IMHO, Joomla! 1.6 is not less or more secure than its predecessor. Some things have been improved, security-wise, but there have also been some major reckless implementations as well. Out from the top of my head:
- The new joomla.xml file is a huge security hole. No problem if you use .htaccess rules which prevent direct access to rogue XML files, though.
- The ability to move around core directories (like the libraries directory) was advertised as a security feature, but it is a security counter-feature. Why? Let's say that you move your libraries directory to an off-site location. Then, an upgrade comes out, e.g. Joomla! 1.6.1. The normal upgrade method (followed indiscriminately by third party updaters and the Joomla! core itself) is to simply extract the upgrade package to the site's root. As a result you have two security issues:
1. Any changed files in the libraries directory have not been written, which may break or degrade the security of your site
2. The rogue files in the unprotected and partial libraries directory under your site's root could in theory be exploited. Dead code is a bad thing to leave on a server, let alone without the site administrator knowing about it.
- Joomla! insists on using URL fopen() wrappers for downloading data. If you want the extension updates, core update and extensions installation over HTTP(S) to work, you have to enable them. However, they can also be exploited by malicious hackers in RFI (remote file inclusion) attacks. So you have to choose between security and convenience when you could have had both, i.e. by Joomla! falling back to cURL if the URL fopen() wrappers are not available.
Joomla! 1.5.x will be maintained until April 2012. Joomla! 1.6, on the other hand, is a short term release, supported until 1.7 is released. Moreover, Joomla! 1.6 is not stable yet. It's made General Availability, yes, but it is by no means stable. Moreover, it has vast changes compared to 1.5, despite what the Production Leadership Teams says (obviously, these guys have never tried to maintain a real world component which is even slightly more complex than "Hello, World"...). As a result the most important extensions are not yet available for Joomla! 1.6.
All and all Joomla! 1.6 is less stable and has less third-party software available than its predecessor. We all know that the reason to use Joomla! is stability and third-party (non-core) software, so there's not a cat's chance in hell of migrating this site to Joomla! 1.6 in the very near future. I have better things to do than trying to beat an unstable system into submission. That said, I continue to support all the misguided individuals who think that building a live site with Joomla! 1.6.0 is possible, by making my own software fully compatible with this version of the CMS.
If you ask me, I'd wait for a stable Joomla! 1.7 (yes, one point seven) release before migrating my site.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
