- add a firewall/antivirus app in the Joomla core, scanning each item uploaded to Joomla.
- all plugins & components in extensions should be re-evaluated and checked to see if they are safe.
- developers should be punished if they make unsafe plugins or components. A dev's P or C is only accepted if it contains the required security features.
- /administrator in the back end should be linked to your webhost or whatever you specify it to be. The backend should also be switched off automatically when you log out. I turn mine off by going to the webhost and renaming administrator to adXXXministraXXtor or what have you. What we should have is the admin folder being transferred to another Joomla folder each time you log out.
- _jos should disappear. Hackers actually teach us that everything we make standard is a vulnerability, so let's not make anything standard.
- Hackers use the address bar, so let's make Joomla addresses "menu, plugin or component" dependent. If anything else is typed in the address bar, one gets a warning and one's IP gets logged, and they get shown that their IP is logged. If they try like 3 times, Joomla bans them and you get a message in the back end saying so.
- Joomla should also have a "write button". When you press this you can write, change and update your site; when you log out it's auto-switched to "read only". And I MEAN EVERYTHING IN JOOMLA IS THEN "READ ONLY".
- you should also be able to make the username look like asterisks instead of it being readable. We can even get secretive by adding a keyscrambler.
- Ok, that's it, I'm going to sleep safe.
Andrew's comment is spot on.
Most third-party Joomla extensions are written poorly. No one wants to spend the time to evaluate them.
I think something that would reduce the security holes would be a database API with prepared statements, one that in fact requires them.
While I agree that the administrator folder name is a nuisance, the rest of this is pretty useless. Changing this will still never prevent a hack, even if it's possible. If you want to stop people from being able to access this folder, use .htaccess and Apache access control.
Write button? Come on. This does nothing to prevent a hack. You should seriously research computer security before posting such rubbish.
_jos can disappear if you change it during the install process.
Every request to your webserver is (most likely) already logged by IP. Why would you slow down Joomla with useless "firewalls" or logging? It serves zero purpose.
Standardization is needed to develop a secure platform, and one that can be developed on. The major security problems in Joomla aren't Joomla itself; installing poorly developed plugins/modules/components is mostly to blame.
Thanks to the development language PHP being easy to pick up, it has helped build the massive Joomla development community; however, 90% of the developers either A) completely ignore or don't understand common security problems, or B) simply do not want to invest the time developing safe code. It's all free anyway, so who cares!?
Standardization and secure API concepts would address most of these problems. But nothing is secure. If you are paying attention to "hackers", then they should have taught you that.
Worst is, people are paying for such modules/components thinking they are getting safe software... That's the kicker.
What everyone needs to grasp is that Joomla is still a very "in its infancy" product. Sure, it's been around for a few years, but compare it to mature software like Windows or, hell, FreeBSD (for those geek-inclined)... They all still have pretty bad security holes on occasion.
Stop asking Joomla to be this perfect, 100% secure solution if you have no idea what you are talking about in the first place. Especially when you are getting it for free!
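The .htaccess approach suggested above for the administrator folder, as an added example that is not from the thread or from the Joomla project: it restricts /administrator to one source address and additionally requires HTTP basic authentication. It assumes the file is placed at administrator/.htaccess, that the vhost allows overrides (AllowOverride AuthConfig Limit), and uses the placeholder address 203.0.113.10 and the placeholder password file path below.

```apache
# Added example: lock down Joomla's /administrator directory with
# Apache access control. Place as administrator/.htaccess.
# 203.0.113.10 is a placeholder for the administrator's fixed address;
# the password file path is a placeholder and must sit outside the web root
# (create it with: htpasswd -c /etc/apache2/joomla-admin.htpasswd <user>).

AuthType Basic
AuthName "Joomla administration"
AuthUserFile /etc/apache2/joomla-admin.htpasswd

<IfModule mod_authz_core.c>
    # Apache 2.4: both conditions must hold (address AND valid login)
    <RequireAll>
        Require ip 203.0.113.10
        Require valid-user
    </RequireAll>
</IfModule>

<IfModule !mod_authz_core.c>
    # Apache 2.2: deny everyone, allow the one address, and still demand a login
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
    Require valid-user
    Satisfy all
</IfModule>
```

Because this is enforced by the web server before any PHP runs, a login page weakness or a guessed folder name alone does not get an attacker into the back end; check the Apache error log for 401/403 entries to confirm the rule is active.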