[Updates] Joomla! 1.x Sunsetting
Wednesday, October 8th, 2014 - Updates
Due to a recent rash of web hosting accounts being compromised and exploited and a lot of these being traced back to outdated Joomla! scripts, we have made the decision to sunset all Joomla! 1.0 and Joomla! 1.5 scripts that are installed on our servers.
Sunsetting, in this context, means that we will be disabling these web hosting accounts or directories that currently have a Joomla! 1.0 or Joomla! 1.5 script installed.
To put this in perspective, consider these end of life announcements from the Joomla! developers:
End of Life Date | |
Joomla! 1.0 tree | July 2009 |
Joomla! 1.5 tree | April 2012 |
Joomla! 2.5 tree | December 31, 2014 |
End of Life means that the developer stopped supporting that software or that version of the software. Any security holes discovered after a product goes End of Life means that it will not be patched.
Joomla! 1.0 reached end of life in July 2009, that was over 5 years ago. Joomla! 1.5 reached end of life in April 2012 which was nearly 18 months ago. Joomla! 2.5 will reach end of life at the end of 2014, but we are not making any changes to Joomla! 2.5 based web hosting accounts.
When will you be sunsetting these scripts?
We are planning to start disabling Joomla! 1.0 and Joomla! 1.5 scripts in January 2015. So you still have plenty of time to make arrangements to move on to a supported version of Joomla! Because Joomla! 2.5 will technically be reaching it’s end of life at the end of 2014, we recommend moving straight to Joomla! 3.3.
The January 2015 deadline is not set in stone at this point, but that is what we are aiming for. It definitely won’t be before January 2015. But this may get pushed back depending on how this plays out.
How do I upgrade to a supported version of Joomla!?
That’s a very tricky question, one that unfortunately we cannot solve. The upgrade path from Joomla! 1.0 or Joomla! 1.5 to any supported version of Joomla! is quite daunting. That is why we have given such a wide timeframe to allow you to perform this “upgrade”. There is no de-facto standard way for “upgrading” a Joomla! 1.0 or Joomla! 1.5 to a supported Joomla! version. Every web hosting account is going to be different, depending on how you have Joomla! set up.
Because Joomla! 1.0 and Joomla! 1.5 are so old, they don’t take advantage of a lot of modern upgrade methods, that is why this process is so difficult. Basically you have to install a new version of a supported Joomla! and then migrate your data from your old Joomla! system into the new system. Any plugins or components that you had on your old Joomla! system would have to be reinstalled with an updated version, for the new Joomla! system.
For migrating from Joomla! 1.5 to Joomla! 3, you might find this link to be useful:
But your best resource is probably going to be the Joomla! support forums:
If you don’t know what to do, I would suggest starting with the forums and asking the community there for help.
My website works fine, why are you forcing me to upgrade?
Unfortunately we are just seeing too many web hosting accounts that are becoming hacked, exploited, and used for abusive purposes. In order to try and get ahead of this, we have to be proactive and try to stop these hackings before they start. Your website may be working fine, but a lot of times, malicious users have taken advantage of your account and left behind little scripts on your account that perform abusive actions. These scripts may be completely oblivious to you, the website owner, but behind the scenes they are using your account to send out spam or initiate DDOS attacks, and all of these can be tied to a security hole in your account that gave these malicious users access and privileges to perform these actions.
But my Joomla! 1.x website is completely secure.
The other issue with Joomla! 1.x scripts is that the components, themes, plugins, and addons are also old and outdated. If you have a component installed on your Joomla! site and it is outdated and prone to security exploits, then this can allow your web hosting account to become hacked. There are no longer any updates to any Joomla! 1.x components or themes, and sadly a lot of those were poorly written to begin with, so you may be a ticking time bomb waiting to explode in terms of being hacked or exploited.
I am using Joomla! 2.5.x on my account, will I be affected by this?
No. We are not going to be disabling any Joomla! 2.5 accounts – not yet anyway. Although, we do encourage you to consider upgrading to Joomla! 3 before Joomla! 2.5 reaches end of life. Eventually, perhaps January 2016, we will probably do the same thing with Joomla! 2.5 scripts as we are doing with Joomla! 1.0 and Joomla! 1.5 scripts. But for January 2015, Joomla! 2.5 based web hosting accounts are exempt from this sunsetting.
