Joomla Security Problems: How to Keep Your Website Safe

Joomla Security Problems Start with Versions

Got Joomla security problems? Well, I hope not! But Joomla recently deprecated version 1.5.x. That means they no longer support that version. This also means that if you are still using version 1.5, then you will likely not know about any security vulnerabilities until they strike your website. Ouch!

The best way to prevent that is to upgrade your Joomla version right away. You currently have available version 2.5 (the next long-term support [LTS] version) and version 3.0.

Joomla decided with version 2.5 to make their LTS versions all x.5. Using the LTS version may not reduce the number of upgrades you have to perform in the next 12 months. You’re always going to have to perform the upgrade when Joomla releases each one. That comes with the territory. It’s either that, or risk your site being vandalised or worse with Joomla security problems that could give you nightmares.

How to Check Which Version of Joomla You’re Using

A wise man told me many years ago, “The only dumb question is one that is never asked.” It’s okay not to know simple things. Ask and you will receive, right? In order to find your Joomla version number, go to your admin section (any page) and scroll to the bottom. The current version number should be there.

Alternatively, you can look at the contents of your version.php file (found in the includes or libraries/joomla folder). Simple.

You can go to the Joomla website to find out the latest stable version that is available. By all means, keep your Joomla updated, right now, with the latest 2.5.x or 3.0.x version.
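The version.php check described above can be scripted. The following is an added example, not code from the original article or from the Joomla project: it looks for version.php in the two folders the article names and flags any branch other than the 2.5 and 3.0 releases the article lists as current. The sample file contents are constructed, and the function names are assumptions made for illustration.

```python
import os
import re

# Folders the article says hold version.php, relative to the site root.
CANDIDATE_PATHS = ("includes/version.php", "libraries/joomla/version.php")
# Branches the article lists as current; anything else is flagged (1.5.x included).
CURRENT_BRANCHES = {"2.5", "3.0"}

# Matches PHP 4 style `var $RELEASE = '1.5';` and PHP 5 style `public $RELEASE = '2.5';`
_FIELD = r"(?:var|public)\s+\${name}\s*=\s*['\"]([^'\"]+)['\"]"


def parse_version(php_source):
    """Return (branch, full_version) from version.php text, or None if absent."""
    release = re.search(_FIELD.format(name="RELEASE"), php_source)
    if release is None:
        return None
    level = re.search(_FIELD.format(name="DEV_LEVEL"), php_source)
    branch = release.group(1)
    full = f"{branch}.{level.group(1)}" if level else branch
    return branch, full


def audit_site(root):
    """Locate version.php under root and say whether the branch is still current."""
    for rel in CANDIDATE_PATHS:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                parsed = parse_version(fh.read())
            if parsed:
                branch, full = parsed
                status = "current" if branch in CURRENT_BRANCHES else "unsupported"
                return {"file": rel, "version": full, "status": status}
    return {"file": None, "version": None, "status": "not found"}


# Constructed samples modelled on the property layout of Joomla's JVersion class.
SAMPLE_15 = "class JVersion {\n\tvar $RELEASE \t= '1.5';\n\tvar $DEV_LEVEL \t= '26';\n}"
SAMPLE_25 = "class JVersion {\n\tpublic $RELEASE = '2.5';\n\tpublic $DEV_LEVEL = '8';\n}"

if __name__ == "__main__":
    for sample in (SAMPLE_15, SAMPLE_25):
        print(parse_version(sample))
```

Call `audit_site()` with the path to your own Joomla root; it only reads files on disk and makes no network requests.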


You need to discuss how you’re going to handle potential Joomla security problems before they bite you.

Joomla is a Juicy Target for Hackers

Joomla security problems can be blamed partly on Joomla’s popularity. Increasingly, Joomla is a leading CMS, second only to WordPress. That makes it a target for unscrupulous crooks bent on no good. The more victims a hacker has that use a particular kind of software, the easier it is for them to make money off of their hard work.

An industrious and creative hacker could find a new vulnerability for Joomla and exploit it on all Joomla websites of the appropriate versions. But how does a site visitor know you’re using Joomla?

Easy!

A hacker can determine if your site uses Joomla by checking the Generator Meta. And they don’t even have to do this manually. They can program a robot (web crawling software) to create a list of all Joomla sites by looking for this Meta. You can right click on a web page and select “View Page Source” (or something similar) in order to view the source code. For instance, the following is from www.Linux.com:

<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />

Oh, for shame, Linux! You’re still using an outdated version of Joomla for your website. One can hope they fix that before any more Joomla security problems strike version 1.5.x, because Joomla is no longer any help on such issues. No more security patches for that version.

All the other Joomla websites I checked did not have the version number listed. Good for Joomla. That will make the hackers work a bit harder.
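To see what your own pages give away through the Generator Meta, you can run a saved copy of the page source through a small check. This is an added example, not code from the original article: it reports every generator tag, whether it names Joomla, and whether a version number is disclosed. The sample pages are constructed, the first one reusing the tag quoted above.

```python
from html.parser import HTMLParser
import re


class GeneratorFinder(HTMLParser):
    """Collect the content of every <meta name="generator"> tag in a page."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; values keep their case.
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("name", "").strip().lower() == "generator":
            self.generators.append(attr.get("content", "").strip())


def audit_generator(html):
    """Report what the generator meta of your own page tells a visitor."""
    finder = GeneratorFinder()
    finder.feed(html)
    findings = []
    for value in finder.generators:
        version = re.search(r"\d+(?:\.\d+)+", value)
        findings.append({
            "content": value,
            "names_joomla": "joomla" in value.lower(),
            "version": version.group(0) if version else None,
        })
    return findings


# Constructed sample pages: version disclosed, product only, and no generator tag.
PAGE_WITH_VERSION = ('<html><head><meta name="generator" '
                     'content="Joomla! 1.5 - Open Source Content Management" /></head></html>')
PAGE_NO_VERSION = '<head><META content="Joomla! - Open Source Content Management" NAME="Generator"></head>'
PAGE_CLEAN = '<head><meta name="description" content="Built with care"></head>'

if __name__ == "__main__":
    for page in (PAGE_WITH_VERSION, PAGE_NO_VERSION, PAGE_CLEAN):
        print(audit_generator(page))
```

An empty result means the page carries no generator tag; a finding with a version is the case the article warns about.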

Some sites will reveal more information if you type “/administrator” right after the URL to get the Joomla admin log-in page. Some versions have a different Joomla banner graphic. The site, www.usjoomlaforce.com, currently has this problem. All other sites I checked had blocked this behaviour.

Adding “?tp=1” after the home page URL will reveal some very interesting behaviour for most Joomla sites. In fact, the only one which didn’t look like a page editor’s nightmare after tacking on this bit of code was www.joomla.org. Somehow, they’ve programmed their site to block this behaviour, too.


Don’t let Joomla security problems get out of hand.

Help! We’ve Been Hacked

If you have Joomla security problems, like a site that has been hacked or defaced, Joomla gives a list of recommendations to put an immediate stop to the problem and to ensure that it doesn’t come back to bite you again. Some hackers add back doors to their hacks so that, even after cleaning, the hacker can still get into your site to do damage. Here’s Joomla’s help on this:

http://docs.joomla.org/Security_Checklist/You_have_been_hacked_or_defaced

What to Look For

When it comes to any software vulnerabilities, including Joomla security problems, there’s no surefire way to know what to look for. If we knew in advance what vulnerabilities hackers would use, then programmers would plug them up before they became a problem.

Here are a couple of articles that could help you prevent any problems from happening:

http://magazine.joomla.org/issues/issue-jan-2013/item/1032-how-secure-is-your-joomla-website

And particularly helpful is Joomla’s security checklist:

http://docs.joomla.org/Security_Checklist

If you need any help with upgrades or other website issues, please let us know. That’s why we created our Web Circle website.

And if you have any questions or comments about this article, please let us know. And stay safe!

About Alex

Alex Retzlaff is the owner of A Website Designer and Web Circle.


11 Responses to “Joomla Security Problems: How to Keep Your Website Safe”

  1. Hugo Goncalves January 23, 2013 at 1:37 am #

    I have been hacked several times with Joomla. I tried everything at the time and still kept being hacked. Maybe the hackers had a back door that I did not know of…

  2. Alex January 23, 2013 at 10:23 pm #

    Hi Hugo. I understand the frustration. The Joomla site includes tips on cleansing your system of any such “back doors.” Hopefully that won’t be a problem in the future.

  3. Tushar January 25, 2013 at 8:02 pm #

    That’s a good case study on why Joomla is being targeted by hackers and the security mechanisms to prevent it from happening.

  4. Sean Nicholson February 3, 2013 at 9:54 am #

    Great tips and resources. I think the best guidance is to just do everything you can to keep your Joomla (or any other CMS) up to date with the latest security patches. The developers work hard to find and close those holes, so we just have to keep up with them.

    Thanks for the great tips!

    –Sean

  5. Rod "Carl" Martin Jr February 3, 2013 at 5:35 pm #

    Thanks, Sean. Good points. Their developers are there to help us. We just have to let them do that.

  6. Arun February 6, 2013 at 9:32 pm #

    My website used to get hacked during the initial days. The main reason was the file permissions were writable and one of the plugins that I installed had a backdoor.

  7. Alex February 6, 2013 at 11:37 pm #

    Hi Arun, and ouch! I hope you got that one plugged quickly.

  8. Mottaret February 12, 2013 at 4:16 am #

    Never really got on with Joomla, although WordPress is a prime target for hackers now so everyone using a CMS needs to be on their toes…

  9. Alex February 13, 2013 at 1:35 am #

    Hi Mottaret. I agree with you there. Security issues are a constantly moving target for hackers.

  10. hamayon February 15, 2013 at 6:16 pm #

    Among all of the blogging software, Blogger is very good for its tight security system (as it’s a part of Google), then WordPress comes next in safety; in WordPress we can use a lot of tips and plugins to make the security tight. All of the other blogging platforms (which are known to be good) have somewhat poor security, so we have to choose the best blogging software from the first day.

  11. Rod "Carl" Martin Jr February 17, 2013 at 7:31 pm #

    Hi Hamayon. We appreciate your input. Sharing such information helps us all.
