Top Ten Stupidest Joomla! Administrator Tricks

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
User avatar
Joomla! Ace
Joomla! Ace
Posts: 1373
Joined: Tue Sep 06, 2005 11:18 am
Location: Germany

Top Ten Stupidest Joomla! Administrator Tricks

Post by fw116 » Sat Aug 09, 2008 8:35 am

(orginal Post from rliskey)

10. Go with the cheapest hosting provider you can find, preferably a shared server that hosts hundreds of other sites, some of which are high-traffic porn sites. Don't check the list of recommended hosting providers.

9. Don't waste time with regular backups. Maybe the hosting provider will help you.

8. Don't waste time adjusting PHP and Joomla! settings for increased security. Hey, the install was brain-dead easy. How bad could the rest be? Worry about those details only if there's a problem.

7. Use the same username and password for your on-line bank account, Joomla! administrator account, Amazon account, Yahoo account, etc. Hey, who has time to keep track of so many passwords? And anyway, since you don't change passwords, it's easier to just use the same one all the time, everywhere.

6. Install your brand new beautiful Joomla!-powered site, celebrate a job well done, and don't worry about it again. After all, if you don't make any more changes, what can go wrong?

5. Do all upgrades and extension installations right there on the live site. Who needs a development and testing server anyway? If an installation fails, you'll just uninstall it again. That will hopefully also undo any damage the installation caused.

4. Trust all third-party extensions, and install all the cool-looking stuff you can find. Anyone smart enough to write a Joomla! extension will provide perfect code that blocks every known exploit attempt, now and forever. After all, almost all this stuff is provided for free by well-meaning, good-hearted people who know what they are doing.

3. Don't worry about updating to the latest version of Joomla!. Hey, nothing's gone wrong so far! Same plan for the third-party extensions. Too much work anyway.

2. When your site gets cracked, panic your way on over to the Joomla! Forums and start a new post with a very familiar title: "Help! My Site's Been Hacked!" Be sure not to leave relevant information, such as which obsolete versions of Joomla! and third party extensions were installed.

1. Once your site's been cracked, fix the defaced file and then assume all is well. Don't check raw logs, change your passwords, remove the entire directory and rebuild from clean backups, or take any other overly paranoid-seeming actions. When the attackers return the next day, scream loudly that you've been "hacked again," and it's all Joomla!'s fault. Ignore the fact that removing a defaced file is not even step one in the difficult process of fully recovering a cracked site.

User avatar
Joomla! Apprentice
Joomla! Apprentice
Posts: 22
Joined: Tue Jan 29, 2008 9:05 am

Re: Top Ten Stupidest Joomla! Administrator Tricks

Post by diadem » Tue Aug 12, 2008 10:23 am

Great tips on security and I wanted to add another one to the list:
- Don't stay abreast of the latest joomla extensions and updates which are being released. If something is not broken, than why fix it.

Hriday Biyani
Diadem Technologies Pvt. Ltd.
Custom Open Source Web Development

User avatar
Joomla! Apprentice
Joomla! Apprentice
Posts: 49
Joined: Tue May 27, 2008 11:48 am
Location: Hampshire, UK

Re: Top Ten Stupidest Joomla! Administrator Tricks

Post by puremetal » Wed Aug 20, 2008 5:51 pm

nice list - good stuff for a joomla noob like me to know

about point 8, where could a noob find appropriate information on setting up PHP/my server (and Joomla) for best security? There's so much information out there and its very difficult to know what's relevant. I got my first dedicated server this week, with the intention of using it for Joomla sites, so at least I passed point 10 :D

Gergo Erdosi
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 4031
Joined: Sat Nov 11, 2006 9:34 pm
Location: Hungary

Re: Top Ten Stupidest Joomla! Administrator Tricks

Post by Gergo Erdosi » Wed Aug 20, 2008 6:49 pm

This list can be also found in the Security and Performance FAQs: ... _tricks.3F


Return to “Security in Joomla! 1.5”