I would like to know if anyone has any tips on how to improve security in OJS and the publishing system, such as how to combat cyber attacks and hackers. Does anyone have any tips or useful resources?
The most obvious thing to do is to keep your version as up to date as possible. Updates fix bugs as well as keep everything running smoothly and securely. This brief memo on the PKP website covers the main things:
A key point to put on the table is that an updated OJS is a secure OJS. In practice, many updates that only change the last version number include security fixes, even if they sometimes go unnoticed. Staying up to date—even with these “minor patches”—makes a real difference.
If we review this year’s incidents, the pattern is quite clear: reported security issues almost always occur in installations running outdated or outright forgotten versions. We’re not talking about active flaws in maintained versions, but rather vulnerabilities that had already been fixed yet remained present because the system had not been updated.
I don’t intend to blame anyone—I’m very aware that many installations aren’t better maintained because editorial services lack IT staff, and institutional IT services are often overloaded. But I do want to advocate for PKP: all software (think Windows or Android) requires periodic updates, and it’s our responsibility to stay current.
That said—and while not essential for most cases—I’ll try to answer your question by outlining some strategies I’m applying or planning for 2026, aimed at hardening OJS installations (because I’m a bit paranoid):
Use Docker: Docker enables fast, non-traumatic updates. Docker images are released within 24–48 hours after an official release, and since containers isolate each journal, a problem in one instance won’t spread to others.
Integrate software for 2FA: Sometimes problems arise from poor user management policies. Open-source tools exist that add an extra layer of security to access (e.g., Keycloak).
Regular audits: Tools exist that perform automated security audits. Some are open-source and can be integrated into your infrastructure. Sometimes, you can also request audits from your institution’s IT services.
Install CrowdSec: an alternative, collaborative tool to fail2ban.
In any case, all of this represents an additional, almost “paranoid” level of security. For a normal scenario, keeping OJS updated is more than sufficient—and by far the most important measure.
Just want to highlight that probably the single most common reason for hacked OJS installations is that the installation is not done correctly when selecting the location of the files folder. This is the folder where OJS stores the article full text files among other things.
What you see sometimes is people placing the files folder in a location where it is directly accessible, i.e. inside the public_html folder. This opens easy access for hackers, since they can upload malicious files and then access them. I do not have statistics, but I would say that at least 50% of all hack reports in the PKP forum are related to this.
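A quick way to audit the misconfiguration described above is to read `files_dir` from `config.inc.php` and check whether it resolves to a path under the web server's document root. The script below is an added example, not code from the thread or from PKP; it assumes the standard `files_dir = ...` line under `[files]` in `config.inc.php` (a relative value is resolved against the directory holding the config file, as OJS does), and the directory layout in the demo is constructed for illustration. It prints `exposed` when the files folder sits inside the document root, `ok` when it is outside, and `unresolved` when the path cannot be resolved.

```shell
#!/bin/sh
# Added example (not from the thread or from PKP): detect an OJS files_dir that
# lies inside the web document root, where uploaded files become reachable over
# HTTP. Assumes the standard "files_dir = ..." line in config.inc.php.

# Extract the files_dir value from a config.inc.php; tolerates optional quotes
# and trailing ';' comments. Commented-out lines (leading ';') are ignored.
ojs_files_dir() {
    sed -n 's/^[[:space:]]*files_dir[[:space:]]*=[[:space:]]*"\{0,1\}\([^";]*\)"\{0,1\}.*/\1/p' "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Physical path of a directory (symlinks resolved); prints nothing if it does
# not exist. Always exits 0 so it is safe under "set -e".
physical_path() {
    [ -n "$1" ] && [ -d "$1" ] && ( cd "$1" 2>/dev/null && pwd -P ) || true
}

# 0 if $1 is $2 or lies below it, 1 if not, 2 if either path cannot be resolved.
path_within() {
    inner=$(physical_path "$1")
    outer=$(physical_path "$2")
    [ -n "$inner" ] && [ -n "$outer" ] || return 2
    case "$inner/" in
        "$outer"/*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Verdict for a config file ($1) and a document root ($2):
# prints "exposed", "ok" or "unresolved".
check_files_dir() {
    fd=$(ojs_files_dir "$1")
    if [ -z "$fd" ]; then echo unresolved; return 0; fi
    # OJS treats a relative files_dir as relative to the installation directory.
    case "$fd" in
        /*) ;;
        *)  fd="$(dirname "$1")/$fd" ;;
    esac
    if path_within "$fd" "$2"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo exposed ;;
        1) echo ok ;;
        *) echo unresolved ;;
    esac
}

# Demo on a constructed layout: one install with files_dir inside public_html
# (the misconfiguration), one with files_dir moved outside the document root.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/public_html/ojs/files" "$tmp/private/ojs_files"
    printf '[files]\nfiles_dir = files\n' > "$tmp/public_html/ojs/config.inc.php"
    printf 'files_dir inside docroot: %s\n' \
        "$(check_files_dir "$tmp/public_html/ojs/config.inc.php" "$tmp/public_html")"
    printf '[files]\nfiles_dir = "%s/private/ojs_files" ; moved out\n' "$tmp" \
        > "$tmp/public_html/ojs/config.inc.php"
    printf 'files_dir outside docroot: %s\n' \
        "$(check_files_dir "$tmp/public_html/ojs/config.inc.php" "$tmp/public_html")"
    rm -rf "$tmp"
}

demo
```

Run it as `check_files_dir /var/www/html/ojs/config.inc.php /var/www/html` (paths are examples) on a real install; the fix for an `exposed` verdict is to move the folder outside the document root and point `files_dir` at the new absolute path, so that OJS serves files only through its own download handlers rather than the web server. A complementary manual check is to request the URL of a known uploaded file directly: it should never be served as a static file.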