It used to be that we could go months, and potentially even more than a year with out a serious security issue on any of the Joomla sites we manage. But those days have changed ... or have they?
What's been happening
Years ago there were times when there were security concerns within the core Joomla CMS system. What is happening now is not related to the core, but to many of the popular 3rd-party extensions that many of us rely upon for day-to-day functionality beyond what the core offers.
In just the past few weeks we've seen security issue with extensions like these:
- SP Page Builder
- Helix (Template framework)
- DP Calendar
- Phoca Download
- RS Files
- JCE Editor (multiple issues)
- PageBuilder CK
- eDocman
- Event Booking
And those are just the more common extensions that have needed patching, with one of these being actively compromised in the wild.
And if you know Joomla extensions well, you will notice that many of these are extensions that are used on a good majority of Joomla sites. So the issue are effecting large groups of Joomla sites, not just a few sites here and there. And you'll likely see lots of posts on forums where Joomla site managers hang out commenting on how much time they have spent just managing all these security issues in the past few weeks.
In many cases, the vulnerabilities have been identified before they have been exploited. The developers have released a patch, and no harm has been done. But for some (like JCE) there are widespread reports of compromised sites because the extension wasn't updated before it got compromised.
Why is this happening?
First, the responsibility for secure code must be placed on the developers of the code. It is somewhat easy to write a Joomla component, plugin or module. However, it is even easier to write one that is not secure. It requires intentionality when creating any custom Joomla code to make sure that it is secure. Joomla gives you lots of tools and examples, but the developer has to make sure it is secure before shipping.
Second, the responsibility then shifts to the person managing the Joomla site. Even when developers are intentional at securing their custom code, there are times that things can still slip through. When this happens, and the responsible developer releases a security update, it does no good if the site manager doesn't install that update. Too many times Joomla sites are created as 'set and forget' by business owners or less experienced web designers. You can't blame the developer if they released a fix for a problem that you didn't implement.
The bottom line is that it takes both the developer and the site manager to ensure that everything is secure, and stays secure.
How can you be sure your site is always secure?
The reality, especially over the past few weeks, is that if you are not well-versed in Joomla, or are actively monitoring both your web site/s and the ever changing security updates for every extension you have installed, you can't keep it secure. And if you are someone who just checks your web site/s every week or less frequently, you are most likely going to get hacked, and more likely sooner than later at this point.
There are a number of different tools and services out there that will help you with this process. These can help you keep updated on changes and do some form of mitigation when security issues come up. However, there is still no real good 3rd-party 'service' that will actually fully manage your web site. For that you either need to become a Joomla guru on your own, or hire that out - to an employee that you pay to get trained, or to a company that provides these services.
We can handle this for you
We've been managing Joomla sites for over 20 years. We work with some of the top tools and services in the industry, but we also have direct knowledge and experience in helping to keep Joomla sites secure and functioning amid all the security vulnerabilities.
We monitor your site 24/7/365 to make sure it remains up-and-running, and we can make sure that updates are made when critical vulnerabilities happen. We can even help you if your site has already been hit with one of these vulnerabilities.
And we not only keep your site running, we can create custom secure components when you need custom functionality on your site, or update the look and feel of the site if it has become a bit outdated.
Let's talk about getting and keeping your site secured !
Schedule a free phone call so that we can talk about your site and any questions you might have about the process.
But do it now, BEFORE your site gets hacked (or hacked even worse than it already is).
