Joomla! 3.6.4 Security Update
Thursday, November 3rd, 2016 - General
A new version of Joomla! was released last week. This release fixes a huge security hole in Joomla!
Information about these security holes can be found directly from Joomla!’s website:
Joomla! 3.6.4 Released
Revised Assessment of 3.6.4 Security Release
Basically this vulnerability allows anyone to create an administrator user on your Joomla! website. When they have administrator privilege to your site, they can log in and do anything.
You must upgrade your Joomla! script to 3.6.4 as soon as possible!
This point cannot be stressed enough.
If your account is hacked, if someone gains administrative privileges to your web hosting account, they can do anything to your account. YOU MUST UPGRADE TO JOOMLA! 3.6.4 AS SOON AS POSSIBLE!
To update your Joomla! script, log into your administrator dashboard. Click on Components -> Joomla! Update and follow the instructions.
You also need to check for users that may have been added if your Joomla! script has been hacked. To do that click on Users -> User Manager (just click on User Manager)
You will then see a list of Users. We don’t know who all is suppose to be a user and who isn’t. This is something that you need to know. If you find users that shouldn’t be there, then you have been hacked. If you’re hacked, all bets are off. You will need to clean up your user list, removing users that aren’t suppose to be there.
If you find users on here that aren’t suppose to be there, then you have been hacked. If you’ve been hacked, then your account may contain backdoors and other malicious files. If you are hacked, your best course of action is to reset your account because the integrity of your account is now in question. You don’t know what malicious or abusive files may exist on your account.
If you are going to use Joomla! on your website, you need to stay up to date with Joomla! releases. When Joomla! releases a new version you need to update to it, immediately. It doesn’t do you any good if Joomla! releases a new version and you do not update. You have to update the script on your web hosting account to be protected from the security holes that update provides.
Steven
AMS Support