A substantial portion of our work for our managed clients consists of monitoring their servers, and a large part of that monitoring consists of checking the logs, and seeing if there is anything unusual about them. We check all the pertinent logs, but there is one log file that is really close to our hearts, […]

A few days ago, a managed client of ours called us and told us that their website stopped working, and that that event coincided when an employee was trying to upload a file to the images folder using FileZilla. We immediately knew what the issue was, as it happened to another client of ours a […]

Note: The following post assumes that your Joomla website is powered by a WHM/cPanel server and that the Eximstats service is enabled (you can enable the Eximstats service from WHM’s Service Manager). At itoctopus, we go at great lengths to monitor the security of our managed Joomla websites, to the point where we check the […]

Note: This post is advanced and is mainly aimed at system administrators, but any Joomla administrator can still read it and understand the main points as we have simplified it as much as we can. One of our customers constantly emailed us about people getting randomly blocked from accessing their Joomla website. At first, our […]

Most administrators check the cron jobs that they have on their server by just logging into their cPanel and clicking on the Cron Jobs link under the Advanced section. The more advanced administrators check their cron jobs by typing the following command in the shell: crontab -e So, in the absolute majority of cases, an […]

A few days ago, a client of ours emailed us and told us that some of the pages on her company website were displaying content that was not theirs. The content was not technically malicious, but it consisted of ads, which had nothing to do with the client’s business. Clearly, the website was hacked. Since […]

A new client called us yesterday afternoon and told us that his company website was displaying a weird page instead of his normal page (his company sells restaurant equipment). The weird page consisted of some gibberish in random languages. It was a no-brainer that the website was hacked. Since the client was in a hurry, […]

At itoctopus, one of the things we are fascinated by is security – we are always researching new ways to improve the security of our managed websites. Our Joomla honeypot experiment, for example, was a huge success and we implemented it for our major clients. It also helped us better understand attack patterns, which, in […]

At itoctopus, we are paranoid about the security of our managed clients’ websites – as such, we always research revolutionary ways to better protect these websites against potential exploits. Last week, we conducted a honeypot project on one of the largest websites that we manage. For those of you who don’t know what a honeypot […]

Earlier this week, we published a post on the importance of switching your Joomla website from HTTP to HTTPS, mainly because of a new setting in Chrome and Firefox labeling pages with sensitive forms (such as login forms) as insecure if they are not running in HTTPS mode. Most Joomla administrators think that switching from […]

As of version 1.6.0 (which was released 6 years ago in January of 2011), Joomla checks for the presence of a defines.php file at the main directory of the website. If it finds it, then it includes it. The defines.php file is not part of the Joomla core, it doesn’t even come packaged with Joomla. […]

Let us tell you a little story… A huge Joomla website that we fully manage uses Disqus for commenting. The website receives an insane amount of traffic and it is in the Alexa top 10K websites in the US. About 4 months ago, we noticed that the Disqus commenting section had irrelevant ads, but we […]

One of the biggest mistakes that system administrators make when analyzing the Apache server logs, is that they ignore many of the “500” HTTP errors (also known as Internal Server Errors). They think that these fatal errors – if they are not happening on legitimate pages, then they are not worth investigating. Little do they […]

Occasionally, Joomla administrators face the infamous allowed memory size error which forces them to increase the memory_limit value in the global php.ini or in a local .user.ini file by adding the following line: memory_limit=256M The above code will increase the memory limit to 256 megabytes, which is more than ample for any Joomla website out […]

The last time we had a case of SQL injection on a Joomla website was a long time ago – and the affected Joomla website was a Joomla 1.5.10 website (which is highly exploitable – even by Joomla 1.5.26 standards). Since then (we are now in October of 2016), we have not seen a single […]

We are currently getting swamped with hacked Joomla websites with a malicious security.php file in their root directory (e.g. at the same level of the index.php file). The name of that file is extremely misleading because it implies security, while, in reality, it is the complete opposite. In fact, Joomla websites should not contain a […]

A client contacted us on Friday of last week and told us that he had the following weird problem: every time he clicked on Read Messages (which is located in the You have post-installation messages box) in the backend of his Joomla website, he saw a blank page. A blank page in Joomla, as you […]

