Website security - should I hire a developer?

The most important thing to do when you use 3rd party applications like Joomla! is to always keep them up-to-date. Most attacks are targeting vulnerabilities which were patched long ago and only hit those people who neglect updating. So create a regular reminder in your calendar to check if an update is available for Joomla (as well as any themes and plugins you are running) and install it. Updating Joomla is very simple, because it can be done from within the administration interface. You don't need any advanced IT skills to do that. But it is very important to do this regularly!

Be wary of any plugins, themes, extensions and other addons which did not release any update for a long time. It means that either that addon is perfect and has no security problems, or that the developer simply doesn't care to release any more updates to fix security vulnerabilities. But the latter case is much, much more likely. You should also check the Vulnerable Extension List regularly and avoid everything listed there.

For more information, consult the security and performance FAQ on the Joomla wiki.

This actually applies not just to an application like Joomla but to your whole software stack, from operating system to webserver to PHP to MYSQL. OS and webserver also need to be configured securely. But when you use a hosted solution, then the provider will likely take care of everything except the applications you install yourself, so you likely don't have to worry about that.

But it's a different thing when you rent a virtual server which provides you with a naked operating system (or not even that) and expects you to set up everything on your own. In that case you are responsible for updating everything. When you require this for your project, you should consider hiring someone who knows how to harden a server properly, who knows which components need to be updated and how this is done. But the person you are looking for is not a software developer. It's a system administrator.


This is very subjective and the answer is a question, how much do you value your site? having a professional develop your site does not mean it is safe, professionals develop sites which have had massive breaches as well.

As a developer I would say a developer would be better if you're looking for quality, and yes, security might be better as well but there are plenty of steps you can take when developing a site to ensure the website is secure.

If you follow the OWASP top 10 most common vulnerabilities and stop them you are doing better then a lot of smaller websites on the internet, most of your issues will be related to SSL and injections such as (but not limited to):

  1. Heart bleed (SSL)
  2. DROWN (SSL)
  3. XSS (injection)
  4. SQL (injection)
  5. Execution of code / arbitrary data (injection)

These 5 are in my opinion any web applications WORST nightmare but also easy to not let happen!

Summary

Do you need a security expert? It would help and if you think its worth it then yes you do, if you don't think its worth it, then no, you do not.

Do you need a professional developer? No, though for quality and reasonable assurance yes.

Can you protect yourself? Yes of course, at least to some extent.

Can you learn enough within your time constraints? No problem.

Obviously this is all related to the web application ONLY and not the server it is hosted on.

Tags:

Websites