Joomla Extensions. The good, the bad and the downright dangerous

  • John Pitchers

One of the reasons behind the success of Joomla and WordPress is that they give website owners the ability to extend a website with extensions. The Joomla Extension Directory (at the time of writing) contains 6,238 extensions. An incredible number of bolt-on features and functionality. However, it can be difficult to sort the good from the bad.

There's a lot of crap in there. Some may slow your site to a crawl, others may break your template or clash with other extensions, rendering your site unusable. Some haven't seen an update for years. The biggest issue is exposing your site to hackers. It happens more often than you think. You need to be careful. Very careful.

Joomla publishes an official Security and Performance FAQ. About halfway down the list is the part about Joomla Extensions (http://docs.joomla.org/Security...#Joomla.21_Extensions). If you are a DIYer, please take the time to read the entire page.

There are a few important things to consider before installing a new extension. However, it's your website and you can do what you want with it. If you ignore some of the considerations here or the warnings on the official Joomla FAQ, at least you won't be going ahead blind. So let's get into it.

1. Do you really need the functionality?

Before you install an extension, ask yourself what the value of that functionality is to your end user. What is your end user looking for or trying to achieve? Will it help them or improve their experience? Here's a tip: if it flashes, rotates or moves of its own accord in any way, it's most probably detrimental to your site. It may look cool to you, but banner blindness is an epic phenomenon that can no longer be ignored.

If it's not contributing to your website goals - your financial/traffic goals, not the emotional "I want a pretty website" goal - then the best thing is to leave it off.

More extensions equate to more processing time. Every plugin, module and component on your site slows down the server response time. Most extensions include their own assets like JavaScript, CSS and image files, further slowing your load times. Even if an extension isn't active, its assets may be included in the markup. Slow loading adversely affects your search ranking and the user experience, so only install what you absolutely need.

The other thing to consider is maintenance. Most of the bigger, more popular extensions I've used over the past few years have appeared on the Vulnerable Extensions List at one time or another. It's important that the development status of your extensions be monitored and updates applied when available. If you've got 30 extensions installed, that's a mammoth task that probably won't get done. That eventually leads to a compromised site and a lot of heartache.

2. Check the Joomla Vulnerable Extensions List

There are currently 223 known vulnerable extensions on the Vulnerable Extensions List. To be clear here, an extension listed on the VEL doesn't mean you should immediately reject that extension. Vulnerabilities are discovered all the time in all types of software. The important thing is how the developer has responded. Many of the VEL listings provide a link to an update package to fix the reported issues. But many do not. Check it first and monitor it regularly.
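The triage this section describes, as an added example that is not part of the original post: a listed extension is only a problem if no fix exists or you are running a version older than the fix. The extension names, versions and the `fixed_in` field are constructed assumptions, not the real VEL format.

```python
import re

# Constructed sample data: element names, versions and the "fixed_in" field
# are illustrative assumptions, not real extensions or the real VEL layout.
INSTALLED = {
    "com_samplebackup": "3.2.0",
    "com_samplerecipes": "1.6.2",
    "mod_sampleslider": "2.0",
    "plg_samplecache": "1.4.1",
}
VEL_SNAPSHOT = {
    "com_samplebackup": {"fixed_in": "3.2.1"},   # developer shipped a fix
    "com_samplerecipes": {"fixed_in": None},     # abandoned, never patched
    "plg_samplecache": {"fixed_in": "1.4"},      # fixed in an older release
}


def parse_version(text):
    """Turn '3.7.4' into (3, 7, 4) so versions compare numerically."""
    nums = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        nums.append(int(match.group()) if match else 0)
    while nums and nums[-1] == 0:   # treat '2.0' and '2' as the same version
        nums.pop()
    return tuple(nums)


def triage(installed, vel):
    """Return {element: status} for every installed extension."""
    report = {}
    for element, version in installed.items():
        entry = vel.get(element)
        if entry is None:
            report[element] = "not listed"
        elif entry["fixed_in"] is None:
            report[element] = "listed, no fix: remove or replace"
        elif parse_version(version) < parse_version(entry["fixed_in"]):
            report[element] = "listed, update to " + entry["fixed_in"]
        else:
            report[element] = "listed, already patched"
    return report


if __name__ == "__main__":
    for element, status in sorted(triage(INSTALLED, VEL_SNAPSHOT).items()):
        print(f"{element:20} {status}")
```

"Not listed" only means no report is known at the time of the snapshot, which is why the check needs to be repeated regularly.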

3. Does the extension or the developer have a good history?

This can require some investigation, particularly for a new extension. Does the developer actively maintain their extension and release regular updates? Are the developers experienced? Do they develop websites or Joomla extensions for a living? Is there an avenue for support?

4. Is the extension likely to be supported in the future?

It's time for an example. I use Akeeba Backup and Akeeba Admin Tools on almost every site I build. Akeeba developer, Nicholas K. Dionysopoulos, releases updates to his products on a regular basis. In addition to Akeeba Backup and Admin Tools there are many other extensions Nick has developed and supports. Most of his extensions are free to download and use. One-on-one support is via a paid subscription, but there are pages full of documentation and demo videos. Nick has been building Joomla extensions since at least 2006; he speaks at Joomla conferences and he's very active in the Joomla community. You can tell by reading his blog and following his tweets that Nick's livelihood is built around his work with Joomla.

A vulnerability was reported in Akeeba on 17 April, 2011. Nick posted an update on the Akeeba website on the same day. Apple or Microsoft wouldn't prioritise a security update like that. Akeeba Backup is currently at version 3.7.4 with 3 stable releases so far for 2013. This is a developer you can trust.

On the other hand, Rapid Recipe was a commercial Joomla extension by a different developer. A vulnerability was reported in July 2010. Development has since been abandoned, the website has disappeared and the extension was never patched or updated from Joomla 1.5 to Joomla 2.5. If you had built your site or your online business around this extension then you'd be in serious trouble.

In conclusion

It takes a bit more time to consider your audience and research the extension and the developer. But, it can save you some significant frustration. It can save you from wasting time fixing a broken site. And it can save you from the heartache of getting your site hacked or having to completely rebuild.