A new client of ours called us very early in the morning and told us that his website was hacked and he wanted our help to clean it. He told us over the phone that he had no idea how he got hacked despite the fact that he had a very long and complex password […]

Have you ever heard of Content-Security-Policy? If not, then we’re sure that you will find this post extremely informative and interesting… In short, Content-Security-Policy is a policy set in the httpd.conf file, the .htaccess file, or as a meta tag (in the HTML code) that is typically used to prevent the website from running external […]

Note: This post assumes your website is running on a WHM environment. If your website is running on Plesk than the physical location of your Joomla website will be different. Another note: This post assumes you have some very basic Linux knowledge. If that’s not the case then you can ask some Joomla security experts […]

You wake up one morning, and you get that nasty email from Google telling you that your Joomla website is hacked. So what do you do? Well, first of all you relax knowing that this can happen to anyone in this galaxy, and then, you follow the below guide: Backup your Joomla website (filesystem and […]

If you’re running a Joomla website and you regularly check your Apache web server logs, you will notice that these logs are full of brute force attacks. These brute force attacks consist of continuous POST requests to your Joomla website, with dictionary based combinations of usernames and passwords, with the hope that one of these […]

At itoctopus, we dedicate a lot of time to research, especially on enhancing Joomla’s security and performance. Today’s post is a fruit of that research, as we have managed to devise a concise ModSecurity rule to block brute force attacks on a Joomla website. In case you don’t know what ModSecurity is, it is a […]

It is Friday afternoon, and we have a little present for you: a free real life suspense story about a wicked Joomla developer, how he crashed his client’s website, and how we knew who he was, Sherlock Holmes style. Coincidentally, this post comes after our bad Joomla developers post, which makes sense, as a wicked […]

We are having an increasing number of calls from clients asking us to fix their hacked GoDaddy shared hosted Joomla website. While many may see this as an indication that GoDaddy has many customers, we see the whole thing a bit differently. The thing is, a few months ago, we only had a few GoDaddy […]

As discussed in a previous post, we have been experiencing an onslaught of Joomla 3.5.1 hacks for a few weeks now, and although we were able to clean and protect the hacked websites that we were asked to fix, we were not able to get to the root cause of the problem. We did, however, […]

As of late, we are getting an abnormal number of requests for malware cleanup on Joomla websites (a substantial number of these websites are infected with the Google hack). What’s even more interesting is not the sheer number of such requests, but the fact that the absolute majority of the affected Joomla websites were 3.5.1 […]

An important daily task that we perform on the large websites that we maintain is the checking of the IPs that successfully accessed the backend section of the website. We check where these IPs are coming from, and, if they are coming from an unusual location (such as a remote country), then we will look […]

One of the things that we do daily on the websites that we fully manage is check which files were changed in the past 48 hours. Doing this helps us catch files that were maliciously modified, it also helps us check whether the client’s employees have uploaded files that they shouldn’t have uploaded, or have […]

We had an interesting case today – a client of ours told us that whenever he tries to login to the administrator section of his website, he was seeing phpMyAdmin‘s login page instead of Joomla’s regular administrator login page. At first, we thought we misunderstood what the client said, but it didn’t take us long […]

OK – we have to admit it. We’re paranoid and we’re afraid of our own shadows, we’re also afraid of clowns (they really are scary), adult strangers talking to us in the streets, and, of course, being sucked down the bathtub drain (baths are always a nightmare). But our greatest fear is seeing a client’s […]

Note: This post assumes you have cPanel access to your website. The instructions for other hosting interfaces are different and are not covered in this post. Warning: The method described in this post will wipe out any core modifications that you might have on your Joomla website. You have been warned! Another warning: As explained […]

At itoctopus, we test our clients’ Joomla websites constantly, so much that we have developed Joomla plugins that will help us in the testing. One of the plugins that we have developed and that we constantly use is the Super Login plugin, which allows us to login as any user to the Joomla website with […]

