I don’t have much to post about lately, it seems, but the drama that’s unfolded since there was a security breach on one of my websites. As soon as I thought it was taken care of, an .htaccess error allowed the exploit to recreate itself – and let’s just say I’m on thin ice with my hosting company and preparing for a speedy recovery in case I’m forced to move 🙁
What’s really behind all of this? A naive enthusiasm that once inspired me to install Joomla as a content management system. On the one hand, as my first website, it set me on a very interesting, profitable, and rewarding career path – and on the other hand, it’s been almost impossible to work with, secure, and optimize.
Installing Joomla isn’t that tough – especially using one-click and scripted installs like Dreamhost, Bluehost, and a number of other popular hosts provide. I’m not even sure why I picked it – it was recommended as being powerful and flexible – and no one warned me that it was unnecessarily complicated and counter-intuitive.
The first sign of trouble is entering the administration screen. Dozens of buttons and dozens of menu choices are labeled in the software’s own unique jargon and editing components often requires redundant actions. The only way to ever be sure what you just changed is to have another browser or tab ready to refresh the page you’re looking at. Don’t mistake the colorful icons for a graphical design interface – templates still need to be handled in PHP and the interface makes it difficult to make even minor changes to what information is provided in the menus, headers, and in the content sections.
Adding on Nightmares
Of course, if you want to enjoy the functionality of comments, search engine friendly URLs, or even Google Adsense ads, you’ll need to install 3rd party modules, mambots, and addons. And although the core version of Joomla is free, many of the best addons & modules cost money. If you’re really serious about going down the Joomla road, you could easily spend $100-$200 just for patches and tweaks designed to achieve your CMS goals.
Now, the very worst part about these addons is that they’re the primary source of malware infections and server hijackings. Unlike the core software, the modules aren’t collaboratively developed and publicly tested. Many module authors pop some code up on the market and vanish (although one would suspect they are still collecting their paychecks). In the meantime, every committed black-hatter and rising script-kiddie is scouring these files for vulnerabilities and potential exploits.
If you’re lucky, a vulnerability will be spotted before it hits you. But then, you’ve still got the unlucky task of disabling some part of your website’s functionality until a new version of that mod is released or a replacement becomes available.
Goodbye, Good Riddance
The Joomla install on my hosting account is gone – I’ve saved a copy of the files and database to my local hard drive but at the moment I think I’d rather cut my losses and start that domain again from scratch. As my first website, it was always a bit rough around the edges and it never managed to develop a real revenue model. The simple fact that it was on Joomla made it nearly impossible for me to customize the structure and placement of data and prevented problems from being solved.
If you want to publish content rapidly and encourage comments, use WordPress. If you want to focus on peer-to-peer discussion, get a forum like SMF or phpBB2.
Will this be the final chapter in the security drama of the last few weeks or will the legacy of Joomla come back to haunt me once more? The mail servers are practically locked down now and the offending CMS has been completely eradicated – but I still wouldn’t be surprised if Joomla managed to harass me yet again.