
Which Content Management System is the most secure: Joomla, Wordpress, or something else?

When you ask a simple question, there isn't always a simple answer. Asking which CMS is the most secure seems like a reasonable question, but it's one with no easy answer. This question is particularly vexing because it is usually posed by senior management, and it's particularly difficult to answer in a concise, non-technical way.

I have heard it in every possible variation. Is Joomla more secure than Wordpress; is Wordpress more secure than Drupal; is open source more secure than closed-source proprietary code; and so on. Here's the best non-technical answer I have:

Every web facing application will have vulnerabilities at one point or another. The most critical factor in the security of a web application isn't the application itself, but rather the security and maintenance of the software and the server environment on which it is running. The next most important factor is how the developers of the application respond to security issues. The quality of the application software is also important, but surprisingly far less critical than the first two factors.

That answer is pretty unsatisfying when someone wants to hear "X is certainly more secure than Y", but it's the best I've been able to come up with. Here's why:


Supporting Joomla 1.5 When Your Host Moves to PHP 5.4

Secure old door

PHP 5.3 has passed its End of Life support period. This means that there will be no more updates to the 5.3 series, even if serious security flaws are found. That's a signal that any minimally competent hosting company should move at least to PHP 5.4, or even 5.5. Hosts have been warning that the days of 5.3 were numbered, and now a lot of people running Joomla 1.5 have been told to upgrade or find another host. The problem is that Joomla 1.5 under PHP 5.4 is a mess. The core code throws hundreds of warning messages for every page, and the occasional serious error. Extensions are even worse. If you're lucky, your Joomla 1.5 site is barely recognizable; if you're unlucky, all you get is a white screen (fondly known as the White Page of Death, because a PHP fatal error has occurred and stopped page processing).

So what do you do? The right thing to do is upgrade Joomla, build a new site, update the look, get your site mobile friendly, and take advantage of the huge number of major features that have been added to Joomla since 1.5. A lot has changed since 2007, and Joomla has done a pretty good job of keeping pace. It's easy to say "upgrade", but it's not so easy to do. First off, the migration path from 1.5 is not the easiest. Then there's the issue of budget. Not many small businesses have allocated funds for a website redevelopment, and few have the time to take a good look at how they want to update their site and refresh their image.

Meanwhile your host is about to force an upgrade and your site is going to break. What do you do? Find a host that understands. With the right security defenses, a host can isolate your site from others on the same server and let you run an older version of PHP, which means you can still run 1.5. With good backups, a host can provide insurance against having your site hacked -- and let there be no question about it, both Joomla 1.5 and PHP 5.3 have security vulnerabilities. The best defenses available merely minimize the risk, but there's no way to reduce it to zero. Over at Abivia we've gone to great lengths to help keep our older customers' sites working for them, but if you are still running Joomla 1.5, it's time to start planning for an upgrade. It's an investment that will pay off over time.

Image used under a CC license. Credit: Pero Kvrzica.

When Should You Upgrade Your Joomla 1.5 Site

Rails: end of the line

According to W3Techs, as of the beginning of July 2013, 63% of all Joomla sites are running version 1.x. Of these, some 92% are running version 1.5. That works out to a rather large 58% of all Joomla sites running 1.5! The other 5% are mostly version 1.6 and 1.7. [Aside: if your site is one of those 5% please just upgrade now. It's not going to be that painful and you are a sitting duck for hackers. By "now" I mean stop reading this and go upgrade. Seriously.]

So why is the number so high? There is usually a long list of factors, and most of them are valid. Here are the ones I hear regularly:


Optimizing Web Crawlers for Shared Hosts

Spider image copyright Gio Diaz. Used under a CC-SA license.

Recently I've seen some of our shared servers getting bogged down when web crawlers start processing some large sites. What these sites have in common is that they have sections that need longer database queries to compose a page. For example, one of these sites has a large database for a directory.

From the hosting perspective, a slow shared server is a distressing prospect. It's fine if one site with inefficient queries takes longer to load, but it's not fine when that load affects other sites on the same server. It's pretty common for hosting companies (at least those few who monitor this sort of thing) to react by booting the problematic site, usually recommending a dedicated or virtual server in the process. But this can be impractical or grossly unfair. Why should a web site that has accumulated a large database of information but that has low overall traffic be forced into a much more expensive hosting plan just because of the way web crawlers work?


Joomla Security: Beware the Forgotten Installation

A sphere within a sphere; installations within installations

It's common practice for developers to put test or new development sites in a subdomain. Most hosting control panels, notably cPanel, default the root directory of the subdomain to a subdirectory of the main site, so if I was going to create a "test" subdomain, cPanel will suggest "/home/youracct/public_html/test" as the root directory (youracct is the name of your hosting account). The problem is that these test installations are soon forgotten and can become a major security risk.

Let's say your client — let's call them client.com — finally has the budget to get off the old Joomla 1.5 site you built years ago. You create a subdomain to hold that shiny new web site. Maybe you call it "new.client.com", or being a leading edge kind of person maybe it's "joomla31.client.com" (Joomla 3.1 will be here very shortly). If you use the default directory and don't password protect it, anyone can see the new site by accessing the subdirectory. Entering client.com/joomla31/ exposes the new site to the world. If you used "new" it's an easy guess. There's also a good chance that backups of your main site are now a lot bigger (you are backing up the site, right?) because they also include the new version.

You work away on your spanking new Joomla 3.1.0 site and a few weeks later it's ready for launch. If you have the site in a subdirectory, you make a backup there and restore the new site in the web root. Over time you update the new site, applying security updates, fixing a vulnerable extension... everything is running smoothly. Then, months later, despite thinking you've done everything right, the site is hacked! What happened?
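An added example, not from the original post or from Abivia, of the kind of audit a hosting admin can run to surface exactly these forgotten copies: it walks a web root, treats a configuration.php beside an administrator/ directory as a Joomla install, and flags any install sitting inside another install's tree. The demo layout at the bottom is constructed, and the helper names (find_joomla_installs, nested_installs) are hypothetical.

```shell
#!/bin/sh
# Hypothetical audit helper (not from the original post): list Joomla
# installations under a web root and flag the ones nested inside another
# install, which is exactly where a forgotten "joomla31/" test copy ends up.
# An install is recognised by a configuration.php sitting beside an
# administrator/ directory; paths are assumed to contain no whitespace.

# Print every Joomla install directory below $1, one per line, sorted.
find_joomla_installs() {
    find "$1" -type f -name configuration.php 2>/dev/null | while read -r cfg; do
        dir=$(dirname "$cfg")
        [ -d "$dir/administrator" ] && echo "$dir"
    done | sort
}

# Print only the installs that live inside another install's tree.
nested_installs() {
    installs=$(find_joomla_installs "$1")
    for d in $installs; do
        for other in $installs; do
            case "$d" in
                "$other"/*) echo "$d"; break ;;
            esac
        done
    done
}

# Constructed demo layout: a live site in public_html with a leftover
# joomla31/ test copy beneath it, plus an unrelated images/ directory.
# The temporary tree is left in place so the functions can be re-run on it.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/public_html/administrator" \
         "$demo_root/public_html/joomla31/administrator" \
         "$demo_root/public_html/images"
touch "$demo_root/public_html/configuration.php" \
      "$demo_root/public_html/joomla31/configuration.php"

echo "Joomla installs found:"
find_joomla_installs "$demo_root/public_html"
echo "Nested (probably forgotten) installs:"
nested_installs "$demo_root/public_html"
```

Point it at a real account's public_html and anything reported as nested is a candidate for deletion, password protection, or at least inclusion in the update schedule.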
