The Joomla project has announced fixes for an urgent Joomla security issue affecting version 1.5 and greater. These updates follow on from a similar security announcement in the Spring.

So, if you have maintained a Joomla site built within the last six or seven years, you likely have an urgent security issue to fix.

Read on for help fixing your specific version of Joomla. 

Backup first

Before proceeding, be sure to perform and test a backup of your full site — database and files — should you run into troubles updating.

Joomla 3

If you are running Joomla 3, simply login to the backend of your site and navigate to the Joomla updater at the following URL:

administrator/index.php?option=com_joomlaupdate

Once there, follow the on-screen instructions to perform the update. Be sure you are updating to at least Joomla 3.1.5, the most recent version at the time of this writing.

Note: There is not specific updater for the Joomla 3.0 series, so performing this update will automatically move you to the 3.1 series if you are not already there.

Of course, if you use Watchful to manage your portfolio of Joomla websites, you can update them all to version 3.1.5 with just a click or two.

Joomla 2.5

Like Joomla 3, you can update your Joomla 2.5 sites from either the backend of your site or from your Watchful Dashboard. 

Be sure you are updating to at least Joomla 2.5.14, the most recent version at the time of this writing.

Joomla 1.6 and 1.7

There is absolutely no support for these versions of Joomla.

No patches have been released to address the issue mentioned above and they each have a number of other important security issues that make these versions of Joomla a very large risk for use on production web sites.

Users with Joomla 1.6/1.7 should migrate their sites to Joomla 2 or Joomla 3 immediately.

Joomla 1.5

Joomla 1.5 reached its end of life in the Fall of 2012 and as such we no longer support it. However, patch files were released for Joomla 1.5 that could be applied manually by FTP. 

Our colleagues at Anything Digital (co-owners of Watchful) released a patch file that makes it easier for webmasters. You can apply this patch file through the standard Joomla extension installer.

You can find the full details for this Joomla security update, including the free download, on the Anything Digital blog.

Joomla 1.0/Mambo

There are no security patches for these CMS versions to address the security issue described above. If you are still using Joomla 1.0 or Mambo, you should migrate immediately to Joomla 2 or Joomla 3. 

Release cycles and Joomla security

If all of these versions and releases are making your head spin, you are in good company! Many casual Joomla users are confused about Joomla’s version numbering and release cycle since it has changed often through Joomla’s history.

Recently however, Joomla has adopted an effective 2-year release cycle in which a “stable” version is supported for 2 years. For example, the next “stable” or Long Term Support release for Joomla 3 (incidentally, version 3.5) is scheduled for Q2 2014 and will be supported through Q2 2016 (and likely 6 months after that).

Once you understand the basics of the release cycle, it should be clear that urgent Joomla security issues are addressed by releasing new builds for all supported versions. As of this writing, the officially supported versions of Joomla are 2.5 and Joomla 3.1.