Are You Selling Fear or Solutions?

Written by Steve Burge

We received an email this morning from Phil-Taylor.com listing security holes in various Joomla components.

I have an awful lot of respect for Phil and his work developing Mambo and now his components. However, I think the tone of the latest email could have been improved. People are understandably jumpy when it comes to security and I think he could have done a better job of pointing people towards freely available solutions rather than to his new security site.

There have always been third-party components with vulnerabilities and I've not seen any evidence that security exploits are increasing. What may be increasing is the number of hacker attacks. Some major Joomla sites are being attacked every 60-90 seconds. However, thats not much different from a computer plugged in to the internet.

Its not that difficult to secure your site. Here's how...

Where to get started with Joomla Security

Download, install and run Joomla HISA. HISA stands for Joomla! Health, Installation and Security Audit and will help you pinpoint and solve a lot of permission and security problems. Click here to download and click here to read more about HISA.

Make sure register_globals is OFF. If your host won't let you, its time to move. If you're on GoDaddy, instructions are here.

Make sure you have an .htaccess file that includes lines that block common exploits. Click here to download a copy of ours. Read more at Joomla.org.

What to do if you use an extension on Phil Taylor's list?

DocMan and School Info. It may be worth being safer than sorry. If you feel comfortable doing this, backup the files and then delete them from the server. Restore them when a patch is available. The Docman site is here and an update is in the works.

Slideshow. Phil provided the link to the site which has an update.

iJoomla Magazine. An update is already available. Head over to iJoomla.com.

How to Recover from ANY hack

Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Backup. Every Day. Every Day. Every Day. Every Day. Every Day. Every Day. Every Day. Every Day. Every Day. Every Day. Every Day. Every Day. Every Day. Every Day. Every Day. Every Day. Every Day. Every Day. Every Day. Every Day. Every Day. Every Day.

There are various Joomla components available to allow you to do this.

Theres a backup recovery procedure available at Joomla.org.

Set as favorite

Free Weekly Joomla Tutorials

Your Comments (9)

Fabien Lanselle

August 24, 2007

Hello Steve,
a security release is available on our website for NeoRecruit. I'm also very disappointed by this kind of communication...
It's not fair at all to send this kind of message without contacting directly the project team... smilies/angry.gif

Judy

August 24, 2007

I tried HISA on 1.0.13 and had too many error message. Is there an update for HISA in the works?

DART Creations

August 24, 2007

I agree a 100% that this is not the way that things should be done. Personally, I am quite concerned about security, and try to keep abreast with all security information coming out from many sources.

An idea I've been contemplating is the setting up of a 3rd Part QA team as part of the Joomla core team, which would have the responsibility of doing a QA on certain components thus approving them as "mostly secure".

If not, maybe a Dev/QA process should be developed such that only components who comply to this process, and basic security standards would be accepted as "Joomla approved" extensions.

This would be a major step in ensuring that Joomla is not perceived as an easily hackable CMS...

Amy Stephen

August 25, 2007

Agreed. Enough of this type of blogging. Sadly, this is not the first time, either. Mysteriously, many of these incorrect blogs just disappear after the initial flurry of panic ensues.

We should all help - diagnose problems - submit patches, if we have the talent - get it communicated properly. But, no more standing on the front porch of your blog letting Google alerts carry what frequently turns out to be FALSE information to the unsuspecting masses. Such DRAMA! And, for what goal? To sell your security services at the expense of someone else's reputation? NO MORE!

I was here looking for a link and am so glad I stopped by.

Brian Teeman

August 26, 2007

Judy a new version of HISA that supports 1.0.13 is now available

Frank

August 26, 2007

... how annoying his emails are. It is only to support his business - which is not wrong basically - but he, the godfather of all joomla and mambo and should be more careful with announcements.

Shaifful

October 25, 2007

Hi Steve, I have download your sample of the htaccess files, but when i open it nothing showing up - nada, empty.
Can you give another sample for download?

Thanks

Steve Burge

October 25, 2007

Hi Shaifful

The link works for me here. Try www.alledia.com/htaccesscopy.zip

Bill Andre

December 11, 2007

Hi and thanks for the interesting post.

When I try to download the sample .htaccess file, it is coming up blank for me too.