Early last week, we had a case where a malicious extension was subtly installed on the Joomla website for one of our clients. Luckily, our extra security measures prevented actual harm, but still, we were confident that if the person who installed that extension was a bit more persistent, he could have wiped out the […]

One of our very large clients sent us an email stating that the doctors working at an extremely high profile hospital were unable to access their website (our client’s Joomla website). The email stated that the website was timing out for them. At first, we thought it was a browser issue (since large companies tend […]

Here’s how the majority of malicious users try to hack your beloved Joomla website: They search for an exploit on your Joomla website. They use that exploit to upload a PHP file to your website. They invoke the URL pointing to that file, and by doing so, they create duplicates of the malicious file, hack […]

For the past month (yes, month!) we have been working on the security of a major website that suffered from a substantial hack. We were able to mostly secure the website, but still, there was a leak somewhere and we didn’t know where. The “leak” consisted of a malicious file called client.php that was created […]

A major company called us early last week and told us that they were alerted that they have the Sweet Orange Exploit Kit on their Joomla website. They said that a tool that they’re using to block malware sites, called ProofPoint, has blocked their own website because it contains malware! The report generated by ProofPoint […]

If you’re not using a 3rd party extension to generate your SEF links, then most likely you are already annoyed by the presence of the article ID in article URLs. In fact, most Joomla administrators use a 3rd party SEF extension to generate their links instead of Joomla’s built-in SEF tool because of this particular […]

A major healtchare client of ours emailed us yesterday and told us that they’re getting reports from some visitors that their Joomla website (the healthcare website) is blocked because it is compromised. One of those reports stated that it was Websense that labeled the website as compromised. So, we immediately went to csi.websense.com and we […]

For the past week or so, we have been working on a very puzzling issue. A client’s website was hacked. In fact, there was only one file that was hacked. The mootools-core.js file which is located under the /media/system/js folder. The hack was not detected by any scan – commercial or not – internal or […]

If you’re using FTP to upload files to your Joomla websites, then, you probably know that you’re not alone. The vast majority of Joomla websites allow for FTP access. What you probably do not know, is that you’re compromising the security of your Joomla website when you’re using FTP. Why is that? Well, because FTP […]

A new phenomenon that we’re noticing lately is that a user with a username “JoomlaSupport” is registering automatically on Joomla sites that allow user registration. Once that user registers, the owner of the Joomla website is contacted by a shady company, (surprisingly) called “JoomlaSupport”, pretending to be Joomla’s Official Support and telling him that his […]

We are recently getting a barrage of Joomla 3.2.1 websites that are hacked and need to be fixed. Obviously, someone cashed in on the recently announced vulnerability on Joomla 3.2.1, and fast! We are saying someone (and not some people), because 90% of those hacked websites have the exact same hack: the Google hack! (Or […]

So far this month, we have had 5 cases where all the users in a Joomla website had their usernames and passwords updated to the same value. In other words, all the usernames in those Joomla websites were set to admin, and all the passwords were set to an identical, md5 value. This type of […]

We are currently having an increasing number of cases where the 404 page – just the 404 page – is hacked. For example, when someone visits a page that doesn’t exist (on the Joomla website), he is either redirected to an obscene website or he just sees some obscene content on the Joomla website (or […]

Our clients (with previously hacked Joomla websites that we fixed) often ask us: “What can one do to have ultimate security on a Joomla website?” Our short and concise answer would be: “Have a development server and a production server. The development server is the one where you do the updates (and it’s usually behind […]

Now, don’t get us wrong, we are totally pro website security. In fact, we have written so much on Joomla security to prove that. However, we think that sometimes security is applied to the wrong place. An example of this is running a whole Joomla website in HTTPS mode. For those who don’t know, HTTPS […]

We know – that’s a very long title for a post, but we couldn’t think of a better title that would explain what this post is about. In any case… We got an email near the end of the day yesterday from a new client – he was complaining that his website, although running Joomla […]

We have been securing/cleaning Joomla websites for so long that we have identified the three-step process a malicious attacker performs to hack a Joomla website: The attacker injects a PHP file in the images directory. The attacker then replicates the PHP script into other directories where it’s under the radar. This strategy ensures that the […]