Open Journal Systems (OJS) is a powerful, flexible, open-source journal management platform trusted by tens of thousands of academic journals worldwide. By digitizing the entire scholarly publishing workflow, OJS makes life easier for both publishers and researchers.

But like any system exposed to the internet, OJS can also be vulnerable to cyber threats if not configured and maintained properly. The majority of security breaches don’t stem from OJS itself, but rather from poor server setups, outdated software, weak user practices, or simply a lack of security awareness. Remember: even the strongest fortress can fall if its doors are opened from the inside.

In this guide, we’ll cover practical steps that everyone—server administrators, site managers, and journal editors—should take to ensure their OJS-based journal remains safe and secure.

1. The Foundation of Security: Server-Level Safeguards

Security begins with the server itself—the home of your journal. A solid, well-configured hosting environment is the first and most important step.

a. Choose OJS-Optimized Hosting

Generic shared hosting plans rarely provide the security and performance settings OJS requires. Because of OJS’s specific file structure, database access needs, and workload demands, you should use an OJS-optimized hosting environment. Providers such as ojs-services.com specialize in tuning servers for these exact requirements.

b. Set File Permissions Correctly

Misconfigured file and folder permissions are one of the most common security risks.

  • config.inc.php – This file contains your database credentials and other critical settings. It should never be accessible from the web and must have permissions set to 600 or 400.
  • public folder – This is the only directory that should be publicly accessible (for logos, CSS, etc.). Other OJS system files must not be writable by everyone.
  • cache, public, files_dir – These must be writable by the web server but locked down so that arbitrary code cannot be executed from them.

c. Move “files_dir” Outside the Web Root

Your files_dir stores sensitive article files and submission documents. If this folder is inside public_html or www, a server misconfiguration could expose private files to the public. Update your config.inc.php so that files_dir points to a location outside the web root.
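The three file-system points above (owner-only permissions on config.inc.php, a files_dir that sits outside the web root, and no PHP source in directories that should hold only data) can be verified with a short audit script. The one below is an added example, not code from this article or from PKP/OJS. It assumes a standard OJS 3 layout in which config.inc.php lives in the OJS root (the web root) and its [files] section carries a files_dir key, with relative paths resolved against that root; the ojs_* function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original article or of OJS itself).
# Audits the file-system points above for an OJS 3 installation.

# Print the value of an ini-style "key = value" line (first match; trailing
# comments, surrounding quotes and trailing blanks stripped).
ojs_ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
        | sed -e 's/[[:space:]]*;.*$//' -e 's/^"\(.*\)"$/\1/' -e 's/[[:space:]]*$//'
}

# Print files_dir from config.inc.php ($2), resolved against the OJS root ($1)
# when the configured path is relative.
ojs_files_dir_path() {
    fd=$(ojs_ini_get "$2" files_dir)
    case "$fd" in
        /*) printf '%s\n' "$fd" ;;
        *)  printf '%s\n' "$1/$fd" ;;
    esac
}

# Return 0 if the file is owner-only (mode 600 or 400), 1 otherwise.
# GNU stat (-c) is tried first, BSD/macOS stat (-f) as the fallback.
ojs_check_config_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 if files_dir resolves outside the web root, 1 if it sits inside it,
# 2 if the directory does not exist.  $1 = OJS root, $2 = path to config.inc.php
ojs_check_files_dir_outside() {
    webroot=$(cd "$1" && pwd -P)
    files_dir=$(ojs_files_dir_path "$1" "$2")
    [ -d "$files_dir" ] || return 2
    real=$(cd "$files_dir" && pwd -P)
    case "$real" in
        "$webroot"|"$webroot"/*) return 1 ;;
        *)                       return 0 ;;
    esac
}

# Print PHP source files found under a directory that should hold data only
# (files_dir, public).  Do not point this at cache/: OJS stores compiled
# Smarty templates there as legitimate .php files.
ojs_find_php_in_data_dir() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \)
}

# Run every check against an OJS root; prints one line per check and returns
# the number of failed checks (0 = all good).
ojs_fs_audit() {
    root="$1"; cfg="$1/config.inc.php"; fails=0
    if ojs_check_config_mode "$cfg"; then
        echo "ok   config.inc.php is owner-only"
    else
        echo "FAIL config.inc.php is readable by group/others (chmod 600 it)"
        fails=$((fails + 1))
    fi
    if ojs_check_files_dir_outside "$root" "$cfg"; then
        echo "ok   files_dir is outside the web root"
    else
        echo "FAIL files_dir is inside the web root or missing"
        fails=$((fails + 1))
    fi
    for d in "$root/public" "$(ojs_files_dir_path "$root" "$cfg")"; do
        [ -d "$d" ] || continue
        if [ -n "$(ojs_find_php_in_data_dir "$d")" ]; then
            echo "FAIL PHP source files found under $d"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}
```

Run it as `ojs_fs_audit /path/to/ojs` from a shell that can read the installation (the web server's user or root). A non-zero exit status means at least one check failed, which makes it easy to wire into a cron job that mails the output only on failure.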

d. Harden the PHP Environment

Disable risky PHP functions (exec, shell_exec, passthru) with the disable_functions directive in php.ini. Configure session handling securely (session.cookie_httponly = On) so that session cookies cannot be read by client-side scripts, which reduces the risk of session hijacking.

e. Enforce HTTPS/SSL

SSL is not optional—it’s mandatory. An SSL certificate encrypts traffic between users and your journal, protecting passwords, submissions, and author data. Enable it fully by setting force_ssl and force_login_ssl to On in config.inc.php.
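The php.ini and config.inc.php settings from sections d and e can be audited the same way. The script below is an added example, not code from this article or from PKP; it assumes the php.ini that the web server's PHP actually loads (`php --ini` lists it) and an OJS 3 config.inc.php whose [security] section holds force_ssl, force_login_ssl and min_password_length. It goes slightly beyond the text in two places: it also checks session.cookie_secure, which belongs with force_ssl, and it treats 12 characters as the minimum password length, a threshold chosen for this example.

```shell
#!/bin/sh
# Added example (not part of the original article or of OJS): audits the
# php.ini and config.inc.php hardening settings discussed above.

# Print the value of an ini-style "key = value" line (first match; trailing
# comments, surrounding quotes and trailing blanks stripped).
ojs_ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
        | sed -e 's/[[:space:]]*;.*$//' -e 's/^"\(.*\)"$/\1/' -e 's/[[:space:]]*$//'
}

# Return 0 if an ini boolean is switched on (On/1/true/yes, any case), 1 otherwise.
ini_is_on() {
    val=$(ojs_ini_get "$1" "$2" | tr 'A-Z' 'a-z')
    case "$val" in
        on|1|true|yes) return 0 ;;
        *)             return 1 ;;
    esac
}

# Return 0 if every function named after the php.ini path appears in its
# disable_functions list, 1 at the first one that is missing.
php_check_disabled() {
    ini="$1"; shift
    disabled=$(ojs_ini_get "$ini" disable_functions | tr -d ' ')
    for fn in "$@"; do
        case ",$disabled," in
            *",$fn,"*) ;;
            *)         return 1 ;;
        esac
    done
    return 0
}

# Return 0 if min_password_length in config.inc.php ($1) is at least $2 (default 12).
ojs_check_min_password_length() {
    want="${2:-12}"
    have=$(ojs_ini_get "$1" min_password_length)
    [ -n "$have" ] && [ "$have" -ge "$want" ]
}

# Run one check: $1 = description, the rest = command to execute.
check() {
    desc="$1"; shift
    if "$@"; then
        echo "ok   $desc"
    else
        echo "FAIL $desc"; fails=$((fails + 1))
    fi
}

# $1 = php.ini, $2 = config.inc.php; prints one line per check and returns
# the number of failed checks.
ojs_settings_audit() {
    fails=0
    check "disable_functions covers exec, shell_exec, passthru" php_check_disabled "$1" exec shell_exec passthru
    check "session.cookie_httponly = On"   ini_is_on "$1" session.cookie_httponly
    check "session.cookie_secure = On"     ini_is_on "$1" session.cookie_secure
    check "force_ssl = On"                 ini_is_on "$2" force_ssl
    check "force_login_ssl = On"           ini_is_on "$2" force_login_ssl
    check "min_password_length >= 12"      ojs_check_min_password_length "$2" 12
    return "$fails"
}
```

Typical call: `ojs_settings_audit /etc/php/8.1/fpm/php.ini /var/www/ojs/config.inc.php`. Because disable_functions is a comma-separated list, the check looks for each name as a whole entry, so a list that contains `shell_exec` does not accidentally satisfy a check for `exec`.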

f. Back Up Regularly

Even the best security can’t guarantee you’ll never face an attack. Daily or weekly backups of both files and the database are essential. Always store them in a secure, separate location.
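A minimal routine for the two halves of a backup named above (files and database), as an added example that is not from this article or from PKP. It assumes MySQL/MariaDB (OJS also runs on PostgreSQL, where pg_dump would take the place of mysqldump), that the database credentials live in ~/.my.cnf rather than on the command line, and that files_dir has already been moved outside the web root. The OJS_DUMP_CMD and OJS_BACKUP_KEEP_DAYS variables and the ojs_backup name are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original article or of OJS): a cron-friendly
# backup of config.inc.php, files_dir and the database, written owner-only.
#
# Usage: ojs_backup <ojs_root> <files_dir> <db_name> <dest_dir>
# Environment (both optional):
#   OJS_DUMP_CMD          command that writes the SQL dump to stdout
#                         (default: mysqldump, credentials from ~/.my.cnf)
#   OJS_BACKUP_KEEP_DAYS  delete backups older than this many days (default 30)
ojs_backup() (
    # Parenthesised body = subshell, so umask and cd do not leak to the caller.
    root="$1"; files_dir="$2"; db="$3"; dest="$4"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    keep="${OJS_BACKUP_KEEP_DAYS:-30}"

    umask 077                      # archives hold credentials and unpublished manuscripts
    mkdir -p "$dest" || exit 1

    # 1. Database dump.  Write to a file first so a failed dump is noticed:
    #    a plain pipe into gzip would report gzip's status, not mysqldump's.
    sql="$dest/ojs-db-$stamp.sql"
    dump_cmd="${OJS_DUMP_CMD:-mysqldump --single-transaction --quick $db}"
    if ! sh -c "$dump_cmd" > "$sql"; then
        echo "database dump failed" >&2; rm -f "$sql"; exit 1
    fi
    gzip -f "$sql"                 # produces $sql.gz

    # 2. Files: config.inc.php plus the whole files_dir tree.
    archive="$dest/ojs-files-$stamp.tar.gz"
    tar -czf "$archive" -C "$root" config.inc.php \
        -C "$(dirname "$files_dir")" "$(basename "$files_dir")" || exit 1

    # 3. Verify both artefacts are readable before trusting them.
    gzip -t "$sql.gz" && tar -tzf "$archive" > /dev/null || exit 1

    # 4. Retention: remove backups older than $keep days.
    find "$dest" -name 'ojs-*' -type f -mtime +"$keep" -exec rm -f {} +

    echo "$sql.gz"
    echo "$archive"
)
```

Point dest_dir at a location that is not under the web root and, ideally, on a different host or an off-site mount; a backup that lives next to the site it protects disappears with it. The function prints the two paths it created so a wrapper can copy them elsewhere.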

2. The Site Manager’s Role: OJS Settings and Maintenance

Once the server is secure, attention shifts to how OJS itself is managed.

a. Keep OJS Updated—With the Right Version

The PKP team continuously releases updates to fix bugs and patch security vulnerabilities.

  • Prefer stable, tested releases. Use long-term support (LTS) or stable versions (e.g., 3.3.0-14, 3.4.0-5) rather than early .0 releases.
  • Avoid betas or development versions on live journals.
  • Leave updates to professionals. Updating OJS is not just copying files; it involves database migrations. A mistake can break your entire site. Consider expert support from providers like ojs-services.com.

b. Enforce Strong User and Password Policies

  • Set minimum password length and complexity requirements (uppercase, lowercase, numbers, symbols).
  • Assign roles carefully: give users only the permissions they need. Avoid giving unnecessary Site Admin or Journal Manager access.
  • Delete old, unused accounts.
  • Enable reCAPTCHA on registration forms to block spam accounts.

c. Manage Plugins Wisely

  • Install plugins only from the official PKP Plugin Gallery or trusted developers.
  • Remove unused plugins.
  • Always check that plugins are updated and compatible with your OJS version.

3. Editors and Journal Staff: Everyday Security Awareness

Even with strong technical safeguards, human error remains the weakest link. Editors, section editors, and reviewers all play a role in preventing security issues.

a. Watch for Suspicious Submissions

Attackers may try to upload malicious files disguised as manuscripts.

  • Only open standard formats (.docx, .pdf, .tex). Be suspicious of unusual file types like .exe, .php, .js, or unverified .zip archives.
  • If a submission’s title, abstract, or content looks nonsensical or irrelevant, it could be spam.
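The extension advice above is stronger when it is backed by a look at the file's actual content, since the sender chooses the extension. The script below is an added example, not from this article or from PKP: it compares the first bytes of a downloaded submission file with the signature its extension implies (PDF files begin with %PDF, .docx files are ZIP containers beginning with PK\003\004, .tex files are plain text) and flags anything that begins like a PHP script or a Windows executable whatever its name. It is a triage aid for an editor or site manager, not a malware scanner; a .docx that passes is known only to be a ZIP file. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original article or of OJS): a content-based
# sanity check for submission files, run on a downloaded copy.

# Print the first $2 bytes of file $1 as lowercase hex (e.g. "25504446" for "%PDF").
file_head_hex() {
    dd if="$1" bs=1 count="$2" 2>/dev/null | od -An -tx1 -v | tr -d ' \n'
}

# Return 0 if the file's content matches what its extension claims,
#        1 if it does not (or it looks like a script or an executable),
#        2 if the extension is not one the journal accepts.
check_upload_type() {
    f="$1"
    ext=$(basename "$f" | sed 's/.*\.//' | tr 'A-Z' 'a-z')
    head8=$(file_head_hex "$f" 8)
    # Never a manuscript, whatever the name says: "<?php" (3c3f706870) or
    # the "MZ" (4d5a) header of a Windows executable.
    case "$head8" in
        3c3f706870*|4d5a*) return 1 ;;
    esac
    case "$ext" in
        pdf)  case "$head8" in 25504446*) return 0 ;; *) return 1 ;; esac ;;
        docx) case "$head8" in 504b0304*) return 0 ;; *) return 1 ;; esac ;;  # ZIP container
        tex)  # plain text: a NUL byte means binary content in disguise
              [ "$(tr -cd '\000' < "$f" | wc -c | tr -d ' ')" -eq 0 ] ;;
        *)    return 2 ;;
    esac
}

# Check every file in a directory; prints one verdict per file and returns
# the number of files flagged SUSPECT.
scan_submission_dir() {
    suspects=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        rc=0; check_upload_type "$f" || rc=$?
        case "$rc" in
            0) echo "OK          $f" ;;
            1) echo "SUSPECT     $f"; suspects=$((suspects + 1)) ;;
            *) echo "UNSUPPORTED $f" ;;
        esac
    done
    return "$suspects"
}
```

Anything reported as SUSPECT should go to the Journal Manager unopened, which is exactly the escalation path described in section d below. Extending the accepted list (for example .odt, another ZIP-based format) means adding one more `case` branch with the matching signature.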

b. Stay Alert to Spam Users and Comments

Malicious users may register accounts to post irrelevant links or scams. If you notice suspicious profiles or activities, report them immediately to the site manager.

c. Don’t Fall for Phishing

Be cautious of emails claiming to be from “OJS Support” asking you to reset your password or verify suspicious activity. PKP and OJS service providers will never ask for your password via email. Always access your journal by typing its URL directly into your browser.

d. What to Do if You Suspect a Threat

  • Do not download suspicious files or click suspicious links.
  • Take a screenshot and report it to your Journal Manager.
  • The manager should escalate the issue to technical support (e.g., ojs-services.com) or the hosting provider.

Conclusion: Security is a Team Effort

When properly configured and maintained, OJS is a highly secure publishing system. But journal security is not the job of just one person—it requires shared responsibility:

  • Server administrators must provide a strong, OJS-ready infrastructure.
  • Site managers must keep the platform updated, correctly configured, and monitored.
  • Editors and staff must remain alert to suspicious activity.

If you don’t have the technical expertise or time to manage all this, don’t worry. At ojs-services.com, we provide OJS hosting, installation, upgrades, maintenance, and security consulting. With our professional support, your journal site is in safe hands.

👉 Don’t leave your journal’s security to chance—contact us today and let us help protect your publication.

We also offer OJS Secure Scan, a fast, automated checkup that finds vulnerabilities and provides actionable fixes.
