The Importance of Checking the “lfd.log” File

A substantial portion of our work for our managed clients consists of monitoring their servers, and a large part of that monitoring consists of checking the logs, and seeing if there is anything unusual about them. We check all the pertinent logs, but there is one log file that is really close to our hearts, […]

Protecting Joomla’s Files and Directories from Accidents

A few days ago, a managed client of ours called us and told us that their website stopped working, and that that event coincided when an employee was trying to upload a file to the images folder using FileZilla. We immediately knew what the issue was, as it happened to another client of ours a […]

Using the Eximstats Database to Monitor the Health of Your Joomla Site

Note: The following post assumes that your Joomla website is powered by a WHM/cPanel server and that the Eximstats service is enabled (you can enable the Eximstats service from WHM’s Service Manager). At itoctopus, we go at great lengths to monitor the security of our managed Joomla websites, to the point where we check the […]

Your Visitors Can’t Access Your Joomla Site? Maybe They Use OpenOffice!

Note: This post is advanced and is mainly aimed at system administrators, but any Joomla administrator can still read it and understand the main points as we have simplified it as much as we can. One of our customers constantly emailed us about people getting randomly blocked from accessing their Joomla website. At first, our […]

Joomla Security Tip: Regularly Check the Physical Cron Files on Your Server

Most administrators check the cron jobs that they have on their server by just logging into their cPanel and clicking on the Cron Jobs link under the Advanced section. The more advanced administrators check their cron jobs by typing the following command in the shell: crontab -e So, in the absolute majority of cases, an […]

Joomla Displays Altered Content on Some Pages (Hint: It Is Hacked)

A few days ago, a client of ours emailed us and told us that some of the pages on her company website were displaying content that was not theirs. The content was not technically malicious, but it consisted of ads, which had nothing to do with the client’s business. Clearly, the website was hacked. Since […]

The Hacked “index.html” File on Joomla Sites

A new client called us yesterday afternoon and told us that his company website was displaying a weird page instead of his normal page (his company sells restaurant equipment). The weird page consisted of some gibberish in random languages. It was a no-brainer that the website was hacked. Since the client was in a hurry, […]

Joomla Security Tip: Block Long URLs

At itoctopus, one of the things we are fascinated by is security – we are always researching new ways to improve the security of our managed websites. Our Joomla honeypot experiment, for example, was a huge success and we implemented it for our major clients. It also helped us better understand attack patterns, which, in […]

The Joomla Honeypot Project Experiment

At itoctopus, we are paranoid about the security of our managed clients’ websites – as such, we always research revolutionary ways to better protect these websites against potential exploits. Last week, we conducted a honeypot project on one of the largest websites that we manage. For those of you who don’t know what a honeypot […]

7 Questions to Ask When Switching Your Joomla Site from HTTP to HTTPS

Earlier this week, we published a post on the importance of switching your Joomla website from HTTP to HTTPS, mainly because of a new setting in Chrome and Firefox labeling pages with sensitive forms (such as login forms) as insecure if they are not running in HTTPS mode. Most Joomla administrators think that switching from […]

Leveraging the Power of the “defines.php” File to Monitor POST Requests on Joomla Websites

As of version 1.6.0 (which was released 6 years ago in January of 2011), Joomla checks for the presence of a defines.php file at the main directory of the website. If it finds it, then it includes it. The defines.php file is not part of the Joomla core, it doesn’t even come packaged with Joomla. […]

Disqus Account Hijacked – What to Do

Let us tell you a little story… A huge Joomla website that we fully manage uses Disqus for commenting. The website receives an insane amount of traffic and it is in the Alexa top 10K websites in the US. About 4 months ago, we noticed that the Disqus commenting section had irrelevant ads, but we […]

500 HTTP Errors – Revealing Vulnerabilities on Your Joomla Website

One of the biggest mistakes that system administrators make when analyzing the Apache server logs, is that they ignore many of the “500” HTTP errors (also known as Internal Server Errors). They think that these fatal errors – if they are not happening on legitimate pages, then they are not worth investigating. Little do they […]

A High PHP Memory Limit in Joomla = An Invitation for DoS Attacks

Occasionally, Joomla administrators face the infamous allowed memory size error which forces them to increase the memory_limit value in the global php.ini or in a local .user.ini file by adding the following line: memory_limit=256M The above code will increase the memory limit to 256 megabytes, which is more than ample for any Joomla website out […]

SQL Injection in Joomla – Is It Still a Concern?

