Any Joomla components which are not used are a security risk
A typical Joomla web design scenario is the following:
- Hear about the cool unlimited possibilities of Joomla
- Install Joomla and start experimenting with content. Fall in love with Joomla
- Discover 3rd party extensions. Go head over heels, and start installing each component which looks cool
- Realise that you have too many components installed, remove links to some components
- Go live with the site, and the site runs smoothly for a few weeks / months
- Joomla gets hacked :(
What went wrong?
Typically, what happened is that some component had a vulnerability which was exploited to hack your website. Let's give an overview of the how and why of this happening.
Joomla and 3rd Party Components
The Joomla core has proved to be quite stable, and Joomla sites that contain no 3rd party extensions are rarely vulnerable to hacking. Things are very different when it comes to 3rd party components though. There is a huge number of components on the official Joomla extensions directory, a good number of which are in alpha or beta stages (under development) and have not been fully tested. This means that these components may contain code problems which make them hackable. There are also quite a few components developed by people whose programming skills are "poor", and who do not follow code security recommendations. This results in some components being vulnerable.
So what happens when these components are installed? They sit there quietly, ticking away like a bomb: performing their function, but still ticking. Then somebody discovers a vulnerability in a component you are using. There are simple ways of using Google to find files which are vulnerable on any site which contains these files (the practice is called Google Hacking). So, using a simple query, a lot of people will be able to find your vulnerable site. It is therefore just a matter of time before your site is hacked via this problematic component.
Even though some components are not visible to most of your users, if you did not uninstall the component, then the code still exists on your website. Therefore any problems in these components still exist on your site, and can be exploited even if the actual component is not published / visible. Also, a new version which addresses a security issue may be available, but you never applied it to your site because you forgot that the component still exists there!
So what do I do?
- Use as few components as possible. This ensures that there are fewer possibilities of components being vulnerable.
- Uninstall completely any 3rd party components or other extensions which you are not using and which are not required for your site.
- Keep yourself subscribed to the Joomla Security Forum, and keep yourself updated with any new component vulnerabilities
- Always upgrade your components to the latest versions. New versions of components typically contain bug and security fixes.
- Use the Joomla Tools Suite to perform an Extensions Audit to determine which components you have installed, and check if there is a new version of the components installed. Remove any components which your site can live without.
- Be minimalistic - keep the number of components installed down to the barest minimum. Each additional component installed is an additional risk.
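The audit step above can be done without any tool by looking at what is actually on disk: Joomla keeps component code under `components/` and `administrator/components/`, so a `com_*` folder that is still there is still reachable whether or not a menu item points at it. The script below is an added example, not part of the original article and not the Joomla Tools Suite; it walks those two directories, reads each component's manifest XML (Joomla 1.5 manifests use an `<install>` root, 1.6 and later use `<extension>`, both carry `<name>` and `<version>` elements), and flags any component missing from a `keep` set of components the site actually needs, plus any whose version string marks an alpha/beta/RC build. The sample site tree it builds in a temporary directory is constructed data, as are the component names `com_gallery` and `com_forgotten`.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Where Joomla keeps component code: site side and administrator side.
# Both are checked, since a component may exist in only one of them.
COMPONENT_DIRS = ("components", "administrator/components")


def is_prerelease(version):
    """Heuristic: True when the manifest version marks an alpha/beta/RC build."""
    if not version:
        return False
    v = version.lower()
    return any(tag in v for tag in ("alpha", "beta", "rc"))


def read_manifest(com_dir):
    """Return (name, version) from the component's manifest XML, or (None, None).
    Joomla 1.5 manifests use an <install> root element, 1.6+ use <extension>."""
    for entry in sorted(os.listdir(com_dir)):
        if not entry.endswith(".xml"):
            continue
        try:
            root = ET.parse(os.path.join(com_dir, entry)).getroot()
        except ET.ParseError:
            continue
        if root.tag not in ("install", "extension"):
            continue
        name = (root.findtext("name") or "").strip() or entry[:-4]
        version = (root.findtext("version") or "").strip() or "unknown"
        return name, version
    return None, None


def audit_components(site_root, keep):
    """Report every com_* directory found on disk under site_root.
    'unused' is set when the component is not in `keep` (the components the
    site relies on): its code is present and reachable even with no menu link."""
    found = {}
    for sub in COMPONENT_DIRS:
        base = os.path.join(site_root, sub)
        if not os.path.isdir(base):
            continue
        for entry in sorted(os.listdir(base)):
            com_dir = os.path.join(base, entry)
            if not (entry.startswith("com_") and os.path.isdir(com_dir)):
                continue
            rec = found.setdefault(entry, {
                "component": entry, "name": None, "version": None,
                "locations": [], "unused": entry not in keep, "prerelease": False,
            })
            rec["locations"].append(sub)
            name, version = read_manifest(com_dir)
            if name is not None and rec["name"] is None:
                rec["name"], rec["version"] = name, version
                rec["prerelease"] = is_prerelease(version)
    return [found[k] for k in sorted(found)]


# Constructed sample data: a throwaway tree shaped like a Joomla install.
SAMPLE_TREE = [
    # (subdirectory, component folder, manifest XML or None)
    ("components", "com_content", None),
    ("administrator/components", "com_content",
     '<extension type="component" version="3.0"><name>com_content</name>'
     '<version>3.9.0</version></extension>'),
    ("components", "com_gallery", None),
    ("administrator/components", "com_gallery",
     '<install type="component" version="1.5"><name>Gallery</name>'
     '<version>0.9-beta</version></install>'),
    # Left over from an experiment: no manifest, no menu link, still on disk.
    ("administrator/components", "com_forgotten", None),
]


def build_sample_site():
    """Write SAMPLE_TREE into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="joomla_sample_")
    for sub, com, manifest in SAMPLE_TREE:
        com_dir = os.path.join(root, sub, com)
        os.makedirs(com_dir, exist_ok=True)
        if manifest is not None:
            # Joomla names the manifest after the component without the com_ prefix.
            with open(os.path.join(com_dir, com[4:] + ".xml"), "w") as fh:
                fh.write(manifest)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    # The components this sample site is known to need: core com_content and the gallery.
    for rec in audit_components(site, keep={"com_content", "com_gallery"}):
        flags = [f for f in ("unused", "prerelease") if rec[f]]
        print(f"{rec['component']:15} {rec['version'] or '?':10} "
              f"{','.join(rec['locations'])} {' '.join(flags)}")
```

Run it against a real site root instead of the sample tree and anything reported as `unused` is a candidate for a proper uninstall through the Joomla administrator (deleting the folder by hand leaves database rows behind); anything reported as `prerelease` is a candidate for replacement with a stable release.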
How to choose your components
These are general recommendations, and may not apply in all cases.
- Try to avoid components which are in alpha or beta stages unless absolutely necessary. If they are still under development, make sure you subscribe to the author's newsletter when one exists, to ensure that any vulnerabilities are removed if they surface.
- Use popular components, marked as Hot or Editor's pick. These are usually stable components.
- Use commercial components when possible. When you have paid for a component, you expect a certain level of coding and service which is not always available in free components. Also, if a vulnerability is found, a fix will be issued and users notified in a much faster manner in commercial components.
- Use common sense. If you install a component which contains a lot of bugs, do not use it because this is a sign that the developer is careless. If their site looks careless and unmaintained, avoid the component.