1. Set the right file and folder permissions according to the Joomla guide:

Once your site is configured and stable, write-protect critical directories and files by changing directory permissions to 755, and file permissions to 644. There is a feature in Site –> Global Configuration –> Server to set all folder and file permissions at once. Test third party extensions afterwards, and carefully review the code of any extension that has trouble with such settings. Note: Depending on your server’s permissions, you may need to temporarily reset to more open permissions when installing more extensions with the Joomla! installer.

2. Think twice before installing an extension – do you really need it? Most security vulnerabilities come from third party extensions. Especially ones that are pre-release or ones that have not been updated lately.
3. Upgrade to the latest stable version of Joomla. The core team is hard at work for the community partly addressing security bugs and issues found. If you run a site based on an old version of Joomla – you are at risk because the security issues are well documented and available for anyone by exploring the tracker.
4. Change your admin username. Very basic security tip that is recommended for almost every server out there.
5. Avoid shared servers. Virtual hosting is great if you are not in a position to afford a VPS or a full dedicated server, but it is not secure.
6. Protect your DB. Use a user other than the root, and do not allow connections from outside the machine. Even better, block the MySQL port completely.
7. Use an SSL. Simple, when you login and submit your username and password without an SSL, the information is not encrypted between you and the server. Potentially dangerous for packet sniffing exploits or in todays world, if you decide to work from a WiFi/Hot Spot.
8. Separate your development from the production server. Avoid unclean code or left overs that may leave a back door.

9. Remove unnecessary files from the site: remove the XML RPC server part of Joomla if you are not planning on using it. This service allows desktop applications to post directly to the site. Essentially providing access via this protocol. And if you just moved the site from another server delete the zipped files, since they contain your passwords in an unencrypted form!

10. Monitor the logs for hack attempts. Who is trying to login to the administrator section when I was eating my turkey? you get the idea…

Related Posts

• December 7, 2008 -- A list of CMS and eCommerce systems that officially support jQuery (2)
• September 5, 2008 -- Joomla vs Ektron (2)
• March 25, 2009 -- Tightening up iptables for a dedicated DB server (MySQL and CentOS) (1)
• January 7, 2009 -- 2009, the year of Open Source Software (0)
• December 4, 2008 -- Can Magento and Typo3 be integrated? Yes, with TypoGento (0)
• October 29, 2008 -- Is Magento Commerce the new Joomla? (1)
• August 19, 2008 -- Hack attempt: SQL Injection Tagreting MS SQL Servers (0)
• August 19, 2008 -- 5 Missing Features Preventing Joomla! CMS from Entering the Enterprise CMS Market (3)

Joomla vs Ektron

Thoughts?

Related Posts

• December 7, 2008 -- A list of CMS and eCommerce systems that officially support jQuery (2)
• July 30, 2008 -- Ektron: Clarification on User Controls vs API (0)
• January 7, 2009 -- 2009, the year of Open Source Software (0)
• December 3, 2008 -- Securing Joomla! CMS based sites (0)
• October 6, 2008 -- Ektron CMS400 7.0 issues with .NET Framework 3.5 SP1 (2)
• July 16, 2009 -- Speed Optimized Websites Rank Higher with Search Engines (0)
• December 4, 2008 -- Can Magento and Typo3 be integrated? Yes, with TypoGento (0)
• November 30, 2008 -- CentOS for Linux Servers: a cut above (0)
• November 3, 2008 -- jQuery Emerges as Most Popular Javascript Library for Web Development (2)
• October 31, 2008 -- How to Use Mod_Rewrite to Set a Canonical URL (0)

You’ll love Joomla! CMS because it is a great open source and free CMS with lots of features, stable releases, and it comes with a huge supporting community. Don’t get us wrong, we love Joomla CMS too and truly believe that this open source application is a big head start for any content based website. But since we used Joomla on many advanced Web 2.0 websites, we have found its limits, and sometimes struggled with those limits to a point of considering other systems or even using a framework instead. Let’s look closer at the missing features:

1. Directory or node base category structure

This is one of the biggest pain points with using Joomla or trying to explain how to use Joomla to new users. Joomla places all content items within sections and categories. Before Joomla 1.5, all content items were required to be in one of these sections and categories. In other words, the system was limited to a two level categorization and the categorization was enforced. In Joomla 1.5, it is not a requirement, however, if you wish to categorize the content items you must use this archaic system.

So, what’s missing? It needs a node based categorization. Similar to any folder structure out there in any operating system. You can create folders with content items in them and you have a nice flexible and fully comprehensible system. No more workarounds. This will then boost the use of any dynamic plugins that can rely on the folder structure for certain features. A great example is a News & Events section that is needed for almost every serious website: with flexible node system you can create a news folder and an events folder and place your articles there. If in the future you wish to add sub categories to your news – no problem! (with the current and the old system – you’ll have to rethink once you get to a certain depth level).

2. A Real Authorship Path and Publication Mechanism

Yes, it is true that users have multiple levels right out of the box in Joomla. But it lacks any sort of a mechanism that controls the workflow of the content item. Ideally, you will have one user that will add new content items and another that will have to approve before it goes live in a specific section. The publisher user will have the rights to publish only in his/her sections, etc. This is a basic feature in many enterprise content management systems.

3. Content Articles Versioning

In Joomla, once you made the change and hit that save button – there is no way to go back in time and undo your changes. Ideally, Joomla will save every instance of the content item and keep track of its versions. How it does it is not important, whether it uses SVN like versioning which efficiently saves only the diff values, or if it actually saves the entire content item every time a revision is made does not matter. The feature that is missing is the versioning itself.

4. Built In Separation Between ‘Live’ and ‘Staging’ Environments

For businesses that value their websites and understand the sensitivity of them, we always recommend setting up a staging environment. This is where all users, developers, and designers can see the latest revisions before it goes live. It provides another stage of error handling instead of working a fire drill on a regular basis. Many enterprise content management systems have this option as a built-in mechanism. From the same admin panel or work area, the admin presses a button and the latest version of the site is then ‘pushed’ live. We currently have linux scripts that do the job but there is no way for a non-developer to handle this case. Ideally, this needs to be from the admin panel of Joomla.

5. Document Management System (File Manager)

So, we all know that Joomla’s File Manager or ‘Media’ manager is a bit lacking. It has the basic functionality that assists with uploading files, moving, deleting them – but that’s it. A DMS (Document Management System) allows each user to manage their own document area, which in turn allows better handling of uploading and using files with drag and drop controls, and improved management interface for admins that can more easily handle large amount of folders and files.

Conclusion

Joomla CMS is a great open source CMS, no doubt. However, if the above five missing features are added, it will make it easier for us to be able to offer this CMS to the enterprise. For now, the commercial CMS spectrum is what we got to work with for enterprise level content management systems.

Related Posts

• December 3, 2008 -- Securing Joomla! CMS based sites (0)
• September 5, 2008 -- Joomla vs Ektron (2)