JOOMLA 2.5 IS THE RECOMMENDED VERSION FOR MOST SITES – Yes, still!
For most people, we recommend that you update from Joomla 2.5 only when Joomla 3.5 is released around September next year.
If you are an early adopter, developer or more experienced user, then we think you’ll love Joomla 3 right now.
Next year, after more real-world testing, we think everyone will love Joomla 3. At that time, Joomla 3.5 will be available as a one-click update option from your administrator area.
Joomla 2.5 is currently the recommended version for existing sites and will remain so until the release of 3.5.
Many more Joomla based sites are being hacked daily at the moment – and it's NOT Joomla's fault!
Firstly let me say the sites were NOT hacked through Joomla! They were all hacked through Joomla custom components!
If you are running Joomla 1.0.10 then there are no known security holes in that version!
extCalender • OpenSEF • phpBB Forum (com_forum) • SimpleBoard Forum • VideoDB • Mambo-SMF Forum • LoudMouth • PollXT • HashCash • perForms • Google Page Rank Module • BSQ SiteStats • MultiBanners • MiniBB • New Article Component • Advanced Poll • JomBok • ArtLinks • PCCookBook • Mambo/Joomla SiteMap (Custom Component) • Galleria • com_spray
I write this to inform you of these facts, and also to let you know, as our customer, that none of the components on www.phil-taylor.com have been hacked or used to hack Joomla websites! Yippee!
You should really only install components from TRUSTED sources, from developers that you trust!
Again, ALL COMPONENTS ON PHIL-TAYLOR.com have been HACKER SAFE certified and have no known security issues (at this moment in time). As experts in Joomla development we take pride in checking our components with an industry standard (expensive!) scanning solution used by the big players worldwide!
We have fixed over 50 hacked sites for new customers worldwide in the last 7 days!
Fix My Site is a very unique service offered by Phil Taylor.
(This is a fee per incident based service, no contracts and no strings involved!)
Fix My Site puts a very experienced and knowledgeable Mambo and Joomla expert at your fingertips when things go wrong on your site. For a set fee, you can have Phil Taylor (or one of our other experts) log in and take a look at the problem that is causing trouble on your site.
See our site at http://www.phil-taylor.com/FixMySite
ONLY TRUST THE EXPERTS! – Beware of some other help sites that simply repair your site without giving advice on how hackers gained access or how to prevent further attacks. We are not just Joomla experts, we have huge amounts of experience in this area and can draw on this experience to provide the very best solution for you.
You have been warned!
If you want to stop hackers and do information security as a career, consider information assurance training.
Obviously the first stage in securing your web site is to ensure that you are using a strong password. Ideally this should be a mixture of both upper and lower case characters and include a few numbers for good measure, and it should not be a real word.
Those naughty hackers aren't stupid and are well aware that people may use the number 3 to replace the letter e in a password. It's also extremely important that you don't use the same password on multiple sites: you only need one of those sites to be hacked for all your sites to be vulnerable. See this blog entry for a typo3 horror story.
Unfortunately people are lazy and often re-use passwords or choose ones that appear strong to them but are in fact pretty weak and vulnerable to brute force attacks, and this is where the problem currently lies in Joomla.
Every Joomla site creates a super-administrator user by default with exactly the same name – “admin”. As you can see from the screenshot there is no option to rename this super-administrator account during the installation.
So what does this mean? For a hacker it’s a dream scenario as without doing anything you have given them 50% of the credentials they need to break into your site and do as they wish with all your precious work.
In the long term the solution is for Joomla itself to be updated to allow you to choose the default super-administrator username as well as the password. There are however several steps you can undertake right now.
As soon as you have installed Joomla and logged in for the first time go to the user-manager and create a brand new super-administrator with a strong password. Then log out and re-login with the newly created account and go back to the user-manager and demote the “admin” user to manager level, apply your changes and then delete the “admin” user.
(You have to do it this way as Joomla does not allow you to delete a super-administrator.)
If you're wondering why I didn't suggest just changing the username of the "admin" user rather than creating a new one, that's because the "admin" user always has the same userid of "62", which potentially is another piece of useful information for a hacker or script-kiddie.
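An added example, not part of the original post, that verifies the end state of this procedure on a copy of the jos_users table: it assumes the Joomla 1.0.x column layout with gid 25 for Super Administrator and gid 23 for Manager, and uses an in-memory SQLite table with constructed rows in place of the real MySQL database.

```python
import sqlite3

# Assumed Joomla 1.0.x group ids: 25 = Super Administrator, 23 = Manager.
SUPER_ADMIN_GID = 25
MANAGER_GID = 23

# Constructed rows mirroring a fresh install: the default "admin" (id 62) plus one manager.
FRESH_INSTALL = [
    (62, "Administrator", "admin", "Super Administrator", SUPER_ADMIN_GID),
    (63, "Editor Bob", "bob", "Manager", MANAGER_GID),
]


def load_users(rows):
    """Build an in-memory jos_users table with just the columns the audit needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jos_users (id INTEGER PRIMARY KEY, name TEXT, "
                 "username TEXT, usertype TEXT, gid INTEGER)")
    conn.executemany("INSERT INTO jos_users VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def audit_super_admins(conn):
    """Report leftovers of the default account, or a site with no super-administrator at all."""
    findings = []
    rows = conn.execute(
        "SELECT id, username, gid FROM jos_users "
        "WHERE username = 'admin' OR id = 62 OR gid = ?", (SUPER_ADMIN_GID,)).fetchall()
    for uid, username, gid in rows:
        if username == "admin":
            findings.append(f"default username 'admin' still present (id {uid})")
        if uid == 62:
            findings.append("user id 62 still present")
    if not any(gid == SUPER_ADMIN_GID for _, _, gid in rows):
        findings.append("no super-administrator left; create one before deleting 'admin'")
    return findings


def replace_default_admin(conn, new_username):
    """Same end state as the post's steps: new super admin, demote 'admin', then delete it."""
    conn.execute("INSERT INTO jos_users (name, username, usertype, gid) VALUES (?, ?, ?, ?)",
                 (new_username, new_username, "Super Administrator", SUPER_ADMIN_GID))
    conn.execute("UPDATE jos_users SET usertype = 'Manager', gid = ? WHERE username = 'admin'",
                 (MANAGER_GID,))
    conn.execute("DELETE FROM jos_users WHERE username = 'admin'")
    conn.commit()
```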
If you are at all worried about your Sites Security, or would like us to provide you with a security consultancy service then please get in touch!
I am receiving a HUGE amount of traffic to my site from people searching Google for the com_migrator component that allows (kind of) the migration of content from Joomla 1.0.x sites to Joomla 1.5.0. We feature high in Google results for these queries because we blogged about "what you need to know about Joomla 1.5" a while ago and the migrator component was mentioned there.
However, the new wiki page on docs.joomla.org has all the details, and the download links, so (after you buy some of our components ) pop on over to:
Joomla 1.0.14 *is* stable in our professional opinion – stable to us means secure! While you may encounter some issues, those will only be minor compared to the greatly increased security your site will have by running Joomla 1.0.14RC1 instead of Joomla 1.0.13.
If you are running Joomla 1.0.13 then we urge you to upgrade immediately to Joomla 1.0.14RC1
Remember that Joomla 1.0.14 is built on the stability of Joomla 1.0.13 and has only bug fixes and security changes – nothing new has been added. While we accept that a lot of files have been changed, we would rather our customers encounter smaller issues (maybe like session issues) than have their websites hacked/compromised. Joomla 1.0.14 RC1 has been released to address specific security issues. Buried in a forum we find a commitment to other bug fixes in Joomla 1.0.15:
Please note that the main aim of this release is to address known security issues. We will be trying to devote additional resources for a 1.0.15 to fix other bugs and general annoyances over the next few months. Don't have any timing on that - it just depends on how it fits into everything else that's going on.
Upgrading from Joomla 1.0.14 RC1 to Joomla 1.0.14 will be a simple file replace, just like the upgrade from Joomla 1.0.13 to Joomla 1.0.14.
The announcement was:
The Joomla! Project today announced the immediate release of Joomla! 1.0.14 RC1 [Daybreak], the first and hopefully singular release candidate for the 1.0.14 release cycle. Several security issues have been discovered and addressed for this release. While the required changes are not significant, the number of impacted files is significant and we need your help. Before this release is declared stable we need to ensure that it works as well for you as it does for us.
This weekend a silent release has been made of Joomla 1.0.13 by the core Joomla team. This release has several security fixes, a regression of the Itemid handling and a MAJOR change in the way passwords are stored in the database (more about this below).
On the same day the core team announced Joomla 1.5 RC1 in a blaze of publicity, Joomla 1.0.13 received no announcement of its own, no fanfare and no blog post.
The Joomla Team have come under quite a lot of criticism from within their own Quality and Testing (Q&T) team regarding the timing of the release of Joomla 1.0.13; one Quality and Testing team member is quoted as saying that vulnerabilities may still exist in Joomla 1.0.13!!!
Due to recent popular demand we are publishing details about a service that we have been providing for some time now for existing customers, but now we are opening it up to all sites.
We offer a private and confidential service to customers that will reveal all known security vulnerabilities with your server and Joomla/Joomla Components.
For that we use professional industry standard software to scan your Joomla website for known and unknown flaws – this tests the web pages.
We then use ScanAlert (a very expensive system) to do a one-time in-depth scan of the server, domain and much more – this gives us a huge report; more details on ScanAlert can be found at scanalert.com. Lastly we do a manual audit of your website: we manually review your website's PHP files and 3rd party components/modules/mambots, and compare their versions against known issues (plus we use our full experience with Joomla to provide an in-depth service).
If you have full root access to your server we can further secure the server against known attacks – an additional fee is payable for this service as different skill sets are required and it can be more time consuming. Depending on the results of the audit this may be a recommended step – however the costs of this are not included in the audit fee.
We will provide you with a list of issues that we find, what you do with that information then is up to you – if you are on shared hosting there may be little you can do (apart from the obvious Joomla and Joomla Component audit recommendations). If you have a dedicated server we can secure your server and Joomla installations to meet the very strict PCI Certification scheme run by MasterCard and Visa card providers. We can work with you to fully secure your dedicated server and even provide monthly audits or monitoring if you wish.
UPDATE: It seems my post has attracted the attention of Amy
Here is a note to explain as best I can that the inclusion of mootools DOESN'T (yet) mean Joomla 1.5 has AJAX support.
[quote from here] Mootools is about more than ajax; ajax in mootools is only a very small part of the library, in fact it's the least used part of mootools for a lot of people.
As an example of how (currently) moo is used, for the Pane Sliders in Joomla 1.5 the moo tools for Pack and Slide are used to produce the new sliders that are used for params tables etc…
At the time of writing, the J1.5 SVN doesn't even have the mootools AJAX plugin JS. All it has is moo.fx.pack.js and moo.fx.slide.js, so using moo for ajax (at the time of writing) is impossible anyway.
I believe you are confused about mootools and ajax and about exactly what including mootools really brings to Joomla 1.5 – it is certainly NOT included by the core devs to provide ajax functionality and is certainly not a change in direction from the official line – yet !
If not then you are at risk from hackers! Make sure that you take time out TODAY to upgrade your Joomla website to the latest version.
If you would like us to upgrade your website for you (for a small fee) then please visit
It has been reported to us twice over Christmas that a certain backup and restore component for Joomla is "cloning" Joomla databases without reinstating all the properties of the databases' primary keys correctly.
You will know when you have this problem as you will not be able to add any NEW content to your Joomla site and you may get error messages about duplicate primary keys.
If you take a look at your jos_content table, check the id field and see if auto_increment is a property of the field – if not, then you have lost all your auto_increments.
I have compiled a short list of SQL commands to reinstate the correct primary keys and properties based on joomla.sql, the default Joomla installation SQL. This will NOT fix 3rd party components' tables, which must be done manually.
The following SQL commands are applicable to Joomla 1.0.x only.
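As an added example (not the author's SQL list), here is a Python helper that reads SHOW CREATE TABLE output, detects a primary key column that has lost auto_increment, and emits the ALTER TABLE that restores the joomla.sql definition; the sample table output is constructed, and the expected column definitions are assumed from joomla.sql and should be checked against your own copy.

```python
import re

# Constructed SHOW CREATE TABLE output for a cloned jos_content whose id column lost auto_increment.
CLONED_JOS_CONTENT = """CREATE TABLE `jos_content` (
  `id` int(11) unsigned NOT NULL default '0',
  `title` varchar(255) NOT NULL default '',
  `introtext` mediumtext NOT NULL,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8"""

# Primary key definitions assumed from Joomla 1.0.x joomla.sql; 3rd party tables are not covered.
EXPECTED_PK = {
    "jos_content": "`id` int(11) unsigned NOT NULL auto_increment",
    "jos_categories": "`id` int(11) NOT NULL auto_increment",
    "jos_sections": "`id` int(11) NOT NULL auto_increment",
}


def table_name(create_sql):
    """Pull the table name out of the CREATE TABLE header."""
    return re.match(r"CREATE TABLE `([^`]+)`", create_sql).group(1)


def pk_column(create_sql):
    """Return the name of a single-column primary key, or None if there is none."""
    m = re.search(r"PRIMARY KEY\s*\(`([^`]+)`\)", create_sql)
    return m.group(1) if m else None


def missing_auto_increment(create_sql):
    """True when the primary key column's definition lacks auto_increment (the cloning symptom)."""
    col = pk_column(create_sql)
    if col is None:
        return False
    m = re.search(r"^\s*`%s` [^,]*" % re.escape(col), create_sql, re.MULTILINE)
    return m is not None and "auto_increment" not in m.group(0).lower()


def repair_statement(create_sql):
    """Build the ALTER TABLE restoring the joomla.sql definition, or None if nothing needs fixing."""
    name = table_name(create_sql)
    if name not in EXPECTED_PK or not missing_auto_increment(create_sql):
        return None
    return f"ALTER TABLE `{name}` MODIFY {EXPECTED_PK[name]};"
```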