With the impending release of Joomla 3.3, the Joomla Core development team has decided to raise its minimum PHP requirement to version 5.3.10 for security reasons – as the team explains, it was due to “a significant change made in the PHP 5.3.x series leading up to PHP version 5.3.10 that substantially enhances the level of cryptography that can be used for securing passwords.” Given the number of revelations concerning the “Big Brother”-like global electronic surveillance systems run by various national intelligence services, this is definitely a step in the right direction. But much remains to be done, and now is the time to get ready for the (post-Snowden) brave new World Wide Web.

The past 2 years have been horrid, in terms of security news. Various user information databases have been hacked and cracked, some of which belong to giant names including LinkedIn, Yahoo! and the latest one, Adobe. Dropbox, one of the most popular cloud storage services, has been cracked numerous times. And of course, the granddaddy of all security news, the Big Bad NSA. While it is unlikely that most of us really have sensitive data in need of being secured from the government (nobody here’s using Joomla to serve up a bomb-making forum, right?), there are still valid reasons to ensure our websites are secure (EU regulations being just a part of it). So here are some things to consider when upgrading to Joomla 3.3 – not very difficult to do, but it may require you to spend some money on security.

SSL Here, TLS There, HSTS Everywhere

More and more, websites are beginning to use encrypted connections not only during user authentication, but for every individual user session. With open wireless hotspots becoming very popular, not only the major email players such as Google, Yahoo!, and Hotmail are doing this, but most social media and cloud storage providers have started as well. Firefox has an extension called HTTPS Everywhere, which attempts to enforce the use of encrypted connections wherever sites support them. If your Joomla website stores user details (including passwords and financial information), then you need to consider enabling HTTP Strict Transport Security, which means getting an SSL certificate (or even an Extended Validation certificate). We at Digital Peak take security very seriously and have enabled HTTPS for every logged-in user or purchase.

Gentlemen, Prepare Your Passwords

Stronger cryptography or not, storing passwords directly is a recipe for disaster. Your Joomla website, if it requires user authentication, needs to be storing and comparing password hashes, optionally (and preferably) individually and randomly salted. You can also help your users choose strong passwords by enforcing certain password requirements (minimum length, require alphanumeric + special characters, password expiry etc.) which can be automated by the use of Joomla password extensions.
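As an added illustration (not Joomla core code and not part of the original post), the following PHP stores only individually salted bcrypt hashes, compares them on login, and re-hashes weaker records after a successful login. It assumes PHP 5.6 or later; the function names, the cost value and the legacy `md5hex:salt` record format are hypothetical.

```php
<?php
// Added example, not Joomla core code. Assumes PHP 5.6+.
const BCRYPT_COST = 12; // assumed work factor; tune to your hardware

// Hash a new password. password_hash() generates a fresh random salt on
// every call and stores it, with the algorithm and cost, inside the result.
function hash_password($plain)
{
    $hash = password_hash($plain, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
    if (!is_string($hash)) {
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

// Check a login attempt against the stored value.
// Returns array(bool $ok, string|null $replacementHash).
function check_login($plain, $stored)
{
    if (strpos($stored, '$2y$') === 0) {
        $ok = password_verify($plain, $stored); // constant-time comparison
    } else {
        // Hypothetical legacy record "md5hex:salt", kept only for migration.
        $parts = explode(':', $stored, 2);
        $ok = count($parts) === 2
            && hash_equals($parts[0], md5($plain . $parts[1]));
    }
    if (!$ok) {
        return array(false, null);
    }
    // Re-hash on successful login when the stored value is weaker than policy.
    $opts = array('cost' => BCRYPT_COST);
    $new = password_needs_rehash($stored, PASSWORD_BCRYPT, $opts)
        ? hash_password($plain) : null;
    return array(true, $new);
}

// Constructed sample data.
$alice = hash_password('correct horse battery staple');
$bob   = hash_password('correct horse battery staple');
var_dump($alice !== $bob);                        // same password, different salts
var_dump(check_login('wrong guess', $alice)[0]);  // failed login attempt
$legacy = md5('hunter2' . 'Xy7q') . ':Xy7q';      // constructed legacy record
list($ok, $upgraded) = check_login('hunter2', $legacy);
var_dump($ok, strpos($upgraded, '$2y$') === 0);   // accepted, then upgraded
```

When `check_login()` returns a replacement hash, write it back to the user record so the weaker value is no longer stored.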

Two Factor Authentication

Many financial institutions and other companies who provide high-value services have dispensed with the simple username/password combination, requiring in addition a one-time code/token as well. This token is usually generated on-the-fly by a hardware device (or software equivalent installed on a mobile device); alternatively, it may be sent via SMS. In either case, it requires both something you know (password) and something you have (your mobile phone or hardware device) to log in; hence the name 2-factor. Joomla 3.3 natively supports the use of the software-only Google Authenticator as well as Yubico’s YubiKey (this feature was added in version 3.2), and several extensions add the ability to earlier versions of Joomla. You may also consider using services such as Duo Security to do the same thing.
We have enabled two-factor authentication on our site as well, which means you can enable your preferred method in your account settings. On our login page you can see the secret key to input. No need to wait to make your account even more secure at joomla.digital-peak.com!
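To show how the one-time code in an authenticator app relates to the secret key, here is an added PHP example (not Joomla's implementation and not part of the original post) of the time-based one-time password algorithm from RFC 6238 with a server-side check. It assumes 64-bit PHP 5.6 or later; the function names, the drift window and the sample time are assumptions.

```php
<?php
// Added example, not Joomla's implementation. Assumes 64-bit PHP 5.6+.

// Decode the base32 secret that an authenticator app is enrolled with.
function base32_decode_secret($b32)
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim(str_replace(' ', '', $b32), '='));
    if ($b32 === '') {
        throw new InvalidArgumentException('Empty secret');
    }
    $bits = '';
    foreach (str_split($b32) as $ch) {
        $pos = strpos($alphabet, $ch);
        if ($pos === false) {
            throw new InvalidArgumentException('Invalid base32 character');
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    for ($i = 0; $i + 8 <= strlen($bits); $i += 8) { // whole bytes only
        $out .= chr(bindec(substr($bits, $i, 8)));
    }
    return $out;
}

// RFC 6238 code for a Unix time: HMAC-SHA1 over the 30-second step counter.
function totp($key, $time, $digits = 6, $step = 30)
{
    $counter = (int) floor($time / $step);
    $msg = pack('N2', $counter >> 32, $counter & 0xFFFFFFFF); // 8 bytes, big-endian
    $mac = hash_hmac('sha1', $msg, $key, true);
    $offset = ord($mac[19]) & 0x0F; // dynamic truncation
    $word = unpack('N', substr($mac, $offset, 4));
    $code = ($word[1] & 0x7FFFFFFF) % pow(10, $digits);
    return str_pad((string) $code, $digits, '0', STR_PAD_LEFT);
}

// Accept the current step and one step either side to absorb clock drift.
function verify_totp($key, $submitted, $now, $window = 1, $step = 30)
{
    $ok = false;
    for ($i = -$window; $i <= $window; $i++) {
        $ok = hash_equals(totp($key, $now + $i * $step, 6, $step), (string) $submitted) || $ok;
    }
    return $ok;
}

// Constructed demo: the shared secret used by the RFC 6238 test vectors.
$key  = base32_decode_secret('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
$code = totp($key, 1400000000);
var_dump(verify_totp($key, $code, 1400000029)); // checked one step later
var_dump(verify_totp($key, $code, 1400000120)); // checked four steps later
```

A production verifier should also remember the last accepted step for each user so that a code cannot be replayed inside its validity window.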

With the lockdown of Joomla 3.3’s feature set, and with its Release Candidate set to come out within days, this is a good time to understand the ins and outs of this new version of Joomla, and what it may mean for you, whether as a user or as an extension developer, moving forward from here. Joomla 3.3 is not the massive upgrade that Joomla 3 was. It does not feature any significantly different ways of doing things, nor does it introduce any new libraries or paradigms that would force you to rethink the way you’re working now; Joomla’s core developers are focussing on working on their feature requests backlog and on code optimisation. Nevertheless, there are a few aspects that might be worth your while investigating:

Moving from MooTools to jQuery

One of the bigger issues you may have to work with is the migration from the MooTools Javascript framework to jQuery (which was done back in version 3, to support Bootstrap). As we’ve mentioned in an earlier post, and amply supported by the Joomla support forums, the migration process is not without its challenges. Joomla’s core developers are likely to take a couple of iterations before everything that used to be done using MooTools is now done in jQuery. Nevertheless, at some point, Joomla will likely drop support for MooTools altogether, and so it might be a very good idea to figure out how to deploy using jQuery yourself.

Cloud Storage APIs

With the increased prevalence and reliance of not only home users but also large corporations on services that offer mass storage online (or in the cloud, as it is commonly called), support by Joomla for the more well-known cloud storage providers would be a highly welcome feature. But this means that there would also exist much opportunity for extension developers to craft value-added features; for example, through the use of GnuPG or other Public Key Infrastructure (PKI) systems to provide at-rest encrypted storage for services lacking this facility, or the transparent integration of multiple cloud vendors into a single virtual storage space. You can even create an extension that extends such cloud storage support by Joomla to lesser-known providers.

Microdata library implementation

With the widespread support of major global search engines (including Google, Bing, Yahoo!, Yandex) for microdata formats to enrich and enhance search engine results, the Web is coming back to the roots of the Internet, which was primarily a tool for academia. Microdata formats and structured data (such as that defined by Schema.org) make it easier for machines to understand your Joomla website’s content. Given how database-centric most CMSes (including Joomla) are, and how critical search engines are in exposing websites to the world, it’s a good idea to acquaint yourself with the basic concepts behind structured data, and how to best use Joomla’s upcoming support of microdata to make your website shine (at least to the search engines).

As you can see, much of what Joomla 3.3 has to offer is iterative and incremental, rather than profoundly game-changing (and, in fact, is heavily based on what came out of Google’s Summer of Code 2013). Given that a Joomla 3.2 update is going to be released on the same day as the final version of 3.3, this is a great time to brush up on what will become Joomla’s future.

2014 promises to be an eventful year for the Joomla! CMS (pun intended). Of particular interest to us is the release of Joomla 3.3 (which we will cover in our next post), because of its various changes. However, what we’re focusing on in this post is not so much Joomla itself, but the people who are behind it, who code and develop for it, and the people who deploy (i.e. use) Joomla for the website(s) they build.

One of the strengths of Joomla as a CMS is that it has an active and vigorous community of both developers and users. All throughout the year, various meet-ups and conventions focused on Joomla get organised – not only for hardcore evangelists, but for ordinary Joomla folks as well. Yes, there are lots of Joomla! events going on all over the world! Here is a selection of those events:

Saturday 22nd and Sunday 23rd March 2014

Dutch Joomla! Days – Zeist, the Netherlands (The “Bootstrap on Joomla” giant, Joostrap, is taking part in this one)

Friday May 30th – Sunday June 1st 2014

J and Beyond – Konigstein, Germany (this is a HUGE event, try not to miss it!)

But if you’re in Asia instead, you can attend the Joomla User Group meeting:

Wednesday March 5th 2014

Joomla User Group Pune meeting – Maharashtra, India

Even Africa has a Joomla! Day; in Algeria, of all places. Best if you spoke French if you wanted to attend:

Thursday May 15th and Friday 16th May 2014

Joomla! Day Algeria – Sidi Abdellah, Algeria

And as for Americans, there are easily half a dozen meetings that have been set up to date. Sadly, Oceania and South America are under-represented for the time being – but the year is young, so who knows?

For more information on these and other events, visit the following sites:

http://events.joomla.org/

https://www.facebook.com/joomla

In addition, consider attending conferences and events of the other open source CMSes around – WordPress has an official WordCamp in San Francisco every year, for instance – and Joomla people have been known to cross-pollinate at such conferences.

In previous posts, we’ve taken a look at LESS, the superset of Cascading Style Sheets (CSS) that makes it perform much more like a full-blown programming language, as well as Twitter’s Bootstrap framework built on it, which provides web designers with a standardized toolset for UI elements. This post will delve into Joomla 3’s support of Bootstrap, and the implications that this has on its support for LESS as a result.

Because Joomla 3 fully implements Bootstrap, and because Bootstrap is built using LESS, it is only reasonable to think that Joomla 3 fully supports and implements LESS as well. And in a sense, it does – you can edit the LESS files that Bootstrap is made from in Joomla and recompile them. However, there are some things you should know about how LESS works in Joomla:

You do not need to know LESS to make Bootstrap in Joomla work

Or more accurately, all the hard work’s already been done for you. Bootstrap’s source files have all been precompiled as CSS and JavaScript files, which you can simply include or import into your own template. What’s more, if you used or modified Joomla Core’s default Protostar template, Bootstrap's pretty much baked in right from the start as well. Mind you, it’s a ‘slightly modified’ version of Bootstrap, so you do have to do your due diligence and take appropriate steps when using Bootstrap in Joomla 3.

In addition, changing the various defaults in Bootstrap can be done simply by invoking the Bootstrap Customizer and replacing the necessary files in your installation with the ones generated by the Customizer. The use of LESS does not come into the picture at all. Knowing how LESS works and being able to modify Bootstrap’s source code is a bonus, but it is hardly necessary for you to get full use out of Joomla.

Joomla Core does not include a LESS compiler

To be precise, it does not provide a LESS compiler that you can run at will and on any LESS file you want. What it does have is a way for you to adapt a PHP script (generatecss.php) to compile LESS changes for your own template. You can also use a LESS Compiler Joomla plugin to do so every time you make a change. However, if you are serious about playing around with LESS, then you may have to install your own LESS compiler (many paid-for themes and templates include compilers). Given that the whole point of LESS was so that you could write so much less CSS, though, Joomla Core’s decision not to include a standalone compiler (many of which are open-source) is strange.

Override vs. Modify: Which is best?

Assuming that you really do want to delve into LESS to change the default ways in which Joomla’s implementation of Bootstrap behaves, should you really directly modify the Bootstrap LESS files and recompile, or should you maybe override the behaviors in a custom LESS file and call that in your template? In this particular case, using overrides is probably the better solution, as it means that whenever a new version of Bootstrap (or Joomla, for that matter) is released, you can drop it in without worrying that your previous customizations are totally lost.

In a previous post, we took a look at how LESS can help you manage your CSS, by providing you with a powerful superset of features that makes CSS feel (and work) much more like a traditional object-oriented programming language. Given the power that the LESS pre-processor provides to CSS, it’s no surprise that a lot of web design frameworks are built using LESS. Examples of such frameworks include fusionCSS, the Gantry framework, and the biggest contender of them all, Twitter’s Bootstrap.

In and of itself, Bootstrap is already quite a powerful framework that allows anyone to design a Web interface that just plain works, first time round. Part of what makes Bootstrap so compelling for Web developers, however, is the fact that it is extremely flexible. You can build your website using the UI components that come as default with each Bootstrap installation, and then use CSS (and hence LESS) to override them – making your website look like Windows (of any kind), or OSX, or KDE, or GNOME… anything you can think of.

Changing the defaults

One of the ways in which LESS is used by Bootstrap is through the modification of the various default settings that Bootstrap encodes as LESS variables. For example, in plain CSS, every style defined can include colour settings – but each colour value is set individually of the others, so if you have a series of related elements using the same colour(s), and you want to change them, you have to laboriously find-and-replace the colour number(s). By using LESS, Bootstrap centralises all of these default colours in defined variables, so you only need to change the values in the variable declarations for the changes to be reflected elsewhere.

Nor are colour values the only things that LESS (and Bootstrap) can store and use in variables. Anything that CSS accepts as valid values, including font types, pixel sizes, and percentages can be placed in a variable. Using LESS’ support of nesting, you can even place a variable inside another variable. Without changing a single line of your HTML page, you can make it look entirely different simply by manipulating the default values stored in the Bootstrap-defined variables.

Enhancing functions and procedures

In addition to default variables, Bootstrap also makes full use of mixins, the LESS equivalents of functions and procedures. Mixins essentially allow you to create a style class and import all the properties of that class into another class. By using variables with mixins, you can create a function that allows you to modify the default parameters of the mixin.

Mixins in Bootstrap are used to create various UI elements simply by calling them, rather than having to define these elements from scratch. In addition, Bootstrap mixins also allow you to apply a number of transform effects to various elements quickly and easily.

LESS supports various mathematical operations, namespaces and other advanced functionality which Bootstrap takes full advantage of. As a result, if you want to really play around with Bootstrap, you need to understand how LESS works and how Bootstrap builds itself on it as well.
