Joomla security vulnerability affects one in three websites
This week the Joomla project released an important update for its 3.6 series: Joomla 3.6.4.
Since this version included a patch for an important security issue, Joomla published an announcement a few days prior stating the exact release date and time to help users prepare and plan for the update.
As a service that helps people update their Joomla (and soon WordPress) sites, we here at Watchful had a front-row seat to this process. Akeeba and JCE coordinated updates with Joomla 3.6.4 release, resulting in significant observed activity from extension developers.
As soon as Joomla 3.6.4 was released, Watchful users began logging in and updating their sites using our 1-click updater.
Update patterns varied widely with some Watchers updating just Joomla. Some customers updated hundreds of sites at once while others took the more cautious approach of updating Joomla as well as any extensions one site at a time.
Since there was so much update activity this week and website security has never been more prominent in the news and blogosphere, we decided to look at adoption rates for various Joomla versions and some Joomla extensions. Below is a summary of what we found.
Series 3 is most popular amongst Joomla Professionals
Our analysis revealed that 82% of Watchful sites use Joomla 3.0 or newer, with only 3% still on Joomla 1.5. This is an encouraging trend since Joomla 1 and 2 are both unsupported, end-of-life softwares.
It’s worth mentioning that Watchful launched with support for Joomla 1.5, despite it being already considered obsolete. Further, it does not support remote updates so Watchful’s appeal for owners of these older sites is lower. As a result, Joomla 1.5 installs in the wild are much, much higher than represented in our analysis.
Despite this caveat, most Joomla professionals — currently our primary client base — have migrated the majority of their Joomla 1.5 site to more recent versions, with 15% of sites running Joomla 2.
Fig. 1. Joomla series distribution for Watchful users.
Joomla 3.6 is the most popular version in the series
When we focus on Joomla 3, nearly 90% of users are running Joomla 3.6.x. In contrast, only 0.5% are using Joomla 3.3, 3.2, 3.1 and 3.0 (Joomla 3.0/3 in the chart below).
This is a great trend and it suggests that updating within the Joomla 3 series has not been problematic.
Fig. 2. Joomla 3 version distribution for Watchful users.
Joomla 3.6.4 adoption rates are very high
Looking at Joomla 3.6 we see that 84% of users have adopted version 3.6.4 in just 96 hours. The remarkably high adoption rate among professional Joomla users (Watchers) highlights their exceptional engagement compared to the average user. As you can see from the official Joomla Usage Statistics, only 20% of Joomla 3.6 sites are currently running the latest version.
With this striking difference in mind, it would be interesting to know whether the Joomla update email notification feature released in Joomla 3.5 has affected adoption rates for Joomla updates.
Fig. 3. Joomla 3.6 version distribution for Watchful users.
25% of Joomla 3 sites are using vulnerable core software
While the data above paint an encouraging picture of Joomla 3 update adoption, a further analysis reveals a dangerous truth: only 75% of Joomla 3 sites are using the most recent and most secure version. In other words, one in four sites may be compromised through known exploits.
Adoption of the most recent versions for Joomla 1.5 and 2 series are much higher — 91% and 94% respectively. This is not that surprising given the age of these releases. But considering these version are no longer supported and known exploits have been in the wild for some time, these sites must be included in our overall analysis of vulnerable sites.
If we combine all the data, we found that only 62% of sites managed in Watchful are running the most recent version of Joomla (version 3.6.4 as of this writing).
Fig. 4. Proportion of Joomla sites with the most recent version installed.
Joomla extension update rates are lower than core updates
We also looked at adoption rates for popular Joomla extensions such as Akeeba Backup, Admin Tools, and the content editor JCE.
As shown below, less than 70% of sites using Akeeba Backup are not using the current version. This is true for both the Core (free) version and the Pro version.
The free extension JCE and as well as Core and Pro versions of Admin Tools showed lower adoption rates for the most recent version, though it should be noted that each of these extensions had a new release coordinated with the release of Joomla 3.6.4, so adoption rates will likely go up in the coming days.
Fig. 5. Proportion of Joomla sites with the most recent versions of popular extensions installed.
More awareness of the importance of updates is needed
All in all, the data paint a mixed picture for the security of web sites built on Joomla. While adoption of the most recent version of Joomla 3.6 is high, overall, at least one in three sites remain vulnerable as they are running outdated software.
And based on our preliminary analysis of a few popular extensions, it is reasonable to conclude that this number is much higher as extensions do not get updated as frequently as the Joomla core.
Finally, we found that the adoption of Joomla updates is much higher among Joomla professionals using Watchful compared to the general public.
Considering all these factors, we conclude that updating Joomla is a serious problem for the community at large. To address the problem, coordinated awareness campaigns from the Joomla project, Joomla agencies, web hosts, and Joomla users is urgently needed.
Here’s what you can do:
- Review our security resources for Joomla.
- Ask your friends and colleagues if they’ve checked their Joomla sites for updates, and post links to update resources on your social media channels.
- Discuss Joomla updates at your next Joomla User Group meetup and ask the attendees what versions of Joomla they are updating.
- If you own a web hosting company, send an update notice to your customers.
- If you work for a Joomla agency or a web hosting company, encourage your supervisor to send an update notice to your customers.
- If you are a volunteer for the social media team in the Joomla project, coordinate a series of social media posts over the next month to update users who follow the official Joomla accounts.
- If you are a moderator on the Joomla forums, send a message to the nearly 700,000 members to let them know about updates
- If you volunteer on the Joomla extension directory:
- send email notices to all the developers and ask them to spread the word to their mailing lists.
- strictly enforce the use of the Joomla updater for all extensions listed in the directory.