The last time we had a case of SQL injection on a Joomla website was a long time ago – and the affected Joomla website was a Joomla 1.5.10 website (which is highly exploitable – even by Joomla 1.5.26 standards). Since then (we are now in October of 2016), we have not seen a single […]

The Malicious “security.php” File on Joomla Websites

We are currently getting swamped with hacked Joomla websites with a malicious security.php file in their root directory (e.g. at the same level of the index.php file). The name of that file is extremely misleading because it implies security, while, in reality, it is the complete opposite. In fact, Joomla websites should not contain a […]

Blank Page When Clicking on “Read Messages” in Joomla’s Backend

A client contacted us on Friday of last week and told us that he had the following weird problem: every time he clicked on Read Messages (which is located in the You have post-installation messages box) in the backend of his Joomla website, he saw a blank page. A blank page in Joomla, as you […]

A Very Long Password in Joomla Does Not Mean Better Security

A new client of ours called us very early in the morning and told us that his website was hacked and he wanted our help to clean it. He told us over the phone that he had no idea how he got hacked despite the fact that he had a very long and complex password […]

How Content-Security-Policy Can Help Protect Your Joomla Website

Have you ever heard of Content-Security-Policy? If not, then we’re sure that you will find this post extremely informative and interesting… In short, Content-Security-Policy is a policy set in the httpd.conf file, the .htaccess file, or as a meta tag (in the HTML code) that is typically used to prevent the website from running external […]

A Couple of Shell Commands to Find Hacked PHP Files on a Joomla Website

Note: This post assumes your website is running on a WHM environment. If your website is running on Plesk than the physical location of your Joomla website will be different. Another note: This post assumes you have some very basic Linux knowledge. If that’s not the case then you can ask some Joomla security experts […]

A Super Quick Guide to Deal with a Hacked Joomla Website

You wake up one morning, and you get that nasty email from Google telling you that your Joomla website is hacked. So what do you do? Well, first of all you relax knowing that this can happen to anyone in this galaxy, and then, you follow the below guide: Backup your Joomla website (filesystem and […]

Minimizing Brute Force Attacks on Joomla’s Backend Using .htaccess

If you’re running a Joomla website and you regularly check your Apache web server logs, you will notice that these logs are full of brute force attacks. These brute force attacks consist of continuous POST requests to your Joomla website, with dictionary based combinations of usernames and passwords, with the hope that one of these […]

A ModSecurity Rule to Block Brute Force Attacks on a Joomla Website

At itoctopus, we dedicate a lot of time to research, especially on enhancing Joomla’s security and performance. Today’s post is a fruit of that research, as we have managed to devise a concise ModSecurity rule to block brute force attacks on a Joomla website. In case you don’t know what ModSecurity is, it is a […]

On Wicked Joomla Developers

It is Friday afternoon, and we have a little present for you: a free real life suspense story about a wicked Joomla developer, how he crashed his client’s website, and how we knew who he was, Sherlock Holmes style. Coincidentally, this post comes after our bad Joomla developers post, which makes sense, as a wicked […]

GoDaddy Shared Hosting and Hacked Joomla Websites

We are having an increasing number of calls from clients asking us to fix their hacked GoDaddy shared hosted Joomla website. While many may see this as an indication that GoDaddy has many customers, we see the whole thing a bit differently. The thing is, a few months ago, we only had a few GoDaddy […]

ImageMagick and the Onslaught of Joomla Hacks

As discussed in a previous post, we have been experiencing an onslaught of Joomla 3.5.1 hacks for a few weeks now, and although we were able to clean and protect the hacked websites that we were asked to fix, we were not able to get to the root cause of the problem. We did, however, […]

What’s with All Those Hacked Joomla 3.5.1 Websites?

