How to install an update/upgrade patch to your Joomla! Installation

NOTE: THIS ARTICLE HAS AN UPDATE AVAILABLE HERE
The number of people I see posting on forums asking for support on components who are running versions of Joomla! sometimes 4 or more versions out of date is really quite alarming - when I point out to them the error of their ways, often the first question is "Well how do I upgrade to the latest version?". Hopefully this article should help clarify the process involved with installing the latest patches for Joomla! and help you stay up to date!
Joomla! docs has a full walk-through of this process, which is where most of the information in this article is from.
What is security?
Unlike a static site, a Content Management System such as Joomla! is dynamic, and the information is stored in a database and retrieved by various methods from the code in the files of your site. Data is the most important thing in today's society, and as a website owner, administrator, manager or developer, it is your responsibility to ensure that the data for your sites is secure. If you're based in the UK, this is actually part of the Data Protection Act (1998) and theoretically, if someone hacked your site and the data was used maliciously, you could be prosecuted under section 7 of the Act (Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data).
Due to the perceived "value" of the data, there will always be people who want to get access to it. Whether this be to gain "kudos" amongst the hacking community or to sell the email addresses to spammers, there will always be a driver to encourage this kind of activity. As Anthony Ferrera quite plainly put it during the security presentation at JoomlaDayUK 2009, if someone wants your data, they will get it. What we need to do is put as many barriers in the way as is feasible, while maintaining a functional and "user friendly" site. Depending on your target audience, you will need to decide whether having a three-layer authentication system is appropriate, or if just the one login will suffice.
What is a patch?
A patch is an update which is released to "cover the hole" when vulnerabilities are identified. The Joomla! Security Strike Team and the Bug Squad are extremely quick to respond to any vulnerability reports, and although the patching cycle is usually every 6-8 weeks, it is not unheard of for an urgent patch to be released out-of-cycle (For example, 1.5.13 and 1.5.14 were released only 8 days apart due to the fact that two bugs were introduced in 1.5.13 which needed fixing urgently - the same happened with subsequent releases when problems with the packaging were identified).
When a patch is released for download from Joomla.org there will be both a full-release (i.e. all the files for a Joomla! installation of that version) and an update patch (i.e. just the files you need to update from old versions to the newest version). If you have a site which you need to update, find out what version it's running (displayed in the top right hand corner in the administrator portal) and then download the appropriate patch - so if you're going from 1.5.19 to 1.5.20 you'd need the patch (which you'll find by clicking on the "Download other 1.5.x versions" link) Joomla_1.5.19_to_1.5.20-Stable-Patch_Package.
A patch will consist of the same file/folder structure as the core Joomla! installation, but not every folder will be there - only the ones where files have been changed.
What should I do before patching?
It is vitally important that if you are patching a site, you can quickly get back to where you were before the patch in case things don't go to plan. This is one thing that we would absolutely 100% insist you do before upgrading. Ensure you have a LOCAL COPY (i.e. physically on your computer or on a disk in your possession) of all your files AND your database from immediately before your update. It is also a very good idea to take your site offline during this process, to ensure people can't log in or make any changes during the process.
How do I back up my files?
On a day to day basis, many people rely on their server's own backups as disaster recovery for their files; however, before an update it is really important that you have this copy which can be quickly restored if things should go wrong. The easiest way to do this is simply to download a backup to your local hard drive of the entire site - call it something like "Backup Pre-Upgrade to 1.5.20" so you know exactly what the files are and can delete them in the future if not required.
How do I back up my database?
We would always recommend using an automated backup on a regular basis, such as LazyBackup, which mails you a copy of your database, or Akeeba Backup which can be set (using a Cron task) to automatically back up your site at regular intervals, to ensure you have a copy of your database and files as often as required. Before updating it is important to get an up-to-date copy. If you have a very busy site, it's a good idea to take the site offline to ensure no new content can be posted until after you've done the update. The easiest way to back up your database is to go into phpMyAdmin (if you have a cPanel interface you can just click on the icon - Plesk and other interfaces tend to call it Database Administration), click on your database name, then click on the "Export" tab. Leave everything as standard but tick the box at the bottom left which says "export to file" and click Go. This will export your database as an SQL file which could then be re-imported at a later date if you have problems. To back up your files we would recommend using Akeeba - it is much easier than downloading each and every file and folder by FTP (and much quicker too).
How do I patch my site?
Cautious approach
Once you have a full backup, there are two ways to patch your site. If you are ultra cautious, you need to load the files & database on a localhost server such as WAMP or MAMP, copy over the update files and folders from the patch to over-write the original files, then test to ensure everything works before copying the files back up to your server.
Other approach
For those who do not have time/facilities/etc, you can just copy the patch files directly to your website root, over-writing the existing files and folders. As you have a full local backup you can easily over-write the files again if there is any problem. This is a somewhat quicker approach than using the local server in-between; however, as it can take time to re-write your files back to the server in the event of a problem occurring, it has inherent risks for larger sites, where downtime needs to be kept to a minimum.
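The direct overwrite described above, written as a script with a quick rollback set. This is an added example, not code from the original article or the Joomla! project. It assumes shell access to the server, a patch package that has already been extracted, and a full local backup already taken; the function names and the site, patch and backup paths are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: apply an extracted Joomla! update patch and keep a rollback set.
# All function names and directory arguments are hypothetical, supplied by the caller.
# Usage: snapshot_for_patch SITE PATCH BACKUP; apply_patch SITE PATCH;
#        verify_patch SITE PATCH BACKUP; rollback_patch SITE BACKUP

# Save the current copy of every file the patch will overwrite, and record
# files the patch adds (they must be deleted again on rollback).
snapshot_for_patch() {
  local site="$1" patch="$2" backup="$3" rel
  mkdir -p "$backup/files"
  : > "$backup/added.list"
  (cd "$patch" && find . -type f | sed 's|^\./||' | sort) > "$backup/patch.list"
  while IFS= read -r rel; do
    if [ -f "$site/$rel" ]; then
      mkdir -p "$backup/files/$(dirname "$rel")"
      cp -p "$site/$rel" "$backup/files/$rel"
    else
      printf '%s\n' "$rel" >> "$backup/added.list"
    fi
  done < "$backup/patch.list"
}

# Copy the patch tree over the site root, overwriting existing files.
# Files and folders that are not in the patch are left untouched.
apply_patch() {
  local site="$1" patch="$2"
  cp -R "$patch/." "$site/"
}

# Confirm every patched file on the site is byte-identical to the patch copy,
# which catches partial uploads and permission failures.
verify_patch() {
  local site="$1" patch="$2" backup="$3" rel
  while IFS= read -r rel; do
    cmp -s "$patch/$rel" "$site/$rel" || { echo "MISMATCH: $rel"; return 1; }
  done < "$backup/patch.list"
}

# Restore the saved originals and remove files the patch introduced.
rollback_patch() {
  local site="$1" backup="$2" rel
  cp -R "$backup/files/." "$site/"
  while IFS= read -r rel; do
    rm -f "$site/$rel"
  done < "$backup/added.list"
}
```

The rollback set only covers files touched by the patch, so it shortens recovery time but does not replace the full file and database backup.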
When should I patch my site?
You should ALWAYS endeavour to patch your sites as soon as possible after the patch is released. As soon as the patch is released, everyone knows exactly what the vulnerabilities are that it fixes (as they're stated in the release), so the people trying to get your data will also know this!
We tend to patch our sites when we know there will be minimal traffic. Look at your analytics software and see what days in the week you're quiet - and what times of day are the least popular. Sure, it means you have to stay up late perhaps, but it's better than inconveniencing your site's visitors at peak time, eh?
Where can I find out about getting involved?
If you'd like to get involved with the Bug Squad, Security Strike Team, or any other aspect of Joomla!, the best place to start is to post in the forums. Perhaps set aside an hour or so to have a look through the forums each week - even the newest of newcomers to Joomla! will be able to answer some posts - even if it's just to welcome other newcomers or point people at the appropriate documentation!
References:
Information Commissioners Office - Data Protection Act 1998