Security, Communication, And Quality – Thoughts From A Long-Time Customer - Question | JoomShaper

Security, Communication, And Quality – Thoughts From A Long-Time Customer

Steve

Steve

General 5 days ago

Hello JoomShaper Team,

I’ve been running an advertising agency for over 20 years, manage around 70 Joomla websites, and also handle my own servers and hosting. Over the years, I’ve become familiar with all well-known template providers — such as JoomlArt, Gavick, YOOtheme, and many others.

However, I have been a conscious choice to be your customer for many years because I’m impressed by your products, your designs, and especially the flexibility in customization.

Nevertheless, I’d like to give you some honest feedback on how you handled the recent security vulnerabilities. I hope you’ll see this as constructive feedback from a long-time customer.

What didn’t go well, in my view

1. The response time was too slow. Websites were already under attack on Friday, but the first security update wasn’t released until Tuesday around 4 p.m.

2. The official communication came too late. A request to update wasn’t even sent out until Tuesday evening around 10 p.m.

3. Further security updates were released only gradually. Helix3 was updated first, followed by Helix Ultimate several days later. Especially when it comes to security vulnerabilities, it would be desirable to release updates as simultaneously as possible.

4. Communication could be much clearer. Phrases like “Action required” come across as too noncommittal when dealing with security-critical issues. Address the problem openly and make the urgency unmistakably clear.

5. There was no clear guidance for affected customers. I would have expected all affected customers to receive a prompt email detailing

  • which versions are affected,
  • what immediate steps are required,
  • how to check a website for possible compromise, and
  • how to remediate the issue if necessary.

At the same time, there was a similar security incident involving the JCE Editor. Ryan communicated very transparently and clearly in that instance. That’s exactly the kind of openness and clarity I would have liked to see from you as well.

Instead, several dozen inquiries popped up in the forum that your support team had to answer individually. With a detailed security bulletin, you could have significantly reduced the workload for both your customers and your own support team.

My Hopes for the Future

1. Actively use AI for security analysis. Hackers are already using AI-powered tools today. Take advantage of these capabilities as well to identify vulnerabilities early on. I believe we’re only at the beginning of this development.

2. Quality should take priority over new features. A good example is the issue of spam in the Form Builder. While the team spent weeks working on features like Dynamic Content and promoting them to us as customers, we agencies had to deal with thousands of spam messages and explain to our clients why their forms were being misused.

In situations like these, I wish stability and security would take priority over new features.

3. Please improve the quality of the releases. Especially when you — like me — have to update around 50 websites with Helix Ultimate or PageBuilder, it’s very frustrating when the next update is released shortly afterward because bugs in the previous release need to be fixed. Recent examples of this were Helix Ultimate 2.2.7 and 2.2.8.

Such “updates for an update” waste time and do little to build trust. Unfortunately, this isn’t just an isolated occurrence.

One last, but very important point

When I seek help on the forum, I almost always get a solution from your support team — and I’d like to express my sincere thanks for that.

What I would like to see, however, is this: I often find a forum post describing exactly my problem. But it simply states that support resolved the issue using admin access. While this is helpful for the individual customer, it’s unfortunately not helpful for everyone else.

It would be great if you could briefly document afterward what exactly caused the problem and what steps led to the solution. This would make the forum a much more valuable knowledge base, and we could solve many problems on our own without having to open a ticket every time.

Despite my criticism, I want to emphasize that I still highly value your products and use them every day. That’s precisely why I’m taking the time to write this feedback. I hope that JoomShaper will continue to be among the best providers in the Joomla community.

Thank you very much for taking the time to read this feedback.

Best regards...

Steve

2
5 Answers
C
copycat
Accepted Answer
5 days ago #228205

I agree with everything you wrote. I also appreciate JoomShaper as one of the few developers who still take the Joomla platform seriously.

I think all of us got overwhelmed in this situation because, after years of “peace” regarding hacking incidents, we suddenly had 3–4 weeks of daily Joomla exploits — serious, dangerous ones — and thousands of hacked and compromised websites. The real danger is that many of those sites still haven’t been cleaned, and attackers continue to exploit them for further attacks, crypto‑mining, and similar activities. Most people don’t even know their site has been breached if the homepage hasn’t been visibly defaced.

Honestly, I’m not satisfied with the lack of support for older Joomla versions, and now we’ve seen clearly that a huge number of users are still running Joomla 3. Unfortunately, the upgrade process is not simple, and for the average client it’s often too expensive. So we end up stuck on older versions — but we can’t just ignore that reality. Ideally, Joomla, Helix, and SP Page Builder updates would be one‑click, smooth, and painless. But of course, that’s not the case. We can see from open forum threads how many problems people face when updating Helix or SP Page Builder. If you maintain 50 or 100 websites, imagine the enormous number of hours spent fixing issues on each individual site — and in the end, how do you charge for that? Who is going to pay us for all that work?

