Any Joomla components which are not used are a security risk

A typical Joomla web design scenario is the following:

  • Hear about the cool unlimited possibilities of Joomla
  • Install Joomla and start experimenting with content. Fall in love with Joomla
  • Discover 3rd party extensions. Go head over heels, and start installing each component which looks cool
  • Realise that you have too many components installed, remove links to some components
  • Go Live with site and site runs smootly for a few weeks / months
  • Joomla gets hacked :(

What went wrong?


Typically, what happened is that some component had a vulnerability which was exploited to hack your website. Let's give an overview of the how and why of this happening.

Joomla and 3rd Party Components 

The Joomla core has been proved to be quite stable, and Joomla sites that contain no 3rd party extensions rarely are vulnerable to hacking. Things are very different when it comes to 3rd party components though. There is a huge number of components on the official Joomla extensions directory, a good number of which are in alpha or beta stages (under development), and have not been fully tested. This means that these components may contain code problems which make them hackable. There are also quite a few components developed by people whose programming skills are "poor", and who do not follow code security recommendations. This results in some components being vulnerable.

So what happens when these components are installed. They sit quietly there ticking away like a bomb, performing their function but still ticking away. Then somebody discovers a vulnerability in a component you are using. There are simple ways and means of using Google to find files which are vulnerable on any site which contains these files (the practive is called Google Hacking). So using a simple query, a lot of people will be able to find your vulnerable site. It is therefore just a matter of time before your site is hacked via this problematic component. 

Even though some components are not visible by most of your users, if you did not uninstall the component, then the code still exists on your website. Therefore any problems in these components still exist on your site, and can be exploited even if the actual component is not published / visible. Also maybe a new version which addresses a security issue is available but you forgot to apply it to your site, because you forgot that the component still exists on your site!

So what do I do?

  1. Use as few components as possible. This ensures that there are fewer possibilites of components being vulnerable.
  2. Uninstall completely any 3rd party components or other extensions which you are not using and which are not required for your site.
  3. Keep yourself subscribed to the Joomla Security Forum , and keep yourself updated with any new component vulnerabilities
  4. Always upgrade your components to the latest versions. New versions of components typically contain bug and security fixes.
  5. Use the Joomla Tools Suite to perform an Extensions Audit to determine which components you have installed, and check if there is a new version of the components installed. Remove any components which your site can live without.
  6. Be minimalistic - keep the number of components installed down to the barest minimum. Each additional components installed, is an additional risk.

How to choose your components

These are general recommendations, and may not apply in all cases. 

  1. Try to avoid components which are in alpha or beta stages unless absolutely necessary. If they are still under development, make sure you subscribe to the author's newsletter when this exists, to ensure that any vulnerabilites are removed if they surface.
  2. Use popular components, marked as Hot or Editor's pick. These are usually stable components.
  3. Use commercial components when possible. When you have paid for a component, you expect a certain level of coding and service which is not always availabe in free components. Also, if a vulnerability is found, a fix will be issued and users notified in a much faster manner in commercial components.
  4. Use common sense. If you install a component which contains a lot of bugs, do not use it because this is a sign that the developer is careless. If their site looks careless and unmaintained, avoid the component.

Keep your Joomla! Lean

One thing that people love about many open-source CMSs like Joomla!, Wordpress or Drupal is the huge amount of components which can be used to augment the functionality of your site. However, people forget that one crucial thing:


Each component you install decreases the risk of your website by multiple factors. The reality though is that people don't realise the risk they are running, and most of all the steps they need to mitigate this risk. If you are going to install a 3rd party component then you need to make that you keep a constant eye on it - you need to make sure it is patched and upgraded to the latest version - otherwise your website has a very increased risk of being hacked, defaced, deleted losing you time, data, reputation and many other side effects that come with a compromised website.

Once you have a 3rd party component installed, few will have people have the inclination, know-how, ability or time to update. More so, many people wouldn't even know that they should be upgrading hence the increased risk.

There are more reasons why you should keep your CMS be it Joomla or otherwise, lean

Low Maintenance

A website with few components does not require much mainteance. The only thing you'll need to keep updated is the core. And obviously your content. But that's our point, focus your effort on the content you need to provide to your audience, not on effort required to make sure your website is still up and runnin.

Fewer Clashes

3rd party components are likely to create conflicts and clashes which might mean going back to the author's of the software to resolve - if a resolution is available. Keep Joomla lean ensures fewer clashes between 3rd party code.

Easy Updates and Upgrades

Updates and upgrades are always a headache - or at least a concern. Will everything keep running smoothly after I'm done from this upgrade or update? If you have fewer components to upgrade and update, your life will be so much easier.

Faster Website

Each component you install increases the execution time, load time and response time of your website. And you need to keep this as low as possible especially if your website gets a lot of traffic. Keep to the core Joomla and will be as fast as it can possibly be.


The good add-ons and components usually don't come cheap. If your budget is limited, then sticking to the core as much as possible will decrease your costs. All the maintenance required will also increase your costs since you will need to keep abreast of what needs to be updated and what doesn't.



One more thing... Did you know that people who share useful stuff like this post look AWESOME too? ;-)
Please leave a useful comment with your thoughts, then share this on your Facebook group(s) who would find this useful and let's reap the benefits together. Thank you for sharing and being nice!

Featured On

Inc Magazine Logo  

Sitepoint logo  

CSS Tricks logo   

webdesignerdepot logo   WPMU DEV logo   

and many more!



Get Started Now With Shutterstock




Best Rated Caching Plugin

Make your website faster 

Monstrous B-Day Party

CLICK HERE for discounts!

Monstrous bday party

How to make your website FAST!

Step-by-step - free email course, how to make your website load in less than 1 second 


The Outstanding HungryJPEG Bundles

AWESOMENESS! Bundles of premium font + graphic packs at more than 96% OFF!  Get a bundle for just $9 - ONLY!

The Hungry JPEG Awesome font bundles


Work with

CollectiveRay (formerly known as DART Creations) is interested in developing partnerships with mutual benefit. If you like the stuff we publish and would like to develop a relationship, we'd be happy to hear from you. Go on - drop us a line - we'd love to hear from you :-)


Disclosure: CollectiveRay is funded personally out of pure passion for helping people working with websites. We do however generate some income through recommendations of products. This means if you click on a link and purchase an item we link to, we will receive a small sum out of that sale. We usually partner with vendors to make your purchase cheaper than buying direct.

Popular Content

Joomla extensions to take your website to the NEXT level

Is your Joomla website reaching its full potential? We install many of these extensions on almost ALL of our Joomla sites - why don't you check them out our list of Joomla Extensions and see whether you can take your site to the next level?

who are we?

CollectiveRay is run by David Attard - working in and around the web design niche for more than 12 years, we provide actionable tips for people who work with and on websites. We also run - a website for drone hobbyists.

David attard

Follow us on Social

Follow us on Facebook   Subscribe to our RSS Feed   Follow us on Twitter


Where are we hosted?

This site is proudly powered by FAST VPS InMotion Servers and given an insane speed thanks to StackPath CDN!

Web Hosting stackpath