Security features

One of the biggest problems with open source software is that other people can see your source code.

Yeah, that's the whole point, but it also means they can see your bugs too. We have been careful about security throughout this project and have several security features built in.

User permissions

User security in Jojo consists of users and groups. A user can belong to one or more groups. Each resource in Jojo (e.g. a page or an article) has a separate permission level for each group. Some articles may be viewable by all groups but editable only by administrators; a forum may be invisible to all users except those belonging to a particular group.
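As an added illustration (not Jojo's own code), the following models the scheme just described: every resource stores one permission level per group, a user belongs to several groups, and a group that is not listed on a resource cannot see it at all. The class and level names, and the rule that a user gets the highest level any of their groups grants, are assumptions made for this example.

```php
<?php
// Added example, not Jojo's code. Models group-based resource permissions:
// each resource maps group name => level; an unlisted group gets LEVEL_NONE,
// so the resource is invisible to it. A user's effective level is the highest
// level granted to any group they belong to (assumption for this example).
declare(strict_types=1);

final class SiteResource
{
    public const LEVEL_NONE = 0;  // group not listed: resource is invisible to it
    public const LEVEL_VIEW = 1;  // group may read the resource
    public const LEVEL_EDIT = 2;  // group may read and modify the resource

    private string $name;
    /** @var array<string,int> group name => permission level */
    private array $levels;

    public function __construct(string $name, array $levels)
    {
        $this->name = $name;
        $this->levels = $levels;
    }

    public function name(): string
    {
        return $this->name;
    }

    /** Highest level granted to any of the user's groups (LEVEL_NONE if none listed). */
    public function levelFor(array $userGroups): int
    {
        $best = self::LEVEL_NONE;
        foreach ($userGroups as $group) {
            $best = max($best, $this->levels[$group] ?? self::LEVEL_NONE);
        }
        return $best;
    }

    public function canView(array $userGroups): bool
    {
        return $this->levelFor($userGroups) >= self::LEVEL_VIEW;
    }

    public function canEdit(array $userGroups): bool
    {
        return $this->levelFor($userGroups) >= self::LEVEL_EDIT;
    }
}

// Constructed sample data: an article everyone can read but only admins can edit,
// and a forum that is invisible unless the user is in 'staff' or 'admin'.
$article = new SiteResource('article', [
    'everyone' => SiteResource::LEVEL_VIEW,
    'admin'    => SiteResource::LEVEL_EDIT,
]);
$forum = new SiteResource('staff forum', [
    'staff' => SiteResource::LEVEL_VIEW,
    'admin' => SiteResource::LEVEL_EDIT,
]);

// Constructed users, each with their group memberships.
$users = [
    'visitor' => ['everyone'],
    'staffer' => ['everyone', 'staff'],
    'admin'   => ['everyone', 'admin'],
];

foreach ($users as $who => $groups) {
    foreach ([$article, $forum] as $resource) {
        printf(
            "%-8s %-12s view=%-5s edit=%s\n",
            $who,
            $resource->name(),
            var_export($resource->canView($groups), true),
            var_export($resource->canEdit($groups), true)
        );
    }
}
```

The deny-by-default behaviour lives in the `?? self::LEVEL_NONE` fallback: a resource that simply does not mention a group is invisible to it, which is how the "invisible forum" case falls out without any special handling.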

No writable files in web-root

This is a fundamental rule of web hosting, yet almost all CMS systems get this wrong. On shared servers, you should not have writable folders within the web-root of your server. Doing so can potentially expose you to attacks from other users on the server.
We have bent over backwards to make sure this does not happen in Jojo CMS. In fact, if you follow our recommended installation, your web-root folder will only have 3 files in it, and none of them writable.
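A way to verify this property on your own deployment, added here as an example and not part of Jojo: walk the web-root and list every entry the current process can write to. Run it as the account the web server executes PHP under (for example `sudo -u www-data php check-webroot.php /var/www/html`, where the script name and path are placeholders), because `is_writable()` answers only for the calling user. On a correctly deployed site the list is empty.

```php
<?php
// Added check, not Jojo's own code. Lists every file or directory under a
// web-root that the *current* process can write to. Run it as the web-server
// user; is_writable() reports permissions for the calling user only.
declare(strict_types=1);

/** Return the paths under $root (root itself included) writable by this process. */
function writablePaths(string $root): array
{
    $found = is_writable($root) ? [$root] : [];

    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST,
        // Skip subdirectories we cannot read instead of aborting the whole walk.
        RecursiveIteratorIterator::CATCH_GET_CHILD
    );

    foreach ($iter as $path => $info) {
        // is_writable() follows symlinks, so a link pointing at a writable
        // target is reported too, which is what matters for the web server.
        if (is_writable($path)) {
            $found[] = $path;
        }
    }
    return $found;
}

/** Octal mode string such as 0644 for a path, for the report. */
function modeOf(string $path): string
{
    return substr(sprintf('%o', fileperms($path)), -4);
}

$root = realpath($argv[1] ?? getcwd());
if ($root === false || !is_dir($root)) {
    fwrite(STDERR, "usage: php check-webroot.php /path/to/web-root\n");
    exit(2);
}

$writable = writablePaths($root);
if ($writable === []) {
    echo "OK: nothing under $root is writable by this process\n";
    exit(0);
}

echo "Writable entries under $root:\n";
foreach ($writable as $path) {
    echo '  ' . modeOf($path) . '  ' . $path . "\n";
}
exit(1);
```

The non-zero exit status makes the script usable from a deployment pipeline or a cron job: a writable entry appearing after an upgrade or a careless `chmod` then fails the job rather than going unnoticed.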

Spam protection

The contact form plugin includes an optional CAPTCHA to help prevent contact form spam, which is becoming more common. Several other forms on the site include a CAPTCHA. To make things slightly easier for the user, our CAPTCHAs are only 3 characters long and are not case sensitive. This may increase as spammers get better at cracking CAPTCHAs.

Email injection prevention

Email injection is a technique used by spammers to send spam via the contact form on an unprotected website. If your contact form is unprotected and your site is popular, it will be attacked in this fashion sooner or later. If your server is continually sending out spam, it will be added to spam blacklists, after which even its legitimate mail will be blocked.
Any form POSTed on a Jojo site is checked for email injection attacks. Because we still have a sense of humour about all this, if we detect someone trying to do header injection on one of our forms, we redirect them to the Wikipedia page on email injection.
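As an added example of the kind of check a contact-form handler runs on its POST fields before they go anywhere near `mail()`: this is not Jojo's code, and the field names, the redirect target and the exact set of header-bound fields are assumptions. The core idea is that mail headers are separated by CRLF, so a header-bound field must not contain a line break at all; rejecting on that, rather than on a list of keywords, also covers payloads the keyword list did not anticipate.

```php
<?php
// Added example, not Jojo's code. Checks contact-form POST fields for mail
// header injection before they are used to build headers for mail().
declare(strict_types=1);

/**
 * Headers are separated by CRLF, so a header-bound value containing CR, LF or
 * NUL would let the submitter append headers of their own. Reject on that.
 */
function safeForHeader(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

/**
 * Names of fields that fail the check. $headerFields are the fields this form
 * places into headers (assumption); the message body may contain newlines and
 * is therefore not subject to this check.
 */
function headerInjectionProblems(array $post, array $headerFields = ['name', 'email', 'subject']): array
{
    $bad = [];
    foreach ($headerFields as $field) {
        if (!safeForHeader((string) ($post[$field] ?? ''))) {
            $bad[] = $field;
        }
    }
    // A syntactically valid address cannot contain line breaks, so validating
    // it is a second, independent guard for the field that ends up in From:.
    if (!in_array('email', $bad, true)
        && filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $bad[] = 'email';
    }
    return $bad;
}

/** Build additional headers only from values that already passed the check. */
function buildHeaders(array $post): string
{
    $from = (string) filter_var($post['email'], FILTER_VALIDATE_EMAIL);
    return "From: $from\r\nReply-To: $from\r\nX-Mailer: PHP/" . PHP_VERSION;
}

// Constructed sample submissions: one ordinary, one with a line break smuggled
// into a header-bound field.
$clean = [
    'name'    => 'Alice',
    'email'   => 'alice@example.org',
    'subject' => 'Hello',
    'message' => "Line one\nLine two",   // newlines in the body are fine
];
$injected = [
    'name'    => "Alice\r\nBcc: someone@example.net",
    'email'   => 'alice@example.org',
    'subject' => 'Hello',
    'message' => 'x',
];

foreach (['clean' => $clean, 'injected' => $injected] as $label => $post) {
    $problems = headerInjectionProblems($post);
    if ($problems === []) {
        echo "$label: accepted; headers would be:\n" . buildHeaders($post) . "\n\n";
        // mail($to, $post['subject'], $post['message'], buildHeaders($post));
        continue;
    }
    echo "$label: rejected (" . implode(', ', $problems) . ")\n\n";
    // In a web context, the behaviour the page describes would be:
    // header('Location: https://en.wikipedia.org/wiki/Email_injection', true, 303);
    // exit;
}
```

Note that the check is applied to the decoded `$_POST` values, which is where PHP has already turned `%0D%0A` back into CR LF; checking the raw query string instead would miss nothing here but is not needed. The message body is deliberately excluded, since it is passed to `mail()` as the body and never becomes a header.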

Regular updates

We recommend you keep your Jojo install up to date to minimise any security risks.