[Updates] Joomla! 3.4.6 released
Monday, December 14th, 2015 - Security, Updates
The Joomla! developers have released an updated version of their Joomla! script, Joomla! 3.4.6.
This release fixes a major security bug in Joomla!
This security bug is also present in prior Joomla! releases, Joomla! 1.5 and Joomla! 2.5. But since Joomla! 1.5 and Joomla! 2.5 are end-of-life, no security patches are being released for those versions.
Users on our servers that have been using these outdated Joomla! versions have been sent several notices about this. Between those notices and this recent security issue, this may be the final nail in the coffin for Joomla! 1.5 and Joomla! 2.5 scripts. We will likely have to start disabling Joomla! scripts that are end-of-life. We apologize for having to do this, but advice to upgrade your Joomla! scripts has gone ignored, and from a server security standpoint the dangers of allowing these exploitable scripts outweigh any benefit.
If you are not using Joomla! 3.4.6, please upgrade as soon as possible.
Steven
•
[Updates] Joomla! 1.x Sunsetting
Wednesday, October 8th, 2014 - Updates
Due to a recent rash of web hosting accounts being compromised and exploited and a lot of these being traced back to outdated Joomla! scripts, we have made the decision to sunset all Joomla! 1.0 and Joomla! 1.5 scripts that are installed on our servers.
Sunsetting, in this context, means that we will be disabling these web hosting accounts or directories that currently have a Joomla! 1.0 or Joomla! 1.5 script installed.
To put this in perspective, consider these end of life announcements from the Joomla! developers:
Version | End of Life Date
Joomla! 1.0 tree | July 2009
Joomla! 1.5 tree | April 2012
Joomla! 2.5 tree | December 31, 2014
End of Life means that the developer has stopped supporting that software or that version of the software. Any security holes discovered after a product goes End of Life will not be patched.
Joomla! 1.0 reached end of life in July 2009; that was over 5 years ago. Joomla! 1.5 reached end of life in April 2012, which was nearly 18 months ago. Joomla! 2.5 will reach end of life at the end of 2014, but we are not making any changes to Joomla! 2.5 based web hosting accounts.
When will you be sunsetting these scripts?
We are planning to start disabling Joomla! 1.0 and Joomla! 1.5 scripts in January 2015. So you still have plenty of time to make arrangements to move on to a supported version of Joomla! Because Joomla! 2.5 will technically be reaching its end of life at the end of 2014, we recommend moving straight to Joomla! 3.3.
The January 2015 deadline is not set in stone at this point, but that is what we are aiming for. It definitely won’t be before January 2015. But this may get pushed back depending on how this plays out.
How do I upgrade to a supported version of Joomla!?
That’s a very tricky question, one that unfortunately we cannot solve. The upgrade path from Joomla! 1.0 or Joomla! 1.5 to any supported version of Joomla! is quite daunting. That is why we have given such a wide timeframe to allow you to perform this “upgrade”. There is no de facto standard way of “upgrading” a Joomla! 1.0 or Joomla! 1.5 installation to a supported Joomla! version. Every web hosting account is going to be different, depending on how you have Joomla! set up.
Because Joomla! 1.0 and Joomla! 1.5 are so old, they don’t take advantage of a lot of modern upgrade methods, which is why this process is so difficult. Basically, you have to install a new, supported version of Joomla! and then migrate your data from your old Joomla! system into the new system. Any plugins or components that you had on your old Joomla! system would have to be reinstalled in an updated version for the new Joomla! system.
For migrating from Joomla! 1.5 to Joomla! 3, you might find this link to be useful:
http://docs.joomla.org/How_do_I_upgrade_from_Joomla!_1.5_to_3.x
But your best resource is probably going to be the Joomla! support forums:
If you don’t know what to do, I would suggest starting with the forums and asking the community there for help.
My website works fine, why are you forcing me to upgrade?
Unfortunately, we are just seeing too many web hosting accounts being hacked, exploited, and used for abusive purposes. In order to get ahead of this, we have to be proactive and try to stop these hacks before they start. Your website may be working fine, but a lot of times, malicious users have taken advantage of your account and left behind little scripts that perform abusive actions. You, the website owner, may be completely oblivious to these scripts, but behind the scenes they are using your account to send out spam or initiate DDoS attacks, and all of this can be tied to a security hole in your account that gave these malicious users the access and privileges to perform these actions.
But my Joomla! 1.x website is completely secure.
The other issue with Joomla! 1.x scripts is that the components, themes, plugins, and addons are also old and outdated. If you have a component installed on your Joomla! site and it is outdated and prone to security exploits, then this can allow your web hosting account to become hacked. There are no longer any updates to any Joomla! 1.x components or themes, and sadly a lot of those were poorly written to begin with, so you may be a ticking time bomb waiting to explode in terms of being hacked or exploited.
