Top Ten Stupidest Joomla! Administrator Tricks
- rliskey
- Joomla! Guru
- Posts: 828
- Joined: Tue Jun 06, 2006 7:41 am
- Location: California, Germany, Norway
- Contact:
Top Ten Stupidest Joomla! Administrator Tricks
10. Go with the cheapest hosting provider you can find, preferably a shared server that hosts hundreds of other sites, some of which are high-traffic porn sites. Don't check the list of recommended hosting providers.
9. Don't waste time with regular backups. Maybe the hosting provider will help you.
8. Don't waste time adjusting PHP and Joomla! settings for increased security. Hey, the install was brain-dead easy. How bad could the rest be? Worry about those details only if there's a problem.
7. Use the same username and password for your on-line bank account, Joomla! administrator account, Amazon account, Yahoo account, etc. Hey, who has time to keep track of so many passwords? And anyway, since you don't change passwords, it's easier to just use the same one all the time, everywhere.
6. Install your brand new beautiful Joomla!-powered site, celebrate a job well done, and don't worry about it again. After all, if you don't make any more changes, what can go wrong?
5. Do all upgrades and extension installations right there on the live site. Who needs a development and testing server anyway? If an installation fails, you'll just uninstall it again. That will hopefully also undo any damage the installation caused.
4. Trust all third-party extensions, and install all the cool-looking stuff you can find. Anyone smart enough to write a Joomla! extension will provide perfect code that blocks every known exploit attempt, now and forever. After all, almost all this stuff is provided for free by well-meaning, good-hearted people who know what they are doing.
3. Don't worry about updating to the latest version of Joomla!. Hey, nothing's gone wrong so far! Same plan for the third-party extensions. Too much work anyway.
2. When your site gets cracked, panic your way on over to the Joomla! Forums and start a new post with a very familiar title: "Help! My Site's Been Hacked!" Be sure not to leave relevant information, such as which obsolete versions of Joomla! and third party extensions were installed.
1. Once your site's been cracked, fix the defaced file and then assume all is well. Don't check raw logs, change your passwords, remove the entire directory and rebuild from clean backups, or take any other overly paranoid-seeming actions. When the attackers return the next day, scream loudly that you've been "hacked again," and it's all Joomla!'s fault. Ignore the fact that removing a defaced file is not even step one in the difficult process of fully recovering a cracked site.
Last edited by rliskey on Thu Nov 30, 2006 5:05 pm, edited 1 time in total.
- infograf768
- Joomla! Master
- Posts: 19128
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Top Ten Stupidest Joomla! Administrator Tricks
Thanks for this.
Hard for some to be exposed to true facts, but a very necessary list.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
-
- I've been banned!
- Posts: 143
- Joined: Sat Sep 03, 2005 3:37 pm
Re: Top Ten Stupidest Joomla! Administrator Tricks
rliskey wrote: 10. Go with the cheapest hosting provider you can find, preferably a shared server that hosts hundreds of other sites, some of which are high-traffic porn sites.
^^ Only have TWO PROBLEMS with this.
1. Most or Many users have NO CHOICE in the hosting provider. They weren't just sitting around thinking, HEY! LET'S MAKE A WEBSITE! and then start planning which quality host to use. Few can afford or justify a DEDICATED SERVER to host their little league website or Crochet/Knitting community group. Many people ALREADY had some pokey HTML or POSTNUKE site and were CONVERTED by Joomla Evangelists like myself. Switching to another host leads them to the byzantine world of DOMAIN and hosting contracts which often mean they have to have a dead or unavailable site while the DNS gets rerouted.
2. As for "high traffic porn sites"? -an inflammatory interjection into an otherwise logical debate (hey most of us were made with a little bit of mom & dad porn anyway, what do I care? :P,
....though I would guess such sites rank a wee bit higher on the totem pole than Phishing sites, Jihad sites, Neo-Nazi & Anarchy forums, high traffic or otherwise)
rliskey wrote: 8. Don't waste time adjusting PHP and Joomla! settings for increased security. Hey, the install was brain-dead easy. How bad could the rest be? Worry about those details only if there's a problem.
Here I feel Joomla JUST HAS TO STEP UP AND DO MORE
The three tiered login security in the backend is a good start, and the REGISTER GLOBALS security check is even better! Now, if Joomla could provide a 'code/site snapshot' module that you could upload periodically and run to generate an md5 hash of all your site files for comparison with earlier runs, that would be a BIG PLUS.
Implementing the .HTACCESS protection rules could be a little more clearly documented and separated from the SEO/SEF stuff, good steps are in place, just needs a bit more noobie friendliness...
Maybe the install could do an initial backup for the user?
Or a save initial/current settings option?
rliskey wrote: 5. Do all upgrades and extension installations right there on the live site. Who needs a development and testing server? If an installation fails, you'll just uninstall it again. That will hopefully undo any damage the installation caused.
True. But this is often unavoidable, especially with AJAX code and server settings/version numbers, there's just no substitute for just doing it live on your running site ... just backup first and DOCUMENT WHAT YOU ARE DOING
rliskey wrote: 4. Trust all third party extensions, and install all the cool-looking stuff you can find. Anyone smart enough to write a Joomla! extension will provide perfect code that blocks every known exploit attempt, now and forever. After all, almost all this stuff is provided for free by well-meaning, good-hearted people who know what they are doing.
3. Don't worry about updating to the latest version of Joomla!. Hey, nothing's gone wrong so far! Same plan for the third party extensions. Too much work anyway.
2. When your site gets cracked, panic your way on over to the Joomla! Forums and start a new post with a very familiar title: "Help! My Site's Been Hacked!" Be sure not to leave relevant information, such as which obsolete versions of Joomla! and third party extensions were installed.
A little bit of OUR FAULT HERE.
The SITE SHOWCASE FORUM has all KINDS OF RULES governing posts in that forum (indeed I was banned for three days for 'rating' presented site :P see offending post here -> http://forum.joomla.org/index.php/topic ... #msg576504)
There should be a rigid template for entering hack reports.
I agree, there's just too darned much "I BEEN HACKED BY ****" followed by three or four posts of obligatory teeth pulling to get the prerequisite information :grrr:
rliskey wrote: 1. Once your site's been cracked, remove the file the attackers defaced, and assume that all is now well. Don't check raw logs, change your passwords, remove the entire directory and rebuild from clean backups, or take any other overly paranoid-seeming actions. When the attackers return the next day, scream loudly that you've been "hacked again," and it's all Joomla!'s fault. Ignore the fact that removing a defaced file is not even step one in the difficult process of fully recovering a cracked site.
Can we help here? Maybe add a rudimentary log file checker to the joomla backend? And maybe a little link to some log file format documentation? Maybe just enough functionality and information to whet the appetite and encourage them to search for more?
Many of the hacked NEVER looked at logs till the hack

Maybe the New Joomla in the control panel could have a link to RECOMMENDED READING to encourage click through to this section??
Maybe SECURITY, BAD 3PD COMPONENTS and similar threads could be 'stickied' in the Joomla backend??
- brian
- Joomla! Master
- Posts: 12818
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
- Contact:
Re: Top Ten Stupidest Joomla! Administrator Tricks
Just a thought, but perhaps something along the same lines as this thread could be included as sample content. It MIGHT mean that more people read and take notice.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
-
- Joomla! Apprentice
- Posts: 31
- Joined: Thu Sep 07, 2006 2:09 pm
- Location: Dallas, TX
- Contact:
Re: Top Ten Stupidest Joomla! Administrator Tricks
rliskey wrote: 7. Use the same username and password for your on-line bank account, Joomla! administrator account, Amazon account, Yahoo account, etc. Hey, who has time to keep track of so many passwords? And anyway, since you don't change passwords, it's easier to just use the same one all the time, everywhere.
I've heard from many reputable sources that it's more secure to use different usernames for everything than it is to use different passwords (and far safer information to write down/store), provided your standard password is not an unmodified real-word derivative...though different passwords will help, but only nominally so.
Personally, I use location-based passwords to go along with whatever set of usernames I'm working with, and I take care to change them bi-monthly.
Great post, though...a must read for anyone, not just site admins.
Last edited by bradfordhill on Mon Nov 27, 2006 5:31 pm, edited 1 time in total.
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: Top Ten Stupidest Joomla! Administrator Tricks
brian wrote: just a thought but perhaps something along the same lines as this thread could be included as sample content. it MIGHT mean that more people read and take notice
On it

Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
- brian
- Joomla! Master
- Posts: 12818
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
- Contact:
Re: Top Ten Stupidest Joomla! Administrator Tricks
great
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
-
- Joomla! Hero
- Posts: 2454
- Joined: Sun Aug 28, 2005 5:03 pm
Re: Top Ten Stupidest Joomla! Administrator Tricks
I am just so guilty on #5! LOL
But at least I knew I was wrong about that before this list came out! LOL
As for Joomla doing more I agree on the hash list but considering how many people hack files there would need to be some way to incorporate user changes to the check...
As for HTACCESS, I just don't see how J! could possibly take into account every server situation it might come across....
not without including its own PHP.INI and an HTACCESS that overrides every setting in apache irregardless of if it needs to be overwritten or not...
- RussW
- Joomla! Exemplar
- Posts: 9295
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Top Ten Stupidest Joomla! Administrator Tricks
This has got to be the best post for weeks...!
Sorry, Brian, Hackwar, your security posts come nowhere near as good as this one
Thanks for the laugh and touch of reality.... within minutes of reading, I went back out in to the fray and managed to identify 6 out of the 10 points in new posts LOL
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
- brad
- Joomla! Master
- Posts: 13240
- Joined: Fri Aug 12, 2005 12:38 am
- Location: Australia
- Contact:
Re: Top Ten Stupidest Joomla! Administrator Tricks
Ron, can I post this to my blog and reference your thread? I love it!
Last edited by brad on Tue Nov 28, 2006 5:50 am, edited 1 time in total.
Brad Baker
https://xyzuluhosting.com
- RussW
- Joomla! Exemplar
- Posts: 9295
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Top Ten Stupidest Joomla! Administrator Tricks
That's cheating Brad...! :P
Having now been through a few more of the daily posts, I gotta tell yer, rliskey's sense of humour is certainly coming out on top today, gotta appreciate that

Last edited by RussW on Tue Nov 28, 2006 5:53 am, edited 1 time in total.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
- Aris Ntatsis
- Joomla! Guru
- Posts: 866
- Joined: Thu Aug 18, 2005 11:18 pm
- Location: Athens - Greece
- Contact:
Re: Top Ten Stupidest Joomla! Administrator Tricks
I will translate it and post it at Greek Joomla sites!
Joomla Volunteer & Certified Joomla Administrator: https://volunteers.joomla.org/joomlers/ ... is-ntatsis
Joomla support and services from https://www.onscreen.gr
- rliskey
- Joomla! Guru
- Posts: 828
- Joined: Tue Jun 06, 2006 7:41 am
- Location: California, Germany, Norway
- Contact:
Re: Top Ten Stupidest Joomla! Administrator Tricks
Ha! Glad most of you liked the post. I was a little worried. Before anyone's feelings get hurt, let me say that I've been guilty of every one of these "tricks", and am still guilty of a few. But I'm learning...

"Slowly, slowly climbs the snail.
Up the slope of Mt. Fuji."
-Basso
Humor is a touchy thing, especially cross-culturally. (Assuming of course that we all have a culture. Mahatma Gandhi, as you know, wisely differed with the dominant paradigm on this point. And recent political events seem to confirm his observation.)
Re: the reference to porn
My reason for mentioning porn was to give a typical example of the kinds of high-traffic/low cost sites that can and often do bog down a shared server. Porn sites are notorious producers--and targets--of spam, an activity that most people don't want on their server for purely technical reasons:
1) server runs slowly or crashes (think 100% CPU load) and/or,
2) all IPs on that server get black listed and/or,
3) server gets shut down, reorganized, moved, or worst of all,
4) server is simply ignored by the host and left to flounder.
Re: Is it okay to cross-post?
Absolutely! I don't have a copyright on stupid tricks, although sometimes it feels like I do have the corner on them. But then I read the forums and feel better again.
Hey, an idea! I'll copyright stupid tricks! From now on, you need to send me 5% of anything you lose because of a stupid trick. Oh! Looks like Microsoft already grabbed that copyright!
Last edited by rliskey on Fri Dec 01, 2006 7:16 am, edited 1 time in total.
- brad
- Joomla! Master
- Posts: 13240
- Joined: Fri Aug 12, 2005 12:38 am
- Location: Australia
- Contact:
- Aristocrat
- Joomla! Enthusiast
- Posts: 207
- Joined: Thu Aug 18, 2005 5:50 am
- Location: Vancouver, BC, Canada
- Contact:
Re: Top Ten Stupidest Joomla! Administrator Tricks
That was a great post thank you!


Rastin Mehr - Founder/Web Application Architect
http://www.rmdstudio.com - Social People Building Social Web Solutions ™
http://www.Anahitapolis.com - The Anahita Social Engine ™ project
- RussW
- Joomla! Exemplar
- Posts: 9295
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Top Ten Stupidest Joomla! Administrator Tricks
Ron
You just made my day again.....

Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
-
- Joomla! Virtuoso
- Posts: 3173
- Joined: Sun Apr 16, 2006 12:20 am
- Location: 127.0.0.1
Re: Top Ten Stupidest Joomla! Administrator Tricks
Gotta love #10 on the list. 
I am guilty of #5 though. I mean, it's just SO much faster to upgrade/install on a live site. I mean after all I do have backups when things go wrong.

Backup, backup, backup!
The "Master" .htaccess file by Nicholas http://snipt.net/nikosdion/the-master-htaccess
- elkuku
- Joomla! Intern
- Posts: 97
- Joined: Sat May 13, 2006 11:51 am
- Location: Atacames
- Contact:
Re: Top Ten Stupidest Joomla! Administrator Tricks
I would like to translate it for the Germans.
Very nice, and more funny than just saying "you have to do this and that"

- rliskey
- Joomla! Guru
- Posts: 828
- Joined: Tue Jun 06, 2006 7:41 am
- Location: California, Germany, Norway
- Contact:
Re: Top Ten Stupidest Joomla! Administrator Tricks
elkuku wrote: I would like to translate it for the Germans.
Very nice, and more funny than just saying "you have to do this and that"
Thanks, and I wish you lots of fun with it.

Last edited by rliskey on Fri Dec 29, 2006 3:57 am, edited 1 time in total.
- bascherz
- Joomla! Explorer
- Posts: 258
- Joined: Mon Jan 16, 2006 1:33 am
- Location: Vienna, VA
- Contact:
Re: Top Ten Stupidest Joomla! Administrator Tricks
Guilty on all charges (well, almost all). 
Great stuff. One more thing that maybe didn't make it onto the original list is actually believing the following: "Hey, I'm just the little guy. Who would want to take advantage of my site?"
The really scary thing about what's happening here is that at some point these people have full access to your server account. They could easily do a lot more damage than they typically do.
Bruce Scherzinger
-
- Joomla! Guru
- Posts: 605
- Joined: Fri Dec 29, 2006 11:57 pm
- Contact:
Re: Top Ten Stupidest Joomla! Administrator Tricks
Hi rliskey,
Thanks a lot for this informative thread.
May I suggest updating this to be introduced into the Security FAQ's forum?
http://forum.joomla.org/index.php/board,322.0.html
Thanks,
Me = Wonder + Ponder
http://www.hichamaged.net/
- rliskey
- Joomla! Guru
- Posts: 828
- Joined: Tue Jun 06, 2006 7:41 am
- Location: California, Germany, Norway
- Contact:
Re: Top Ten Stupidest Joomla! Administrator Tricks
Quote: Searching before asking, however sometimes cannot find answer. Any Insight?
The only insight I can think of comes from Picasso...
"Computers are stupid. They can only give you answers."
-
- Joomla! Guru
- Posts: 605
- Joined: Fri Dec 29, 2006 11:57 pm
- Contact:
Re: Top Ten Stupidest Joomla! Administrator Tricks
rliskey wrote: The only insight I can think of comes from Picasso...
Hey, give me a break! Picasso is already working somewhere else right now! (username + password = undefined)

rliskey wrote: "Computers are stupid. They can only give you answers."
Very Stupid indeed, however, sometimes it depends on the user's input

Me = Wonder + Ponder
http://www.hichamaged.net/
-
- Joomla! Fledgling
- Posts: 1
- Joined: Wed May 09, 2007 5:36 am
- Contact:
Re: Top Ten Stupidest Joomla! Administrator Tricks
This is tough since I'm not really a computer guy

Signature Rules: http://forum.joomla.org/index.php/topic,65.0.html
-
- Joomla! Enthusiast
- Posts: 175
- Joined: Mon Sep 26, 2005 10:36 am
- Location: Ballarat - Australia
- Contact:
Re: Top Ten Stupidest Joomla! Administrator Tricks
Does this mean I have to change my user name of "admin" and password of "admin"?
My kids could not work it out?
-
- Joomla! Ace
- Posts: 1618
- Joined: Sat Feb 10, 2007 8:26 pm
- Basetballjones
- Joomla! Enthusiast
- Posts: 230
- Joined: Sat Jan 06, 2007 5:43 pm
- Contact:
Re: Top Ten Stupidest Joomla! Administrator Tricks
Truth always hurts a little, but it's good for us!
I've been guilty of every item on that list save the "OMG I've been haxed!" thread
If I report an issue that big and infuriating, it's going to look like a friggin nuclear reactor user's manual before I am done with it.
My favorite though, is when someone asks me to help them design a site, afterwards I instruct them on how to make changes and then afterwards, close up the holes- and they never do. Simple CHmods oh no!
After a month or so, when the Turkish cyber army or whoever puts pretty pictures all over their homepage, they blame me for lousy coding or setting them up with flawed software. I ask them what the permissions on their config php is or was before it was deleted...
their answer "umm.. locked?"

http://www.fraganoob.com Putting Gamers in Control!
-
- I've been banned!
- Posts: 53
- Joined: Wed May 09, 2007 11:34 am
Re: Top Ten Stupidest Joomla! Administrator Tricks
Basetballjones wrote: Truth always hurts a little, but it's good for us!
I've been guilty of every item on that list save the "OMG I've been haxed!" thread
If I report an issue that big and infuriating, it's going to look like a friggin nuclear reactor user's manual before I am done with it.
My favorite though, is when someone asks me to help them design a site, afterwards I instruct them on how to make changes and then afterwards, close up the holes- and they never do.
I modify their code so that if any file (on the secure list) is writable (and it should not be) the site won't run until the permissions are set appropriately. I got the idea from the Joomla install, which won't allow you to continue if the install files are still present.
IMHO Joomla should do something like that as well for security/file settings it has the ability to SEE are a vulnerability issue.
It should be a Joomla default behaviour - but it isn't. It would be similar in practice to the "Fasten Seatbelt" light and image, also the little 'chirp' you get every 2 minutes if you insist on running the car with it on!
Joomla should have it by default, IMHO, but won't.. oh well...
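One way to build the gate described in the post above, as an added example (not the poster's code and not Joomla! code). The contents of the secure list, the rule that a protected file may carry no write bit at all, and every function name are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Assumption for this example: a protected file must carry no write bit.
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH  # 0o222


class InsecurePermissions(RuntimeError):
    """A protected file is writable, missing, or not a plain file."""


def audit(root, secure_list, forbidden=WRITE_BITS):
    """Return [(relative_path, problem)] for every file that fails the policy.

    Mode bits are read directly instead of asking os.access(), so the
    answer does not depend on which account runs the check.
    """
    findings = []
    for rel in secure_list:
        path = os.path.join(root, *rel.split("/"))
        try:
            st = os.lstat(path)  # lstat: a symlink swapped in is a finding
        except FileNotFoundError:
            findings.append((rel, "missing"))  # fail closed on deleted files
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((rel, "not a regular file"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & forbidden:
            findings.append(
                (rel, "mode %04o has write bits %04o" % (mode, mode & forbidden))
            )
    return findings


def require_locked_down(root, secure_list):
    """Refuse to continue while any protected file fails the audit."""
    findings = audit(root, secure_list)
    if findings:
        raise InsecurePermissions("; ".join("%s: %s" % f for f in findings))


def demo():
    """Constructed site: one file left writable, one already read-only."""
    secure_list = ["configuration.php", "index.php"]  # constructed list
    with tempfile.TemporaryDirectory() as site:
        for rel, mode in (("configuration.php", 0o644), ("index.php", 0o444)):
            path = os.path.join(site, rel)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write("<?php // constructed sample\n")
            os.chmod(path, mode)

        before = audit(site, secure_list)
        try:
            require_locked_down(site, secure_list)
            blocked = False
        except InsecurePermissions:
            blocked = True

        # The admin sets the permissions; the gate now lets the site run.
        os.chmod(os.path.join(site, "configuration.php"), 0o444)
        after = audit(site, secure_list)
        return before, blocked, after


if __name__ == "__main__":
    print(demo())
```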
- DocMartin
- Joomla! Intern
- Posts: 69
- Joined: Thu Sep 15, 2005 9:06 am
- Location: Hong Kong
- Contact:
Joomla easy to manage - hahaha
Good thread.
But surely gives the lie to claim Joomla is "easy to manage"!
Who wrote that, I wonder.
(Claim maybe true if you're regular human who installs, does a little with J and moves on; or if you're some kind of cyberbeing. Otherwise, "easy" is just plain wrong.)
http://www.hkoutdoors.com - Hong Kong's wildest travel site.
http://www.drmartinwilliams.com - Conservation, travel, inspiring people; guff re Joomla
- Basetballjones
- Joomla! Enthusiast
- Posts: 230
- Joined: Sat Jan 06, 2007 5:43 pm
- Contact:
Re: Joomla easy to manage - hahaha
DocMartin wrote: Good thread.
But surely gives the lie to claim Joomla is "easy to manage"!
Who wrote that, I wonder.
(Claim maybe true if you're regular human who installs, does a little with J and moves on; or if you're some kind of cyberbeing. Otherwise, "easy" is just plain wrong.)
To be perfectly factual, on a comparative basis, Joomla is very easy.
Firstly- Joomla takes nearly thousands of web design functions and maps them to simple buttons. Point and click web design. It is a CMS, and as such, it takes over 80% of the work out of building, deploying, maintaining, and securing a web site. I can simply mention the amount of time I have saved not typing this out in full:
Code:
<p style="text-align: center;">Joomla does it for me, as well as hundreds of other things.</p>

Secondly- Any website has to be secured, and Joomla makes much of this ready integrated and the rest is fairly easy to implement if you read a little. I don't care what you find to build websites, they all have to be secured, and without the benefit of the assistance Joomla, or other CMS' offer, you have a long day's work ahead doing it all yourself.
I have worked with and on a few commercial/ enterprise grade CMS systems, and they don't offer much more than Joomla other than Oracle databases and ASP encoding, but you still have to go through all the steps of securing your property against attack as anything else.
http://www.fraganoob.com Putting Gamers in Control!