security

  • Life is full of surprises. One of these days I got a job offer with a consistent budget: one of my former clients approached me to "make his site secure". I said yes, but when it turned out what he in fact wanted, I had a surprise: he wanted nothing else than to make the browser warning about an "unsecure site" go away. He had actually purchased a security certificate and hired someone to install it on his server - with no success.

  • One often overlooked security (and not only security) resource for any Joomla site is right at your fingertips! With each Joomla install (even from the old Mambo days) you get a file named htaccess.txt in your site's root directory. In most cases it is never touched and left as is - most weekend webmasters don't even know what it is for. A few use it to help Joomla or the specialized SEF URL builders make those pretty SEF URLs for their site. And that's pretty easy - in most cases it's enough to rename it to .htaccess, and you are set. But there is much more power hidden there...

  • A while ago I wrote a tip about problems getting SEF URLs to work on 1&1's servers. Back then I didn't realize that the problem is the same - or at least fairly similar - on GoDaddy's servers too. Not everywhere: I have a site running on GoDaddy with sh404SEF without any need to tweak the .htaccess file, but recently I had issues with another site.

    So, the trick above solves the problem, but what is the cause?

  • Pissed off, eh? Me too! After you put together your site (small or big, a hobbyist site or a large corporate one) and installed all the security gizmos available out there, you begin to receive all kinds of alerts about hacking attempts. This is the good scenario - successful hacking attempts usually aren't reported: you experience their sometimes devastating effects when visiting the site.

    Anyway, you will probably get frustrated over time, and you will definitely try to do something beyond just stopping these attacks.

  • Beginning with Joomla 1.6 it's possible to lock anyone out of the back end of the website — including Super Users with Admin permissions — by setting the Site Admin permission to Deny. And this is something you can do accidentally against yourself by playing with the permissions without knowing exactly how these settings work. That can have unpleasant side effects, especially at the Super User group or at the Manager or Administrator group level. If Manager or Administrator is set to Deny, the Super User would inherit Deny from these groups, even if the Super User group is set to Allow.

  • Sometimes you need to allow a user to access and manage only one (or a few) Joomla! components in the backend. This is quite easy to set up: you just need to use cleverly the ACL system Joomla already has built in.

  • Yes, things like media files - or your software. No, I don't sell software - I give it away for free, for example here. But I build sites with selling capabilities. My favorite solution for it is VirtueMart, THE shop to be used with Joomla.

    It is powerful - but it is not for beginners; you can easily get lost here without proper guidance.

  • In a previous tip I enumerated a couple of methods for making the template positions visible in Joomla 1.7+.

    But there seem to be at least two different problems for some users.

  • HTTP stands for 'HyperText Transfer Protocol', and it is the mechanism used to transfer data from one computer to another across the Internet. You can use HTTP to request information from a server, or to send information to a client by wrapping the request or data in a 'packet'.

  • JavaScript hijacking is a technique that an attacker can use to masquerade as a valid user and read sensitive data from a vulnerable Web application, particularly one using Ajax (Asynchronous JavaScript and XML). Nearly all major Ajax applications have been found vulnerable.

  • ACL stands for access control levels. It refers to who has permission to do what on the website, including read, create, edit, delete, or log in, among other permissions.

    Many think of ACL as relating to the front end of a website only. For example, when I log into the website, what articles do I have available to me? And if someone else logs into the site, do they see the same articles, or do they see different ones?

  • Now you have one more reason to use Google's very useful Webmaster Tools. Recently Google added a useful one to its arsenal of Joomla related enhancements: in Google Webmaster Tools you will see a warning with useful details on what to do each time your Joomla site gets outdated!

  • You may think that updating your Joomla site to the latest version is not something worth doing every time a new version is released. The site works just fine, and you are not interested in the new additions. You're wrong! There's always a major reason to update to the latest version of Joomla: security!

  • If files have been modified on your server, or files have been uploaded for instance, you can check the timestamps on those files to find out when the attacker was on your site. This is typical in the case of sites being defaced or malicious code being injected somewhere. Most of the time, the attacker will have gained access to your site shortly before modifying or uploading files to it.

  • Did you manage to lose your password? Worse, maybe you lost the Super Administrator password? And for some reason you can't use Joomla's lost password retrieval functionality... If you use Joomla and forget your password, you could simply click on the "Forgot password" menu, and the new password will be sent to your e-mail address. But what if you can't remember the exact e-mail address, or you have a local development version and don't have the mailer handy... or your Internet connection is down? Or, worse - it happened to me a couple of times - you need to take over a site originally developed by someone else?

  • One of my clients, who has a serious Joomla background, complained recently that on his brand new Joomla site, when he clicked on one of the menu items, his browser raised the well known "Bad Certificate" error. The site obviously worked well, but for some reason the link to that inner page was created using the https:// prefix.

    Obviously, he had no valid security certificate in place - as many sites don't have these days - but since the menu entry was an inner, Joomla generated link, he (and myself, for some 5 minutes approx.) was puzzled: what might have happened?

  • It's always a wise move to keep your sensitive files outside of the so called WEBROOT, the directory used by Apache to serve your website. This way you can be sure that nobody else but your Joomla core code can use these files.

    Moving some files/folders, like the main configuration.php or the location of the admin login, may be tricky, but moving these two key folders is relatively simple.

  • Most attacks on the web - and Joomla sites aren't an exception - are made fully, or at least in their first phase, by automated robots. These use known entry points, such as the administrator logins of the most used software solutions, to try their chances at breaking in. So it's a wise move to change these well known locations. But wait! The need for upgrade compatibility may make this difficult, so how can we do this without changing a line of Joomla code?

  • In a previous tip, where I described how you can make a Joomla site more secure by relocating the admin login page, I presumed that anyone reading it is a code guru. But what if not? More and more webmasters today are casual Joomla users - and they deserve attention too!

  • If you search for the title of this tip you will find lots of hits. Actually, my last search returned 6.6 million hits! Apparently lots of people are having problems with - or have fears about - this subject. When I first published this tip, back in 2005, there was no such amount of answers/references, and I think that this real flood of sites about this potential issue is not because lots of people are having problems, but because more and more people are getting into building interactive sites.

    So, do you have problems?