Is e107 safe?

MartinM
Jun 08 2010, 03:17AM
Registered Member #46001
Joined: Jun 29 2008, 10:41AM
Posts: 79
Over the past 6 months we have had numerous security fixes, and still our sites are coming under heavy attack. The current spate seems to be the most destructive so far.

My question is simply, is e107 still safe? If the much heralded and promised v0.8 were to be in place would we not be safer? It seems that other sites I am running with Joomla are not coming under the same security attacks, maybe because the developers are not constantly fighting fires, but are setting goals and working to them.

I have said before, I have enormous respect for the e107 developers, but a goal to launch 'when we're ready' is no goal at all. Please save our cms before the user base evaporates!
nlstart
Jun 08 2010, 04:15AM
nlstart
  • e107 Site administrator
  • e107 Core developer
  • e107 Translation Team Leader
Registered Member #29855
Joined: Aug 18 2006, 01:12AM
Location: Utrecht, The Netherlands
Posts: 5504
As far as I know, nobody promised v0.8 within a certain period. It might as well take a few more years (do not pin me down on this, as I really do not know...). With non-paid developers it is hard to predict when things are ready to be called 'to be released'.

There have been quite a few security issues in Joomla as well. As the popularity of e107 grows, more attempts like this are to be expected. The e107 development team has always been very reactive and productive in case of any vulnerability, but personally I do not have the impression this blocks the dev team from being productive on developing new features.
[ Edited Jun 08 2010, 04:15AM ]
MartinM
Jun 08 2010, 04:22AM
Registered Member #46001
Joined: Jun 29 2008, 10:41AM
Posts: 79
My point is exactly that. As developers and as users, if there are no deadlines, how do we (you) know if anything is being achieved? Objectives set and met would give everyone confidence that something was really happening.

As has been said before, we are losing ground to other cms, plugin and theme development is stagnating, and users are going elsewhere. Your reply seems to suggest an even more worrying delay: "It may well take a few more years". I suspect if that is the case, the only people left will be the development team and the security hackers.
nlstart
Jun 08 2010, 05:35AM
nlstart
  • e107 Site administrator
  • e107 Core developer
  • e107 Translation Team Leader
Registered Member #29855
Joined: Aug 18 2006, 01:12AM
Location: Utrecht, The Netherlands
Posts: 5504
I tend to disagree; the development on 0.8 is very well going on; it can be followed by the activity in the 0.8 change log.
I am not suggesting any time frame for the upcoming major release; on the contrary, in my post I stated clearly that I really don't know. The 'couple of years' was intended as some form of sarcasm.

Also, I do not see the connection between stagnating theme development and the development of the 0.8 core version. To me, those are two separate things. Furthermore, I admit that communicating is maybe not the best skill of some of the e107 developers. Let's say there is loads of room for improvement.
Downunder
Jun 08 2010, 07:13AM
Registered Member #46693
Joined: Aug 08 2008, 03:43AM
Location: Australia
Posts: 55
I don't know if I should be putting my thoughts in here, I intend no offence or disrespect to anyone, I am very grateful and devoted to E107 after having tried so many others previously.
My web site also has been under constant attack and I have no doubt that not one of the ones I had tried before could have stood up so well, but then I have my web site wound up tight, no comments allowed, and I don't just let anyone sign up, all new members must be admin approved, and if my site is under attack I set it to "Restrict website to members only" this stops them pretty quick.
But even more than that, E107 is so much easier to upgrade as the information provided is actually understandable.
Never for a moment do I believe anything on the internet is safe, and anyone who does believe so is fooling themselves, I never use it for banking or anything that can be stolen or used against me, so whether it is version 7 or 8 or any other of the many CMS scripts out there, it is up to each and every one of us as web masters to be vigilant and not let our web sites be abused, even if it means sitting up all night to ensure the scumbag hackers don't get in.
Thank you E107
C6Dave
Jun 08 2010, 07:14AM
  • e107 Site administrator
  • e107 Support Team Leader
Registered Member #9506
Joined: Jul 31 2004, 12:57AM
Location: North East UK
Posts: 12379
nlstart wrote ...

