Here at Joomla and More we have never tried to hide the fact that we aren’t always happy with all things Joomla. That led to one Twitter user asking what, exactly, irritates us and “where we moved on to” (which we alluded to in a tweet).
We decided to answer the question in a video, instead of writing a long form blog post. You can see the video at the bottom of this post.
In the video we discuss:
- What we believe Joomla’s strengths are
- Which things irritate(d) us.
- What has been keeping us busy when we weren’t working on Joomla things.
The video is roughly 20 minutes long.
In this day and age, if there is a way for the spammers and other abusers of this world to make use of your site, they will. One “attack vector” which I never even considered until I was confronted with it just minutes ago was K2 users. They create the perfect platform for K2 User Spam if you are not paying attention, K2 User Spam being “using K2 users to post spam on your website”. Now that that’s out of the way, let’s take a look at how it works and how you can prevent it.
How it works
Unlike Joomla, K2 by default allows ‘Users’ to create profiles with fancy avatars, subscriptions and links, which is super if you’re building a content-based site. Got to have those neat author profiles.
However, that means that the K2 User profiles can – and will – be abused.
Spammers can create account(s) on your website, and then fill their description with whatever they see fit, including images and links. This will then appear on their author page. What it comes down to is that by creating a Joomla User they can basically create a spam page with the content their spammer hearts desire. These pages can and will show up when your friend Google visits your site, as proven by the DMCA requests we got for a site. That’s what brought the exploit to my attention. DMCA requests, for a site whose only page says “Site under construction”?
How to fix / avoid it
In K2 2.7, tackling this problem is as simple as setting an option. In the Spam Settings section, set “Control K2 User Profile display for users with no items” to disabled. This will disable all user profiles from being displayed, and is the default setting. It won’t stop the Spam users from signing up, but it’ll at least stop them from ruining your SEO.
Additionally, you can enable the anti-spam measures of K2, which include reCAPTCHA and StopUserSpam, which detects known spammers and disables their accounts. However, we haven’t been able to test whether this will prevent users from signing up through the Joomla user form, although the previous solution should prevent their profiles from being displayed regardless.
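Disabling profile display stops the pages from being indexed, but it does not tell you which of your existing accounts are the spam ones. The script below is an added example (not K2’s code and not from the original post) that audits already-exported profile records: it flags accounts that have published no items but whose description carries URLs, embedded images or HTML anchors, which is exactly the pattern described above. The `Profile` record and its field names are this example’s own assumption about what a profile export contains, not K2’s database schema, and the sample profiles are constructed.

```python
import re
from dataclasses import dataclass


# Constructed profile record. The attribute names are this example's own
# assumption about what an exported K2 author profile carries (user id,
# display name, free-text description, number of published items); they
# are not K2's database schema.
@dataclass
class Profile:
    user_id: int
    name: str
    description: str
    item_count: int


# Patterns for the things a spammer puts into a profile description.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IMG_RE = re.compile(r"<img\b", re.IGNORECASE)
ANCHOR_RE = re.compile(r"<a\b[^>]*href\s*=", re.IGNORECASE)


def spam_indicators(description: str) -> list:
    """Return the reasons a profile description looks like link/image spam."""
    reasons = []
    urls = URL_RE.findall(description)
    if urls:
        reasons.append(f"{len(urls)} url(s)")
    if IMG_RE.search(description):
        reasons.append("embedded image")
    if ANCHOR_RE.search(description):
        reasons.append("html anchor")
    return reasons


def flag_spam_profiles(profiles) -> dict:
    """Map user_id -> reasons for profiles that have no items but a linky description.

    Authors with published items are skipped: the abuse described is an
    account that exists only to carry the profile page.
    """
    flagged = {}
    for p in profiles:
        if p.item_count > 0:
            continue
        reasons = spam_indicators(p.description)
        if reasons:
            flagged[p.user_id] = reasons
    return flagged


# Constructed sample data: one real author, one spam account, one harmless newcomer.
SAMPLE_PROFILES = [
    Profile(101, "Real Author",
            'I write about gardening. <a href="https://example.org/me">My site</a>',
            item_count=12),
    Profile(102, "spam_bot_42",
            'Cheap stuff!! http://spam.example/deal '
            '<img src="http://spam.example/pic.jpg"> http://spam.example/more',
            item_count=0),
    Profile(103, "newcomer",
            "Just signed up, looking forward to reading.",
            item_count=0),
]


if __name__ == "__main__":
    for uid, reasons in flag_spam_profiles(SAMPLE_PROFILES).items():
        print(uid, ", ".join(reasons))
```

Run against an export of your real profiles, the output is a short list of account ids to review and block; on the sample data only user 102 is reported, since the real author has items and the newcomer’s description contains no links.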
For today’s quick tip or reminder, we are looking at Joomla’s Users component. Specifically, the user activation.
Joomla allows you to choose between automatic activation, an activation on the user end or activation that requires administrator approval.
While the first two options are easy if you don’t want to get involved, this could lead to frustrations as you’re overrun by spammers who hammer your site(s) and access “restricted” areas of your site. E.g. a user that can activate itself could easily start to spam the living bejeezus out of your forums or comment components (if you have those installed).
That’s why the activation by admins is a good option if you want more control. However, when you enable this option you might run into an additional hurdle. By default the people that do the approving don’t get a notification. Joomla doesn’t have a module that says “Hey, guys, these people signed up. Can you look into that, please?”
That’s where the System Mails come into play. You will want to enable the “Receive System Messages” option on accounts of the users that you expect to activate the users. Don’t forget to save after you enable the option!
Joomla is currently beta testing version 3.5 of the popular Open Source CMS. This version doesn’t have much exciting in store for end users in terms of features or functionality. However, it will be the first version to support PHP7, the latest and greatest version of PHP that is supported by most hosting companies. If yours doesn’t, it might be time for a change, because PHP 5.6 is now nearly end of life. What’s that, they don’t support PHP 5.6? Burn their servers, grab your sites and go somewhere else. Might we suggest Siteground, for example?
The upgrade to PHP 7 means that users of Joomla 3.5 can enjoy the benefits of a supported, and lightning fast, version of PHP. Until now, Joomla didn’t support PHP 7. No, really. If you want to see your site disappear into nowhere, turn on PHP 7 for your website and see what the result is. Beautiful 500 errors.
So, gentlemen, be prepared. There appear to be no big “issues” with upgrading to 3.5 – Joomla might be many things but at least they’re trying to keep their promise in that regard – so upgrading should be easy, fast and a no-brainer when the time arrives. Until then, you can download the Beta of Joomla 3.5 and experiment with it yourself. As usual, we suggest not using a beta for your live site (unless it’s developed by Akeeba) unless you like playing with fire.
PHP 7 support for Joomla? Yes, we can!
Joomla has just released back-to-back “critical security releases” after it just released Joomla 3.4.6. Make of that what you will. They’ve just released a version that addresses a “severe security concern”, which is available immediately.
The patch apparently closes a security hole the size of the Mariana Trench which made it “really, really easy” to hack your Joomla sites. Now that the news is out in the wild, it’s of the utmost importance to patch your site before the bad guys start poking around.
So, ladies and gentlemen, it’s time to start updating all your sites – again – using your preferred method (the built-in updater, MyJoomla or a manual update) to make sure your sites are good to go.
May the force be with you, and don’t forget to make a back-up before you update.