What is the exact date that you will be sunsetting these Joomla! accounts?
We don’t have an exact date for this and likely never will, but we are planning for this to happen sometime in January 2015, more than likely towards the middle of January 2015. But it is in your best interest to not wait around, upgrade your Joomla! script as soon as you can so you don’t have to worry about this and so that you do not have to worry about your web hosting account being exploited.
[Security] VirtueMart Joomla! Vulnerability
Friday, September 12th, 2014 - Security
A nasty security exploit has been discovered affecting several thousand old an outdated versions of the popular Joomla! extension, VirtueMart.
More information is available at:
Security Advisory – Critical Vulnerability in the VirtueMart Extension for Joomla!
Security release of vm2.6.10 and vm2.9.9b
All users need to upgrade or remove the affected VirtueMart Joomla! extension.
Versions of VirtueMart that are safe appear to be versions 2.6.8c and 2.6.10c.
Unfortunately, we cannot provide any support for this. We are just a messenger letting you know that a serious security threat is there. If you are using a vulnerable version and you do nothing, your web hosting account will likely get hacked. We may have to suspend or disable web hosting accounts that are hacked or do not upgrade or resolve this issue.
If you require support for this, you may want to contact your web developer or web designer for more information. Additional support may be found directly at the VirtueMart Support Forums:
or at the Joomla! support forums:
Again, we are just advising you that a threat exists. If you do not know what to do about this, I encourage you to seek help at one of the above forums.
Steven – AMS Support
[Security] Slider Revolution Plugin Vuln
Thursday, September 4th, 2014 - General
A critical vulnerability has been found in the Slider Revolution plugin that is popular in WordPress either as a stand alone plugin or packaged with many different themes.
We are working on getting messages sent out to users that may have been affected by this.
Installed Version: XX.XX.XX
If the XX.XX.XX is greater than (but not equal to) 4.1.4 (for example 4.2, 4.3.8, 4.5.9, etc) but less than 4.6 then technically you are using an out of date version of Slider Revolution, and you may want to get with your theme vendor or web designer to see about updating this to the latest version. But there is no known security risk for you at this time.
If the XX.XX.XX is equal to or less than 4.1.4 (for example, 4.1.4, 4.1.3, 3.0.95, 2.3.91, etc) THEN YOU NEED TO TAKE IMMEDIATE ACTION. Your version of Revolution Slider is exploitable and your website and web hosting account is at risk and may have already been compromised. Contact your theme vendor or web developer IMMEDIATELY.
(Added September 11, 2014 6:33PM EDT)
If you received a message from us that sent you to this blog, then you need to check and make sure the Slider Revolution plugin on your website is up to date. If you are using a theme that is using Slider Revolution then you will need to update that theme, assuming that the theme developers have updated the Slider Revolution that is packaged with their theme. You will have to contact your individual theme vendor or developer for more information on this.
If you installed Slider Revolution as a stand alone plugin, you will need to update it. See:
Slider Revolution Responsive WordPress Plugin
for more information.
I am sorry that we cannot be of much more help regarding this. Slider Revolution isn’t something we created or developed and play no role in it. You will have to contact the companies and individuals that you installed this from for more information. We are only passing on information that this has been compromised.
Additional Information concerning this exploit can be found at:
Slider Revolution Plugin Critical Vulnerability Being Exploited
If you do nothing regarding this then it is very likely that your website and your web hosting account will be compromised. It is probably a good idea to go ahead and change all of your passwords, just for good measure. Including your WordPress passwords and your MySQL passwords.
This is a very serious exploit and should be treated as such.
Steven – AMS Support
[Updates] Script Updates
Wednesday, August 13th, 2014 - Updates
We have seen a large increase in the number of accounts that have been hacked, defaced, and used for abusive purposes on our servers and 99% of these incidents are traced back to users using outdated scripts or outdated/insecure/poorly written plugins, addons, components, extensions, or themes. You may have recently received a message from us detailing some of the outdated scripts on your account. This post aims to provide more information about outdated scripts.
