Secure Joomla

"Joomla is safe!" - you can hear it in every forum. Is it really safe enough? Yes, the Joomla core, if properly configured and deployed, is a reasonably secure environment. The difference is made by several factors, and the first of these factors is YOU, the webmaster. But there are others, like the hosting environment, the add-ons used, and a couple more. Watch your back! And keep your site safe!

Server Settings

Joomla specifies certain settings that are recommended for the proper functioning of the system. A list of the recommended and actual settings is displayed when you install Joomla. One of the recommended settings is to have 'Display Errors' switched on. This is very useful when developing and debugging a site, but there is a security vulnerability in PHP (not in Joomla, but in the language Joomla is written in) which may allow cross-site scripting attacks when the display errors option is enabled and you have a script that produces an error.

Vulnerable extensions list

Even most security-conscious Joomla webmasters don't know that this list exists; it is maintained at the Joomla docs site. It lists all components with known security problems, and, very important to know, items that once appeared on the list aren't removed when the problem is fixed, because the large majority of Joomla webmasters don't upgrade their sites as new versions of the add-ons they use come out. So it is worth checking: even if the components you use are listed in GREEN (i.e. fixed), you may still run into trouble, because hackers know the list too and are pro-actively seeking Joomla sites that use the insecure add-ons. So you can easily become a target even if you have the secure version...

Bookmark this link!

Vulnerable extensions list


File and folder permissions

This is a key security issue, but unfortunately many Joomla site owners need guidance on it.

First, let's see what you should know:

Joomla is a typical LAMP (Linux/Apache/MySQL/PHP) application, even if it runs on many other platforms too. Its entire access rights "philosophy" relies on the native environment's settings: the file and folder modes of the operating system it is installed on.
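As an added example (not part of the original article), here is a small POSIX shell audit that walks a Joomla install and reports every file or folder whose mode deviates from the commonly recommended baseline. The baseline it checks against is an assumption for this example: directories 755, regular files 644, configuration.php optionally read-only (444), and nothing world-writable; the install path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original article: audit a Joomla tree for
# file and directory modes that deviate from an assumed baseline
# (directories 755, regular files 644, configuration.php may be 444,
# nothing world-writable, which is the classic "chmod 777" mistake).

# Prints each deviation with a label, then the total number of findings
# on the last line. Exit status is 0 only when nothing was found.
audit_joomla_perms() {
    root="$1"
    total=0

    # Directories whose mode is not exactly 755
    bad=$(find "$root" -type d ! -perm 755)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/DIR  not 755: /'
        total=$((total + $(printf '%s\n' "$bad" | wc -l)))
    fi

    # Regular files whose mode is not exactly 644; a read-only
    # configuration.php (444) is accepted as well.
    bad=$(find "$root" -type f ! -perm 644 \
          ! \( -name configuration.php -perm 444 \))
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/FILE not 644: /'
        total=$((total + $(printf '%s\n' "$bad" | wc -l)))
    fi

    # World-writable entries are the most dangerous ones, so list them
    # separately (they are already counted in the totals above).
    find "$root" -perm -002 | sed 's/^/WORLD-WRITABLE: /'

    printf '%s\n' "$total"
    [ "$total" -eq 0 ]
}

# Usage (path is an assumption): audit_joomla_perms /var/www/joomla
```

Run it as the user that owns the files; a non-zero exit status makes it easy to wire into a cron job that mails you when something drifts.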

Register Globals

Many of you have probably already seen the red warning in Joomla's admin interface that you need to have Register Globals set to "on", otherwise your site is exposed to security threats.

And many of you haven't a clue how to do it...

So, let's see what an average webmaster can do about this problem.