It would have been helpful to have a timely and clearly structured response — for example: Helix 3, specific version, update instructions here; for older versions, apply this patch; then the same for Helix Ultimate and SP Page Builder.

Situations like this will only become more frequent because attackers are using AI to discover vulnerabilities. But the same approach needs to be applied on the development side at JoomShaper: proactively research vulnerabilities and patch them before releasing the product.

Good luck to everyone.

0
C
copycat
Accepted Answer
5 days ago #228206

I appreciate that the JoomShaper team said two days ago they would look into possible protection measures for Joomla 3 when used together with Helix Ultimate. Unfortunately, we still haven’t received any information on this. Those websites remain active targets for ongoing attacks.

0
Toufiq
Toufiq
Accepted Answer
Senior Staff 4 days ago #228403

Hi Steve,

First of all, thank you for taking the time to write such a detailed and thoughtful post.

We truly appreciate your continued trust in JoomShaper over the years. Feedback from experienced professionals like you, who manage many Joomla websites in production, is incredibly valuable to us. We're also grateful for your kind words about our products and our support team.

We've carefully read through your feedback, and we'd like to respond to each of your points below.

1. Response Time

We completely understand your concern about the time it took to release the security updates.

During a security incident, our first priority is to investigate the reports thoroughly, identify the root cause, develop a reliable fix, and validate it before releasing an update. While we always aim to respond as quickly as possible, we also have a responsibility to ensure the fix is stable and doesn't introduce new issues.

2. Communication

Thank you for pointing this out.

We agree that communication is just as important as the technical fix during a security incident. Your suggestions about earlier notifications, clearer messaging, and providing more detailed guidance are appreciated.

We'll continue working to improve how we communicate important security-related information with our customers.

3. Simultaneous Releases

Although the underlying issue may affect multiple products, each product has its own codebase, compatibility requirements, and testing process. Because of that, updates cannot always be released at the same time.

That said, we understand why a coordinated release would be beneficial for customers managing many websites, and we'll continue looking for ways to improve this process.

4. Security Advisories

We appreciate this suggestion.

A more detailed security advisory that clearly explains the affected versions, the required actions, how to determine whether a site has been compromised, and the recommended remediation steps would certainly be helpful.

We'll take this into consideration as we continue improving our security communication.

5. AI for Security Analysis

Security is an ongoing effort, and we're always evaluating new tools and technologies that can strengthen our development and review processes.

Your suggestion about using AI to assist with security analysis is appreciated, and it's something we'll continue exploring.

6. Security and Stability Before New Features

We understand your perspective.

While we continue developing new features, security and product stability remain among our highest priorities. Finding the right balance is important, and feedback like yours helps us better understand what matters most to agencies and long-term customers.

7. Release Quality

We understand how frustrating follow-up releases can be, especially when you're responsible for updating many production websites.

Every release goes through testing before publication, but we know there's always room to improve. We're continuously refining our QA process and testing procedures to deliver more stable releases and reduce the need for follow-up updates.

8. Forum Knowledge Base

Thank you for this excellent suggestion.

We agree that, whenever possible, sharing the root cause and a general explanation of the solution would make the forum much more valuable for the community.

While some cases involve customer-specific configurations that can't be shared publicly, we'll continue encouraging our team to provide more useful technical summaries whenever appropriate.

Once again, thank you for taking the time to share your feedback and for your continued support of JoomShaper.

Constructive feedback like yours helps us improve not only our products, but also our communication, documentation, and the overall customer experience.

We truly appreciate your trust and look forward to continuing to earn it.

1
Steve
Steve
Accepted Answer
3 days ago #228452

Hello Toufiq,

Thank you as well for your candid and detailed response. I’m very pleased to see that JoomShaper is openly addressing the points of criticism raised and is willing to continue improving the areas mentioned.

It is precisely this openness and willingness to take feedback seriously that build trust and show that customers matter.

Should you need further feedback or suggestions for improvement based on (agency) experience in the future, as a long-time customer, I’m always happy to help.

Best regards!

0
Toufiq
Toufiq
Accepted Answer
Senior Staff 1 day ago #228600

Hi Steve,

Thank you so much for your feedback. We are preparing a security guideline along with the necessary security patches for the reported issues, and we'll release them as soon as possible.

We truly appreciate your thoughtful feedback and your continued support. It's encouraging to know that our openness and commitment to improvement have reinforced your trust.

Thank you again for offering your help. Feedback from experienced, long-time customers like you is always valuable, and we'll be happy to reach out in the future.

Best regards,

Toufiqur Rahman (Team Lead, Support)

0