Joomla! has set the end of life for Joomla! 2.5 at December 31, 2014. If you are using an unsupported version of Joomla! I would encourage you to forego Joomla! 2.5 and opt for Joomla! 3.3 because of the longer life expectancy at this time. Users of Joomla! 2.5 need to be thinking about and making arrangements to upgrade to Joomla! 3.3 by the end of the year. The term “end-of-life” means that it is no longer supported. Any software that is “end-of-life” in which security holes are found, will not be patched.
First, if you received a message from us, it likely contained a segment (or multiple segments) that looked like:
Account: xxxxxxxx
Script: xxxxxxxx
Installed Path: xxxxxxxx
Installed Version: xxxxxxxx
Latest Version: xxxxxxxx
Script Website: xxxxxxxx
If you received an email fro us with the above information and they are for accounts that you may not have direct control of, then it is your responsibility to pass that information on to the persons that do have control of the accounts. For example, resellers may not have direct access to their resold accounts, but you need to pass this information on to your resold accounts. We do not contact your resold accounts directly. If the account gets exploited and it was never updated because you didn’t pass the information on, unfortunately that’s not a valid excuse. We contacted you to let you know of the outdated scripts. That is as much as we can do.
(Added August 16, 2014 10:30PM EDT)
There are some key parts to this segment:
Script: is going to tell you the name of the script that is being referred to here. Common examples include WordPress and Joomla!
Installed Path: This is important to recognize. This is going to tell you the path as it pertains to your web hosting account, of the stated outdated script. It is important to pay attention to this. For example, you may have a WordPress script installed in the DocumentRoot of your web hosting account (i.e. http://yourdomain.com) but you may have another WordPress script installed some where else on your web hosting account that maybe you forgot about, or maybe you no longer need. That will be detailed here. Don’t assume that this is referring to a script that you are aware of. If it is listed, then it is very likely outdated and needs to be addressed one way or another.
Installed Version: This tells you the version of the script that is installed on your web hosting account at the specified location.
Latest Version: This tells you the latest current version that is released for this script from their developers. This is the version, at minimum, that you need to upgrade to.
Script Website: This gives you a link to the website of the developers of that specific script. For example, WordPress will send you to http://www.wordpress.org and Joomla! will send you to http://www.joomla.org You can visit these websites for more information as it pertains to the correct upgrade procedures.
• How do I upgrade my script?
Typically upgrading a WordPress or Joomla! (any version greater than 2.5) should be fairly easy. They have mostly made it easy and it’s just a matter of a single click in the admin area of the script. If you installed the script using Softaculous, then you may be able to upgrade it from the Softaculous interface in your cPanel. The link to the specific script’s website can be useful in regards to finding specific instructions for upgrading the script. Some helpful links include:
• Why is it important to keep scripts up to date?
Developers keep a fluid development of their application. Hackers and malicious users are always on the prowl looking for ways to exploit some of the most popular web applications and scripts. When a security hole is found in a script, the developers of those scripts or web applications will typically rewrite that section of the code so as to close that security hole. This is why applications and scripts get updates, to fix those security holes.
You may be familiar with the Windows operating system and the number of patches Microsoft releases for it. Typically your operating system will download those patches and will either reboot your computer or ask you to reboot your computer to apply those patches. Those patches are there to protect your computer and system from known security threats.
Updates to scripts and web applications are no different, they are applying security patches to guard against new found threats. The difference between a web application or script and your desktop computer is that a web application or script is constantly on the web. Your website is always up, always available. Your desktop computer, you may turn it off at night or when you are not using it. A computer or system that is off or not connected to the Internet is much, much, much less likely to be exploited. But because your website is constantly web accessible, protecting it against security threats is of the utmost importance.
• What happens if I don’t upgrade my scripts?
Sadly, we have seen quite a few users who elect to go this route, either thinking that their website is working now why fix something that isn’t broken? Or being too afraid that the upgrade process will “break” their website. While there are merits to each of these arguments, I can also tell you that there are some disastrous consequences in following this line of thinking.
We deal with security issues on accounts every day. We deal with multiple accounts every day. Speaking from experience I can tell you that if you don’t keep your scripts/plugins/components/extension/themes all up to date, then you should expect to be hacked/defaced/compromised/exploited. There’s no real tactful or easy way to make that point. The reason new versions of scripts and web applications are released is to patch known security holes. If you choose not to upgrade, then you are allowing hackers and other malicious users to take advantage of those known security holes.
