Security issues with Joomla extensions

Joomla is a very popular content management system that is heavily used around the world. Extensions let you add functionality to a Joomla website, but they can also pose a security risk.

If you own a Joomla website you might want to add certain functionality to your website such as offering a shop, including a newsletter or showing some pictures in a photo gallery. Joomla is very modular and allows you to install extensions on your website to include additional functionality.

However, every extension that you install on your website potentially increases its attack surface. In the worst case you install an extension that has a vulnerability. If someone exploits it, your site gets hacked, data could be leaked and your site could become a threat to its visitors.

There are a couple of rules to follow when installing Joomla extensions on your website: You should not only keep your Joomla core up to date and properly configured, you should also review the installed Joomla extensions from time to time. Remove unused extensions, use the latest releases of Joomla extensions and consider switching to a different extension if the extension developer no longer provides maintenance.

Use latest releases and proper configuration

You should use properly maintained versions not only of the Joomla core but also of Joomla extensions: Don't use old extensions or extensions that are not maintained anymore. Update your Joomla extensions regularly, especially when security vulnerabilities are fixed. You should monitor your Joomla extensions and check for updates from time to time. If a Joomla extension offers configuration options, you should also review those from a security perspective.

Use trustworthy Joomla extensions only

The question arises which Joomla extensions you can trust and from which sources you should install extensions. I would always encourage you to check the release history of a Joomla extension to get some understanding of how actively it is developed. It is also worth checking the developer of the extension in more detail: How does the development team respond to security concerns? Was there a security issue in the past already, and how was it handled by the developer?

If you have some knowledge of PHP you might be able to quickly check through the code and see if the extension follows best practices. To give an example: There is always the risk of SQL injection, so it is worth checking how the extension accesses the database and whether user input is properly checked and sanitized before it reaches a query.
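As an added example (not code from the original post or from any particular extension), this is the kind of database access a reviewer should look for in a Joomla extension: the raw string-concatenation pattern to flag, beside the Joomla 4/5 database API with typed input and bound parameters. The table name `#__gallery_items` and the function names are assumptions made up for the illustration.

```php
<?php
// Added review example for a hypothetical Joomla 4/5 gallery extension.
use Joomla\CMS\Factory;
use Joomla\Database\DatabaseInterface;
use Joomla\Database\ParameterType;

// Pattern to flag in a code review: an unfiltered request value concatenated
// straight into the SQL string. Shown commented out; never ship this.
// $raw = $app->getInput()->getString('id');
// $db->setQuery("SELECT title FROM #__gallery_items WHERE id = " . $raw);

// Safe lookup by primary key: the caller passes an int obtained through the
// typed input filter, and the value is bound as a parameter, not interpolated.
function loadGalleryTitle(int $id): ?string
{
    $db    = Factory::getContainer()->get(DatabaseInterface::class);
    $query = $db->getQuery(true)
        ->select($db->quoteName('title'))
        ->from($db->quoteName('#__gallery_items'))
        ->where($db->quoteName('id') . ' = :id')
        ->bind(':id', $id, ParameterType::INTEGER);

    $db->setQuery($query);
    $result = $db->loadResult();

    return $result === null ? null : (string) $result;
}

// Safe free-text search: the value is still bound, and escape() with the
// second argument set to true also escapes the LIKE wildcards % and _ so a
// user cannot widen the match with their own wildcards.
function searchGalleryTitles(string $search): array
{
    $db      = Factory::getContainer()->get(DatabaseInterface::class);
    $pattern = '%' . $db->escape($search, true) . '%';
    $query   = $db->getQuery(true)
        ->select($db->quoteName('title'))
        ->from($db->quoteName('#__gallery_items'))
        ->where($db->quoteName('title') . ' LIKE :search')
        ->bind(':search', $pattern, ParameterType::STRING);

    $db->setQuery($query);

    return $db->loadColumn() ?: [];
}

// Usage inside a component: getInt() turns non-numeric input into the default,
// so a crafted id never reaches the query as anything but an integer.
$input  = Factory::getApplication()->getInput();
$title  = loadGalleryTitle($input->getInt('id', 0));
$titles = searchGalleryTitles($input->getString('q', ''));
```

When reviewing an extension, grep for `setQuery(` calls that receive a concatenated string and for request values read with `getString()` or `getRaw()` that are not filtered before use; those are the spots to inspect first.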

Remove unused Joomla extensions

From time to time you should review the extensions that are installed on your Joomla website and check if they are still needed. Every extension that you install on your website can be considered a security risk. By having tons of unused extensions on your site you increase the attack surface for a hacker.

There are various reasons for having unused Joomla extensions on your site: Sometimes website owners install several extensions to try them out and see which one fits their use case best. It is also possible that extensions were installed for a certain functionality that was later dropped from the site.

Either way, you should regularly go through the Joomla extensions on your website and check whether each component, module or plugin is still needed. If you find an extension that is no longer required, simply uninstall it. The fewer extensions you have on your site, the less there is to worry about.

Replace Joomla extensions

Change is always happening, and the Joomla ecosystem is no exception. New extensions appear and support for other extensions is discontinued. From time to time you may face situations where it pays off to migrate from one Joomla extension to another to keep your code up to date and reduce security risks.

Unfortunately this might mean that you need to migrate data from one Joomla extension to another, which can involve some manual work. You might also need a custom script to handle the migration.

Do you need help with securing your Joomla installation? Please do not hesitate to contact us!