Joomla users and extension developers are asked to download and install the packages in order to provide quality assurance for the forthcoming 4.0 and 3.10 releases.
Joomla! 4 is the latest major release of Joomla! CMS. Please note that going from 3.9 to 4.0 is a migration. You would need to upgrade your J3.9 to J3.10, which will be available the day J4.0 is stable. J3.10 has a compatibility checker to help guide you through the migration to J4.0. Please do not upgrade any of your production sites to the release candidate version!
What is this release for?
Joomla 4.0 RC3 is aimed at extension and template developers. To encourage them to work with this release in order to prepare extensions for the stable release of Joomla! CMS 4.0. Users are encouraged to test the package for issues and to report issues in the Joomla! CMS Issue Tracker. Test sites based on this release candidate can be taken through to stable but never use this version on a production site. There will be an upgrade path between release candidates and the final release candidate to the stable of Joomla 4.0 should you wish to try a new site build.
Spotlight on Joomla4Security
When it comes to security, running a site with well written, state of the art code helps you stay ahead. Joomla 4 contains many architecture changes designed to maximize security and keep hackers out. You can be assured that moving to Joomla 4 is a wise choice when it comes to keeping your site safe.
Starting with Joomla 4, the CMS changed it's database query technology to use Prepared Statements, effectively eliminating any attack vector for SQL injection attacks. Prepared Statements are available for both core CMS and 3rd party developers and work seamlessly across all supported database drivers.
On top of that, Joomla 4 will by default ship with a new built-in plugin that sets multiple security-relevant HTTP headers and allows the configuration of advanced Security headers like Content Security Policy. Those headers work with the built-in security mechanisms that are in modern browsers to help mitigate click-jacking attacks or impede cross-site-scripting attacks.
Last but not least, Joomla 4 adds new authentication mechanisms. The new webservice API is protected by an API token authentication, allowing you to safely use the API without exposing your plaintext credentials.