There is a surprisingly easy way to detect your Joomla version - and one don't need sophisticated tools, like BlindElephant or his siblings to do it. And this information can be used by hackers to make you scream...

The curious one needs to access this URL on your site:

And the second line looks like this:

<extension type="component" version="2.5" method="upgrade">

BTW., this is just one spot, there are many similar ones - all XML files, and someone knowing Joomla can track them down easily.
What you can do about? One recipe is dead simple, you can stop access to these .xml files by relatively simple .htaccess rules.
This one works for the most cases:

<Files ~ "\.xml$">
 Order allow,deny
 Deny from all
 Satisfy all

The other solution is handy - and you don't need to make your hands dirty with code - if you have a cPanel based hosting. Most of these hosting panels have a nifty feature: you can set up a so called Hotlink Protection.
All you need to do is to log in to your cPanel and locate the Hotlink Protection applet. If you don't find it, your hosting company does not allow you to use it - give them a call!
Once in the applet, the setup is simple. First of all, you need to set up the allowed URL's, like this:

Then you need to setup the file extensions which can't be directly accessed (by typing in the URL for them) in Block direct access for these extensions field:


Then click on the Enable button on the top of the page.
All is great - and you're safer... but there is trouble in the paradise... what if you are a SEO conscious webmaster (you should be!), and you have an .xml sitemap for the search engines? Yeah, that will be also not accessible to the search engine bots, so you are in trouble....
There are couple of workarounds, the simpler (???) is the case when you used .htaccess to block the access to the .xml files. In this case, supposing that the XML sitemap is located in sitemap.xml file in your SITEROOT/WEBROOT directory, then in this case the code you should use in the .htaccess file can look like this:

<Files ~  "sitemap\.xml$">
  Order allow,deny
  Allow from all  

Even better, you can use regular expressions, and the .htaccess's FilesMatch feature, and use this (more reliable, trickier to setup to match your exact case:

<FilesMatch "(?<!sitemap)\.xml$">
   Order allow,deny
   Deny from all

If you are using Hotlink Protection, basically you are out of luck, you need to use something else to block access to XML files and allow Search bots to discover and index tour XML sitemaps.

Category: Secure Joomla