SSL Labs ScoreHSTS Preloaded

Securing Joomla

Article Index

When looking at Joomla from a security standpoint, it is interesting to note that when included in a comparison of the top 3 CMS platforms - Joomla is the shining star! Before diving into the things that can make Joomla more secure, let's have a look at the market share of the top 3 platforms and the security vulnerabilities of those same 3 platforms for the past 6 years.

It's interesting to view these statistics and learn that the most popular CMS is the least secure. While making their platform more user friendly, they have also made it less secure. This target rich environment has become an infested swamp of hacked sites.

CMS Market Share

  • Wordpress: 58%
  • Joomla: 7%
  • Drupal: 4%

CMS Market Share from W3Techs

CVE Reported Vulnerabilities in 6 years

  • Wordpress: 136
  • Drupal: 103
  • Joomla: 88

CVE Vulnerabilities site

Looking at these numbers, it's clear that Wordpress is much less secure than both Joomla and Drupal. The reason for Wordpress popularity is 2 part - the platform is dead simple for site administrators and it is (optionally) a hosted platform, allowing people to have a website hosted by Wordpress in just a few minutes. In terms of features and flexibility, Joomla and Drupal both beat Wordpress hands down. In terms of security - Joomla beats both Drupal and Wordpress.

A personal anecdote: A few years ago, I was approached to build a website and a mobile app by a client. The app was much more important, so I completed that task first. When it came time to build the website, I was informed that an investor demanded that a particular developer build the site. I was disappointed, but there was little I could do. The new site was built on Wordpress and within a few months the site was hacked and sent out thousands of spam and virus emails. This hack caused their domain to be added to several spam RBLs (Realtime Black List) and severely impacted their business.

As I was not involved with the website, I have no information on how the site was hacked. I can only offer advise to those seeking a website and that's what this article is. The first piece of advise I'll offer - if you're going to hire someone, make sure they know what they're doing. Your website is an extension of your business and deserves as much attention to detail as the rest of your business.

I like this quote from former Connecticut Governor Jodi Rell:

At the end of the day, the goals are simple: safety and security.

Jodi Rell