Joomla, Open Source CMS and Cyber-security

If you've a website then you’ll very likely use a CMS – Content Management System – to both populate your website with content (imagery, text, video,…) and (to a degree) apply maintenance.  

The three largest at present, in terms of user base are WordPress, Drupal and Joomla, all of which are based on the programming language, PHP.

Open source platforms versus paid license solutions are always attractive to companies looking to control their bottom line, but do they represent a significant saving? 

We have written about the broader issues of open source, Silence of the Squirrels platforms – of the three named above, Joomla best fits that description – and some of the potential pitfalls of relying upon them.  However, there are other matters beyond the survival of the platform itself, see Cautionary Web Tale of Unfolding Doom and Despair, Reputation Restored from a Backup, that demand your attention if your online presence rests upon Joomla.

Maintaining the ongoing security of your installation is paramount, and we will explain below the legal fallout of failing to do so.  Based on PHP, and relying on MySQL databases, Joomla is potentially ripe for hacking.  We published a series of Insights regarding PHP , How one of the Pillars of the Web might be about to fall down and why it is critical to any business to keep on top of this, but the combination of components that make up Joomla all present potential security problems.  There are some excellent resources to help you stay abreast of Joomla vulnerabilities as they arise and Joomla will do their best to stay ahead of any problems, but can you?

Open source software is popular because it often costs nothing, or relatively little, compared to proprietary offerings.  

That doesn’t mean that it is inherently poorer than paid-for solutions, far from it, but it does bring other headaches; primarily that of management, security and stability.  

While you may not pay for the platform per se, you will end up paying to have it managed and maintained.  Inspire support many clients for whom it is critical that they have a stable and secure online presence that continues to send enquiries and function.

Of course, it’s true that you can deploy and manage Joomla on your own, the question is: should you? 

The benefits are obvious:

• Immediate control over all web-based issues, no waiting for a third party to make the changes you want.
• Cost – the software cost little if anything and you are spending either your own time or the time of employees you already pay for to keep it in tip-top condition.

The drawbacks may be less apparent:

• What do you do when the changes do not work? And your online presence disappears?
• Are you or your staff capable of getting the best out of the platform?
• Do you have to spend money on training?  Are you employing someone to work solely on your website, are they upto date with the latest intricacies?  
• Do they have other duties and if so, how do they split their time?  Is that an efficient use of that resource?  
• Are you comfortable that your liabilities as a business owner are being fully addressed and protected?

Do you have the time to read through all the notifications and to decide which are actually important to your implementation or double check that you are fully up to date?

It might seem a little esoteric but ensuring the security of your website and data is critical – as a business owner you are directly responsible under DPA (Data Protection Act) 2017 and the GDPR (General Data Protection Regulations) for the security of any data you process.  

The member of staff charged with maintaining the site isn’t responsible in law, nor is a third-party agency tasked with the same task. 
 

The responsibility cannot be offloaded; it's yours.  

Are you confident that everything that needs to be done is being done?

While all three of the CMS mentioned have suffered from security flaws, the weaknesses found in Joomla can be judged to be serious especially when the combination of PHP (programming language) and MySQL (database) deployed are not monitored or fully patched. When not maintained criminals can target both Administrator (webmaster) privileges and the underlying MySQL database structures. These attacks most likely do not end in a vandalised website with graffiti but instead lead to data theft as they enable a malicious actor to eavesdrop or redirect your data to a different destination.  This is a major headache for your Data Controller.
 

Who is this "Controller"?

The Data Protection Act 2017 defines a controller as 
"… the person that decides how and why to collect and use the data. This will usually be an organisation but can be an individual (e.g. a sole trader). If you are an employee acting on behalf of your employer, the employer would be the controller. The controller must make sure that the processing of that data complies with data protection law".

Even if you outsource your web hosting and management, your responsibilities in law are unchanged.  

Does your outsource partner keep fully up to date with developments and patches?  

Do they understand the sometimes-critical importance of keeping PHP up to date as well?  

These are questions that need to be asked more than once. Indeed relying on the idea that if there is a breach which is down to a technical error or omission, that you bear no accountability for is false.  Yes you have passed the responsibility to the 3rd Party, but thinking this is now someone else’s problem and up to them to fix is not a legal loophole/

Your legal accountability is unchanged and if the breach is sufficiently large or important that the Information Commissioners Office (ICO) becomes involved “It wasn’t me” is simply no defence.

Should all of this affect your decision to deploy open source software?  

It's a cost-benefit question: does the benefit of deploying open-source software, either managed or in-house, override the potential pitfalls and liabilities?  

If the answer is no, or if you aren’t sure, it may be a good time to re-assess your CMS deployment.  As the data controller, you need to ensure your organisation’s compliance with both the Data Protection Act 2017 and the underlying GDPR.  The work to ensure adherence to the law will be ongoing if only because the application – Joomla – and the underlying platform – PHP – will both evolve continuously.

Inspire wrote a series of articles about the substantial issues surrounding PHP last year in the lead up to the retirement, (deprecation) of PHP 5.5 and 5.6. 

A year later this issue is still very prevalent and it’s well worth looking at again to understand the importance of your PHP version on your web deployment.

Taking care of business.

What can you do?  

Like so many potential problems of this nature, management of resources is key.  If you keep everything in house you need to be sure that the department or individual is keeping on top of any issues that might affect you.  You need to ensure that they are properly resourced.  If outsourced, then you are less concerned with the resourcing, but the questions remain – are they fully on top of everything at all times?

At Inspire we take a proactive approach

At Inspire we take our clients online presence very seriously.  

We make it our business to understand the complex inter-relationships that exist in a seemingly straightforward deployment.  This knowledge allows us to not only advise on the best way to achieve maximum return on your investment in terms of response and flexibility but also to reassure you that we are constantly monitoring all relevant sub-systems, keeping you and your systems safe.  

Not all web providers are the same and we pride ourselves on being different.  

If you have any concerns or just want to see what the best looks like, contact us for a free consultation.