...........Furthermore, I admit that communicating is maybe not the best skill of some of the e107 developers. Let's say there is loads of room for improvement.

They're too busy coding

At the moment it's e107's turn to be attacked, tomorrow it will be another CMS, it's a fact of life these days and e107 is no more vulnerable than a lot of others. Every time a php or mysql update is added to a server by a host there is potential for another potential exploit via the servers never mind the CMS code. There was an exploit for Fantastico recently that had to be addressed by hosts. It's an ongoing battle of wits between developers and hackers I'm afraid.

What it has done though is made the Dev team look hard at the core once again and try and find a way to make the 0.8 core structure as secure as possible before release, whilst ensuring that v0.7 is maintained as well. Inevitably this has slowed development down as parts that were rewritten/coded from scratch have to be done once again.

Progress is being made though, but you're not going to see any ETA for a release at this time (my personal opinion).

What would you rather see, a release that's robust and secure, or one that needs patching every week because someone has decided that it's their target of choice and looks for any way they can to exploit a system? I know what my choice would be.
David J.
Jun 08 2010, 08:30AM
& Goliath
Registered Member #1773
Joined: May 22 2003, 12:11PM
Posts: 896
I think with any CMS there are going to be periods of heavy exploitation and slower periods. I think the main thing you should be looking for in a CMS is a team that cares -- obviously, e107's does. Sadly I think there is a slight lack of communication or things that could be implemented better but overall there's a quasi-responsiveness feeling that is comparable to a lot of larger CMS development projects.

Vulnerabilities are in fact part of life, and with an open-source project even more so with thousands of eyes poring over the code. The best thing you can do is to restrict and limit plugin usage, keep frequent backups and pray.
C6Dave
Jun 08 2010, 09:07AM
  • e107 Site administrator
  • e107 Support Team Leader
Registered Member #9506
Joined: Jul 31 2004, 12:57AM
Location: North East UK
Posts: 12379
It's good to know that you and your team are keeping a tight rein on things server side David J. It's highly appreciated.
fecnnews
Jun 08 2010, 01:20PM
Registered Member #49298
Joined: Jan 16 2009, 10:41AM
Location: Florida
Posts: 203
Agree with David J 100%
rgk
Jun 08 2010, 05:27PM
  • e107 Support Team
Registered Member #21870
Joined: Oct 25 2005, 04:07PM
Location: NY
Posts: 1286
e107 is safe, just make sure your server/host is secure and everything should be good
Duce
Jun 08 2010, 10:03PM
Registered Member #38832
Joined: Aug 03 2007, 07:10AM
Location: Centurion, South Africa
Posts: 225
e107 has come a long way. A few months ago I was considering moving but slowly but surely the dev team came around with moving to svn, email release notifications.. All we still need is security notifications and proper descriptions. So far so good.

As long as you stick to some basic rules with regards to file permissions and your host is hands on with server security you should not have too much of a problem with e107.
Downunder
Jun 09 2010, 03:16AM
Registered Member #46693
Joined: Aug 08 2008, 03:43AM
Location: Australia
Posts: 55
Just thought I would add here since my little post above I have had a very large amount of hits on my web site via the link below my post, all of these hits are from suspicious IP addresses with histories of hacking and spamming attempts.
It is obvious this forum is being watched very closely by the hackers.
MartinM
Jun 09 2010, 03:26AM
Registered Member #46001
Joined: Jun 29 2008, 10:41AM
Posts: 79
I've just spent a long time banning IPs shown in my control panel awstats log. Lots of hits from places which would have no legitimate interest in my site. Also I find I have hundreds of referring sites listed which are 'dodgy'. I've banned these too but guess that won't stop them referring. Any ideas for this one?
Marco1_79
Jun 24 2010, 04:23AM
Registered Member #57191
Joined: Jun 24 2010, 04:18AM
Posts: 1
In my opinion e107 has improved a lot in the last months in terms of security.
But bugs will always exist. In every software.
G4HDU
Jun 24 2010, 06:28AM
Registered Member #1920
Joined: Jun 09 2003, 03:48AM
Location: North West UK
Posts: 1395
Marco is right, e107 is very secure but there is always the possibility of undiscovered exploits in any software, just ask Sun, Apple or Microsoft.
septor
Jun 24 2010, 06:35PM
  • e107 Site administrator
  • e107 Security Team
  • e107 Support Team
  • e107 Documentation Team
Registered Member #37
Joined: Aug 11 2002, 03:20AM
Location: United States
Posts: 2691
Instead of providing a release date, maybe the development team should try and post more about what they are currently working on.

