequent visitor and speaker at JoomlaDays and various Joomla user groups.
I am committed to the Joomla! community as a member of the Extensions Directory team and the organization of Joomla user group Breda and JoomlaDagen Netherlands. In short: if you are looking for a Joomla specialist, you should contact me!
