Joomla has had around 138 reported vulnerabilities since 2006 with a wide range of severities. While this is not uncommon for software of any sort, these issues do present a very real threat to Joomla users.
The particular vulnerabilities that may affect you depend on the version of Joomla you are using and any extensions or customizations you may have. However, it can be helpful to understand what types of threats you should be aware of.
Joomla Vulnerability Statistics
Joomla accounts for around 4.1% of the content management system market share and 2.5% of attacks on websites. These attacks are spread across a range of methods. You can see a rough breakdown of the types of attacks faced by Joomla sites based on information taken from CVE reports below:
Below are a few of the most severe vulnerabilities from the last few years. These vulnerabilities were exploited by hackers launching a wide range of attacks.
- CVE-2018-6376—an issue affecting v3.8.3 and lower that enables SQL injection due to faulty type casting in the Hathor post install message.
- CVE-2018-15882—an issue affecting v3.8.11 and lower which enabled .phar files to be uploaded to Joomla without going through the file upload filter. This vulnerability enables attackers to upload malware or reverse shells.
- CVE-2018-17856—an issue affecting v3.8.12 and lower that allows the execution of arbitrary code due to a misconfiguration of access control lists that enabled admin users to modify com_joomlaupdate.
- CVE-2019-10945—an issue affecting v3.9.4 and lower in which folder parameters are not properly sanitized by the Media Manager component. This vulnerability enables attackers to perform actions outside of the component’s root directory.
- CVE-2019-12765—an issue affecting v3.9.6 and lower in which CSV exports performed with com_actionslogs are vulnerable to CSV injection.
You can see a more complete list of Joomla vulnerabilities on the CVE details site.
Top Joomla Security Vulnerabilities and How to Resolve Them
Below are some of the top vulnerabilities affecting Joomla sites and how you can manage them.
1. Ignoring Joomla updates
Keeping your Joomla site up-to-date is the first step to ensuring that your data and users remain secure. This is especially important when you consider that most security issues faced by Joomla sites are public knowledge. If you do not address a vulnerability as soon as it is made public, you are inviting attackers to easily exploit vulnerabilities.
To reduce your risks, you should be applying patches and updating versions as soon as possible. This helps you ensure that known vulnerabilities are eliminated. It can also help you avoid zero day attacks. These attacks occur when an unknown vulnerability is exploited. While by definition patches are not available for these attacks, updates often include general security improvements that can help eliminate vulnerabilities before the issue is discovered by hackers.
2. Self-hosting
When self-hosting a site you are responsible for managing all of the security and maintenance that are provided if you host on Joomla.com or a third-party host. This includes managing your domain, servers, and Joomla updates. It also means correctly configuring, monitoring, and updating server software and operations.
If you are not prepared for these responsibilities you should consider an alternative to self-hosting. If this means going with a third-party hard, make sure you do due diligence in choosing a host that guarantees security and update services.
3. No security testing
It is extremely important to perform ongoing security testing of your Joomla website or web application, to identify security vulnerabilities. Application security tools such as Dynamic Application Security Testing (DAST) can hit your Joomla site with simulated malicious traffic, and see how it responds. They can quickly detect that your website is vulnerable to specific attacks, and give you instructions on how to remediate these vulnerabilities.
4. Legacy components
If your site has been running for a while you likely have some legacy files, code, or plugins that are no longer needed. Even if a component isn’t being used it can still present a security risk. This is particularly true if you forget that it’s there in the first place.
To avoid these risks, take time to periodically audit your site for unnecessary directories, files, extensions, users, staging directories, etc. Once you have an inventory, make a backup of your site. This way, if something goes wrong in your eliminations you can always restore and try again. Then, you can begin removing those components that are not in use. If you aren’t sure you can try removing items and then thoroughly test your site to ensure that all functionality remains.
5. Third party extensions
Third-party extensions are great for extending your site capabilities and adding features to your sites. However, not all extensions are created equally. If extensions are created with poor security practices, vulnerabilities are created. When you then use these extensions in your site, those vulnerabilities become yours as well.
Another issue is that extensions can be infected with malware or malicious code. This can happen because of the original developer or because an outside party modifies and rehosts the extension.
To avoid these issues, you need to carefully assess any extensions you're using and make sure to install extensions from the original source. You can check the Joomla Vulnerable Extensions List for an indication of which to avoid.
It’s also a good idea to test extensions you’re considering in a staging environment before including them in your live site. This enables you to test your site with the added functionality using tools like Joomlatools Vagrant box.
6. Weak credential practices
Weak or reused passwords are an invitation to hackers to take control of your site. To avoid this, make sure you are using secure passwords with a mixture of uppercase and lowercase letters, numbers, and special characters. You should also periodically change your password to ensure that even if hackers do have access, it isn’t persistent.
Additionally, make sure to change your username from the default “admin”. This makes it hard for attackers because they have to determine both parts of your credentials. You can also use plugins, such as Adminexile, to secure your administrative backend.
7. No backups
If you do not have any site backups you have no recovery plan. If something goes wrong, from a bad plugin to an attack, you may be stuck building your site from scratch. To avoid this, periodically create backups of your site and store those backups outside of your site directories.
For greater security, you can even take backups from multiple sources. For example, having your host back up your site in addition to creating backups manually or with the help of an extension.
8. File and directory permissions
Controlling file and directory permissions for your site helps you ensure that only authorized users or components are allowed to access your backend structures. It is especially important to carefully control write permissions since these can enable an attacker to modify your site at will.
In general, recommend secure permissions include:
- Directories set to 755—restricts write to owners and only allows read and execution by others.
- Files set to 644—restricts write to owners and only allows read by others.
- PHP set to 444—restricts any writes to the file and only allows read.
- No 777 permissions—if set, this enables anyone to write, read, or execute files.
9. Unencrypted communication
You should encrypt all communications on your site if possible. Running a site on HTTPS helps protect your information, your user’s information, and is preferred by Google rankings. To switch to HTTPS from HTTP, you need to set up SSL encryption. This means getting a signed certificate, for example from Let’s Encrypt, and installing it on your server.
After your certificate is installed you can test your SSL configuration using SSL Server Test. This can help you ensure that installed and configuration went smoothly and provide feedback for possible performance improvements.
Conclusion
Securing websites is a critical part of the viability of online sites. That means that work does not end when you set up and publish a site. You need to continually monitor your site, identify vulnerabilities, detect threats, and mitigate as needed. The tips provided in this article should be your starting point. There are many more security practices you can adopt, some of which are explained in the official Joomla! Security documentation.
Oldest comments (2)
While permissions of 755 and 644 are often mentioned, for web sites it is often better to use 750 and 640. Most web sites share a server with a number of others. Ideally, each site is run as a distinct user (for example by the use of PHP-FPM). It is best to prevent sites reading other sites, in case a site is compromised. With permissions of 755 and 644, the hacker can read every site's files. Use of 750 and 640 prevents this. It isn't the final answer to security - nothing is - but it is a positive step.
To ease the regular creation of LetsEncrypt wild card SSL certificates, I provide a helpful automation mechanism. This renews certificates automatically as they near expiry.