As of late, we are getting an abnormal number of requests for malware cleanup on Joomla websites (a substantial number of these websites are infected with the Google hack). What’s even more interesting is not the sheer number of such requests, but the fact that the absolute majority of the affected Joomla websites were 3.5.1 […]

How We Analyze the Logs for Suspicious Logins on a Joomla Website

An important daily task that we perform on the large websites that we maintain is the checking of the IPs that successfully accessed the backend section of the website. We check where these IPs are coming from, and, if they are coming from an unusual location (such as a remote country), then we will look […]

A Quick Shell Command to Check the List of Modified Files on a Joomla Website

One of the things that we do daily on the websites that we fully manage is check which files were changed in the past 48 hours. Doing this helps us catch files that were maliciously modified, it also helps us check whether the client’s employees have uploaded files that they shouldn’t have uploaded, or have […]

Joomla’s Backend Displaying phpMyAdmin

We had an interesting case today – a client of ours told us that whenever he tries to login to the administrator section of his website, he was seeing phpMyAdmin‘s login page instead of Joomla’s regular administrator login page. At first, we thought we misunderstood what the client said, but it didn’t take us long […]

Monitoring the Logs: A Proactive Technique to Ensure Your Joomla Website Remains Secure

OK – we have to admit it. We’re paranoid and we’re afraid of our own shadows, we’re also afraid of clowns (they really are scary), adult strangers talking to us in the streets, and, of course, being sucked down the bathtub drain (baths are always a nightmare). But our greatest fear is seeing a client’s […]

A Super Fast Way to Clean a Hacked Joomla Website

Note: This post assumes you have cPanel access to your website. The instructions for other hosting interfaces are different and are not covered in this post. Warning: The method described in this post will wipe out any core modifications that you might have on your Joomla website. You have been warned! Another warning: As explained […]

Super Login: A Free Joomla Plugin that Allows a Super User to Login as Any User

At itoctopus, we test our clients’ Joomla websites constantly, so much that we have developed Joomla plugins that will help us in the testing. One of the plugins that we have developed and that we constantly use is the Super Login plugin, which allows us to login as any user to the Joomla website with […]

How to Password Protect the Backend of a Joomla Website with .htpasswd (and .htaccess)

Early last week, we had a case where a malicious extension was subtly installed on the Joomla website for one of our clients. Luckily, our extra security measures prevented actual harm, but still, we were confident that if the person who installed that extension was a bit more persistent, he could have wiped out the […]

What to Do When Your Joomla Website Is Blocked by HP’s Tipping Point

One of our very large clients sent us an email stating that the doctors working at an extremely high profile hospital were unable to access their website (our client’s Joomla website). The email stated that the website was timing out for them. At first, we thought it was a browser issue (since large companies tend […]

“index.php” Should Be the Only Accessible File on Your Joomla Website

Here’s how the majority of malicious users try to hack your beloved Joomla website: They search for an exploit on your Joomla website. They use that exploit to upload a PHP file to your website. They invoke the URL pointing to that file, and by doing so, they create duplicates of the malicious file, hack […]

Fixing an Elusive Joomla Hack

For the past month (yes, month!) we have been working on the security of a major website that suffered from a substantial hack. We were able to mostly secure the website, but still, there was a leak somewhere and we didn’t know where. The “leak” consisted of a malicious file called client.php that was created […]

How to Remove the Sweet Orange Exploit Kit Hack from Your Joomla Website

A major company called us early last week and told us that they were alerted that they have the Sweet Orange Exploit Kit on their Joomla website. They said that a tool that they’re using to block malware sites, called ProofPoint, has blocked their own website because it contains malware! The report generated by ProofPoint […]

How to Remove the Article ID from Joomla’s SEF URLs

If you’re not using a 3rd party extension to generate your SEF links, then most likely you are already annoyed by the presence of the article ID in article URLs. In fact, most Joomla administrators use a 3rd party SEF extension to generate their links instead of Joomla’s built-in SEF tool because of this particular […]

Your Joomla Website Is Blacklisted by Websense? Here’s What to Do!

