Joomla Is Dead!

Posted by on Mar 14, 2018 in Web Security

This is a wake-up call for anyone who still has a Joomla website. Despite the fact that the severity of this latest vulnerability is rated “Low”, it is in fact an extremely severe issue.

See announcement of this vulnerability here. See OWASP description of SQL Injection here.

SQL Injection allows hackers into your database. As with most CMSs (content management systems), Joomla’s content is almost entirely in the database (the exceptions are media like images & video).

Once in your database, a hacker can steal and corrupt (or delete) all your data. But not only that. Hackers can often elevate their access to the next level, with the goal of obtaining “root” level access and limitless power.

Hackers can install malware on your website which can then cause nightmares for your visitors. It’s not inconceivable that you, as the website owner, could be held liable for damages, much like a grocery store that fails to clean up a spill quickly and causes a customer to fall.

What stands out to me about this particular vulnerability is that it has existed since 21 March 2016!* That’s right, as a Joomla user, you and your website’s visitors have been subjected to potentially awful problems for two years! And NOTHING has been done about it until now.

Think you’ve caught it in time? Think again! Malware may have been installed on your website months ago, without you noticing. It could be hurting you in search engines and ripping off your Joomla website visitors – without you or them ever noticing! (I can do a scan of your website to find any problems.)

How could such a basic threat as SQL Injection exist in a public domain CMS for two years, when supposedly hundreds of developer eyeballs scrutinize the code daily? Because there just aren’t nearly as many developers working on Joomla as before.

WordPress now powers about 1/3rd of all websites on the internet. Developers move where the action is. So now WordPress is getting the most development and Joomla, not so much.

If you’re still running a Joomla website, let this be a wake-up call! Call your developer and discuss things. If he or she seems to be wedded to Joomla, then talk to several other developers – and do it TODAY!

Or call me and I’ll save you money by converting your Joomla website to WordPress!

* Determination of 2 year span of vulnerability comes from aforementioned page dating this vulnerability from version 3.5.0 and their version history page showing that date as 21 March 2016.