Tag Archives: Joomla!

Defending Against the Ongoing Attack on Joomla! and WordPress

Be aware that there is a major attack underway aimed at WordPress and Joomla! websites. If you are having trouble accessing the admin system of your site, contact your web hosting company for support; they may have restricted access to the admin login to help blunt the attack. This would also be a good time to change and strengthen your passwords.

How secure is your admin access? One of the easiest changes you can make to boost security is to use a less common username for the admin system. The top five usernames being targeted by attackers are admin, test, administrator, Admin, and root. Do not use those names! Set up something unusual for your admin username, together with a solid password. Bear in mind that an unusual username only raises the attacker's cost; the password still has to stand on its own.

The other half of the puzzle: passwords. The most recent spate of attacks used automated password-guessing tools, and they are hard to escape, but not impossible. The bottom line: the longer the password the better, as long as it is not a single dictionary word. You can, however, combine words. For example, pinkcloudfishmask is a better password than 8jk#BB simply because it is longer. Gibberish is not automatically more secure than readable text, provided the readable string is not a single dictionary word or a well-known phrase. Note that guessing tools also try combinations of common words, so a passphrase gains its strength from the number of words and how unusual they are, not from readability alone. The top five passwords attempted in the most recent attacks against WordPress and Joomla! sites were admin, 123456, 111111, 666666, and 12345678. Please be smart and do not make your site vulnerable to password guessing.

You can learn more about the recent attacks aimed at WordPress and Joomla! websites at: http://securitywatch.pcmag.com/none/310350-wordpress-joomla-sites-under-brute-force-password-attack
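If your host has not already locked the admin login down, the quickest way to see whether your own site is being hit is to look at the web server log for bursts of POSTs to the Joomla! admin login (/administrator/index.php) or the WordPress login (/wp-login.php) from a single address. The script below is an added example, not code from the original post: it parses Apache combined-format log lines, counts login POSTs per client address within a sliding window, and also checks a chosen username and password against the top-five lists quoted above. The log lines, the threshold of five attempts per minute and the twelve-character minimum are constructed assumptions for the demonstration.

```python
"""Spot brute-force login bursts against Joomla!/WordPress admin endpoints
in Apache combined-format access logs. Added example with constructed data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Admin login endpoints of the two CMSs discussed above.
LOGIN_PATHS = ("/administrator/index.php", "/wp-login.php")

# The usernames and passwords the text reports as the most-targeted.
TARGETED_USERNAMES = {"admin", "test", "administrator", "Admin", "root"}
TARGETED_PASSWORDS = {"admin", "123456", "111111", "666666", "12345678"}

# Apache "combined" format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)


def parse_line(line):
    """Return (ip, timestamp, method, path) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # ignore the query string
    return m.group("ip"), ts, m.group("method"), path


def login_attempts(lines):
    """Group POSTs to the login endpoints by client IP; timestamps sorted per IP."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method == "POST" and path in LOGIN_PATHS:
            by_ip[ip].append(ts)
    for times in by_ip.values():
        times.sort()
    return by_ip


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak attempts seen in any `window`} for IPs at or above `threshold`."""
    flagged = {}
    for ip, times in login_attempts(lines).items():
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def credential_findings(username, password, min_length=12):
    """List the reasons a chosen admin username/password would fall to this campaign."""
    findings = []
    if username in TARGETED_USERNAMES:
        findings.append(f"username {username!r} is on the attackers' top-five list")
    if password in TARGETED_PASSWORDS:
        findings.append("password is on the attackers' top-five list")
    if len(password) < min_length:  # assumption: a twelve-character floor
        findings.append(f"password is shorter than {min_length} characters")
    return findings


# Constructed sample log: one address hammering the Joomla! login, one address
# with two spread-out WordPress attempts, one plain GET, and one junk line.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Apr/2013:10:00:01 +0000] "POST /administrator/index.php HTTP/1.1" 303 512',
    '203.0.113.5 - - [12/Apr/2013:10:00:02 +0000] "POST /administrator/index.php HTTP/1.1" 303 512',
    '203.0.113.5 - - [12/Apr/2013:10:00:03 +0000] "POST /administrator/index.php HTTP/1.1" 303 512',
    '203.0.113.5 - - [12/Apr/2013:10:00:04 +0000] "POST /administrator/index.php HTTP/1.1" 303 512',
    '203.0.113.5 - - [12/Apr/2013:10:00:05 +0000] "POST /administrator/index.php HTTP/1.1" 303 512',
    '203.0.113.5 - - [12/Apr/2013:10:00:06 +0000] "POST /administrator/index.php HTTP/1.1" 303 512',
    '198.51.100.7 - - [12/Apr/2013:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3210',
    '198.51.100.7 - - [12/Apr/2013:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.9 - - [12/Apr/2013:10:07:30 +0000] "GET /administrator/index.php HTTP/1.1" 200 4100',
    'this line is not in combined format',
]

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
    print(credential_findings("admin", "123456"))
    print(credential_findings("siteops_jd", "pinkcloudfishmask"))
```

The window is a plain sliding count, so a slow attacker spreading attempts over hours will not trip the default threshold; lower the threshold and widen the window to catch that, at the cost of more false positives from legitimate users who mistype a password.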

The Necessity of Patch Management

One aspect of site security is neglected more often than any other: Keeping your CMS software patched and up to date. We see this problem occur over and over again. Clients purchase websites with content management systems, then once we hand it off to them they do not keep it patched.

We’ll say it again: you must keep up with your website’s CMS software patches! A large number of Joomla! sites were recently compromised by a bot that specifically searched for a very commonly-installed extension which had been the subject of a security patch. The attackers knew that many people would have failed to install the patch, so the bot looked for unpatched versions of the extension as a doorway into the site. It worked very well; a number of sites fell victim. The lesson is that once a fix is published, the hole it closes is public too, and automated scanning for sites that have not applied it begins almost immediately.

Your CMS software is no different than the software on your desktop, your notebook, your smart phone: There will be patches and maintenance releases and you must install them to keep your site safe from attackers. Also, don’t forget, many times those patches also bring with them new functionality or improved performance, so if you fail to take advantage of the upgrades, you may be missing out on enhancements that also add value to your site.

If you are not comfortable doing upgrades yourself, find someone to help, or contact us. Charges for this type of work are very low — unless of course you have neglected it for too long and you already have a problem — then it gets expensive!
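Knowing which installed extensions are behind a published fix is the first step of patch management, and Joomla! makes it tractable because every extension ships an XML manifest that records its version. The script below is an added example rather than code from the original post or the Joomla! project: it reads extension manifests (a root install or extension element with name and version children), compares each version against a table of minimum patched versions, and lists the extensions that are behind. The manifests and the advisory table are constructed, because the article does not name the extension involved; in practice you would populate the table from the vendor advisories you track.

```python
"""Audit installed Joomla! extensions against minimum patched versions.
Added example; the manifests and advisory table are constructed."""
import re
import xml.etree.ElementTree as ET

# Hypothetical advisory table: extension name -> first version carrying the fix.
PATCHED_VERSIONS = {
    "Example Gallery": "2.4.1",
    "Example Forms": "1.9.0",
}

# Constructed manifests in the shape of Joomla! extension install XML.
MANIFESTS = {
    "administrator/components/com_examplegallery/examplegallery.xml": """\
<?xml version="1.0" encoding="utf-8"?>
<install type="component" version="1.5" method="upgrade">
  <name>Example Gallery</name>
  <version>2.3.7</version>
</install>""",
    "administrator/components/com_exampleforms/exampleforms.xml": """\
<?xml version="1.0" encoding="utf-8"?>
<install type="component" version="1.5" method="upgrade">
  <name>Example Forms</name>
  <version>1.9.2</version>
</install>""",
    "plugins/content/examplevideo.xml": """\
<?xml version="1.0" encoding="utf-8"?>
<install type="plugin" group="content" version="1.5">
  <name>Example Video</name>
  <version>0.8</version>
</install>""",
}


def version_tuple(text):
    """Numeric components of a version string: '2.4.1 RC1' -> (2, 4, 1)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if m is None:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_outdated(installed, required):
    """True when installed < required, comparing component by component (2.4 == 2.4.0)."""
    a, b = version_tuple(installed), version_tuple(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def read_manifest(xml_text):
    """Return (name, version) from a manifest; rejects anything that is not one."""
    root = ET.fromstring(xml_text)
    if root.tag not in ("install", "extension"):  # 1.5 uses <install>, later releases <extension>
        raise ValueError(f"not an extension manifest: root <{root.tag}>")
    name, version = root.findtext("name"), root.findtext("version")
    if name is None or version is None:
        raise ValueError("manifest lacks <name> or <version>")
    return name.strip(), version.strip()


def audit(manifests, patched=PATCHED_VERSIONS):
    """[(manifest path, name, installed, required)] for every extension below its patched version."""
    findings = []
    for path, xml_text in manifests.items():
        name, installed = read_manifest(xml_text)
        required = patched.get(name)
        if required is not None and is_outdated(installed, required):
            findings.append((path, name, installed, required))
    return findings


if __name__ == "__main__":
    for path, name, installed, required in audit(MANIFESTS):
        print(f"{name}: installed {installed}, fixed in {required} ({path})")
```

On a live site, walk the administrator/components, components, modules and plugins directories, read each manifest from disk, and feed the results to audit(); an extension that is not in your advisory table is not reported, so keeping that table current matters as much as running the check.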

The Lights Beyond LAMP

The 2009 Open Source CMS Market Share Report showed clearly the ongoing dominance of PHP-based content management systems. While the LAMP stack may be the leader in the arena of web content management, it is certainly not the only game in town. For the 2009 Open Source CMS Market Share Report we looked at not only the PHP-based systems, but also the Java and .NET-based systems.


The LAMP stack is populist in nature. Not only does the stack carry the cost advantages of open source, but there also exists a wide assortment of low-cost hosting and a ready (and growing) supply of developers. These characteristics create low barriers for entry and an attractive choice for individuals, hobbyists and small to medium sized enterprises.
While few would dispute that there are numerically more deployments of the common LAMP stack systems, it would be a mistake to assume that this is the only platform that matters. The web content management space is not homogenous. A hobbyist building a personal site, a small company building an online marketing presence, and a medium sized enterprise building a portal for customer relationship management are just three examples of widely disparate, yet common, uses. And while it is possible that all three of those groups might be looking at the same systems, it is more likely that those who require higher level functionality will look beyond the most common PHP-based systems. The argument becomes even more persuasive when you look at enterprise level clients.

For users who demand more functionality, higher security and more robust platforms, Java-based and .NET-based content management systems hold a strong attraction. Indeed, in the enterprise space, those platforms are more likely to be the first choice. Though it is certain that The Big Three — Joomla!, WordPress and Drupal — continue to improve their offerings and are more capable of supporting robust websites, I think it is fair to state that at this point in time few enterprise clients put them on their shortlist.


We included 4 Java-based systems in the survey: Alfresco, Jahia, Liferay and OpenCMS. Of the four, Alfresco topped the set in virtually all the metrics, in many cases ranking behind only The Big Three PHP systems. It was a very strong showing for a system that is not normally thought of in the context of web content management.

Alfresco had a strong lead in brand recognition and brand familiarity ratings. While Alfresco led Liferay in many metrics, it did not do so across the board; Liferay also performed very well. Liferay showed significantly greater strength in third party support, website popularity metrics and social media prominence. Both Alfresco and Liferay ranked highly in the brand sentiment metrics, with Alfresco coming in third overall in the survey, one of the clear leaders in this key metric. Liferay was not far behind, coming in sixth overall.

Alfresco and Liferay led OpenCms by a large margin in almost all categories, and Jahia not only lagged relative to the other Java-based systems but was one of the weakest performers of the entire survey group. Most troubling for Jahia has to be the brand sentiment data, which showed Jahia fourth from last in the survey set, with negative sentiment running very close to 50%.

In sum, from my perspective those interested in implementing Java-based open source content management systems for their web sites have a lot to cheer about. There exist several viable choices and at least two strong, growing players. This is a space that is set to grow and remain competitive in both the short to medium term.

The chart below shows the results of our query on brand familiarity to the survey group:

[Chart: brand familiarity]


.NET is not a platform most people traditionally associate with open source, but over the last couple of years that has begun to change. A large part of that credit has to go to DotNetNuke, who have been waving the open source flag and investing heavily in marketing to get that message out. Perhaps no other system in the survey has shown a more concerted marketing effort than DotNetNuke. That marketing has paid off in brand recognition and has opened the door for .NET as an open source alternative in the minds of many consumers.
This year’s survey found that DotNetNuke leads the .NET open source CMS race over the nearest rival, Umbraco, by a significant margin. However, the good news for DotNetNuke seems to stop right about there.

Our survey found an ongoing deterioration in DotNetNuke market interest, a slide that has continued across the last several years. The system also had one of the worst ratios of trial usage to actual usage; in other words, while they were successful in getting prospects to try the system, they were less successful in converting them into actual users. Most troubling of all were the numbers relating to brand sentiment. DotNetNuke finished last of the entire survey set in brand sentiment and was one of only two systems to show more negative than positive responses to the question “What is your general feeling about these companies or projects?” Further corroboration of this conclusion can be found at the Windows Web App Gallery, which lists user rankings for four .NET-based content management systems. Of the four, DotNetNuke is ranked the lowest, lagging behind Umbraco, mojoPortal and Kentico CMS.

The chart below shows the results of the query to the survey group on brand sentiment: Do you feel positive or negative about the following brands/products?

[Chart: brand sentiment]

Aside from the brand sentiment metric, DotNetNuke led Umbraco across the board. However, when you look at the trend in interest levels, there is a sharp contrast: interest in Umbraco is strengthening. The improvement is slow but steady, and the gap between the two systems seems to have closed significantly in the last 12 months. One has to wonder what would happen if Umbraco could match the marketing might of DotNetNuke.

In conclusion, the .NET-based open source CMS market is still wide open. DotNetNuke was certainly the early mover but now seems to be struggling to hold on to that advantage. The arrival of competing systems like Umbraco, and even more recently mojoPortal, shows that there is plenty of room for competition in this space and that things are only going to get more challenging for DotNetNuke.


The data underlying these conclusions can be found in the 2009 Open Source CMS Market Share Report, from water&stone and CMSWire. Download a free copy of the report at: http://www.cmswire.com/downloads/cms-market-share/
Note: This article originally appeared, in slightly different form, on CMSWire.com: http://www.cmswire.com/cms/web-cms/open-source-cms-market-lights-beyond-lamp-005849.php

50 Top Joomla! Extensions

With more than 4,000 Extensions in the Joomla! Extensions Directory, one of the most daunting aspects of selecting a Joomla! Extension is finding the right tool for the job. With thousands of Extensions to choose from, you are sometimes faced with multiple options that appear to achieve your goals. While there really is no substitute for downloading things and trying them out yourself, in this article I provide a list of fifty Joomla! Extensions as a starting point for addressing common needs.

This article is excerpted from Ric Shreves’ upcoming title, the Joomla! Bible, from Wiley & Sons. That book is due for publication in early November and can be pre-ordered directly from the publisher at www.wiley.com. Watch this site across the coming months as we preview more from this new title. This article originally appeared on the author’s site, RicShreves.net.

Note that this is not an endorsement of one particular Extension over another, but rather simply a list of resources to help you get started. The list includes both commercial and non-commercial Extensions. The Extensions are numbered for convenience only, not as an indicator of preference or popularity.

The Extensions have been grouped as follows:


:: A Word of Caution ::
The rate of change in the open source world can be daunting. Developers change, projects fork, some projects get abandoned. While this list may have been accurate when compiled, it’s impossible to say which projects will remain vital in six months’ time. The list of extensions I provide will no doubt change over time. You should always keep this in mind when you are selecting extensions, and if business risk is an issue for you, then you need to do your own research and consider carefully which extensions you adopt. An abandoned extension is also one that will never receive a security patch, so a project’s maintenance activity is part of that risk assessment.


If you want to sell online or add a product catalog to your site, you should probably consider installing a dedicated Extension to expand on the core system’s functionality.

[01] VirtueMart

I list only one Extension in this category as VirtueMart is far and away the leader. Not only does VirtueMart provide flexible ecommerce options, it also provides usable catalog management, so whether you want to sell online or just showcase products, this one Extension can do it all.


The Extensions listed in this section all expand upon the systems default content management functionality. The list includes both Extensions to enhance existing Articles as well as several powerful tools for changing the nature of the Articles and the Article editing functionality.

[02] AllVideos Reloaded

This Component enables the embedding and display of videos on your website. The Component comes in multiple parts: a content plugin, an editor plugin, a system plugin and a module. Once installed you can display video files either inside of Articles or inside Module positions, or as a pop-up inside a light box. The most recent version also includes a utility to convert various video formats into .flv (Flash video) files. This is a non-commercial extension.

[03] Attachments For Content Articles

This extension makes it easy to add attachments to your Articles. The attachments can be viewed or downloaded by your site visitors. The extension combines a Component for uploading and managing attachments and a Plugin for adding attachments to the site Articles. This is a non-commercial extension.

[04] Content Templater

Content Templater is a powerful extension that enables the creation of pre-defined, reusable templates for your Articles. If your site has multiple administrators, the use of content templates is one of the best ways to maintain a consistent appearance throughout the site. The extension allows you to create multiple templates which then appear inside the editor where they can be selected by the editor. The templates extend beyond content layout to include the other common attributes, including the title, alias, publishing settings, etc. This is a non-commercial extension.

[05] Custom Properties

The Custom Properties extension provides a way to attach tags to your Articles. The tags can then be used as aids to organization and navigation. Custom Properties opens up the Joomla! content hierarchy as the Extension makes it possible to associate multiple tags with a single Article and to search and view the Article by each of those tags. Elements included in the Extension give you the option to provide a dedicated search by tag and an option to generate a tag cloud. This is a non-commercial Extension.

[06] JCE

JCE is a WYSIWYG editor for your Joomla site. If you are looking for an alternative to the default editor, JCE is one option. The editor is extendable, allowing you to add in a file manager, a media manager and an image manager. This is a non-commercial Extension, however, some of the Extensions incur a fee.

[07] JomComment

JomComment enables user comments for your Articles. The system is Ajax-based, thereby avoiding page reloads, and supports templates and SPAM prevention. You can also configure the system to require that comments be moderated and approved prior to appearing on your site. There is an additional module available that allows you to display the most recent comments on the site in a module position. This is a commercial component.

[08] JoomlaFCK Editor

JoomlaFCK Editor is a port of the popular FCK Editor package. FCK is a powerful and easy to use WYSIWYG editor that gives you a strong alternative to Joomla’s default editor. The editor includes image uploading and management functions and a wide array of formatting tools and options. This is a non-commercial Extension.

[09] K2

K2 bills itself as the ultimate content construction kit for Joomla. It presents a major change in the way content items are handled in your Joomla! site. Using this Extension, you can create custom content types with custom fields. This makes it possible for you to break out of the restrictions of the default Joomla! three-tier content hierarchy and the limited content type. The Extension supports tagging as well as the inclusion of a variety of media formats. This is a non-commercial Extension.

[10] Labels

Labels provide a way to tag your Joomla! Articles and Contacts. The Labels can be used to impose organization on your site and to enhance user navigation. Using Labels, you can assign one Article to multiple classifications. The Labels can then be used as the basis for lists of Articles or they can be displayed independently as a Tag Cloud. This is a commercial Extension.

[11] MetaMod

The MetaMod Extension enhances Module management. It allows you to add additional rules and logic for displaying Modules on your pages. You can set start and end dates for Module publication and can trigger Module display according to the appearance of text or metadata in an item. The newest version includes geo-location filtering, making it possible to show visitors different content based upon their IP address. One of the more useful features is the ability to hide Modules once a user has logged in. This is a non-commercial Extension.

[12] News Show

News Show Pro is a content display Extension that allows you to display Articles in a wide variety of formats using a combination of Modules. The Extension makes it easy to display multiple items on one page in a variety of formats and greatly eases the burden of managing them. Configuration options allow you to display Articles vertically or horizontally and to sort them and control their appearance by a variety of criteria. This is a non-commercial Extension.


The Extensions listed in this section are all intended to make managing the administration of your Joomla! site easier. They provide functionality you may well get already from other tools, but with these Extensions you are able to do the job directly from within the Joomla! admin system, thereby saving yourself time and effort.

[13] eXtplorer

eXtplorer is a file and FTP management component. It allows you to browse and manage files from within your Joomla! admin interface without the necessity of using an external FTP or file management client. You can search, browse, upload and download files on your server and you can create and extract archives and manage file permissions. This is a non-commercial Extension.

[14] Joomla! Tools Suite

The Joomla! Tools Suite Extension is intended to be installed independently of Joomla! in order to provide you with a fall back in the case of problems with the site and to allow you to assess and monitor the site’s health. Features include post installation health checks, installation assessment, security auditing, core-file modification auditing, file-system auditing, Extension reporting and database auditing facilities. This is a non-commercial Extension.

[15] JoomlaPack

JoomlaPack is a back-up component for Joomla!. It creates a full backup of a site in a single archive and can be restored by any Joomla! capable server, thereby providing not only basic back-up facility, but also an aid for site migration. It is flexible and customizable. This is a non-commercial Extension.


Joomla! search sometimes needs a little help. Here are two Extensions that enhance the site search experience.

[16] JXtended Finder

Finder is an advanced search engine for Joomla!, giving you a more powerful alternative to the default search functionality. In addition to full text search, the Extension also enables a variety of filters, including custom-defined filters. This is a commercial Extension.

[17] PixSearch

The PixSearch Module creates an Ajax-based search box that searches as you type and displays results immediately in a pop-up box. The search is similar to that seen on a number of sites and in the Mac OSX Spotlight search feature. This is a non-commercial Extension but it does require registration.


While the most recent version of Joomla! provides more flexibility in the Menu layouts, these two extensions make it easy to create great looking Menus in a variety of formats and styles.

[18] Extended Menu

Extended Menu extends the functionality of Joomla’s MainMenu Module. You will still have to use CSS to achieve the styling, but the configuration options make it very easy to change the menu orientation and to split and re-order the Menu. The Extension also enhances the ability to work with parent-child menu item relationships. This is a non-commercial Extension.

[19] swMenu

swMenu is a set of Menu creation and management Extensions. You can create and integrate unlimited Menu Modules and achieve a wide variety of styling. There are commercial and non-commercial versions available on the developer’s site.


The default Joomla! system offers extremely limited options for form creation. The Extensions listed below address this issue by providing the ability to create complex forms on your Joomla! site.

[20] BfForms

An AJAX admin interface makes it easy to create complex forms. The Extension supports unlimited forms and fields and is Smarty Templates enabled. Forms created with this Extension support the Akismet and Mollom anti-SPAM systems, as well as IP banning and blacklists. Submit buttons and validation are also configurable. This is a commercial Extension.

[21] ChronoForms

ChronoForms is a great choice for those with HTML skills who want more control over their forms. With this Extension, you can create the form in your favorite HTML editor, then copy and paste it into the ChronoForms Component. There is also a drag and drop form creation interface for those who don’t want to do the work in HTML. The Extension also gives you the ability to create database tables and connect those to forms, thereby allowing you to capture form data in the DB. This is a non-commercial component, but it does include a back link to the developer’s site. You can remove the back link for a fee.

[22] RSform!Pro

RSForm! Pro is an AJAX-enabled form builder. The Extension supports a wide variety of fields and input types and allows you to create forms without any HTML knowledge. Data gathered with the forms can be exported to CSV format. This is a commercial Extension.


Galleries are one of the most commonly-requested Extensions to Joomla! Perhaps then it is not surprising that there are a large number of options in this area. The list below includes both full-featured galleries and simple slideshow components.

[23] Expose

Expose creates Flash-based slideshows. The size is adjustable and the resulting slideshow is search engine friendly. The Component includes album management and various configuration options that allow you to create attractive slideshows. This is a non-commercial Extension.

[24] Frontpage Slideshow

Frontpage Slideshow creates JavaScript and CSS-based slideshows. One of the most powerful features of this Extension is the ability to integrate text with images to create PowerPoint-type slides. Configuration options give you a great deal of control over the timing, display triggers and transitions. This is a commercial Extension.

[25] Phoca Photo Gallery

The Phoca Component provides an image gallery that also includes slideshow functionality. The Extension provides a large number of options for controlling the catalog categories and the images they contain. Images can be displayed using a variety of techniques, including light boxes, slideshows or standard page views. The gallery supports images and videos and is search engine friendly. There are a number of Modules and themes available to extend the functionality of this Component. This is a non-commercial Extension.

[26] RokSlideshow

RokSlideshow is a JavaScript-powered slideshow Module. The Extension provides a choice of six customizable transition types and thirty wipe and push transitions. You can add titles, captions and control font size and colors. This is a non-commercial Extension.

[27] RSGallery2

RSGallery provides an easy to customize gallery component. The Extension’s use of a separate Template system means you can modify the presentation significantly without hacking the core files. The Extension includes not only image and category management but also a slideshow functionality. RSGallery supports image download and integrates well with Community Builder. This is a non-commercial Extension.


If you want to create a categorized listing of companies, products or other items or services, then these directory Extensions will help you create a professional and functional site.

[28] Mosets Tree

The Mosets Tree Extension enables the creation of a Yahoo! style directory on your site. The system provides all the features you normally associate with online directories including unlimited categories and sub-categories, the ability to browse the listings and the ability to search for listings. Listing fields are customizable and the Extension supports the creation of custom fields. This Extension is used to power the official Joomla! Extensions Directory. This is a commercial Extension.

[29] SOBI2

The SigSiu Online Business Index Extension allows you to create complex directories. The directory listings can be maintained by either the site administrator or by the registered users. The system offers a number of fields for listings and it is possible to create custom fields. The core Extension is non-commercial but many of the additional modules you will want — like search — are commercial.


Threaded discussion forums have moved way past the old bulletin-board format. Joomla! has several excellent forum Extensions. Here are two of the best.

[30] ccBoard

The ccBoard forum provides complete forum functionality with a wide variety of options. You can create moderated or unmoderated forums, and allow guest postings or force user registration. The Extension also supports user karma, bad word filtering, SPAM filters, and more. This is a non-commercial Extension.

[31] Kunena

The Kunena Extension is a fork of the popular Fireboard Forum Component. This is a full-featured forum supporting all common features, including threaded discussions, multiple categories, user management, moderation, avatars and much more. This is a non-commercial Extension.


File Exchanges provide a way for you to exchange documents or other files with your site visitors.

[32] DocMan

DocMan is a document management and file exchange Extension. You can manage documents and files in multiple categories and subcategories and give users permission to upload, download or edit documents. The system supports multiple group permissions that allow you to show specific files to only specific groups. A search system is integrated. This is a non-commercial Extension.


While the Language Packs in Joomla! enable the system messages in multiple languages, they do nothing about the Articles and other content. If you want to display a fully multi-lingual site you will need to install a multi-lingual content Extension to help you manage the translations. The dominant Extension is Joom!Fish.

[33] Joom!Fish

The Joom!Fish Extension enables multi-lingual content management on your Joomla! site. With this Extension you can run your front-end content in multiple languages and allow users to switch easily between languages. The newest version supports routing to assist with your search marketing efforts and to build consistency into the URL structures. The core Extension is free of charge but some enhancements are now commercial.


Joomla! provides SEF URLs as part of the Global Configuration options, but for those of you who want to do more, you should consider these Extensions.

[34] Artio JoomSEF

This SEF Extension re-writes your Joomla! URLs to be search engine friendly. The Extension handles multi-lingual sites and works with both the Apache web server and the IIS web server. The system allows you to customize the URL strings and supports multiple URL formats. JoomSEF goes beyond just SEF URLs, adding in support for expanded metatags and customizable error pages. This is a non-commercial Extension but does include a back link to the developer’s site. The back link can be removed for a fee.

[35] JooMap

Joomap is a sitemap component that generates both front-end site maps for your site visitors and XML sitemaps for the search engines. Note also the Xmap Extension, discussed below. This is a non-commercial Extension.

[36] Sh404SEF

This Extension generates search engine friendly URLs and also provides management for titles and meta tags. There are additional plugins available for this Extension to provide support for many other common Extensions, like VirtueMart, Fireboard and Community Builder. This is a non-commercial Extension.

[37] Xmap

Xmap is based on Joomap, discussed above. The two Extensions are very similar and both produce front-end user site maps and XML site maps. You should review both to determine your preference. This is a non-commercial Extension.


If you want to break out of the limited Joomla! user manager and group access privileges, you will need to look at installing a third party Extension. Similarly, if you are integrating other software systems that require login access, you should consider a third party Extension to provide single sign-on for your users.

[38] JACLPlus

JACLPlus enables you to break out of the default Joomla! Access Control Rules and create custom groups and permissions. This system also includes the ability to assign users to multiple groups. Note that this Extension requires that your server use the Zend Optimizer. This is a commercial Extension.

[39] Jfusion

If your site integrates additional systems that require login, Jfusion allows your users to log in only one time to access all systems. Systems supported include phpBB, Vbulletin, Magento, SimpleMachines Forum and Moodle. This is a non-commercial Extension.

[40] JUGA

JUGA provides enhanced access control to Joomla! Articles and Components. It also enables you to create unlimited numbers of user groups and control user assignment within groups. One of the key features allows you to hide Menu Items and Modules based on a user’s group membership. The Extension has a dual licensing scheme, with the basic version non-commercial. The basic version, however, lacks many of the key features. A complete version is available for a fee.


Web 2.0 functionality is widely in demand. In this section are listed several Extensions that help build community and stimulate user interaction.

[41] AddThis Social Bookmarking

Integrates the AddThis social bookmarking button to your site. This is a non-commercial Extension.

[42] Community Builder

Community Builder is an entire suite of Components and Modules that enable you to turn Joomla! into a community website with user pages and a high degree of user interactivity. There are a large number of Modules and Plugins available for Community Builder and integration of the Extension is widely supported by other common Extensions. This is a non-commercial Extension, but it does require registration to download.

[43] JomSocial

The JomSocial Extension enables you to turn your Joomla! installation into a full blown social networking engine. The Extension is still relatively young, but the current release is feature rich and shows a great deal of promise. It is certainly your easiest, fastest route to a social networking website.

[44] JReviews


JReviews is a powerful Extension that lets you create a reviews and ratings website with Joomla! The system is customizable and can even be used as an alternative method for handling your Joomla! content items, with custom structure and fields. This is a commercial Extension.

[45] MyBlog

MyBlog provides greatly enhanced blogging functionality for Joomla! The default Joomla! system allows you to create blog-type layouts, but MyBlog gives you true blogging functionality with a wide range of common features. It includes RSS feeds, Technorati pings, Trackbacks and support for multiple bloggers, and integrates with both Community Builder and JomSocial. This is a commercial Extension.

[46] Plugin Googlemaps

Plugin Googlemaps is a Joomla! Plugin that integrates Google Maps functionality. Not only does it allow users to view Google Maps, but it also includes support for KML files and marker placement. Directions are integrated and can appear in a popup or lightbox. This is a non-commercial Extension.

[47] Tweetme

Tweetme is a simple Extension that adds a Tweet This button to your Articles and items. This is a non-commercial Extension.


If you want to run ads on your site at anything more than a basic level, you will need to look to an Extension to provide you with greater functionality than Joomla’s basic Banner Manager.

[48] AdSense Module

The AdSense Module allows you to place single or multiple Google AdSense units on the pages of your Joomla! site. The Extension supports the various Google options as well as the ability to randomize ad colors and to block ads from being displayed to certain IP addresses. This is a non-commercial Extension.

[49] Easy AdSense For Joomla

Allows you to run one or more Google AdSense units on your pages. This simple Extension provides control over all key variables plus the ability to block an unlimited number of IPs and to use alternative messages when ads are not displayed. This is a non-commercial Extension.

[50] IJoomla Ad Agency

iJoomla Ad Agency is a full-featured banner and ad management system for Joomla! You can run single ads, campaigns or packages. The system also supports breaking pages into zones for the purpose of managing ads and rates. Supports a wide range of ad formats and sizes. This is a commercial Extension.

Securing the Joomla! Core

Security is not one single thing; it is a process, a set of steps that need to be taken in order to achieve a result. The process begins with your server settings and the Joomla! core files. If you fail to make this base level of the system secure, then any additional steps are at best of limited effectiveness and at worst pointless. Note as well that the first step towards assuring your site’s integrity is also one of the easiest: install only the most recent version of the Joomla! core file packages from the official download site, JoomlaCode.org, and compare the archive’s checksum with the one published alongside it before you unpack it. Do not download and install core file archives from other sites, as you cannot be certain of their origin, completeness or integrity; a repackaged archive is an easy place to hide a backdoor.


This article is excerpted from Ric Shreves’ upcoming title, the Joomla! Bible, from Wiley & Sons. That book is due for publication in early November and can be pre-ordered directly from the publisher at www.wiley.com. Watch this site across the coming months as we preview more from this new title. This article originally appeared on the author’s site, RicShreves.net.



There are several steps you can take to enhance the security of the directories and files on your server. The first is to make the permissions as strict as possible without impairing use of the site. Write-protect your critical directories: as a general rule, set directory permissions to 755 and file permissions to 644, using either FTP or the options in the Global Configuration Manager. With those modes only the file owner can write, so whether Joomla! can still create cache files, logs and uploaded images depends on whether PHP runs as the owner of the files (as it does under suPHP and similar setups on many shared hosts) or as a separate web server user. In the latter case, the directories Joomla! writes to (cache/, administrator/cache/, tmp/, logs/ and the images/ tree used for uploads) are the only ones you should loosen, and no further. This is best done after you have fully completed your installation of the core and all Extensions. You may have to make these settings more permissive temporarily if you need to install Extensions in the future; tighten them again afterwards.

There’s a good discussion of how to set file permissions and what they all mean on the Joomla! docs site — visit the resource to learn more.

There are a number of other steps you may want to consider taking; note that each of these has a trade-off, either in terms of increased admin overhead or other limitations:

  • Move the configuration.php file outside of the public HTML directory on your server and rename it. Place a new configuration.php file in the public HTML directory that does nothing but require the moved file. Make the new file not writable, so that the Global Configuration Manager cannot overwrite it, and make sure the moved file is still readable by the user PHP runs as. Note that making this change forces you to edit the moved configuration file manually rather than through the Global Configuration Manager. For more information on how to set this up, see http://docs.joomla.org/Security_and_Performance_FAQs
  • Use .htaccess to block direct access to critical files. This is only applicable to servers running Apache on hosts that allow you to modify .htaccess. Back up your old .htaccess file before you try this, in case you experience problems and need to restore it.
  • Change the default log path. Attackers sometimes read the log files to learn which Extensions you have installed, in the hope of finding one with a known vulnerability they can exploit. To deter this information fishing, alter the log path setting in the Global Configuration Manager. A path outside the public HTML directory is better than a renamed one inside it, since a renamed directory is still reachable over HTTP by anyone who guesses its name.
  • Change the default temp directory. The contents of the temp directory can also disclose information about your site, such as the archives of Extensions you have installed. You can alter the temp directory setting in the Global Configuration Manager, and the same advice applies: prefer a location outside the public HTML directory.
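The first two items above, the configuration.php relocation and the .htaccess deny rule, as one shell procedure. This is an added example, not code from the book or from the Joomla! docs page cited; the function names, the private directory argument and the list of file names in the FilesMatch rule are assumptions, and the rule uses the Apache 2.2 Order/Deny syntax of the page’s era.

```shell
#!/bin/sh
# Added example (not from the original page): move configuration.php out of
# the web root, leave a read-only stub behind, and deny direct HTTP access
# to files that should only ever be read by PHP. Assumes a POSIX shell, the
# Joomla! root in $1 and a private directory outside the web root in $2.

relocate_joomla_config() {
    root="$1"; private="$2"
    mkdir -p "$private"
    mv "$root/configuration.php" "$private/configuration.php"
    # Owner and group may read; use 644 instead if PHP runs as a user that
    # is neither the owner nor in the owner's group.
    chmod 640 "$private/configuration.php"
    # The stub uses an absolute path so it does not depend on the working
    # directory. (A single quote in $private would break the PHP string.)
    printf '%s\n' '<?php' "require '$private/configuration.php';" \
        > "$root/configuration.php"
    # Read-only: the Global Configuration Manager can no longer overwrite
    # the stub, so settings are now edited in the moved file by hand.
    chmod 444 "$root/configuration.php"
}

harden_htaccess() {
    root="$1"
    if [ -f "$root/.htaccess" ]; then
        cp "$root/.htaccess" "$root/.htaccess.bak"   # keep a copy to restore
    fi
    cat >> "$root/.htaccess" <<'EOF'

# Deny direct requests for the config stub, Joomla!'s shipped config and
# .htaccess templates, and any SQL dump left in the root. Apache 2.2
# syntax; on Apache 2.4 replace the Order/Deny pair with "Require all denied".
<FilesMatch "^(configuration\.php|configuration\.php-dist|htaccess\.txt|.*\.sql)$">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
}
```

PHP includes the moved file directly from disk, so the Apache rule does not interfere with Joomla! itself; it only stops a misconfigured server from ever serving the file’s source to a browser.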


Humans are your most common point of security policy failure. Admin passwords should be changed regularly. The default user name produced for the administrator during installation should also be changed immediately after the system is set up. Leaving the default user name as “admin” gives an attacker one half of the puzzle they need to solve to gain access to your site. (Some commentators go further and recommend that you create a new Super Administrator account and delete the one auto-created by the Joomla! installer; in Joomla! 1.5 that account also has the predictable user ID 62, which makes it the obvious first target.) It hopefully goes without saying that passwords should also be as secure as practicable.

In addition to controlling access to your admin system, you need to be sensitive to the access issues that relate to your database. If you have control over the privileges of the user accounts on your MySQL database, make sure every account has only limited access. The account Joomla! uses should be restricted to Joomla!’s own database and to connecting from the web server’s host, never granted ALL PRIVILEGES on every database. For day-to-day operation it needs only SELECT, INSERT, UPDATE and DELETE; CREATE, ALTER, DROP and INDEX are needed while installing or updating Extensions, and can be granted for that window and revoked afterwards.


If you don’t need it now and you don’t intend to use it, get rid of it. Logical targets for deletion include unused Templates and any Extensions you installed and then decided not to use. Go further and disable unused core components as well. Not only does this make the site more secure, by removing one more potential entry point and one more thing that needs patching, but it also removes unnecessary clutter from the admin interface.

If you have copied archive files to your server during the course of installation, make sure you get rid of them. Don’t forget the installation directory: don’t simply rename it, delete it! A renamed copy is still reachable over HTTP by anyone who guesses the name, and the installer’s whole purpose is to write a new configuration.php. Another candidate for deletion is the system’s XML-RPC server. If you are not using this functionality, delete it; it is located in the Joomla! root in the directory named xmlrpc/ and is one more network-facing interface you would otherwise have to keep patched.
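A shell audit that covers both the permissions rule from the earlier file-and-directory section and the leftovers described here: anything writable by group or others, the installation/ and xmlrpc/ directories, and archives or SQL dumps sitting in the web root. This is an added example, not tooling from the book or the Joomla! project; the function names, the archive name patterns and the separate fix step are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes a POSIX shell with
# find, and the Joomla! root passed as $1.

# Report group- or world-writable paths and install-time leftovers.
# One finding per line on stdout; returns 1 if anything was found.
audit_joomla_tree() {
    root="$1"
    report="$(
        # Anything writable by group or others violates the 755/644 baseline.
        find "$root" \( -type d -o -type f \) \( -perm -g+w -o -perm -o+w \) \
            -exec printf 'WRITABLE: %s\n' {} \;
        # Directories the installer leaves behind; renaming is not enough.
        for leftover in installation xmlrpc; do
            if [ -d "$root/$leftover" ]; then
                printf 'LEFTOVER DIR: %s\n' "$root/$leftover"
            fi
        done
        # Archives copied up during installation and forgotten in the root.
        find "$root" -maxdepth 1 -type f \
            \( -name '*.zip' -o -name '*.tar.gz' -o -name '*.tgz' -o -name '*.sql' \) \
            -exec printf 'LEFTOVER FILE: %s\n' {} \;
    )"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Apply the baseline from the text: 755 for directories, 644 for files.
# Run it after the core and all Extensions are installed; loosen only the
# specific directory a later install needs, then run this again.
fix_joomla_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
}
```

Run audit_joomla_tree on a schedule, not just once: a later Extension install or a careless FTP client is the usual way a tree drifts back to 777.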


In an ideal world we would all have our own dedicated servers, where we could control every aspect of the system. In the real world, shared hosting is the reality for many users. Shared hosting, though certainly more cost-effective than a dedicated host, involves trade-offs in terms of security and access privileges. Your goal should be to make the host setup as secure as possible, whether it is dedicated or shared. Exactly what you are able to do with your server varies, but you should consider the following:

  • Use SFTP (or FTPS) rather than plain FTP, if available. Plain FTP sends your username and password in cleartext, so anyone who can observe the connection can read them while you are transferring files.
  • If possible, use PHP 5. While both PHP 4 and 5 are supported by Joomla!, PHP 5 is the superior solution, and PHP 4 no longer receives security fixes.
  • Make sure your server does not have register_globals enabled. Joomla! does not need it, and it is a security risk: it turns every request parameter into a PHP global variable, so an attacker can pre-set variables that careless Extension code assumes it initialised itself.
  • If the mod_security module is installed on your Apache web server, use it. It acts as an embedded web application firewall and provides significant protection against many common attacks, but only with a rule set loaded; confirm that your host actually loads one, and watch its audit log for false positives that block legitimate admin actions.
  • Turn safe_mode off. Safe mode is not necessary for Joomla!, may cause problems with some Extensions, and was never a real security boundary (it is deprecated as of PHP 5.3 and removed in 5.4).
  • Set magic_quotes_gpc to On. This is the setting the Joomla! 1.5 installer checks for, but treat it as a compatibility setting rather than a security control: it does not reliably prevent SQL injection, and it is deprecated as of PHP 5.3 and removed in 5.4.
  • Don’t use allow_url_fopen. Set this option to Off. It disables URL wrappers for fopen() and friends, and together with the separate allow_url_include directive introduced in PHP 5.2 (also Off) it stops include() from fetching code from a remote URL, which is what turns a file-inclusion bug into remote code execution.
  • Use PHP open_basedir. It is not an On/Off switch but a list of directories: set it to your site’s directory plus the temp directory PHP uses, so that a compromised script cannot read files elsewhere on the server.
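A check for the php.ini directives in the list above, so the settings can be verified rather than assumed (on shared hosting, run it against the output of phpinfo() or the host’s php.ini, whichever you can see). This is an added example, not from the book; the function names and the constructed sample files in the usage are assumptions. The magic_quotes_gpc item is deliberately not enforced, since it is a compatibility setting rather than a hardening one.

```shell
#!/bin/sh
# Added example (not from the original page): audit php.ini for the
# directives discussed in the text. Assumes a POSIX shell with awk and
# the ini file path passed as $1.

# Print one directive's value, lowercased, with quotes and trailing
# comments stripped; prints nothing if the directive is absent.
ini_get() {
    awk -F'=' -v key="$2" '
        /^[ \t]*;/ { next }                     # comment line
        index($0, "=") == 0 { next }            # not a directive
        {
            name = $1
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (tolower(name) == tolower(key)) {
                val = substr($0, index($0, "=") + 1)
                sub(/[ \t]*;.*$/, "", val)      # trailing comment
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                gsub(/"/, "", val)
                print tolower(val)
                exit
            }
        }' "$1"
}

# Normalise the spellings PHP accepts for a boolean directive.
ini_bool() {
    case "$1" in
        on|1|true|yes) echo on ;;
        *)             echo off ;;   # off, 0, false, no, "" or unset
    esac
}

# Prints one FAIL line per problem; returns 1 if any check failed.
check_php_ini() {
    ini="$1"; failed=0
    for want in register_globals=off safe_mode=off allow_url_fopen=off; do
        key="${want%%=*}"; expect="${want#*=}"
        have="$(ini_bool "$(ini_get "$ini" "$key")")"
        if [ "$have" != "$expect" ]; then
            echo "FAIL: $key is $have, expected $expect"; failed=1
        fi
    done
    # open_basedir is a path list, not a switch: it must simply be set.
    if [ -z "$(ini_get "$ini" open_basedir)" ]; then
        echo "FAIL: open_basedir is not set"; failed=1
    fi
    return "$failed"
}
```

A directive that is absent from the file counts as Off here, which matches PHP’s own defaults for these three switches; if your host compiles in different defaults, check the Local Value column of phpinfo() instead.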


The Joomla! Team and Community have created and maintain a number of useful security resources.

Name of resource URL
Security Checklist: Getting Started http://docs.joomla.org/Security_Checklist_1_-_Getting_Started
Security Checklist: Hosting and Server Setup http://docs.joomla.org/Security_Checklist_2_-_Hosting_and_Server_Setup
Security Checklist: Testing and Development http://docs.joomla.org/Security_Checklist_3_-_Testing_and_Development
Security Checklist: Joomla Setup http://docs.joomla.org/Security_Checklist_4_-_Joomla_Setup
Security Checklist: Site Administration http://docs.joomla.org/Security_Checklist_5_-_Site_Administration
Security Checklist: Site Recovery http://docs.joomla.org/Security_Checklist_6_-_Site_Recovery
Joomla Security Strike Team Contact Form http://developer.joomla.org/security/contact-the-team.html
Security and Performance FAQs http://docs.joomla.org/Security_and_Performance_FAQs
Automatic Email Notification System http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews
Security RSS Feed http://feeds.joomla.org/JoomlaSecurityNews
Joomla! 1.5 Security Forum http://forum.joomla.org/viewforum.php?f=432
Vulnerable Extensions List http://docs.joomla.org/Vulnerable_Extensions_List
Security Announcements for Joomla! Developers http://developer.joomla.org/security/news.html
Joomla! Developers Security Articles and Tutorials http://developer.joomla.org/security/articles-tutorials.html

Front-end Content Management in Joomla!

If you have ever worked with the front end content management workflow in the default Joomla! system, you will appreciate that, straight out of the box, it is not as user-friendly as you might like it to be (indeed, some might say that is a generous description!). Nonetheless, it remains a powerful tool when properly configured — and when the team using it is adequately trained.

This article is excerpted from Ric Shreves’ upcoming title, the Joomla! Bible, from Wiley & Sons. That book is due for publication in early November and can be pre-ordered directly from the publisher at www.wiley.com. Watch this site across the coming months as we preview more from this new title. This article originally appeared on the author’s site, RicShreves.net.

From a workflow perspective, one of the most frustrating limitations of the front end content management system is the lack of an effective, configurable notifications and tracking system. The more complex your content structures are, the more significant this limitation becomes.

The problem is purely a practical one: As Authors contribute Articles, the Editors have to be notified, then the Editors have to find the contributed Articles and edit them. Once the Articles are edited, the Editors need to notify the Publisher who again has to find the Articles and publish them.

While relying on notifications is fine up to a point, if you want another way to add some more certainty to the process and make it easier to deal with once the Editors and Publishers are actually working inside the system, you may want to consider the following – it’s one way I’ve found that seems to improve on the default approach.

The approach creates a Content Section and two Content Categories reserved for the use of the front-end content management team. Here’s how to set it up:

1. Create a new Section, name it “Submissions.”

2. Set the Access Level for the Section named “Submissions” to Special.

3. Create two new Categories inside the new Section. Name these two new Categories “To be Edited” and “To be Published.”

4. Next, create a new Menu Item on the User Menu. Set the Menu Item Type to Category List Layout, name the new Item “To be Edited,” and in the Basic Parameters select the Category “To be Edited.”

5. Finally, create another new Menu Item on the User Menu. Set the Menu Item Type to Category List Layout, name the new Item “To be Published,” and in the Basic Parameters select the Category “To be Published.”

All the tools are in place, now you need to instruct your team on how to use them.

  • Instruct the Authors to assign all new Articles to the Category named “To be Edited.”
  • Instruct the Editors to check the “To be Edited” Menu Item each time they log in. Once they complete their edits on the pending Articles, the Editors must re-assign the Articles to the Category named “To be Published.”
  • Instruct the Publishers to check the “To be Published” Menu Item every time they log in. The Publishers can then assign the pending Articles to the proper Sections and Categories and publish the Articles.

This approach has two main advantages. First, it makes the editing process easier to manage, as all the Articles appear in the same place and move logically from station to station in the workflow. Second, you gain the ability to assign a specific template to the entire front-end content management workflow by associating that template with the front-end content management Menu Items. (For example, a nice wide template makes it easier to use the editing window, and a lightweight, clean template without unnecessary graphics or module assignments can speed your work.)

While this is not the only way to crack this problem, it’s easy to set up and simple to remember and train against. Have you found another solution? If so, please share it using the comment controls on this article.

Joomla! Performance Tips

The struggle for optimal site performance is a battle all web designers & site owners face from time to time. You see a lot of sites on the web that load slowly or perform poorly. While some sites have hosting issues, most are simply built without performance in mind. Joomla!, in and of itself, is neutral in terms of site performance; it’s how you configure it and what you do with it that creates — or prevents — solid site performance.


This article is excerpted from Ric Shreves’ upcoming title, the Joomla! Bible, from Wiley & Sons. That book is due for publication in early November and can be pre-ordered directly from the publisher at www.wiley.com. Watch this site across the coming months as we preview more from this new title. This article originally appeared on the author’s site, RicShreves.net.


This article is an excerpt from the chapter on Site Performance, and it includes information about content and technical issues that impact site performance. As performance factors are not purely Joomla! issues, many of the tips (particularly in the content section) are applicable to any website. Note that Joomla’s caching controls are not discussed in this text below, as the first portion of the chapter (not shown here) deals with Joomla! caching in some detail.


Everything on the pages of your website has an impact on the site’s performance. If you build large pages with large files, the page will load more slowly than a smaller, lighter page. While the pages your Joomla! site generates from Components are largely beyond your control, you can have a significant impact on your Article pages. If you work smart and keep in mind the need to build lean pages, you can serve web pages to your visitors more quickly and reduce the burden on your server. Never forget, it all adds up. If you have multiple visitors on your site simultaneously, the page each is viewing contributes to the load. Saving a few kilobytes in file size here and there adds up quickly.

Here is a list of issues and tips you should consider when creating content for your site:

Avoid Large Files

This is most commonly an issue with graphical files inserted into Articles. Optimize your images to keep file sizes down to reasonable levels. As image file size is at least partially a by-product of the physical dimensions of the image (width and height), it is hard to say what is right for your site; however, a reasonable goal is to keep your images under 50K in size. If your images are too large to achieve that goal without a loss in quality, consider whether you need to display images that large on the page, or whether a better course would be to display a smaller image, a thumbnail, that is clickable to open a larger one. Note also that for the web, the pixel dimensions of the image are what matter; the dpi value stored in the file does not change its size on screen or on disk, so there is no benefit to anything above the conventional 72 dpi. If you are using the Firefox web browser, there are two free add-ons that can help you diagnose and solve performance problems. The YSlow and Firebug add-ons include tools that help you identify the sizes of all the files on any particular web page. This is a great way to identify problem areas and bottlenecks. YSlow also provides suggestions for improving performance. Get both extensions from https://addons.mozilla.org

Save Images In The Right Format

Closely related to the point above is this issue: use the right image format for the content you need to display. The most common formats for web use are .jpg (or .jpeg), .gif and .png. Use .jpg for photos and anything that requires smooth transitions from color to color or large amounts of detail. Use .gif or .png for anything that is primarily large blocks of color or black and white. For example, photos are best saved as .jpgs; a chart or a graphical illustration is best served as a .gif or .png. Given a choice between .png and .gif, prefer .png: for most flat-color graphics it produces a smaller file, and its compression was never encumbered by the LZW patents that once applied to .gif. Choose .gif if you need animation, which .png does not support, or if the file is very small, in which case .gif often produces a smaller file. Tip: .png files can be created either interlaced or non-interlaced. Interlaced files provide progressive rendering, that is, they render little by little on the screen, starting out fuzzy and getting clearer. Avoid interlaced .pngs; they are larger in size and they confuse some users.

Don’t Re-Size Images

Upload your image at the actual size at which it will be displayed. In particular, do not upload files larger than needed and then force them to display at a smaller size. Forcing an image to a new size not only fails to save anything, as the file size remains the same, but it also makes the browser do additional work to scale the image.

Keep Your Code Clean

If you are copying and pasting text into your WYSIWYG editor, pay careful attention to the code that results. While the system will do its best to eliminate unneeded tags and redundant code, it is always best to look at it yourself and make sure that no redundant tags and inline style definitions have found their way into your page formatting. One of the worst culprits in this area is text copied from older versions of Microsoft Word. The clean-up option in the default WYSIWYG editor can help, but a manual check is always the best solution. Note also that well-formed, valid markup tends to render faster, because the browser does not have to recover from broken tags, so it is always a good idea to validate your HTML and CSS.

Avoid Tables

To the extent practicable, use CSS to format your page layouts. Tables slow things down as the whole table needs to be assembled before the contents are rendered. Tables also have implications for accessibility. Complex tabular data may require the use of tables, but as a general rule, CSS is the better way to go.

Use Image Rotators Conservatively

Image rotators are Modules that provide a rotating image inside a Module position on your page. A popular technique you see on many websites today is the use of a rotating image on the header of the page. The rotator works like a slideshow, displaying a series of images as the visitor is looking at the page. The problem is that many of the Extensions that provide this functionality require all the images to load before the rotation occurs. This means that a large amount of data is loaded for the page, some of which may be completely pointless as the user has already clicked and moved on before the image displays. If you have to use an image rotator, keep the image sizes small and do not load too many images into the sequence; three images in rotation will perform much better than four, five or six images. If front page performance is a key concern, keep image rotators off the front page.

Use Wrappers Reluctantly

Wrappers are used to display a web page inside of your web page (the Joomla! Wrapper is an iframe). This means that the Wrapper contents have to be fetched and displayed inside your page. By definition this increases the number of HTTP requests that have to be made to complete the page, thereby increasing its loading time. Where the web page you are wrapping is located on another server, the display of the Wrapper content will depend upon the performance of the remote system and upon the quality of your connection to that server, and your visitors will see whatever that server chooses to send. All of these factors add up to a greater risk of disruption and to increases in page loading time. If, on the other hand, the wrapped content is kept on your server, the risk decreases dramatically, but the delay factor remains. If front page performance is a key concern, keep wrappers off the front page.

Limit Use Of Animation

Animation files tend to be larger in size and must load in their entirety before they function properly. Accordingly, limit the use of animation on your page to keep page file size down.

Limit Use Of Flash

Flash files can be quite large in size and they keep your visitors waiting as they spool in to play. If you must use Flash on your pages, use only Flash elements inside the page, rather than use Flash for the entire page content area. Also plan your Flash so that there are not long delays for your viewers.

Don’t Stream Video Until Requested

If you wish to give users access to video files, do not stream the video until requested by the user. While this does mean that users who want to view the video have to wait for it, it does not force all the users to endure slow page loading while a file they may never view eats up their bandwidth.


This section looks at various techniques you can use to tweak the performance of your Joomla! site. Not all of these suggestions will be suitable for your site, but certainly some of them will be applicable.

Use Server Side Compression

Joomla! supports server-side GZIP compression. If your server supports GZIP, enable this option in the Global Configuration Manager, as it can result in significant performance improvements. The GZIP Page Compression option is located on the Server tab in the Global Configuration Manager.

If You Don’t Use It, Disable It

Disable all Components, Modules and Plugins that you are not using. Even if you are not displaying the output on the page, the system is likely doing at least some of the processing associated with the feature.

Minify Your CSS And JavaScript

Minification is the process of reducing the size of CSS and JavaScript files by stripping out whitespace, comments and other characters the browser does not need. While minifying a single rule saves only a small amount, it all adds up, and minifying the entire CSS can result in a meaningful saving. This is a tedious manual process, so if you want to employ this technique I suggest you use one of the many tools designed to make it easier. Run a Google search for “minify CSS” and “minify JavaScript” for lists of options. The Joomla! Extensions Directory also lists several Extensions that can compress your CSS and JavaScript.

Be Careful With Google Analytics

Google Analytics, though a wonderful and useful service, can slow down your site. Every page that includes the Analytics code increases your load time, because the browser waits for the script to load from Google’s servers before it continues rendering whatever follows it; placing the snippet at the end of the page, just before the closing body tag, limits the damage. The impact of this varies greatly depending on the time of day, the traffic on your site and the location of your servers.

Be Selective About Your Template

Your choice of Template can have a significant impact on your site performance. Many of the lovely Templates I see in circulation rely heavily upon images to achieve their look and feel. The size of these Templates and the number of HTTP requests they generate are not optimal. Select your Template carefully. Look at the file size and the quality of the code. You want Templates that use CSS, not tables, and that prefer system text to images. Be particularly wary of Templates that use images for the menus rather than system text and CSS. Not only do these Templates have a negative impact on site performance, but they also tend to be less than optimal from the perspective of both SEO and accessibility.

Be Selective About Extensions

Some third party Extensions are incredibly resource-intensive. When you are comparing Components, Modules or Plugins, use YSlow to compare the impact on your page performance and check resource usage on your server. Don’t forget that small differences in performance can balloon into big differences when the site experiences spikes in traffic.

Skip Live Stat Reporting

Components or Modules that produce live real-time statistics on your site can be significant drains on site performance. If you don’t have a compelling need for real-time statistics, skip them.

Disable SEF URLs

Though this may not be an option for many of you, if your goal is performance above all else, disable the SEF URLs option. The conversion of your native URLs into Aliases causes a performance hit.

Optimize Your Database

One of the main performance bottlenecks for any content management system is the database server. To improve performance, you should periodically optimize the database tables. Optimization can be performed from within phpMyAdmin (select the tables and choose “Optimize table”), which issues MySQL’s OPTIMIZE TABLE statement; mysqlcheck --optimize does the same from the command line. To learn more about this process, visit the MySQL website.