There is a difference between hosting that allows you to install Joomla and hosting that offers real Joomla hosting. To qualify for that hosting, a host must know Joomla inside out, and be prepared to walk the extra mile to optimize their servers for Joomla. One of the ‘hot topics’ regarding Joomla is Security. We reached out to a selection of renowned Joomla hosters, and asked them how they handle their security. Unfortunately we only received an answer from SiteGround.com.
If we receive an answer from the other hoster(s) we will make sure to publish their answers in a later blog posts. Hosters that would like to present their approach can always send their answers to joomlaandmore@toralkolabs.net
SiteGround on Security and how they handle Joomla
SiteGround is a rising star on the Joomla firmanent. People keep singing their praises, saying they take security seriously. You can read more about that on their website. They also take marketing seriously, so we were presently surprised to see they were the first (and, admittedly only) host to reply to us. You can find the answers, as provided by Marina Yordanova below.
Text in Italics are comments about why we asked the question.
Many hosts claim to be safe, but are often lacking in that department. We asked what measures the hosters took to secure their servers and your sites.
JandMore: What measures do you take to increase the security on your servers? What do you change / offer for Joomla, specifically?
Marina Yordanova, SiteGround Marketing Dept.: Besides the usual service updates (kernel, control panel, apache, PHP, MySQL etc), firewall and spam filtering that every security-oriented web hosts should have, especially for Joomla we apply several additional security measurements:
1) We have an inhouse-developed Joomla Auto-Updater that updates Joomla versions soon after the new ones are released to the public. As you probably know minor releases often address security issues and having our customers’ Joomlas automatically updated is a very important step in increasing the overall Joomla security on our servers.
2) We secure each and every Joomla installed through our system from XSS attacks, SQL injections and file inclusion etc. by adding our own Joomla security plugin jHackGuard to it. We have also made this plugin available for general usage and it can be downloaded for free on our website (http://www.siteground.com/joomla-hosting/joomla-extensions/ver1.5/jhack.htm) and on JED (http://extensions.joomla.org/extensions/access-a-security/site-security/site-protection/13233).
3) The next thing we do in order to protect our customers accounts is to isolate them from other accounts on the same servers. We have developed a unique isolation system setup which helps us stop the spreading of infected files from one vulnerable Joomla installation to the next. This way we manage to generate an environment for the websites on our shared servers that’s as secure as dedicated solutions and still easily affordable even for small website owners.
The next thing we do to protect our customers is to isolate them.. This way his way we manage to generate an environment for the websites on our shared servers that’s as secure as dedicated solutions and still easily affordable even for small website owners.
4) Our Joomla specialists monitor on a daily basis security bulletins and are timely informed if some Joomla core or plugin threats appear. If we find something that makes Joomla vulnerable and can be easily exploited, we invest extra time to research or even invent ourselves a solution and apply it on a server level before the Joomla’s on our servers get affected. You can read more about our Security In and Out’s on our blog: http://blog.siteground.com/siteground-security/
5) There is one more thing we do to improve Joomla security, that’s not related to our servers but to our customers actually – we try to educate them about Joomla security and how to make the best out of their Joomla experience. We have already conducted some webinars and podcasts on different Joomla topics including security (http://blog.siteground.com/joomla-security-webinar/) and after seeing the great response, we plan on releasing more.
JandMore: Does SiteGround actively monitor sites for problems? And how does SiteGround respond when they discover a problem?
Marina Yordaneva, SiteGround Marketing Dept.: We provide website scanning as an additional service in partnership with a company that is specialized in finding malicious content, so every customer can take advantage of this service and be warned if something is found.
On top of that we do perform mass scans whenever there is a reason to believe there might be an event that has affected multiple sites. If we find problems we contact the sites owners with instructions how to clean up their installations. We also provide website cleanup by our professionals as an additional service.
JandMore: If a Joomla problem (or exploit) is discovered, does SiteGround react? Do you take additional matters, on a server level or otherwise, to protect websites?
On several occasions we have applied servers level fixes to protect our Joomla users, but also have published helpful information for non-customers in our blog.
Yes, in fact we believe that this is one of the most important parts of our Joomla security policy. Whenever any serious vulnerability that has the potential to hurt multiple users is discovered we react immediately and apply server level fix even before an official fix is releasedby Joomla or the vulnerable plugin developers. On several occasions we have applied servers level fixes to protect our Joomla users, but also have published helpful information for non-customers in our blog. Here are few examples of blog posts describing such exploits and our solutions:
http://blog.siteground.com/joomla-extplorer-vulnerability/
http://blog.siteground.com/joomla-vulnerability/
http://blog.siteground.com/jce-vulnerability/
Conclusion
We would like to thank Marina Yordanova and SiteGround.com for answering our questions.
If you are a “Joomla Hoster” and would like to be featured as well, don’t hesitate to contact us with an answer to the questions above.