
OJS Security

Questions about securing your OJS installation, recognising a compromise, and maintaining a safe publishing environment.

Is OJS secure for e-publishing?

Yes. OJS is used by thousands of journals worldwide, including those at major research universities and scholarly publishers. It has a strong security track record when properly maintained. The PKP development team actively monitors and patches vulnerabilities.

However, no software is unconditionally secure — security depends on:

  • Keeping OJS updated to the latest patched version.
  • Using a secure, well-configured web server.
  • Practising good password hygiene.
  • Restricting access appropriately.
  • Monitoring for signs of compromise.

An OJS site running an outdated version on a poorly configured server is at high risk regardless of OJS's inherent security.

Why should I care about OJS security?

The consequences of a compromised OJS journal are serious:

  • User data exposure — author names, email addresses, institutional affiliations, and manuscript files are stored in OJS. A breach may violate data protection laws (GDPR, PDPA, etc.).
  • Journal reputation damage — a hacked journal that serves malware or hosts spam damages the journal's credibility with authors and readers.
  • Article integrity — attackers may modify published article content or redirect DOIs.
  • Blacklisting — Google and browsers may flag the site as dangerous, blocking access for all users.
  • Legal liability — GDPR violations carry significant financial penalties.

How will I know if my OJS has been hacked?

Signs of a compromised OJS installation:

  • Unexpected file changes — new or modified files in the OJS directory (especially PHP files in unexpected locations).
  • Strange admin accounts — new administrative users you did not create.
  • Email spam — your server IP is blacklisted; emails from OJS are rejected.
  • Browser warnings — Google Chrome or Firefox displays "Dangerous site" warnings.
  • Search engine results — Google Search shows spammy content or links in your journal's index listing.
  • Unusual server load — high CPU or network usage suggesting the server is mining cryptocurrency or sending spam.
  • PHP errors — unexpected PHP errors appearing on journal pages.
  • OJS displays changed content — text, links, or images altered on journal pages.

Run the following command to find recently modified PHP files (Site Administrator task):

find /path/to/ojs -name "*.php" -newer /path/to/ojs/config.inc.php -type f
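
Modification time is a quick first check, but a hash manifest taken right after a clean install or upgrade gives a firmer baseline. The script below is an added example, not part of the PKP documentation or the OJS code base: it records a SHA-256 manifest of the PHP files in the OJS tree, reports files that were modified, removed or added since the baseline, and separately lists PHP-executable files inside upload directories (files_dir and public/), where no code should ever live. The directory tree, file names and paths it builds are constructed for the example; it assumes a GNU/Linux host with coreutils and paths without spaces.

```shell
#!/bin/sh
# Added example, not from the PKP documentation: keep a SHA-256 manifest of
# the OJS code tree and compare against it, then look for PHP files in
# upload directories. Assumes GNU/Linux coreutils (sha256sum, find) and
# paths without spaces; the directory tree below is constructed.

# Write a manifest ("<sha256>  ./relative/path.php" per line) for the PHP
# files under $1 into $2. Take it right after a clean install or upgrade.
make_baseline() {
    ( cd "$1" && find . -type f -name '*.php' -exec sha256sum {} + ) > "$2"
}

# Compare the tree at $1 against manifest $2. Prints MODIFIED, MISSING or
# ADDED followed by the path; prints nothing when the tree matches.
check_integrity() {
    ojs_dir=$1; manifest=$2
    while read -r hash path; do
        if [ ! -f "$ojs_dir/$path" ]; then
            echo "MISSING $path"
        elif [ "$(sha256sum "$ojs_dir/$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "MODIFIED $path"
        fi
    done < "$manifest"
    # PHP files the baseline has never seen: the typical web-shell drop
    ( cd "$ojs_dir" && find . -type f -name '*.php' ) | while read -r path; do
        awk '{print $2}' "$manifest" | grep -qxF -- "$path" || echo "ADDED $path"
    done
    return 0
}

# files_dir and the public/ directory hold uploads, never code: any
# PHP-executable file found there is a finding on its own.
find_php_in_uploads() {
    for d in "$@"; do
        if [ -d "$d" ]; then
            find "$d" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \)
        fi
    done
    return 0
}

# --- constructed sample standing in for /path/to/ojs and its files_dir ---
sample=$(mktemp -d)
mkdir -p "$sample/ojs/lib/pkp" "$sample/ojs/plugins/generic" "$sample/ojs/public" "$sample/ojs_files/journals/1"
echo '<?php // stand-in for index.php' > "$sample/ojs/index.php"
echo '<?php // stand-in for a core file' > "$sample/ojs/lib/pkp/Core.php"
make_baseline "$sample/ojs" "$sample/baseline.sha256"
clean=$(check_integrity "$sample/ojs" "$sample/baseline.sha256")   # expected: empty

# What a compromise typically leaves behind: an altered core file, a removed
# file, a new PHP file in the code tree and one inside the upload directory.
echo '<?php // altered' >> "$sample/ojs/lib/pkp/Core.php"
rm "$sample/ojs/index.php"
echo '<?php // unexpected' > "$sample/ojs/plugins/generic/cache.php"
echo '<?php // unexpected' > "$sample/ojs_files/journals/1/x.php"
findings=$(check_integrity "$sample/ojs" "$sample/baseline.sha256")
stray=$(find_php_in_uploads "$sample/ojs_files" "$sample/ojs/public")
printf '%s\n' "$findings" "$stray"
rm -rf "$sample"
```

Keep the manifest somewhere the web server user cannot write (or off the host entirely), regenerate it after every upgrade, and run the comparison from cron so a finding reaches you before a browser warning does.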

Who are the OJS hackers?

Most attacks on OJS installations are automated — bots scanning the internet for known vulnerabilities in outdated software versions. Specific threat types:

  • SQL injection bots — exploit unpatched database vulnerabilities to extract data.
  • Web shells — upload malicious PHP files through vulnerabilities to gain persistent server access.
  • Credential stuffing — automated login attempts using leaked username/password lists.
  • Spam injection — insert hidden spam links into journal pages for SEO poisoning.
  • Ransomware — encrypt server files and demand payment.

Targeted human attacks are rare for most academic journals. The primary threat is automated exploitation of outdated software.

Is it important to keep OJS up to date?

Yes — this is the single most important security action you can take. Each OJS release includes security patches for vulnerabilities discovered in previous versions. Running an outdated version means:

  • Known attack vectors remain open.
  • You are vulnerable to automated scanners that exploit published CVEs (Common Vulnerabilities and Exposures).

PKP publishes security advisories on the PKP Community Forum and via email notification. Subscribe to the pkp-dev mailing list or monitor the OJS GitHub releases page for security announcements.

Warning: Do not delay security-related OJS upgrades. Even minor version upgrades (e.g., 3.5.0 → 3.5.1) frequently contain critical security patches.

Is it possible for me to secure my own OJS site?

Yes. The following practices substantially reduce your risk:

  1. Keep OJS updated — upgrade promptly when new versions are released.
  2. Use strong, unique passwords — for OJS admin, database, FTP/SSH, and server control panel.
  3. Enable HTTPS — configure an SSL/TLS certificate (Let's Encrypt is free) and redirect all HTTP to HTTPS.
  4. Restrict file permissions — files_dir should not be web-accessible. config.inc.php should be readable only by the web server user.
  5. Use a dedicated server user — do not run OJS as root.
  6. Configure a Web Application Firewall (WAF) — Cloudflare (free tier) or server-level ModSecurity rules block many common attacks.
  7. Regular backups — maintain offsite backups so you can restore quickly if compromised.
  8. Monitor access logs — check for unusual login attempts or file access patterns.
  9. Remove unused plugins — unused plugins are potential attack surface that should be uninstalled, not just disabled.

The PKP Security Guide provides detailed hardening recommendations.
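
Items 4 and 8 of the list above can be checked mechanically. The script below is an added example, not PKP's own tooling: it reads files_dir from config.inc.php, flags a world-readable config file or an upload directory placed under the web root, and counts login POSTs per client IP in an Apache-style access log as a credential-stuffing indicator. The config files and log lines are constructed; the login URL pattern /login/signIn, the threshold of three attempts, and the assumption that the install root is also the web root are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not PKP's own tooling: audit two hardening items from the
# list above on a constructed sample, then count login POSTs per client IP
# in an access log. Assumes GNU/Linux; paths and log lines are constructed.

# Read files_dir from config.inc.php ("files_dir = /path" in the [files]
# section), stripping surrounding quotes if present.
files_dir_of() {
    sed -n 's/^[[:space:]]*files_dir[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 | tr -d '"'
}

# Report hardening problems for an install whose web root is $1 and whose
# config is $1/config.inc.php. Prints one finding per line, nothing if clean.
audit_config() {
    ojs_dir=$1; cfg=$ojs_dir/config.inc.php
    # column 8 of "ls -l" is the "other" read bit: r means every local
    # account on the host can read the database credentials
    if [ "$(ls -ld "$cfg" | cut -c8)" = "r" ]; then
        echo "WORLD_READABLE config.inc.php"
    fi
    fdir=$(files_dir_of "$cfg")
    case $fdir in
        "")            echo "FILES_DIR_UNSET" ;;
        "$ojs_dir"/*)  echo "FILES_DIR_IN_WEBROOT $fdir" ;;
    esac
    return 0
}

# Print "<count> <ip>" for every client that POSTed to the login handler at
# least $2 times in access log $1 (assumed Apache/nginx combined format).
# Success and failure look alike in an access log, so this is a volume
# heuristic: review the hits, then rate-limit or block at the WAF.
login_bursts() {
    awk -v t="$2" '$6 == "\"POST" && $7 ~ /\/login\/signIn/ { c[$1]++ }
                   END { for (ip in c) if (c[ip] >= t) print c[ip], ip }' "$1"
}

# --- constructed sample: a weak and a hardened layout, plus a log excerpt ---
sample=$(mktemp -d)
mkdir -p "$sample/weak" "$sample/hardened" "$sample/ojs_files"
# weak: uploads under the web root, config readable by everyone
printf '[files]\nfiles_dir = %s/weak/files\n' "$sample" > "$sample/weak/config.inc.php"
chmod 644 "$sample/weak/config.inc.php"
# hardened: uploads outside the web root, config readable by its owner only
printf '[files]\nfiles_dir = %s/ojs_files\n' "$sample" > "$sample/hardened/config.inc.php"
chmod 600 "$sample/hardened/config.inc.php"
weak_findings=$(audit_config "$sample/weak")
hardened_findings=$(audit_config "$sample/hardened")   # expected: empty

# constructed log lines: one client hammers the login form, another signs in once
cat > "$sample/access.log" <<'EOF'
203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "POST /index.php/demo/login/signIn HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:12:00:02 +0000] "POST /index.php/demo/login/signIn HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:12:00:02 +0000] "POST /index.php/demo/login/signIn HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:12:00:03 +0000] "POST /index.php/demo/login/signIn HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:12:00:03 +0000] "GET /index.php/demo/login HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:12:00:04 +0000] "POST /index.php/demo/login/signIn HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
EOF
bursts=$(login_bursts "$sample/access.log" 3)
printf '%s\n' "$weak_findings" "--" "$bursts"
rm -rf "$sample"
```

On a real install, point audit_config at the directory that holds config.inc.php and login_bursts at the web server's access log; a group-readable config (mode 640 with the web server's group) is common and is not flagged here, so tighten the check if your policy is owner-only.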

Do hosting providers offer security audits?

Some managed OJS hosting providers offer security audit services as a paid add-on:

  • Configuration review (file permissions, PHP settings, database access).
  • Malware scan of all hosted files.
  • Review of access logs for suspicious activity.
  • OJS version audit and patch status review.

Ask your provider if this is available, especially when taking over an existing installation or after a suspected incident.

Why do I need to upgrade my OJS?

Beyond security (described above), upgrades provide:

  • Bug fixes — corrections for editorial workflow bugs, export issues, and display problems.
  • New features — each minor version adds new capabilities (new review types, improved statistics, better accessibility).
  • PKP support — PKP only actively supports the current and immediately previous minor version series.
  • Plugin compatibility — newer plugins increasingly require current OJS versions.
  • PHP compatibility — OJS upgrades maintain compatibility with current PHP versions; running old OJS on new PHP often causes errors.

See the Upgrade FAQ for guidance on performing OJS upgrades.

Further Reading