Once an account gets hacked and compromised the integrity of all of the files on that account fall into question. A lot of times, the only recourse is to completely wipe the account out and start over fresh with fresh files and fresh content, meaning that the account loses all of it’s previous content. I am sorry that this has to happen, but it is part of the consequences of not keeping a hosting account or script up to date.
• What can I do to protect my account?
Keeping your scripts up to date is the best thing to do.
Keeping your plugins/themes/components/addons/extensions/etc. all up to date is also very important.
It is also important to use reputable scripts and plugins/themes/components/addons/extensions/etc. There are a lot of plugins/components/extensions/themes that are just not well written or they quickly become abandoned meaning their developers never update the plugin any longer. This is why it is important to only use well-known and reputable extensions for your script. A plugin or theme may exist that does exactly what you want it to, but if it’s poorly written or insecure and leads to your website being hacked, compromised, and defaced, then it’s not much help to you.
Use strong passwords. There is a huge botnet that comes around every few months that attempts to brute force its way into popular scripts and web applications by guessing admin username and passwords. If you are using a weak password, then it will be easy for this botnet to brute force it’s way into your script.
Any additional security layers you can add to your script will benefit you. These would include extra login prompts, image captcha systems, two-factor login systems, etc. The more security you can put between your website and a potential hacker, the more likely you are to avoid simple hacks. Hackers typically have a defined method for hacking a website, if you have an extra layer of security that disrupts that defined method it cause most hacking attempts to move on to another website.
• I have already been hacked, what can I do?
Unfortunately, once you are hacked you can no longer trust the integrity of the files on your account. You do not know what all was tampered with, what backdoors may have been left behind, or what access points the hackers and malicious users may have left behind for themselves. Once you are hacked and compromised, the only real recourse is to completely wipe your account and start all over again. That is why it is so important that you be proactive in regards to the security of your website, taking measures to prevent a hack in the first place.
We have a seen a very large uptick in instances where accounts were hacked months or even years ago. Hackers may not have done anything to exploit the account at that time, instead the hack just lays dormant until the hackers call upon it many months later. So it is possible that your account may have already been hacked and you don’t know it.
As always, if you have any questions or need additional help, you can submit a support ticket at:
Steven – AMS Support
[General] MySQL username password change
Monday, June 16th, 2014 - General
One of the issues that has arose with the switch to PHP 5.4 has to do with MySQL username passwords. If you created a MySQL username and password combination many years ago, on a system that predates MySQL 4.0, then PHP 5.4 is not going to recognize this password. This has to do with the change of MySQL engines that PHP 5.4 uses versus what previous versions of PHP used.
If you see an error message or warning message on your website that says the page is not able to connect to the database server or error connecting to database server, it is likely that you are being hit by this issue.
If you are being hit by this error, you can submit a support ticket and our support staff will assist with this. Just be sure to include a link to the website or webpage that is giving you this error message.
You can also resolve this issue yourself, by changing or updating the MySQL password that your script uses. You can even use the same password, the system just has to update itself to store the password in a way that the new PHP 5.4 MySQL engine will understand.
– Before you start, you either need to know what the current MySQL username password is for your script or know how to change the password in the script’s configuration. If you do not know this information or do not know how to gather or change the information, then you will probably just want to submit a support ticket and let our support staff handle this issue for you.
To change or update the password for a MySQL username, log into your cPanel:
Find the section labeled Databases and look for the MySQL Databases icon:

Click this icon.
Next, scroll down to the bottom of that page, you’ll find a section labeled Current Users. In that table you’ll see a list of your MySQL usernames:
Click on the desired MySQL username that you are wanting to change or update the password to.
Next, you’ll get a page labeled MySQL Account Maintenance and you will see the MySQL username you clicked and two boxes for the password:
Type the password for the MySQL username in both MySQL fields, or enter a new password in both MySQL fields, or use the Password Generator button to generate a new password, then click Change Password.
The password to this MySQL username should then be changed. If you reused the same password, then your script should be working now. If you entered a new password, you would need to update the configuration file for your script to use the new password.
As always, if you need assistance with this, you can submit a support ticket at:
Steven – AMS Support