Category Archives: Joomla

Review: Akeeba LoginGuard

We have taken a sneak peek at Akeeba LoginGuard for you, and made it into a video.

Akeeba LoginGuard is a Joomla add-on that will give your website new two-factor authentication tools. The tools lift the security of your website to the next level. Akeeba LoginGuard offers quite a few benefits over the already existing options in Joomla.

More authentication options

Where Joomla offers ‘only’ OTP (one-time passwords) and Yubikey out of the box, LoginGuard takes things further. Which is a positive thing. While the options in Joomla are a good start, and Yubikeys are great little things to use, it’s always good to have other options, especially in corporate settings.

LoginGuard offers the following options:

  • OTP (via an authenticator app)
  • Yubikey
  • Codes via e-mail
  • Codes via SMS (using SMSAPI.com)
  • Push notification (using PushBullet)
  • Fixed code(s)

Configure 2FA for users

Akeeba LoginGuard also allows you to set up 2FA options for your users. We discuss the upside of this feature and other features in our video review.

 


Configure U2F in Joomla and WordPress [VIDEOS]

User accounts. Without them, the back-end of your WordPress or Joomla site would be a barren wasteland. And, well, there would be no point in having a back-end.

However, with user accounts comes great responsibility not to get them hacked, as anyone with enough credentials can turn your website into a pile of spam for enhancement pills, Eastern offers and other unpleasantries.

Two-factor authentication is all the rage right now. I wouldn’t say it’s mainstream, per se, as many users still think that their “kittykat01” password will protect them from evil. But it’s now available on pretty much every big site. It comes in a lot of forms and shapes. Mostly in the form of OTP (and Android Authenticator).

U2F is one of those “universal” two-factor solutions. It’s backed (and implemented) by Google, Github and quite a few others. It’s also pretty easy to use. And, as of now, you can set up U2F in both Joomla and WordPress.

Now, I know we usually spell things out for you. However, we decided to switch things up a bit. We made two videos in cooperation with Ciptor Benelux, a small but fierce startup with a focus on authentication that’s hoping to take the Benelux (and then the world?!) by storm.

The videos should give you a good idea of how to set up U2F. The WordPress video is about five minutes long. The Joomla video is a bit longer, because we dove into Akeeba LoginGuard as well. It’s part “How to”, part “This component is pretty cool”.

How to setup U2F in WordPress

How to setup U2F in Joomla (Using Akeeba LoginGuard)

Error decoding JSON data: Syntax error – One Possible Fix

All right, all right. We’re mighty late with a ‘fix’ for this problem. But that’s because we haven’t run into it either. Let’s get to it.

After upgrading Joomla to Joomla 3.6.3 you might see the following error when trying to edit an article (and possibly modules, …):

Error decoding JSON data: Syntax error

I am not going to pretend to speak developer all of a sudden, but this error means that something’s wrong with one of the ‘settings’ for your article / module. Somewhere in your database, a mistake was made.

One “popular” fix back in the day was to partially roll back to Joomla 3.6.2. That’s the wrong approach for two reasons:

  1. THAT VERSION WAS PATCHED FOR A REASON.
  2. You’re not fixing the problem. You’re just killing the messenger and burying the body.

Instead, you could look into the database itself. When I read from Michael Babker (I hope I wrote that right) that it could be as simple as one { too few in one of the ‘settings’ fields, I went to research.

So, here’s what you can do to try and solve the problem.

  1. Note the ID of the article / module
  2. Open phpMyAdmin or the MySQL workbench of your choice.
  3. Look up the item in com_content, com_modules or com_whateveryourelookingfor. Joomla is fairly good at naming databases after what they contain. (No offense, Magento. You suck.)
  4. Compare the column values to those of articles / modules that work just fine, and focus on the start and the end of each value. Do you see any extra / missing symbols?

When I tried this on my article, I stumbled upon the following:

[Screenshot: JoomlaMySQLJSON]

Pay close attention to what’s going on in the attribs column. Something went wrong, and there’s an extra {“ that shouldn’t be there.

After removing these extra characters, the article opened again.
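The comparison in step 4 can be done mechanically. The following is an added example, not code from the original post: it takes (id, value) pairs exported from the column that holds the settings and reports which values fail to decode as JSON and where. The function name, the sample rows and the choice to treat empty values as harmless are assumptions made for the illustration.

```python
import json

# Constructed sample rows, shaped like an export of "id, attribs".
# The values are made up for this example; they are not from the post.
SAMPLE_ROWS = [
    (101, '{"show_title":"1","link_titles":""}'),    # healthy
    (102, '{"{"show_title":"1","link_titles":""}'),  # stray {" at the start
    (103, '{"show_title":"1","link_titles":""'),     # closing brace missing
    (104, ''),                                       # nothing stored
]


def check_json_column(rows, context=12):
    """Return one finding per row whose value does not decode as JSON.

    Each finding carries the row id, the decoder's message, the character
    offset where decoding stopped, the first and last `context` characters
    (the places step 4 tells you to look at) and the brace balance.
    """
    findings = []
    for row_id, raw in rows:
        # Assumption: an empty value means "no settings", not corruption.
        if raw is None or raw.strip() == "":
            continue
        try:
            json.loads(raw)
        except json.JSONDecodeError as exc:
            findings.append({
                "id": row_id,
                "error": exc.msg,
                "pos": exc.pos,
                "head": raw[:context],
                "tail": raw[-context:],
                # > 0: more { than }, < 0: more } than {
                "brace_balance": raw.count("{") - raw.count("}"),
            })
    return findings


if __name__ == "__main__":
    for f in check_json_column(SAMPLE_ROWS):
        print(f"id={f['id']} pos={f['pos']} {f['error']}")
        print(f"  starts: {f['head']!r}  ends: {f['tail']!r}  "
              f"brace balance: {f['brace_balance']:+d}")
```

Run it against a read-only export rather than the live table, and correct the flagged rows by hand after taking the back-up.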

So, if you are confronted by a JSON error, check your data. And make a back-up first.

Fun Story Time: As it turns out, this wasn’t even the article the client needed to edit and it only said “test”. 

[Q&A] Are we disappointed in Joomla?

Here at Joomla and More we have never tried to hide the fact that we aren’t always happy with all things Joomla. That led to one Twitter user asking what, exactly, irritates us and “where we moved on to” (which we alluded to in a tweet).

We decided to answer the question in a video, instead of writing a long form blog post. You can see the video at the bottom of this post.

In the video we discuss:

  • What we believe Joomla’s strengths are
  • Which things irritate(d) us.
  • What has been keeping us busy when we weren’t working on Joomla things.

The video is roughly 20 minutes long.

Keep Your Eyes Open For K2 User Spam (On Older Versions)

In this day and age, if there is a way for the spammers and other abusers of this world to make use of your site, they will. One “attack vector” which I never even considered until I was confronted with it just minutes ago was K2 users. They create the perfect platform for K2 User Spam if you are not paying attention. K2 User Spam being “using K2 users to post spam on your website”. Now that that’s out of the way, let’s take a look at how it works and how you can prevent it.

How it works

Unlike Joomla, K2 by default allows ‘Users’ to create profiles with fancy avatars, subscriptions and links. Which is super, if you’re building a content-based site. Got to have those neat author profiles.

However, that means that the K2 User profiles can – and will – be abused.

Spammers can create account(s) on your website, and then fill their description with whatever they see fit, including images and links. This will then appear on their author page. What it comes down to is that by creating a Joomla User they can basically create a spam page with the content their spammer hearts desire. These pages can and will show up when your friend Google visits your site, as proven by the DMCA requests we got for a site. That’s what brought the exploit to my attention. DMCA requests, for a site whose only page says “Site under construction?”

How to fix / avoid it

In K2 2.7, tackling this problem is as simple as setting an option. In the Spam Settings section, set “Control K2 User Profile display for users with no items” to disabled. This will disable all user profiles from being displayed, and is the default setting. It won’t stop the Spam users from signing up, but it’ll at least stop them from ruining your SEO.

Additionally, you can enable the anti-spam measures of K2, which include reCAPTCHA and StopUserSpam, which detects known spammers and disables their accounts. However, we haven’t been able to test whether this will prevent users from signing up through the Joomla user form, although the previous solution should prevent their profiles from being displayed regardless.