Resources for researchers

Security issue puts older websites at risk


The Health Communication Core (HCC) currently manages 20 websites that were developed between 2009 and 2012 in Joomla 1.5 and 2.5. (Joomla is one of many available online software systems used for website development and management.) Joomla no longer supports these older versions and no longer issues security updates for them.

Joomla security risk

In December 2015, HCC was notified by Harvard University Information Technology about a new security risk in Joomla versions 1.5 and 2.5 that was being used against Harvard systems. (Please see below for more information about Joomla.)

We have moved all Joomla website files and databases from HCC’s web server to external servers hosted by Amazon Web Services (AWS), where they are essentially “quarantined”--still online and accessible, but isolated on a separate server to prevent their security risk from affecting other websites and web servers across the Harvard system.
 
This is not, however, a complete solution, and we have been advised to “move away from these unsupported versions of Joomla as soon as possible.”

Long-term solutions

Some of the affected websites were developed for studies that have ended, while others are lab or center sites that are still receiving web traffic.

With the approval of the appropriate PIs, we are taking offline and archiving the files for several older Joomla sites developed for studies or funding cycles that have ended.

For websites that are still active, the optimal solution is to transition to Drupal. In 2013 HCC adopted Drupal as its web development platform of choice because it offers robust development capabilities--meeting the needs of complex, powerful sites, as well as small sites--and a user-friendly content management system that allows our clients to easily and independently update their site content.

Many companies and institutions have adopted Drupal as their content-management system of choice, including Weather.com, The Economist, Museum of Fine Arts Boston, and Whole Foods.

Mobile-optimized display, enhanced search engine rankings

As user behavior and devices have evolved, sites developed more than a few years ago are showing their age--for example, they don’t display well on today’s popular mobile devices.

While Joomla’s security risk may be the impetus for migration to Drupal, transitioning to Drupal provides site owners with an opportunity to benefit from:

  • A web presence as cutting-edge as your research
  • Updated technology, including mobile-optimized display
  • Improved usability that reflects changes in user preferences
  • Enhanced search rankings (search algorithms favor mobile websites)

Drupal transition options

The most cost-effective way to transition a site to Drupal is for us to replicate its current content and structure, adapting the layout/design as required by newer mobile templates.

However, site owners should, whenever possible, consider leveraging the transition as an opportunity to assess their audiences and goals, and develop new graphics, content, and appropriate functionality.

These options represent two ends of a spectrum, and we will work with each client to determine the best approach based on the project’s needs and resources.

We will meet with each client to review the current site’s content, structure, web traffic data, and original communication goals. We will also discuss, page by page, the implications (opportunities and limitations) of adaptation to a mobile-friendly Drupal template.

Cost

To minimize cost as much as possible, HCC has developed a streamlined process that includes:

  • Replicating the website’s existing graphics, content, logo, colors, and typography in a new Drupal site with the same site structure as the original site
  • Adapting the current page layout as needed for a user- and mobile-friendly template
  • Making minor updates of content--for example, staff listings or news items

However, the number of pages, types of graphics, interactive functionality, and layout complexities of a site are among the factors that will affect its cost. Clients may also request enhancements that will increase the cost of migration, such as:

  • New content requiring editing, re-organization, or additional pages
  • New color palette
  • New graphics
  • New interactivity
  • Customized page layout

Based on each site’s needs and resources, we will develop a customized proposal and cost estimate.

Design

The visual approach of the current site will be adapted to the extent required for optimal display across a range of mobile and desktop devices. Website conventions have changed dramatically over the past few years in response to user preferences and the adoption of smaller mobile devices. A few characteristics of newer sites are:

  • “Hero” images (single large images extending across a page)
  • Streamlined navigation
  • Concise, easily scannable content
  • Larger fonts
  • Long scrolling pages

The most significant layout changes will be apparent on an updated home page. HCC will adapt each site’s current home page and a sample internal page and review them with the client to resolve any layout or formatting issues.

Web development

Once the new site has been built, clients will be provided with a link with which to review it. After signoff, we will arrange for the current site’s URL to point to the new site. After launch, we will provide staff training in the new content management system and a copy of our Drupal user guide.
 

ADDITIONAL INFORMATION ABOUT JOOMLA

In December 2015, HCC was notified by Harvard University Information Technology that: “A critical vulnerability has been discovered in Joomla [versions 1.5 and 2.5] that can lead to data theft and remote code execution.... The exploit is currently being used in attacks across the internet, including attacks against Harvard systems.”

HCC applied available security patches and subsequently moved all Joomla website files and databases from HCC’s production server to Amazon Web Services (AWS), where they are still available on the internet but essentially “quarantined.” HCC is absorbing all AWS hosting costs and will not charge clients for the process of moving their sites.

This is not a complete solution, however, because these sites can still be accessed by hackers--for example, to send massive amounts of spam email. We have been advised to “move away from these unsupported versions of Joomla as soon as possible.”

Why not update to a more recent Joomla version?

Because of extensive platform changes that have taken place between the current and earlier versions of Joomla, updating to a recent version of Joomla would not be a simple, automated process, but tantamount to creating a new site from scratch. The cost of rebuilding in Joomla would be about the same as rebuilding in Drupal.

In addition, while current versions of Joomla are more robust and secure than the 1.5 and 2.5 versions, HCC has studied and tested a number of platforms, and Drupal stands out as the best solution for our clients’ current and future needs. Key benefits from a development perspective include:

  • Security updates are timely and easy to apply
  • Drupal is highly configurable and offers many free plugins that further extend its functionality
  • The large, thriving Drupal developer community assists in creating updated documentation and vital resources for website builders

Please contact us for further information or to let us know how we can help.