Not everyone is going to view the changelog and know what is going on, and making a news post or a blog entry entailing what is currently being tackled can't possibly take more than 10 minutes at most.

I would generally say that it's not the delay in the release of 0.8 that is the major problem, it's the lack of any type of news about 0.8 except "it's being worked on" that is causing so much negative publicity.

As for the security of e107; it's as secure as it can be at this point. Holes can't be fixed if they are unknown. Plus, a lot of things can be done on your and your server administrator's part to ensure the e107 install you use is locked down, even if exploits exist. Not a single piece of software is 100% secure, and anything that claims to be is probably something you should be steering clear of because that type of mantra is just going to provoke people to prove said claim wrong.
[ Edited Jun 24 2010, 06:36PM ]
C6Dave
Jun 24 2010, 11:32PM
  • e107 Site administrator
  • e107 Support Team Leader
Registered Member #9506
Joined: Jul 31 2004, 12:57AM
Location: North East UK
Posts: 12379
septor, have a read of the blog: [-link-]
septor
Jun 25 2010, 03:05AM
  • e107 Site administrator
  • e107 Security Team
  • e107 Support Team
  • e107 Documentation Team
Registered Member #37
Joined: Aug 11 2002, 03:20AM
Location: United States
Posts: 2691
2dopey wrote ...

septor, have a read of the blog: [-link-]


Yes, I saw that. Seeing as that is the first blog entry in the last four months you can hardly say that is a step up in the communication department. Well it is an obvious improvement (as mentioned previously there has been none in the last four months), it's still a long road. And if that post has been weeks in the making, it only further validates my concern.

Also, anyone who wants to chime in with the whole, "they're busy coding they don't have time to make blog entries and news posts", nonsense -- spare me. I for one would welcome them to step away from coding for a few minutes to keep us informed of the progress; in their words not changelog entries.
G4HDU
Jun 25 2010, 04:00AM
Registered Member #1920
Joined: Jun 09 2003, 03:48AM
Location: North West UK
Posts: 1395
septor wrote ...

I would generally say that it's not the delay in the release of 0.8 that is the major problem, it's the lack of any type of news about 0.8 except "it's being worked on" that is causing so much negative publicity.


No, it is the delay that is causing the problem. There is no point in developing plugins to further enhance e107 at this stage because things will change if it comes out (see the blog). There are things that as a developer I want in the core but we've not got after 2 years of waiting. How many plugins/themes now require prototype for example, yet that will not be included in .7xx? This is why I'm not developing now except for a few of my own needs or paid jobs.
septor
Jun 25 2010, 02:32PM
  • e107 Site administrator
  • e107 Security Team
  • e107 Support Team
  • e107 Documentation Team
Registered Member #37
Joined: Aug 11 2002, 03:20AM
Location: United States
Posts: 2691
Father Barry wrote ...

septor wrote ...

I would generally say that it's not the delay in the release of 0.8 that is the major problem, it's the lack of any type of news about 0.8 except "it's being worked on" that is causing so much negative publicity.


No, it is the delay that is causing the problem. There is no point in developing plugins to further enhance e107 at this stage because things will change if it comes out (see the blog). There are things that as a developer I want in the core but we've not got after 2 years of waiting. How many plugins/themes now require prototype for example, yet that will not be included in .7xx? This is why I'm not developing now except for a few of my own needs or paid jobs.

This is sort of hand in hand. If communication about the development of 0.8 was present, you wouldn't be sitting there wondering what is or isn't coming.


Edit: Also, I'm not saying I condone the delay in 0.8 and that it existing isn't causing major problems, I'm only saying the lack of communication is a major flaw in the overall progress.
[ Edited Jun 25 2010, 02:34PM ]