A major healtchare client of ours emailed us yesterday and told us that they’re getting reports from some visitors that their Joomla website (the healthcare website) is blocked because it is compromised. One of those reports stated that it was Websense that labeled the website as compromised. So, we immediately went to and we […]

Hacked “mootools-core.js” – How to Fix

For the past week or so, we have been working on a very puzzling issue. A client’s website was hacked. In fact, there was only one file that was hacked. The mootools-core.js file which is located under the /media/system/js folder. The hack was not detected by any scan – commercial or not – internal or […]

Using FTP on Your Joomla Website Can Result in Getting It Hacked

If you’re using FTP to upload files to your Joomla websites, then, you probably know that you’re not alone. The vast majority of Joomla websites allow for FTP access. What you probably do not know, is that you’re compromising the security of your Joomla website when you’re using FTP. Why is that? Well, because FTP […]

The JoomlaSupport User Is a Scam! Beware!

A new phenomenon that we’re noticing lately is that a user with a username “JoomlaSupport” is registering automatically on Joomla sites that allow user registration. Once that user registers, the owner of the Joomla website is contacted by a shady company, (surprisingly) called “JoomlaSupport”, pretending to be Joomla’s Official Support and telling him that his […]

Joomla 3.2.1 Hacked? It Might Be the “loader.php” File

We are recently getting a barrage of Joomla 3.2.1 websites that are hacked and need to be fixed. Obviously, someone cashed in on the recently announced vulnerability on Joomla 3.2.1, and fast! We are saying someone (and not some people), because 90% of those hacked websites have the exact same hack: the Google hack! (Or […]

The Mass Username/Password Update Hack in Joomla

So far this month, we have had 5 cases where all the users in a Joomla website had their usernames and passwords updated to the same value. In other words, all the usernames in those Joomla websites were set to admin, and all the passwords were set to an identical, md5 value. This type of […]

Beware the Hacked 404 Error Page on Your Joomla Website

We are currently having an increasing number of cases where the 404 page – just the 404 page – is hacked. For example, when someone visits a page that doesn’t exist (on the Joomla website), he is either redirected to an obscene website or he just sees some obscene content on the Joomla website (or […]

Ultimate Security on a Joomla Website

Our clients (with previously hacked Joomla websites that we fixed) often ask us: “What can one do to have ultimate security on a Joomla website?” Our short and concise answer would be: “Have a development server and a production server. The development server is the one where you do the updates (and it’s usually behind […]

Making Your Whole Joomla Website Run HTTPS Mode Is Unprofessional

Now, don’t get us wrong, we are totally pro website security. In fact, we have written so much on Joomla security to prove that. However, we think that sometimes security is applied to the wrong place. An example of this is running a whole Joomla website in HTTPS mode. For those who don’t know, HTTPS […]

The Number of Installed Extensions on Your Joomla Website Is Inversely Proportional to Its Security

We know – that’s a very long title for a post, but we couldn’t think of a better title that would explain what this post is about. In any case… We got an email near the end of the day yesterday from a new client – he was complaining that his website, although running Joomla […]

Quick Joomla Security Tip: Disable PHP Execution in the Images Folder

We have been securing/cleaning Joomla websites for so long that we have identified the three-step process a malicious attacker performs to hack a Joomla website: The attacker injects a PHP file in the images directory. The attacker then replicates the PHP script into other directories where it’s under the radar. This strategy ensures that the […]