Joomla! Discussion Forums

There are a number of security tasks that you must do to your website configuration to help reduce vulnerabilities. Hopefully, this will get you started -- or at least pointed in the right direction where to ask questions -- related to security and v 1.0.11. Things are getting much, much more secure due to the hard work of many people here. Their guideliness are very good even if it seems a bit complicated at first.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Installation Message #1: Recommended PHP.INI settings
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The developers recommend you edit the php.ini file located in the php directory and make certain these parameters are set (as pictured below).


Note, exceptions from Beat:

allow_f_url_open = 0  => true that it increases security, but it will break a few components (like "URL Links" backend function in Docman)

safe_mode = 1 => it's another line of defense on shared hosts, but might not allow Joomla! components, modules, extension installer to work depending on other safe_mode settings. Joomla 1.5 fixes that.
Function exec is sometimes (rarely) needed for some libraries (like ImageMagic).

If your host maintains this information, see if they will make changes.

If your host will not make these changes, please read this post "Secure it with php.ini" < http://forum.joomla.org/index.php/topic ... #msg411018 > where it instructs you how to make your own php.ini files for each of your subdirectories in order to override the server settings.

NOTE: Beat lists SEVEN logical steps to getting your PHP settings changed that can help you think through your options if your web host will not make changes < http://forum.joomla.org/index.php/topic ... #msg455771 >

For MUCH more GREAT information, please see the Joomla! Security Administrator's Checklist, starting with the PHP section < http://forum.joomla.org/index.php/topic,81058.0.html > ):

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Installation Message #2: Joomla! RG_EMULATION setting is `ON` instead of `OFF` in file globals.php
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
After the installation, the developers recommend you edit the globals.php file located in the root directory of your website for increased security.

Locate this parameter (as pictured next):


Change the 1 (as pictured above) to 0 (as pictured below):


WARNING: Some extensions will not work with this variable off.

In testing, the developers identified several and notified third party developers. Some fixes are already available. Review and report such extensions, and find upgrades, here: < http://forum.joomla.org/index.php/topic,86525.0.html >. Questions about this setting should also be asked in that thread.

You can leave the globals.php file without changes knowing you are choosing a diminished safety level.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Installation Message #3: New htaccess file 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
After the installation, the developers highly recommend you use the blocking rules that are now part of the default .htaccess file delivered with 1.0.11. Those using an older htaccess file are strongly encouraged to add this to their file. See < http://forum.joomla.org/index.php/topic ... #msg388584 > for more information or to ask .htaccess related questions. (If you are getting access denied messages to your website, it is very likely related to the htaccess file, post requests for help in this previous thread.)



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Installation Message #4: Please take time to consider the Joomla! Security Administrator's Checklist:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The Joomla! Security Administrator's Checklist is available < http://forum.joomla.org/index.php/topic,81058.0.html > Rliskey maintains the previously linked to list, so, check back to that link frequently for updates. It is an EXCELLENT resource and he has made it EASY for us to learn how to secure our sites. Please spend time with this information. There is a link in that topic for you to use for questions or comments. Many people who are very knowledgeable in security issues watch that thread closely!


As you read through this information, it really starts to make sense. No worries, though, there are many who will help! It is worth our time to learn and there are many who will help us with questions. Thanks to all of you who have figured out this information for the Joomla! end user community.

Can this be stickied, please, during the next couple of weeks for the upgrade. 

Self stickied while i am helping ppl.

Mode Note: Making sticky for now. Amy you might want to submit to faqs forum

Thanks so much, Dave! I think I will turn it over to Rlisky, Beat and Rob when we get through this. Beat has some good stuff -- it's referenced here. Beat is talking about a security section for the Help area. Anyway, thanks much! Amy

I have yet to find a php folder or a php.ini file? I searched locally and on my server. Including the full 1.0.11 package.

Am I missing something?

besides the php folder, or this a host thing?

bz

Yes, sorry - that is on your host!

disable_functions = phpinfo

that also means that you can't see Php info in the system info in Joomla backend?

shared hosting accounts do not have php.ini file in their folder.
you need to ask your hosting provider
but he is utilizing this file for whole server and will not change the way you want it.

MamboTurk is likely correct that your web host will not be able to change shared PHP settings for *you*. And, if you find that to be the case, simply continue in the Step 1 area, above, to find alternatives specifically for your website. Pay close attention to Beat's "seven logical steps" to figuring out the best alternative.

