The Joomla! Forum ™



Posted: Thu May 17, 2012 12:27 pm
Joomla! Guru

Joined: Wed Nov 18, 2009 3:53 pm
Posts: 573
Unfortunately the main component of a website I'm running is being discontinued and I consequently won't be able to migrate to 2.5, not now, not ever. I guess this website will always stay on 1.5.26, as security releases will be ceasing next September.

I suppose some others will find themselves in this situation, and I wondered if we could share tips on how to make compromise of out-of-date Joomla! version websites less likely. I've read a lot about this matter and I'm following (almost) every good practice, but I sense it's never enough (not even for up-to-date websites, for that matter), so if anyone has any advice specifically for people using old versions (many are still using Joomla! 1.0, I hear), feel free to share.

Also, as this website is targeted exclusively to Spain, and hoping it makes any sense at all, I'm stripping it of any English words so that in time it might be less likely to be picked up by search engines worldwide. The reason behind it would be that the fewer people see it, the fewer hackers will feast on it; once it's targeted to the Spanish people it's good enough for me (I'm not being racist, there are hackers in Spain too, it's just a mathematical bet). If someone knows any trick to limit worldwide exposure without compromising local exposure, again please share.


Posted: Fri May 18, 2012 3:49 pm
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2694
Location: Wisconsin USA
You can successfully operate a website on any version of Joomla. Do expect that at some point there will be an issue with security. What the issue will be and what has to be done about it will vary. Do keep a clean copy of the entire installation. This includes clean copies of any extension and any template as well as the latest version of whatever version of Joomla the site is built on. All of this stuff will become hard if not impossible to come by after a certain period of time. It will help if you know something about PHP programming as well as htaccess entries. Other than that, use a good server host and follow the security checklist and the "before you post" forum announcement. They contain good info to help keep a site safe.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


Posted: Fri May 18, 2012 4:39 pm
Joomla! Guru

Joined: Wed Nov 18, 2009 3:53 pm
Posts: 573
Quote:
Do keep a clean copy of the entire installation. This includes clean copies of any extension and any template as well as the latest version of whatever version of Joomla the site is built on.


This is actually very good advice, Phil, thanks. I keep doing backups but I don't actually have the original zip files of the main component, the modules, the templates. By saying "clean copies", do you mean the copy of the directories or the original component/module/template zipped file?

Quote:
use a good server host


I'm at fault at this. This website was on a Godaddy EU dedicated hosting plan but I chose to downgrade to shared, when this plan expires I'll probably move it to a more reliable Spanish server host.


Posted: Fri May 18, 2012 5:02 pm
Joomla! Explorer

Joined: Sat Aug 13, 2011 6:27 am
Posts: 299
I intend to keep 1.5.26 until my site gets hacked, then I will upgrade.

I have added extra security by adding some extra features in .htaccess.
http://docs.joomla.org/Htaccess_examples_%28security%29

I also use the free security plugin JHackGuard that protects against SQL Injections, Remote URL/File Inclusions, Remote Code Executions and XSS Based Attacks!
http://extensions.joomla.org/extensions ... tion/13233

If the site gets hacked I have Eyesite that can detect changes in files and new files on the site:
http://extensions.lesarbresdesign.info/ ... ns/eyesite

I also have MD5 Comparison Tool if I can't log in to administration and run Eyesite:
This tool can detect changed files and missing files of Joomla.
http://extensions.joomla.org/extensions ... ools/15379

You can block big hacker countries via .htaccess. There are sites that provide such entries to htaccess,


Posted: Fri May 18, 2012 5:07 pm
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2694
Location: Wisconsin USA
I mean keep the zip downloads of the installed extensions and also get and keep the latest version of Joomla for the version of Joomla the site uses. In your case this is 1.5.26. If you do not have the original zip files, then try to get them now if they are still available. Failing that, keep a good copy of the files that make up the website on a DVD. The idea is to have something to put back that is not hacked. With the exception of the user table, database information (articles etc.) is rarely hacked and the normal regular backup of this info should be fine.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


Posted: Sat May 19, 2012 3:27 pm
Joomla! Guru

Joined: Wed Nov 18, 2009 3:53 pm
Posts: 573
Slackervaara wrote:
I intend to keep 1.5.26 until my site gets hacked, then I will upgrade.
I have added extra security by adding some extra features in .htaccess.
http://docs.joomla.org/Htaccess_examples_%28security%29
I also use the free security plugin JHackGuard that protects against SQL Injections, Remote URL/File Inclusions, Remote Code Executions and XSS Based Attacks!
http://extensions.joomla.org/extensions ... tion/13233
If the site gets hacked I have Eyesite that can detect changes in files and new files on the site:
http://extensions.lesarbresdesign.info/ ... ns/eyesite
I also have MD5 Comparison Tool if I can't log in to administration and run Eyesite:
This tool can detect changed files and missing files of Joomla.
http://extensions.joomla.org/extensions ... ools/15379
You can block big hacker countries via .htaccess. There are sites that provide such entries to htaccess,


Thanks for this. At present I only have AdminTools and Fly06 SpammerBlocker, but I'll look into those extensions as well. The idea would be not to 'clutter up' the website with too many 3rd party extensions, but if they are useful I don't see why I shouldn't, given that I'll never be able to migrate that particular website.
I'll also document myself on working at .htaccess to restrict access by location; if it works it'd be brilliant.


Posted: Sun May 20, 2012 5:32 pm
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2694
Location: Wisconsin USA
For the record and before anyone gets the idea I am endorsing maintaining an out of date security challenged website, I do not. No website should remain on an old version of Joomla (or any other cms for that matter) for any length of time. For those who choose to maintain an out of date website with security issues anyway, let me say this.
It will eventually be hacked. Now, let me say that again. It will eventually be hacked.
You cannot prevent the website from being hacked by installing an extension into Joomla. It is just not possible to prevent a hack this way, so don't waste your time.


1.) It will be up to you to have the means to recover from the hack successfully.
2.) It will be up to you to have the means to put in place specific changes to the website in order to block that attack without rendering the website unusable.
a.) This means you have to know enough to identify the specific area of the security breach.
b.) Know enough PHP programming to be able to make edits to the file(s) that caused the security breach to close or reduce the severity of the security issue.
c.) Know enough htaccess to add specific htaccess files with specific rules into specific directories of the site to help prevent further security issues.
d.) Know how to read raw server logs and do it on a daily basis.
e.) Know how to set up and run a bash one-line script from cron to monitor for any added, changed or altered files. (There is a script to do this in the security checklist 7 document.)
f.) Know enough MySQL to be able to use phpMyAdmin to fix or remove any issues with the database that may arise from a hack, such as recovery from changed admin passwords, authentication modules being turned off, added tables, added code within articles that is not from an altered template.
g.) Adapt to and provide other requirements and fixes as the website and hacking may warrant.

If you can meet the above requirements and can adapt to changing and increasing sophistication of website hacking methods, then you may successfully run an out of date security compromised website.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
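
Added example (not part of any post in this thread, and not the script from the security checklist that PhilD refers to): one way to do the cron file monitoring from item e.) above and the changed/missing file detection Slackervaara describes, using SHA-256 manifests rather than MD5. The function names and the paths in the usage comment are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example: file-integrity check for a frozen Joomla! 1.5 web root.
# Assumes GNU find/sort/xargs/sha256sum and awk. Keep the baseline manifest
# OUTSIDE the web root so an intruder cannot rewrite it along with the files.

# Print "sha256  ./relative/path" for every regular file under $1, sorted.
build_manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# Compare baseline manifest $1 with current manifest $2.
# Prints one line per difference: "ADDED|CHANGED|REMOVED <path>".
compare_manifests() {
    awk '
        { hash = $1; path = substr($0, length($1) + 3) }  # path may contain spaces
        FILENAME == ARGV[1] { base[path] = hash; next }    # first file: baseline
        !(path in base) { print "ADDED " path }
        (path in base) && base[path] != hash { print "CHANGED " path }
        { seen[path] = 1 }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | sort
}

# Cron entry point: check web root $1 against baseline file $2.
# Returns 0 when nothing differs, 1 after printing the differences.
check_site() {
    local current report
    current=$(mktemp) || return 2
    build_manifest "$1" > "$current"
    report=$(compare_manifests "$2" "$current")
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Stand-alone use (script name and paths are placeholders):
#   integrity.sh baseline /var/www/site > /root/site.sha256
#   integrity.sh check    /var/www/site   /root/site.sha256
case "${1:-}" in
    baseline) build_manifest "$2" ;;
    check)    check_site "$2" "$3" ;;
esac
```

Run from cron, the check stays silent while the files match the baseline; cron mails whatever it prints, so a report arrives only when something was added, changed or removed.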