I am using Joomla! 2.5.x on my account, will I be affected by this?
No. We are not going to be disabling any Joomla! 2.5 accounts – not yet anyway. Although, we do encourage you to consider upgrading to Joomla! 3 before Joomla! 2.5 reaches end of life. Eventually, perhaps January 2016, we will probably do the same thing with Joomla! 2.5 scripts as we are doing with Joomla! 1.0 and Joomla! 1.5 scripts. But for January 2015, Joomla! 2.5 based web hosting accounts are exempt from this sunsetting.
What is the exact date that you will be sunsetting these Joomla! accounts?
We don’t have an exact date for this and likely never will, but we are planning for this to happen sometime in January 2015, more than likely towards the middle of January 2015. It is in your best interest not to wait around: upgrade your Joomla! script as soon as you can so that you do not have to worry about this or about your web hosting account being exploited.
Steven
•
[Updates] Script Updates
Wednesday, August 13th, 2014 - Updates
We have seen a large increase in the number of accounts that have been hacked, defaced, and used for abusive purposes on our servers and 99% of these incidents are traced back to users using outdated scripts or outdated/insecure/poorly written plugins, addons, components, extensions, or themes. You may have recently received a message from us detailing some of the outdated scripts on your account. This post aims to provide more information about outdated scripts.
Joomla! has set the end of life for Joomla! 2.5 at December 31, 2014. If you are using an unsupported version of Joomla!, I would encourage you to forego Joomla! 2.5 and opt for Joomla! 3.3 because of the longer life expectancy at this time. Users of Joomla! 2.5 need to be thinking about and making arrangements to upgrade to Joomla! 3.3 by the end of the year. The term “end-of-life” means that the software is no longer supported. Security holes found in software that is “end-of-life” will not be patched.
First, if you received a message from us, it likely contained a segment (or multiple segments) that looked like:
Account: xxxxxxxx
Script: xxxxxxxx
Installed Path: xxxxxxxx
Installed Version: xxxxxxxx
Latest Version: xxxxxxxx
Script Website: xxxxxxxx
If you received an email from us with the above information and it concerns accounts that you do not have direct control of, then it is your responsibility to pass that information on to the persons that do have control of those accounts. For example, resellers may not have direct access to their resold accounts, but they need to pass this information on to those accounts. We do not contact your resold accounts directly. If the account gets exploited and it was never updated because you didn’t pass the information on, unfortunately that’s not a valid excuse. We contacted you to let you know of the outdated scripts. That is as much as we can do.
(Added August 16, 2014 10:30PM EDT)
There are some key parts to this segment:
Script: This tells you the name of the script that is being referred to. Common examples include WordPress and Joomla!
Installed Path: This is important to recognize. This tells you the path, relative to your web hosting account, of the outdated script. It is important to pay attention to this. For example, you may have a WordPress script installed in the DocumentRoot of your web hosting account (i.e. http://yourdomain.com), but you may have another WordPress script installed somewhere else on your web hosting account that maybe you forgot about, or maybe you no longer need. That will be detailed here. Don’t assume that this is referring to a script that you are aware of. If it is listed, then it is very likely outdated and needs to be addressed one way or another.
Installed Version: This tells you the version of the script that is installed on your web hosting account at the specified location.
Latest Version: This tells you the latest version of this script that its developers have released. This is the version, at minimum, that you need to upgrade to.
Script Website: This gives you a link to the website of the developers of that specific script. For example, WordPress will send you to http://www.wordpress.org and Joomla! will send you to http://www.joomla.org. You can visit these websites for more information about the correct upgrade procedures.
• How do I upgrade my script?
Typically, upgrading a WordPress or Joomla! script (any version greater than 2.5) should be fairly easy. The developers have mostly reduced it to a single click in the admin area of the script. If you installed the script using Softaculous, then you may be able to upgrade it from the Softaculous interface in your cPanel. The link to the specific script’s website can be useful for finding specific instructions for upgrading the script. Some helpful links include:
• Why is it important to keep scripts up to date?
Developers keep a fluid development of their application. Hackers and malicious users are always on the prowl looking for ways to exploit some of the most popular web applications and scripts. When a security hole is found in a script, the developers of those scripts or web applications will typically rewrite that section of the code so as to close that security hole. This is why applications and scripts get updates, to fix those security holes.
You may be familiar with the Windows operating system and the number of patches Microsoft releases for it. Typically your operating system will download those patches and will either reboot your computer or ask you to reboot your computer to apply those patches. Those patches are there to protect your computer and system from known security threats.
