ssnobben

Joomla a 92% insecure CMS application?

I saw this article on a WordPress blog from one of the core devs there, http://www.andrewnacin.com/, where he makes a reference to an article from the company Qualys and their BlindElephant test about security and a comparison of different open source CMSs, among them Joomla, WordPress and Drupal (92%, 4%, 70%).

Any comments on this one?

This week at Black Hat conference in Las Vegas, security company Qualys presented and released BlindElephant, a utility that scans web sites for insecure web applications. Their research identified that 70 percent of sites running Drupal are affected by critical vulnerabilities, and that the statistics only get worse for Joomla (92%), MediaWiki (95%), phpBB (100%).

I received a press release about BlindElephant earlier this week. At the time, I didn’t think much of it. It surely would have gotten my attention, however, had it included their WordPress statistic — 4 percent. (What did catch my attention was this IDG article.)

The application, the source for which Qualys released, isn't about identifying critical vulnerabilities; it's about identifying the versions of software that websites run. They made their own determinations which versions had "critical vulnerabilities." Check out their slides and white paper, both packed with great information and statistics.

Tags: BlindElephant, Joomla, compare, insecure, test
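The quoted paragraph makes the point that matters for reading the 92% figure: a fingerprinting scanner only establishes which version a site runs, and "this version has a critical vulnerability" is a separate judgement layered on top. The Python below is an added example written for this page; it is not BlindElephant's code and not Qualys' or Andrew Nacin's. The release table, file contents, version numbers and the "critical" flags are all constructed for the demo and do not describe real Joomla releases. It shows the two steps separately, and two things the headline statistic cannot see: a customised or missing static file only makes the guess less precise, and a fix applied server-side without touching any fingerprinted file leaves the verdict unchanged.

```python
import hashlib
from collections import defaultdict

# --- Constructed release corpus (NOT a real Joomla changelog) ---------------
# Stand-in for the static files shipped in each release tarball; a real tool
# hashes every static file of every released version offline.
RELEASES = {
    "1.5.14": {
        "/media/system/js/mootools.js": "mootools-1.12",
        "/templates/system/css/system.css": "system-css-a",
        "/administrator/templates/khepri/css/general.css": "khepri-1",
        "/language/en-GB/en-GB.ini": "lang-1.5.14",
    },
    "1.5.15": {
        "/media/system/js/mootools.js": "mootools-1.12",
        "/templates/system/css/system.css": "system-css-a",
        "/administrator/templates/khepri/css/general.css": "khepri-1",
        "/language/en-GB/en-GB.ini": "lang-1.5.15",
    },
    "1.5.20": {
        "/media/system/js/mootools.js": "mootools-1.12",
        "/templates/system/css/system.css": "system-css-b",
        "/administrator/templates/khepri/css/general.css": "khepri-2",
        "/language/en-GB/en-GB.ini": "lang-1.5.20",
    },
}

# Step 2 data: which versions the tool author decided carry a critical
# vulnerability. Constructed here; it is a human judgement, not something
# the fingerprint itself can tell you.
CRITICAL = {"1.5.14": True, "1.5.15": True, "1.5.20": False}


def sha1(data: str) -> str:
    return hashlib.sha1(data.encode()).hexdigest()


def build_fingerprints(releases):
    """path -> {sha1(content) -> set of versions that shipped exactly that file}."""
    table = defaultdict(lambda: defaultdict(set))
    for version, files in releases.items():
        for path, content in files.items():
            table[path][sha1(content)].add(version)
    return table


FINGERPRINTS = build_fingerprints(RELEASES)


def identify(fetch, fingerprints=FINGERPRINTS):
    """Step 1: narrow the candidate versions by intersecting over static files.

    fetch(path) returns the file body, or None for a 404. A file whose hash
    matches a known release restricts candidates to the versions shipping that
    exact file; a file that is missing or matches nothing (customised, unknown)
    is ignored rather than treated as evidence. Returns (versions, files_used).
    """
    candidates = None
    used = 0
    for path, hashes in fingerprints.items():
        body = fetch(path)
        if body is None:
            continue
        versions = hashes.get(sha1(body))
        if versions is None:
            continue
        used += 1
        candidates = set(versions) if candidates is None else candidates & versions
    return (sorted(candidates) if candidates else []), used


def assess(candidates, critical=CRITICAL):
    """Step 2: map candidate versions to a verdict; ambiguity is reported, not hidden."""
    if not candidates:
        return "unknown"
    flags = {critical.get(v) for v in candidates}
    if flags == {True}:
        return "critical"
    if flags == {False}:
        return "not-flagged"
    return "ambiguous"  # candidates disagree: the fingerprint is not precise enough


def make_site(files):
    """Stand-in for an HTTP client: a dict of path -> body, None on 404."""
    return lambda path: files.get(path)


if __name__ == "__main__":
    # A site on the constructed "1.5.15" whose PHP was patched out of band:
    # no static file changed, so the scanner still reports "critical".
    site = make_site(RELEASES["1.5.15"])
    versions, used = identify(site)
    print(versions, used, assess(versions))
```

Both verdict tables are inputs, so swapping `CRITICAL` for a different analyst's list changes the percentage without a single site changing; that is the sense in which the quoted post calls the determination Qualys' own.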

Comment by ssnobben on August 11, 2010 at 4:02am
Spot on, Nicholas. That's what this is about!

Joomla should have this automatic update system for its core and 3PDs that could be taken care of from Rochen servers. Joomla has to be careful about the rumour of it being a secure or insecure CMS, don't we all think so?
Comment by Arunas Mazeika on August 11, 2010 at 6:41am
I agree with you, Nicholas. A simple procedure like clicking a button to upgrade is more likely to convince users to go ahead and do it.

Most of the time, I think that people are afraid to just "break their sites" by proceeding with a "manual" upgrade; they are afraid to do something wrong, and besides, in their minds they say to themselves: the site is working flawlessly anyway!

Even me, I'm a little reluctant about upgrades (not security ones, of course!), since I think every one of us has had a bad experience while upgrading something in the past :).

Not everybody understands or is informed about what the consequences of not applying security patches are, and most importantly, not everybody is looking for them, so you need to "rub an update message in their face" as Nicholas just said.
Comment by Brian "Sully" Sullivan on August 15, 2010 at 8:57pm
This is the kind of bothersome statistic I wish the PLT would take more seriously. Yes, it's based on a tendentious model. Yes, if you keep Joomla! up-to-date you can virtually eliminate core front-end vulnerabilities. Yes, if you check the VEL and use only reputable extensions you can eliminate most of the rest. And yes, if you take the ordinary precautions to frustrate a hacker, they'll move on.

But on Brian's blog I've seen our lead programmer argue that there's no value in randomizing the default user id for SuperAdministrators. And I used Joomla! for three years before I stumbled upon Sam Moffat's update component. And the install script hides the option to change the database prefix and even assuming you do discover it, it doesn't explain how or why it ought not be jos_.

I have to sell Joomla! to my customers. I have to convince them it's secure, stable, well-supported and capable of meeting their needs. And my competitors constantly claim Joomla! is inherently insecure. Here's an excerpt of an email from a developer to a prospective client of mine whose Joomla! 1.0.x site had been hacked and needed migration & security:

"Sorry to get this to you just before your vacation, I just saw this email now. I have actually been pretty busy with the job market this past week and have had almost no time to respond to email. You should be fine in the meantime, but I would definitely send this error on to whoever "secured" your site. Whoever is doing your development, I would see if they can move you to the newest version of Joomla (1.5) or to a more secure platform overall such as Wordpress or Drupal."

I did not get the job.

Never mind that the developer is obviously ridiculously uninformed. The fact is I have to sell against stupid statistics like this every day, and until the Joomla! user experience emphasizes security and makes it super-easy for the non-professional to minimize common attack vector threats, I am fighting an uphill battle. As are you, if you're in a market like mine (Washington, DC) which is dominated by Drupal. We have got to make Joomla! more idiot-proof so we can make a better living.
Comment by ssnobben on August 16, 2010 at 2:57am
Thanks, Brian, for putting words to these real-world problems and the implications of what it means for Joomla.

This is what it is all about: trust, long term.

It's very difficult to stop this statement once you've got it. It's like that in my country: they laugh at Joomla because of its security standards, and that's because Joomla sites have been hacked here. = 90% closed market

And I think this is a common story about how it is for many web site developers who are not "core" skilled developers or super experienced web gurus and long-term Joomla experts: how to set up and update your web site.

You have to fight alone against many of these conditions that are spreading these Joomla insecure rumours. That is very hard to argue against if you don't also have support from a Joomla update system that can show how Joomla really is taking care of and helping with these updates quickly.

@Jacques Rentzke
A better question would be why a large % of Joomla and Drupal web sites don't get updated.

Agree. But why don't web sites get updated, so it can better stop these rumours and make all Joomla users happier then?

A better question is: what can we do to make it easier and automatically secure to update Joomla for them? Updating the core automatically from the back-end is one obvious core dev task to solve, isn't it?

Shouldn't that be obligatory? It doesn't take a Nobel prize to understand that and make it the number 1 priority after 5 years of development.
Comment by ssnobben on August 16, 2010 at 3:16am
Here is a blog that rants about Joomla security all the time in his Drupal comments (Sweden): http://www.mkse.com/category/cms/joomla-cms/

Comment by Jo Snow on August 16, 2010 at 6:53am
Congrats... This post is #4 on Google for the search term "Joomla insecure".

Putting aside whether Joomla is secure or not - this blog title is a wonderful advertisement for Wordpress or Drupal.


Good job nobody here relies on Joomla for a living (sarcasm).

Just as many users don't bother to update Joomla - they won't bother to read all these comments - end result - even if Joomla is relatively secure - many people won't get past the title.

Sort of reminds me of one of the Joomla Gods who recently had a post titled Top Ten Joomla Extensions- of course the article had nothing to do with this - he was just desperate for the hits.

Now in that situation it didn't create any harm (he never had any credibility anyway :joke:), but this Mac-fanboy-like title certainly could.

I am not suggesting this was your intent....and maybe I'm just being an old grouch - but if we are going to seriously discuss controversial topics about our CMS, we don't need inflammatory headlines to initiate the conversation.

(Side note: who in their right mind would update within the first week of release? Well, me... twice since 15, and boy did I pay for that. Now I wait at least 10 days.

If ever there is an automated option I will turn it off, at least until I am confident that these updates are tested before being released in the wild.)
Comment by ssnobben on August 16, 2010 at 7:44am
The attention is good, even if not everyone understands the importance and the correlation of updating Joomla to the latest version and the security issues related to older Joomla versions.

If you are not confident that these updates are tested, when will you ever update then? Don't you trust them? I do, and they are working well, but there should be an update system so all Joomla web site owners can more easily make those updates frequently, automatically or by pushing an update button in the back-end. There are already 3PDs that do this, so why can't we do the same with the Joomla core?
Comment by Brian "Sully" Sullivan on August 16, 2010 at 8:48am
If this article is now high on the list for "joomla insecure" that's great, because it points out that Joomla! isn't insecure and Joomla! professionals would like to improve the ability of non-professionals to easily secure Joomla!. I'll bet it says things more positively and accurately than the other three ahead of it.
Comment by Jo Snow on August 16, 2010 at 3:30pm
@ Brian

Number 1 on that search proves that these types of headlines aren't necessary.

@Nick

That's my whole and only point... Most people do not read the whole article... Now whether they are prejudiced or morons is your call.

Probably like those morons or prejudiced people that don't install an extension because of reviews by a couple of idiots who didn't bother to read the install notes.

Not sure what your point is about Google and the hell of a lot of many, but the ranking has absolutely no bearing on its usefulness. (Remember I am talking specifically about the headline.)

One thing I know, having read many of your articles, is that you make an effort to be accurate, and even when you're conveying intense enthusiasm you manage to do so without these types of headlines or statements.

I love both your work and Joomla (hmm, sometimes I really hate Joomla). As for free speech, I never attempted to prohibit it; rather, to point out, in the fashion of the headline, my exasperation with all these numbnut cries for attention.

As for ssnobben, I've seen and interacted with him on many different forums; in my book he's a great guy. (In fact I friended him a few days ago.)

This was not supposed to be personal....just a rant against inane headlines.
Comment by ssnobben on August 17, 2010 at 1:18am
"...it points out that Joomla! isn't insecure and Joomla! professionals would like to improve the ability of non-professionals to easily secure Joomla!"

Exactly. That's how I look at it. Brian and I understand each other. Bless you! lol

If you are not a Joomla professional yourself, hire someone who can take care of it.

It's not Joomla itself that is insecure, it's the people who are in control of updating to the new Joomla versions that are the problem.

The question is how we can help non-professionals to make it easy and fast to secure Joomla, so Joomla itself doesn't get these stupid rumours.

I have had tons of attacks on my Joomla site during 4-5 years and got one problem during these years that was my own fault.

© 2012   Created by Amy Stephen.