Joomla 3.8 + .htaccess

Discussion regarding Joomla! 3.x security issues.

Crystalrain
Joomla! Apprentice
Posts: 18
Joined: Mon Aug 13, 2007 2:54 pm

Joomla 3.8 + .htaccess

Post by Crystalrain » Sat Sep 01, 2018 4:13 am

Dear Joomla security team.

As my site was hacked in the past, I would like to kindly ask you for a suggestion on how to make it bulletproof (if possible). Could you please share with me suggestions on how to make my J3.8 site secure with .htaccess (what should and should not be inside it)? Thank you!
Forum Post Assistant (v1.4.3 (Frosty)) : 1st September 2018:
Basic Environment ::
Joomla! Instance :: Joomla! 3.8.12-Stable (Amani) 28-August-2018
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (400) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 3.8
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: 0 | FTP Layer: 0 | Proxy: 0 | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: 0 | SSL: 2 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | dbConnection Type: mysqli | PHP Supports J! 3.8.12: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 3.16.0-4-amd64 | Technology: x86_64 | Web Server: Apache/2.4.10 (Debian) | Encoding: gzip, deflate, br | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : Unknown |

PHP Configuration :: Version: 5.6.30 | PHP API: fpm-fcgi | Session Path Writable: No | Display Errors: | Error Reporting: 22519 | Log Errors To: /home/html/site/logs/php.log | Last Known Error: 01st September 2018 06:03:48. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: /etc/apache2/scripts:/home/html/site:/home/html/site:/usr/share/php | Uploads: 1 | Max. Upload Size: 32M | Max. POST Size: 32M | Max. Input Time: 60 | Max. Execution Time: 300 | Memory Limit: 256M

Database Configuration :: Version: 5.5.5-10.0.29-MariaDB-0+deb8u1 (Client:mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | Host: --protected-- (--protected--) | Localhost: No | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 9.35 MiB | #of Tables:  105
Detailed Environment ::
PHP Extensions :: Core (5.6.30) | date (5.6.30) | ereg () | libxml () | openssl () | pcre () | zlib (2.0) | bcmath () | bz2 () | calendar () | ctype () | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (0.11.0) | ftp () | gettext () | SPL (0.2) | iconv () | json (1.2.1) | mbstring () | session () | PDO (1.0.4dev) | standard (5.6.30) | posix () | Reflection ($Id: 5f15287237d5f78d75b19c26915aa7bd83dee8b8 $) | Phar (2.0.2) | shmop () | SimpleXML (0.1) | soap () | sockets () | exif (1.4 $Id: 1c8772f76be691b7b3f77ca31eb788a2abbcefe5 $) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | zip (1.12.5) | cgi-fcgi () | mysqlnd (mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | mysql (1.0) | mysqli (0.1) | pdo_mysql (1.0.2) | curl () | gd () | gmp () | imagick (3.4.1) | imap () | intl (1.1.0) | mcrypt () | memcache (2.2.7) | mssql () | pdo_dblib (1.0.1) | PDO_Firebird (0.3) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | pspell () | sqlite3 (0.7-dev) | tidy (2.0) | xmlrpc (0.51) | xsl (0.1) | mhash () | ionCube Loader () | Zend OPcache (7.0.6-devFE) | Zend Guard Loader () | Zend Engine (2.6.0) |
Potential Missing Extensions ::
Disabled Functions :: exec | passthru | system | shell_exec | popen | pfsockopen | readlink | symlink | link | leak | proc_open | pclose | virtual | dl | pcntl_exec | escapeshellcmd | proc_get_status | proc_nice | proc_terminate | url_exec | apache_setenv | proc_terminate | ini_restore | disk_free_space | diskfreespace | set_time_limit | fpassthru | ini_alter | apache_child_terminate | apache_get_modules | apache_get_version | apache_getenv | apache_note | apache_setenv |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (750) | components/ (750) | modules/ (750) | plugins/ (750) | language/ (750) | templates/ (750) | cache/ (750) | logs/ (---) | tmp/ (750) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (750) |

Elevated Permissions (First 10) ::
Database Information ::
Database statistics :: Uptime: 46241055 | Threads: 10 | Questions: 25274698879 | Slow queries: 9625 | Opens: 4223387 | Flush tables: 1 | Open tables: 190954 | Queries per second avg: 546.585 |
Extensions Discovered ::
Components :: SITE ::
Core :: com_mailto (3.0.0) 1 | com_wrapper (3.0.0) 1 |
3rd Party:: WF_AGGREGATOR_DAILYMOTION_TITL (2.6.32) 1 | WF_AGGREGATOR_VIMEO_TITLE (2.6.32) 1 | WF_AGGREGATOR_VINE_TITLE (2.6.32) 1 | WF_AGGREGATOR_[youtube]_TITLE (2.6.32) 1 | WF_FILESYSTEM_JOOMLA_TITLE (2.6.32) 1 | WF_LINKS_JOOMLALINKS_TITLE (2.6.32) 1 | WF_POPUPS_JCEMEDIABOX_TITLE (2.6.32) 1 | WF_POPUPS_WINDOW_TITLE (2.6.32) 1 | WF_LINK_SEARCH_TITLE (2.6.32) 1 | WF_ANCHOR_TITLE (2.6.32) 1 | WF_ARTICLE_TITLE (2.6.32) 1 | WF_AUTOSAVE_TITLE (2.6.32) 1 | WF_BROWSER_TITLE (2.6.32) 1 | WF_CHARMAP_TITLE (2.6.32) 1 | WF_CLEANUP_TITLE (2.6.32) 1 | WF_CLIPBOARD_TITLE (2.6.32) 1 | WF_CONTEXTMENU_TITLE (2.6.32) 1 | WF_DIRECTIONALITY_TITLE (2.6.32) 1 | WF_EMOTIONS_TITLE (2.6.32) 1 | WF_FONTCOLOR_TITLE (2.6.32) 1 | WF_FONTSELECT_TITLE (2.6.32) 1 | WF_FONTSIZESELECT_TITLE (2.6.32) 1 | WF_FORMATSELECT_TITLE (2.6.32) 1 | WF_FULLSCREEN_TITLE (2.6.32) 1 | WF_HR_TITLE (2.6.32) 1 | WF_IMGMANAGER_TITLE (2.6.32) 1 | WF_INLINEPOPUPS_TITLE (2.6.32) 1 | WF_KITCHENSINK_TITLE (2.6.32) 1 | WF_LAYER_TITLE (2.6.32) 1 | WF_LINK_TITLE (2.6.32) 1 | WF_LISTS_TITLE (2.6.32) 1 | WF_MEDIA_TITLE (2.6.32) 1 | WF_NONBREAKING_TITLE (2.6.32) 1 | WF_PREVIEW_TITLE (2.6.32) 1 | WF_PRINT_TITLE (2.6.32) 1 | WF_SEARCHREPLACE_TITLE (2.6.32) 1 | WF_SOURCE_TITLE (2.6.32) 1 | WF_SPELLCHECKER_TITLE (2.6.32) 1 | WF_STYLE_TITLE (2.6.32) 1 | WF_STYLESELECT_TITLE (2.6.32) 1 | WF_TABLE_TITLE (2.6.32) 1 | WF_TEXTCASE_TITLE (2.6.32) 1 | WF_VISUALBLOCKS_TITLE (2.6.32) 1 | WF_VISUALCHARS_TITLE (2.6.32) 1 | WF_XHTMLXTRAS_TITLE (2.6.32) 1 |

Components :: ADMIN ::
Core :: com_admin (3.0.0) 1 | com_ajax (3.2.0) 1 | com_associations (3.7.0) 1 | com_banners (3.0.0) 1 | com_cache (3.0.0) 1 | com_categories (3.0.0) 1 | com_checkin (3.0.0) 1 | com_config (3.0.0) 1 | com_content (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_cpanel (3.0.0) 1 | com_fields (3.7.0) 1 | com_finder (3.0.0) 1 | com_installer (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_languages (3.0.0) 1 | com_login (3.0.0) 1 | com_media (3.0.0) 1 | com_menus (3.0.0) 1 | com_messages (3.0.0) 1 | com_modules (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_plugins (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_redirect (3.0.0) 1 | com_search (3.0.0) 1 | com_tags (3.1.0) 1 | com_templates (3.0.0) 1 | com_users (3.0.0) 1 |
3rd Party:: com_advancedmodules (7.7.1) 1 | com_jaextmanager (2.5.3) 1 | com_jaextmanager (2.6.4) 1 | COM_JCE (2.6.32) 1 | com_rsform (2.0.14) 1 |

Modules :: SITE ::
Core :: mod_articles_archive (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_search (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_tags_similar (3.1.0) 1 | mod_users_latest (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_wrapper (3.0.0) 1 |
3rd Party:: JA Content Slider (2.7.4) 1 | JA Facebook Like Box Module (2.6.2) 1 | JA Masshead (2.6.1) 1 | JA Side News (2.6.8) 1 | JA Slideshow Lite (1.2.4) 1 | RSForm! Pro Module (1.51.1) 1 | sigplus (1.5.0.266) 1 |

Modules :: ADMIN ::
Core :: mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_stats_admin (3.0.0) 1 | mod_status (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_title (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_version (3.0.0) 1 |
3rd Party::

Plugins :: SITE ::
Core :: plg_authentication_cookie (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_captcha_recaptcha (3.4.0) 0 | plg_content_emailcloak (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_finder (3.0.0) 0 | plg_content_joomla (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_vote (3.0.0) 0 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_search_categories (3.0.0) 1 | plg_search_contacts (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_tags (3.0.0) 1 | plg_system_cache (3.0.0) 0 | plg_system_debug (3.0.0) 1 | plg_system_fields (3.7.0) 1 | plg_system_highlight (3.0.0) 1 | plg_system_languagecode (3.0.0) 0 | plg_system_languagefilter (3.0.0) 0 | plg_system_log (3.0.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_p3p (3.0.0) 0 | plg_system_redirect (3.0.0) 0 | plg_system_remember (3.0.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_sessiongc (3.8.6) 1 | plg_system_stats (3.5.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_twofactorauth_totp (3.2.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_user_contactcreator (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_profile (3.0.0) 0 |
3rd Party:: plg_content_jce (2.6.32) 1 | Content - RSForm! Pro (1.51.1) 1 | plg_content_sigplus (1.5.0.266) 1 | plg_editors_codemirror (5.38.0) 1 | plg_editors_jce (2.6.32) 1 | plg_editors_tinymce (4.5.8) 1 | plg_editors-xtd_sigplus (1.5.0.266) 1 | plg_extension_jce (2.6.32) 1 | plg_fields_mediajce (2.6.32) 1 | plg_installer_jce (2.6.32) 1 | plg_installer_rsform (1.0.0) 1 | plg_quickicon_jce (2.6.32) 1 | plg_search_sigplus (1.5.0.266) 0 | plg_system_advancedmodules (7.7.1) 1 | plg_system_jce (2.6.32) 1 | plg_system_regularlabs (18.7.10792) 1 | System - RSForm! Pro (1.52.1) 1 | System - RSForm! Pro Delete Su (1.0.0) 1 | System - RSForm! Pro reCAPTCHA (1.52.1) 1 | T3 Framework (2.7.2) 1 |
Templates Discovered ::
Templates :: SITE :: beez3 (3.1.0) 1 | ja_university_t3 (1.1.7) 1 | protostar (1.0) 1 |
Templates :: ADMIN :: hathor (3.0.0) 1 | isis (1.0) 1 |
Last edited by toivo on Sat Sep 01, 2018 6:21 am, edited 1 time in total.
Reason: mod note: disabled smilies in Options tab for readability

AMurray
Joomla! Virtuoso
Posts: 4035
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: Joomla 3.8 + .htaccess

Post by AMurray » Sat Sep 01, 2018 8:41 am

The usual round of advice:
* Make sure you're keeping Joomla up to date.
* Make sure you're keeping third party extensions up to date.
* Use Akeeba Admin Tools - this has a ".htaccess maker" in it with which you can, for example, add the extra password protection (the pop-up window asking for credentials, separate from your Joomla details).
* Make sure you don't have the FTP option enabled.
* Where possible, make sure your server environment is maintained. This might be out of your control, but if you host with a reputable hosting company that actively maintains its servers and updates regularly, risks should be minimal.
* Give myjoomla.com a go. It's a subscription service, but very comprehensive, and gives you mountains of information concerning any security concerns it finds. It is also a practical all-in-one administrative tool to manage all your Joomla sites.
Regards,
--------------------------------------------------------------
A Murray
Millennium Falcon - it's the ship that made the Kessel run in less than 12 parsecs! The fastest hunk of junk in the galaxy.

ribo
Joomla! Virtuoso
Posts: 3339
Joined: Sun Jan 03, 2010 8:47 pm

Re: Joomla 3.8 + .htaccess

Post by ribo » Sat Sep 01, 2018 9:19 am

Session Path Writable: No. This must be Yes (your host must correct this).
But this is not the problem in your issue. You must have Joomla, third-party extensions and the template up to date. One other thing is that your PHP version is out of date. For example, the latest version of PHP 5.6 is 5.6.37 and you have 5.6.30. Better to use PHP 7.x with your Joomla version, and for each supported version it is better to use its latest release. This is your host's issue.
chat room spontes : http://www.spontes.com

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: Joomla 3.8 + .htaccess

Post by fcoulter » Sat Sep 01, 2018 10:59 am

Yes, I second all the advice above.

And most hosts these days offer a simple way to switch PHP versions, so it should not be difficult. Provided all your extensions are up to date, your site should run very well on PHP 7, and you will find that it is much faster; it really improves the performance.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

JAVesey
Joomla! Ace
Posts: 1844
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Re: Joomla 3.8 + .htaccess

Post by JAVesey » Sat Sep 01, 2018 12:14 pm

In addition to the above (all of which are essential, I'd suggest), I'd heartily recommend the AdminExile plugin to hide your /administrator login, and make sure that you're using one of the Two-Factor Authentication options that ship with Joomla by default on your Admin login.

fcoulter wrote (Sat Sep 01, 2018 10:59 am):
Provided all your extensions are up to date, your site should run very well on PHP 7, and you will find that it is much faster; it really improves the performance.
High-quality hosting is a must, too, and it needn't be expensive. I'm running on PHP 7.2.9 without a problem, but all my extensions are kept up to date, which makes this possible.
John V
Cardiff, Wales, UK
Uses Joomla 3.9.1

Crystalrain
Joomla! Apprentice
Posts: 18
Joined: Mon Aug 13, 2007 2:54 pm

Re: Joomla 3.8 + .htaccess

Post by Crystalrain » Sun Sep 16, 2018 5:20 am

Thank you for the suggestions. All ideas implemented :-) Have a great day!

leolam
Joomla! Master
Posts: 19139
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Joomla 3.8 + .htaccess

Post by leolam » Sun Sep 16, 2018 3:01 pm

A couple more things I noticed from the FPA:
Session Path Writable: No
Contact your host, since that must be Session Path Writable: Yes.

Your permissions are incorrect. Make sure folders are always '755' and files are always '644'.

You should enable gzip compression in the Server tab of your Global Configuration. It speeds up page loading dramatically.

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
Member Joomla Bug Squad & Joomla CMS Release Team

Crystalrain
Joomla! Apprentice
Posts: 18
Joined: Mon Aug 13, 2007 2:54 pm

Re: Joomla 3.8 + .htaccess

Post by Crystalrain » Mon Sep 17, 2018 6:43 am

Thank you for the answer.

Session_path_writable is probably /tmp outside of public_html, which I have set to 770. What permissions should I set to make it perfect?

My site was hacked in the past, and I am extremely concerned not to let it happen again. Will permissions of 750 for folders and 640 and 644 for files hurt the functionality of the website? i.e. configuration.php is set to 440 :-)
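As an added example, not code from the thread, from Joomla or from Akeeba: a read-only POSIX shell audit that lists every folder and file in a Joomla tree whose mode differs from the 755/644 baseline leolam gives, reports configuration.php on its own (the FPA above shows it at 400 and the last post at 440), and checks whether a session path is writable. It assumes GNU find and coreutils (stat -c) and changes nothing, so the listing can be reviewed before any chmod is run.

```shell
#!/bin/sh
# Added example, not code from the thread, Joomla or Akeeba: a read-only
# permissions audit of a Joomla tree against the baseline leolam gives
# above (755 for folders, 644 for files). Nothing is changed; deviations
# are listed so they can be reviewed before any chmod is run.
# Assumes GNU find and coreutils (stat -c %a).

# list_deviations ROOT [DIR_MODE] [FILE_MODE]
# Prints "mode<TAB>type<TAB>path" for each entry whose mode is not exactly
# the baseline. A bare octal argument to -perm means an exact match, so a
# 750 folder or a 640 file shows up against the 755/644 default.
list_deviations() {
    root=$1
    dir_mode=${2:-755}
    file_mode=${3:-644}
    find "$root" -type d ! -perm "$dir_mode" -exec sh -c '
        for p in "$@"; do printf "%s\tdir\t%s\n" "$(stat -c %a "$p")" "$p"; done' sh {} +
    # configuration.php is skipped here and reported by config_mode instead,
    # because the thread shows it kept tighter than ordinary files (400/440).
    find "$root" -type f ! -name configuration.php ! -perm "$file_mode" -exec sh -c '
        for p in "$@"; do printf "%s\tfile\t%s\n" "$(stat -c %a "$p")" "$p"; done' sh {} +
}

# count_deviations ROOT [DIR_MODE] [FILE_MODE]: number of deviating entries,
# printed on stdout (0 means the tree matches the baseline).
count_deviations() {
    list_deviations "$@" | wc -l | tr -d ' '
}

# config_mode ROOT: octal mode of ROOT/configuration.php, or "missing".
config_mode() {
    if [ -f "$1/configuration.php" ]; then
        stat -c %a "$1/configuration.php"
    else
        echo missing
    fi
}

# session_path_writable DIR: succeeds when DIR exists and the current user
# can write to it. Run as the PHP user (fpm-fcgi in the FPA) against
# session.save_path, this is the "Session Path Writable" check from the FPA.
session_path_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Usage when run directly: audit the Joomla root given as the first argument.
if [ "$#" -gt 0 ] && [ -d "$1" ]; then
    list_deviations "$1"
    echo "configuration.php mode: $(config_mode "$1")"
fi
```

Run it as the same user PHP runs under; a path that is writable for your shell account may still be unwritable for the fpm-fcgi user the FPA reports on.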