Updates to scripts and web applications are no different: they apply security patches to guard against newfound threats. The difference between a web application or script and your desktop computer is that a web application or script is constantly on the web. Your website is always up, always available. You may turn your desktop computer off at night or when you are not using it. A computer or system that is off or not connected to the Internet is much, much, much less likely to be exploited. But because your website is constantly web accessible, protecting it against security threats is of the utmost importance.
• What happens if I don’t upgrade my scripts?
Sadly, we have seen quite a few users who elect to go this route, either thinking that their website is working now, so why fix something that isn’t broken, or being too afraid that the upgrade process will “break” their website. While there are merits to each of these arguments, I can also tell you that there are some disastrous consequences in following this line of thinking.
We deal with security issues on accounts every day. We deal with multiple accounts every day. Speaking from experience, I can tell you that if you don’t keep your scripts/plugins/components/extensions/themes all up to date, then you should expect to be hacked/defaced/compromised/exploited. There’s no real tactful or easy way to make that point. The reason new versions of scripts and web applications are released is to patch known security holes. If you choose not to upgrade, then you are allowing hackers and other malicious users to take advantage of those known security holes.
Once an account gets hacked and compromised, the integrity of all of the files on that account falls into question. A lot of times, the only recourse is to completely wipe the account out and start over with fresh files and fresh content, meaning that the account loses all of its previous content. I am sorry that this has to happen, but it is part of the consequences of not keeping a hosting account or script up to date.
• What can I do to protect my account?
Keeping your scripts up to date is the best thing to do.
Keeping your plugins/themes/components/addons/extensions/etc. all up to date is also very important.
It is also important to use reputable scripts and plugins/themes/components/addons/extensions/etc. There are a lot of plugins/components/extensions/themes that are just not well written, or that quickly become abandoned, meaning their developers no longer update them. This is why it is important to only use well-known and reputable extensions for your script. A plugin or theme may exist that does exactly what you want it to, but if it’s poorly written or insecure and leads to your website being hacked, compromised, and defaced, then it’s not much help to you.
Use strong passwords. There is a huge botnet that comes around every few months that attempts to brute force its way into popular scripts and web applications by guessing admin usernames and passwords. If you are using a weak password, then it will be easy for this botnet to brute force its way into your script.
Any additional security layers you can add to your script will benefit you. These would include extra login prompts, image captcha systems, two-factor login systems, etc. The more security you can put between your website and a potential hacker, the more likely you are to avoid simple hacks. Hackers typically have a defined method for hacking a website; if you have an extra layer of security that disrupts that defined method, it causes most hacking attempts to move on to another website.
• I have already been hacked, what can I do?
Unfortunately, once you are hacked you can no longer trust the integrity of the files on your account. You do not know what all was tampered with, what backdoors may have been left behind, or what access points the hackers and malicious users may have left behind for themselves. Once you are hacked and compromised, the only real recourse is to completely wipe your account and start all over again. That is why it is so important that you be proactive in regards to the security of your website, taking measures to prevent a hack in the first place.
We have seen a very large uptick in instances where accounts were hacked months or even years ago. Hackers may not have done anything to exploit the account at that time; instead, the hack just lies dormant until the hackers call upon it many months later. So it is possible that your account may have already been hacked and you don’t know it.
As always, if you have any questions or need additional help, you can submit a support ticket at:
Steven – AMS Support
•
[Updates] WordPress 3.6.1 released
Monday, September 16th, 2013 - Updates
Last week, WordPress released an update to their WordPress blogging platform, version 3.6.1. This is a security release. It fixes some very nasty bugs from previous versions of WordPress.
All WordPress users need to update to version 3.6.1. Failing to do so can cause your account to be hacked and compromised. You should also take this time to update any themes, plugins, or other components that are a part of your WordPress script.
For release notes and information regarding this release see:
http://codex.wordpress.org/Version_3.6.1
Steven – AMS Support
•
[Security] Joomla! JCE component hack
Thursday, May 30th, 2013 - General, Security, Updates
We have seen a flurry of accounts being hacked due to outdated Joomla! Content Editor (JCE) components. Because of this, we have made the decision to go through all of our servers and remove/disable all outdated JCE components.
The reason for this is that accounts with outdated JCE components are being hacked into, compromised, and used to send out spam. This affects the integrity of our servers, and it is not fair to other users on the server who are keeping their scripts and components up to date to have to deal with a server that is blacklisted for sending out spam.
It seems that a large portion of our users are unable or unaware of the need to keep their scripts, components, plugins, extensions, and themes up to date. Disabling these outdated JCE components will hopefully bring to light why it is so important to keep things up to date.
The latest version of the Joomla! Content Editor (as of May 30, 2013) is 2.3.2.4. If you are not using 2.3.2.4 then your version is outdated and potentially dangerous. That is why it has been disabled/removed. The website for the Joomla! Content Editor is:
http://www.joomlacontenteditor.net
We wanted our users to be aware of this.
Steven