abrodski — 2012-10-19T21:06:29-04:00 — #1
My question is this:
How secure, in general, is Joomla 2.5.7 IF a Joomla admin took all the necessary measures to protect his site? After all, there's also a server where Joomla physically resides (i.e. hosting). Well, my hosting is one of the best for Joomla, but still... God knows what happens behind the curtain.
To put it simply, without paying a hacker to try to break into the site, is there a way to make sure it's safe?
I'm not talking about FBI or some wunderkind hackers here (those would surely crack any site), I'm asking about an average hacker (though not just some kid who only pretends to know all about hacking).
I'm aware of cloud services like what Qualys and the like offer.
Last, but not least... I'm not asking the general public about their personal opinions (they vary), but only those who know the subject well enough.
P.S. Almost forgot...Hosting environment vs. self-hosting at home, security-wise?
dklynn — 2012-10-20T04:54:28-04:00 — #2
Joomla 3 is the current version but they're still supporting some version of Joomla 2 (I'll leave that to you to check out). You also need to use VERY strong passwords (http://strongpasswordgenerator.com) to protect your admin directory.
I have a client who insisted on using Joomla (via another webmaster) so I secured Joomla-specialized hosting for him (apparently it uses more memory or CPU or ... whatever) and he got hacked (I'm sure he updated his Joomla installation). Apparently there was no malware installed but I recommended that he delete EVERYTHING and reinstall the latest version. After confirming that a maldet scan had detected no malware, I informed my client that, under normal circumstances, I would have terminated his account for failure to keep the CMS up to date because that is a major security concern to ALL accounts on the server.
No need for a wunderkind, all that's needed is a "script kiddie" who knows where to look for the latest exploits - your site could be dead in a mere matter of hours after release of an exploit.
All the more reason NOT to host at home! You cannot monitor 24/7/365¼ and, even if you could, you don't have the tools to monitor, block and repair the destruction wrought by any hacker, script kiddie or otherwise. Leave that to the professionals! I am so serious about this point that I won't even manage my own dedicated server - I leave that to the professional team at WebHostingBuzz!
eastcoast — 2012-10-21T13:58:57-04:00 — #3
My primary tip with regards to security and joomla .. is don't use joomla
(it has more exploits than pretty much all other cms combined)
If you must use it, put .htaccess authentication on the admin directory, install in a non-default path, lock down file read/write access permissions as strict as you can, reduce the amount of plugins you use, sign up for security alerts for joomla and any plugins you do use, keep it up to date, avoid shared hosting, avoid free themes unless you are 100% certain of the provenance. Read this and apply everything in there: http://docs.joomla.org/Security_Checklist/Joomla!_Setup
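Two items from the list above, HTTP authentication on the admin directory and strict file permissions, can be checked mechanically. The following is an added example, not part of the original thread. It assumes Joomla's default `administrator` directory and `configuration.php` names and Apache-style `AuthType`/`Require` directives; the permission thresholds and the function name `audit_joomla` are assumptions chosen for illustration.

```shell
#!/bin/sh
# audit_joomla ROOT
# Prints one finding per line; prints nothing when every check passes.
# Hypothetical helper written for this example.
audit_joomla() {
    root=$1
    admin="$root/administrator"     # assumed default admin directory
    cfg="$root/configuration.php"   # holds database credentials

    # 1. The admin directory should carry its own HTTP authentication.
    if [ ! -f "$admin/.htaccess" ]; then
        echo "NOAUTH $admin: no .htaccess present"
    elif ! grep -qi '^[[:space:]]*AuthType' "$admin/.htaccess" ||
         ! grep -qi '^[[:space:]]*Require' "$admin/.htaccess"; then
        echo "NOAUTH $admin/.htaccess: AuthType or Require missing"
    fi

    # 2. configuration.php must not be writable by group or other
    #    (assumed threshold; read-only modes such as 444 pass).
    if [ -f "$cfg" ] &&
       [ -n "$(find "$cfg" \( -perm -020 -o -perm -002 \))" ]; then
        echo "CONFIG $cfg: writable by group or other"
    fi

    # 3. Nothing in the tree should be world-writable.
    find "$root" \( -type f -o -type d \) -perm -002 | sed 's/^/WORLDWRITE /'
}

# Run against a path given on the command line, if any.
if [ -n "${1:-}" ]; then
    audit_joomla "$1"
fi
```

Run it as the account that owns the site files; an empty result means all three checks passed, not that the site is free of other problems.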