Thanks, MamboTurk! Amy

AmyStephen

i'm still in awe with all your valueable posts -- just a sincere thank you for your hard work

just a note, i was one of the fortunate ones == my webhosting provider did change the global settings for me

so i may be possible depending on your host

AmyStephen thanks once again, for this post, all your posts and especially your post regarding tutorials, very informative, and bookmarked..

babel

AmyStephen thank you for the nice tutorial!

I have a question: What should we do, when the provider don't want to change register globals to 0, and we don't have any posibility to set registy globals to off for our account?

I suppose it is not possible to install Joomla 1.0.11 or?

"Installation Message #1: Recommended PHP.INI settings
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The developers recommend you edit the php.ini file located in the php directory and make certain these parameters are set"

Do I understand correctly that I must do Installation Message #1 before copying the 1.0.11 files over 1.0.8 files? And then do what is recommended in Installation Messages #2 and #3 after? Or does it not matter?

To recap, I must change #1, then overwrite my files, then do #2 and #3 and the ugrade will be complete?

Hi, help me please....
I can't login to admin backend after upgrade from 1.0.10 to 1.0.11, login and password is OK, but I see notification "You need to login" after sending login form. On the frontend login is successful.
Thank's

I  upagrde  to 1.0.11  with succes all work fine  but  i see this message in the global configuration any one can help 

Your version of Joomla! [ 1.0.11 Stable ] is
14 days old
Click to check ????

Yikes! I have been offline for a week, I am sooooo sorry, guys. Thanks for the kind words, too, although it makes me feel even worse for leaving you all hanging!

@Tunilove - that is an acceptable message. It is a new feature just to remind us that we need to keep checking on new versions. Maybe the wording can be improved a bit so it doesn't alarm people. (It is so hard to communicate!)

@Fixxx - Did you check to see if any of your extensions are listed < http://forum.joomla.org/index.php/topic ... #msg440027 >.

@kmcgee - Good question. Upgrade, then go through the installation steps. Since it is now a WHOLE WEEK later, I hope you have figured that out. SORRY!

@THE_AI - The article covers that possibility. Hopefully, you have read it, again, (blah - very difficult reading!) and found the following that will help you exhaust seven ways to get this done. However, Joomla! 1.0.11 CAN run without this setting. Just make DOUBLY sure you have good backup and restore ability. (And make sure of that anyway!)
NOTE: Beat lists SEVEN logical steps to getting your PHP settings changed that can help you think through your options if your web host will not make changes < http://forum.joomla.org/index.php/topic ... #msg455771 >

@babel - Mom? Is that you? lol ... Babel - you can't imagine how that helped me. Thanks so much! I never get tired of kindness.

+++

Now ALL of you, if you are not getting answers to your questions after waiting a day, feel free to email me. (I could be busy and not answer awhile, but I will try to get in touch.) There are THOUSANDS of questions posted every day and people unfortunately get lost in the shuffle. We don't want that to happen!

Thanks guys! again, sorry for the delay. Hopefully, most or all of you have moved on! Amy

Welcome back  AmyS    ok thank you for your reply  well i imagine to change this message to say  :

  you version of Joomla is  XXXX    stable .....  14 days  since last update .... Click to check if new update  available


  for example  like this can be understood

Why not do what phpBB does.

Check the version number. If it's current then:

Your installation is up to date

if it's not current then

Your installation is out of date. Please upgrade.

What are the risks if i don't follow the security notice 1 and 2?
The globles and the php.ini ones. 

Email issue with Upgrade:

Since completing the upgrade, the Contact Us does not work.  I just looked at the confi.php file, and it is set correctly.  In ADMIN under MAIL it is set correctly.  Looking at the email rejection this is what you get:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  email@email.com


Updated - Disregard my question...  It's amazing what a few hours of being away from the computer, and a little sleep will do to a person.  While poking around the backend, adding a user manually,.. it dawned on me to look at the CONTACT information.

I am guessing that on upgrading, the contact info was defaulted.  I updated it, and corrected my issue.

hao!

BTW, in the backend, I can not find out the image of big banner, how to change it by my own picuture?

This needs to be done in the index.php or css file of your template in /templates//