Any Joomla components which are not used are a security risk
A typical Joomla web design scenario is the following:
- Hear about the cool unlimited possibilities of Joomla
- Install Joomla and start experimenting with content. Fall in love with Joomla
- Discover 3rd party extensions. Go head over heels, and start installing each component which looks cool
- Realise that you have too many components installed, remove links to some components
- Go live with the site, and the site runs smoothly for a few weeks / months
- Joomla gets hacked :(
What went wrong?
Typically, what happened is that some component had a vulnerability which was exploited to hack your website. Let's give an overview of the how and why of this happening.
Joomla and 3rd Party Components
The Joomla core has proved to be quite stable, and Joomla sites that contain no 3rd party extensions are rarely vulnerable to hacking. Things are very different when it comes to 3rd party components though. There is a huge number of components on the official Joomla extensions directory, a good number of which are in alpha or beta stages (under development) and have not been fully tested. This means that these components may contain code problems which make them hackable. There are also quite a few components developed by people whose programming skills are "poor", and who do not follow code security recommendations. This results in some components being vulnerable.
So what happens when these components are installed? They sit there quietly ticking away like a bomb, performing their function but still ticking away. Then somebody discovers a vulnerability in a component you are using. There are simple ways and means of using Google to find files which are vulnerable on any site which contains these files (the practice is called Google Hacking). So using a simple query, a lot of people will be able to find your vulnerable site. It is therefore just a matter of time before your site is hacked via this problematic component.
Even though some components are not visible to most of your users, if you did not uninstall the component, then the code still exists on your website. Therefore any problems in these components still exist on your site, and can be exploited even if the actual component is not published / visible. You may also have missed a new version which addresses a security issue, simply because you forgot that the component still exists on your site!
So what do I do?
- Use as few components as possible. This ensures that there are fewer possibilities of components being vulnerable.
- Completely uninstall any 3rd party components or other extensions which you are not using and which are not required for your site.
- Keep yourself subscribed to the Joomla Security Forum, and keep yourself updated on any new component vulnerabilities.
- Always upgrade your components to the latest versions. New versions of components typically contain bug and security fixes.
- Use the Joomla Tools Suite to perform an Extensions Audit to determine which components you have installed, and check whether there is a newer version of each installed component. Remove any components which your site can live without.
- Be minimalistic: keep the number of components installed down to the barest minimum. Each additional component installed is an additional risk.
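As an added example (not from the article, and not part of the Joomla Tools Suite or any Joomla code), here is a small audit script in the spirit of the Extensions Audit above: it lists every com_* directory present on disk, whether published or not, reads the version from each component's XML manifest, and reports everything outside the owner's allowlist as an uninstall candidate. It assumes the standard Joomla layout (site half under components/, admin half with the manifest under administrator/components/) and the manifest root element being <install> (1.5) or <extension> (1.6+); the sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def manifest_version(component_dir):
    """Version from the component's XML manifest: root is <install> (Joomla 1.5)
    or <extension> (1.6+), each with a <version> child. None if no manifest."""
    if not os.path.isdir(component_dir):
        return None
    for entry in sorted(os.listdir(component_dir)):
        if not entry.endswith(".xml"):
            continue
        root = ET.parse(os.path.join(component_dir, entry)).getroot()
        if root.tag in ("install", "extension") and root.get("type") == "component":
            node = root.find("version")
            return node.text.strip() if node is not None and node.text else None
    return None

def installed_components(joomla_root):
    """Every com_* directory on disk; the code is there whether or not it is published."""
    names = set()
    for sub in ("components", os.path.join("administrator", "components")):
        base = os.path.join(joomla_root, sub)
        if os.path.isdir(base):
            names.update(n for n in os.listdir(base)
                         if n.startswith("com_") and os.path.isdir(os.path.join(base, n)))
    return sorted(names)

def audit_unused(joomla_root, needed):
    """Installed components outside the owner's `needed` allowlist (list the core
    components there too), mapped to their manifest version: uninstall candidates."""
    admin = os.path.join(joomla_root, "administrator", "components")
    return {c: manifest_version(os.path.join(admin, c))
            for c in installed_components(joomla_root) if c not in needed}

def build_sample_site():
    """Constructed fixture: a tiny fake Joomla tree, not a real installation."""
    root = tempfile.mkdtemp()
    manifests = {"com_content": '<install type="component" version="1.5"><name>Content'
                 '</name><version>1.5.15</version></install>',
                 "com_oldgallery": '<extension type="component" version="1.6"><name>Old '
                 'Gallery</name><version>0.9beta</version></extension>'}
    for name, xml in manifests.items():
        d = os.path.join(root, "administrator", "components", name)
        os.makedirs(d)
        with open(os.path.join(d, name[4:] + ".xml"), "w") as fh:
            fh.write(xml)
    os.makedirs(os.path.join(root, "components", "com_ghost"))  # no admin half, no manifest
    return root

if __name__ == "__main__":
    print(audit_unused(build_sample_site(), {"com_content"}))
```

Running it on the sample tree reports com_oldgallery (0.9beta) and com_ghost (no manifest at all), which is exactly the leftover code the article warns about.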
How to choose your components
These are general recommendations, and may not apply in all cases.
- Try to avoid components which are in alpha or beta stages unless absolutely necessary. If they are still under development, make sure you subscribe to the author's newsletter when one exists, to ensure that any vulnerabilities are removed if they surface.
- Use popular components, marked as Hot or Editor's pick. These are usually stable components.
- Use commercial components when possible. When you have paid for a component, you expect a certain level of coding and service which is not always available in free components. Also, if a vulnerability is found, a fix will be issued and users notified much faster for commercial components.
- Use common sense. If you install a component which contains a lot of bugs, do not use it because this is a sign that the developer is careless. If their site looks careless and unmaintained, avoid the component.
Keep your Joomla! Lean
One thing that people love about many open-source CMSs like Joomla!, Wordpress or Drupal is the huge number of components which can be used to augment the functionality of your site. However, people forget one crucial thing:
Once you have a 3rd party component installed, few people will have the inclination, know-how, ability or time to update it. More so, many people wouldn't even know that they should be upgrading, hence the increased risk.
There are more reasons why you should keep your CMS, be it Joomla or otherwise, lean:
A website with few components does not require much maintenance. The only thing you'll need to keep updated is the core. And obviously your content. But that's our point: focus your effort on the content you need to provide to your audience, not on the effort required to make sure your website is still up and running.
3rd party components are likely to create conflicts and clashes which might mean going back to the authors of the software to resolve, if a resolution is available. Keeping Joomla lean ensures fewer clashes between 3rd party code.
Easy Updates and Upgrades
Updates and upgrades are always a headache, or at least a concern. Will everything keep running smoothly after I'm done with this upgrade or update? If you have fewer components to upgrade and update, your life will be so much easier.
Each component you install increases the execution time, load time and response time of your website. And you need to keep this as low as possible, especially if your website gets a lot of traffic. Keep to the core Joomla and it will be as fast as it can possibly be.
The good add-ons and components usually don't come cheap. If your budget is limited, then sticking to the core as much as possible will decrease your costs. All the maintenance required will also increase your costs since you will need to keep abreast of what needs to be updated and what doesn't.