Choose your extensions carefully

Choose your extensions wisely - one basic rule when you develop a Joomla site. And the same applies to you, weekend webmasters! Your site is a sitting duck, waiting for hackers (especially script kiddies). Well, it is easy to say, but what counts as a "wise" choice here?

Well, let's try to put together a list of the most important factors - strictly security-wise - that you must keep in mind when you choose a Joomla extension to use:

Avoid extensions with encrypted source-code

You can’t fix bugs in encrypted source-code yourself, and you’ll be left at the mercy of the extension producer should something bad surface. This is mostly a personal preference, but experience says that probing around in people’s code, both to learn and to get a general feeling for the actual quality of the software you are running, is a good practice. Not to mention that you often need to tweak things here and there, add functionality, fix a discovered problem, etc. In my humble opinion, it is contrary to the spirit of the Open Source movement to distribute encrypted code. It is not only my experience that says you can make money from freely distributed code too. And having access to the code gives me the peace of mind I need when I develop a site - and ask someone to pay me for that. I am supposed to be in full control, don't you think?
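One way to check an unpacked extension for unreadable PHP before installing it, as an added example that is not part of the original article. The marker strings and the blob-length threshold are assumptions chosen for illustration, not an authoritative list of encoders, and the sample files are constructed.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Heuristic markers (assumptions, not an exhaustive or authoritative list):
# strings commonly left in PHP files by commercial encoders, plus the
# familiar eval-of-decoded-blob wrapper.
MARKERS = {
    "encoder loader stub": re.compile(r"ionCube Loader|@Zend;|sg_load\s*\(", re.I),
    "eval of decoded blob": re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I),
}
BLOB = re.compile(r"[A-Za-z0-9+/=]{400,}")  # long unbroken base64-like run


def looks_encoded(source: str) -> list[str]:
    """Return the reasons a PHP source text looks unreadable by design."""
    reasons = [name for name, rx in MARKERS.items() if rx.search(source)]
    if BLOB.search(source):
        reasons.append("long opaque blob")
    return reasons


def scan_extension(root: str) -> dict[str, list[str]]:
    """Map relative path -> reasons for every suspicious .php file under root."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        reasons = looks_encoded(path.read_text(errors="replace"))
        if reasons:
            findings[str(path.relative_to(root))] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Scan a constructed sample extension: one readable file, one encoded."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "helper.php").write_text(
            "<?php\ndefined('_JEXEC') or die;\nfunction greet($n) { return 'Hi ' . $n; }\n")
        (root / "license.php").write_text(
            "<?php eval(base64_decode('" + "QUJD" * 120 + "'));\n")
        return scan_extension(tmp)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", ", ".join(reasons))
```

A hit means only that the file cannot be reviewed as shipped; a clean result does not mean the code is well written.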

Avoid dead extensions

If an extension’s homepage is returning a 404 error, or hasn’t been updated in ages, it’s a good indicator that you should check whether this extension is still being maintained before you decide to install it. Check if there is a support forum or any other living way to contact the developers or the community using the extension. You can experiment with newcomers, but it is better to stick with extensions that have a large, active user-base. There is a high chance that these extensions have already ironed out any security (and other programming) issues. Don't forget that this is one of the driving forces in the Open Source movement: each user is a potential security tester!

Avoid poorly written extensions

At the beginning, Mambo and the early Joomla versions were plagued by so-called "spaghetti coding": poorly written PHP code. Starting with Joomla 1.5, the Joomla core team pushed for better coding practices, but Joomla 1.5 still allowed the use of so-called "legacy" add-ons. The situation is improving every day, but the bad news is that there are a lot of (mainly commercial) extensions on the market with poorly written code. Stick to extensions with fresh code. Never start to develop a Joomla site with an outdated version; use the latest Joomla with the latest extensions for it.

And update. Then update, and lastly, check that everything is up to date.