Category Archives: Joomla

Keep Your Eyes Open For K2 User Spam (On Older Versions)

In this day and age, if there is a way for the spammers and other abusers of this world to make use of your site, they will. One “attack vector” which I never even considered until I was confronted with it just minutes ago was K2 users. They create the perfect platform for K2 User Spam if you are not paying attention, K2 User Spam being “using K2 users to post spam on your website”. Now that that’s out of the way, let’s take a look at how it works and how you can prevent it.

How it works

Unlike Joomla, K2 by default allows ‘Users’ to create profiles with fancy avatars, subscriptions and links. Which is super, if you’re building content-based sites. Got to have those neat author profiles.

However, that means that the K2 User profiles can – and will – be abused.

Spammers can create account(s) on your website, and then fill their description with whatever they see fit, including images and links. This will then appear on their author page. What it comes down to is that by creating a Joomla User they can basically create a spam page with whatever content their spammer hearts desire. These pages can and will show up when your friend Google visits your site, as proven by the DMCA requests we got for a site. That’s what brought the exploit to my attention. DMCA requests, for a site whose only page says “Site under construction”?

How to fix / avoid it

In K2 2.7, tackling this problem is as simple as setting an option. In the Spam Settings section, set “Control K2 User Profile display for users with no items” to disabled. This will disable all user profiles from being displayed, and is the default setting. It won’t stop the spam users from signing up, but it’ll at least stop them from ruining your SEO.

Additionally, you can enable the anti-spam measures of K2, which include reCAPTCHA and StopUserSpam, which detects known spammers and disables their accounts. However, we haven’t been able to test whether this will prevent users from signing up through the Joomla user form, although the previous solution should prevent their profiles from being displayed regardless.
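To find profiles that were already filled with spam before the setting was changed, the check below lists users with no items whose description or URL field contains links or images. It is an added example, not code from K2 or from the original post; the table and column names (`k2_users`, `k2_items`, `userID`, `userName`, `description`, `url`, `created_by`) are assumptions modelled on a K2 install without its table prefix, and the rows are constructed sample data.

```python
import re
import sqlite3

# Markup the post says spammers put in profile descriptions: links and images.
LINK_OR_IMAGE = re.compile(r"<\s*(a|img)\b|https?://", re.IGNORECASE)

# Users that have a K2 profile row but have never authored an item.
AUDIT_SQL = """
SELECT u.userID, u.userName, u.description, u.url
FROM k2_users AS u
LEFT JOIN k2_items AS i ON i.created_by = u.userID
GROUP BY u.userID, u.userName, u.description, u.url
HAVING COUNT(i.id) = 0
ORDER BY u.userID
"""

def suspicious_profiles(conn):
    """Return (userID, userName) for item-less users whose profile carries links or images."""
    flagged = []
    for user_id, name, description, url in conn.execute(AUDIT_SQL):
        if LINK_OR_IMAGE.search(f"{description or ''} {url or ''}"):
            flagged.append((user_id, name))
    return flagged

def build_sample_db():
    """Constructed sample data; schema is an assumption, not taken from a live site."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE k2_users (id INTEGER PRIMARY KEY, userID INTEGER,
                               userName TEXT, description TEXT, url TEXT);
        CREATE TABLE k2_items (id INTEGER PRIMARY KEY, created_by INTEGER, title TEXT);
    """)
    conn.executemany(
        "INSERT INTO k2_users (userID, userName, description, url) VALUES (?, ?, ?, ?)",
        [
            (10, "editor", '<p>Staff. <a href="https://example.org">Bio</a></p>', ""),
            (11, "newmember", "Just here to read.", ""),
            (12, "cheapwatches", '<a href="http://spam.example/buy">Buy</a>', ""),
            (13, "seo-links", "Best deals", "http://spam.example/deals"),
        ],
    )
    conn.execute("INSERT INTO k2_items (created_by, title) VALUES (10, 'Welcome')")
    return conn

if __name__ == "__main__":
    for user_id, name in suspicious_profiles(build_sample_db()):
        print(f"review userID={user_id} userName={name}")
```

The result is a review list, not a verdict: a genuine member with no items may also have a link in their profile, so check each flagged account before blocking or deleting it.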

Joomla’s User Activation by Admins and System Messages

For today’s quick tip or reminder, we are looking at Joomla’s Users component. Specifically, the user activation.

Joomla allows you to choose between automatic activation, an activation on the user end or activation that requires administrator approval.

While the first two options are easy if you don’t want to get involved, this could lead to frustrations as you’re overrun by spammers who hammer your site(s) and access “restricted” areas of your site. E.g., a user that can activate itself could easily start to spam the living bejeezus out of your forums or comment components (if you have those installed).

That’s why the activation by admins is a good option if you want more control. However, when you enable this option you might run into an additional hurdle. By default the people that do the approving don’t get a notification. Joomla doesn’t have a module that says “Hey, guys, these people signed up. Can you look into that, please?”

That’s where the System Mails come into play. You will want to enable the “Receive System Messages” option on accounts of the users that you expect to activate the users. Don’t forget to save after you enable the option!

Joomla 3.5’s biggest feature? PHP7 support

Joomla is currently beta testing version 3.5 of the popular Open Source CMS. This version doesn’t have much exciting in store for end users in terms of features or functionality. However, it will be the first version to support PHP7, the latest and greatest version of PHP that is supported by most hosting companies. If yours doesn’t, it might be time for a change, because PHP 5.6 is now nearly end of life. What’s that, they don’t support PHP 5.6? Burn their servers, grab your sites and go somewhere else. Might we suggest Siteground, for example?

The upgrade to PHP7 means that users of Joomla 3.5 can enjoy the benefits of a supported and lightning-fast version of PHP. Until now, Joomla didn’t support PHP7. No, really. If you want to see your site disappear into nowhere, turn on PHP7 for your website and see what the result is. Beautiful 500-errors.

So, gentlemen, be prepared. There appear to be no big “issues” with upgrading to 3.5 – Joomla might be many things but at least they’re trying to keep their promise in that regard – so upgrading should be easy, fast and a no-brainer when the time arrives. Until then, you can download the Beta of Joomla 3.5 and experiment with it yourself. As usual, we suggest not using a beta for your live site (unless it’s developed by Akeeba) unless you like playing with fire.

PHP 7 support for Joomla? Yes, we can!

Joomla Releases Yet ANOTHER Critical Patch, 3.4.6

Joomla has just released back-to-back “critical security releases” after it just released Joomla 3.4.6. Make of that what you will. They’ve just released a version that addresses a “severe security concern”, which is available immediately.

The patch apparently closes a security hole the size of the Mariana Trench which made it “really, really easy” to hack your Joomla sites. Now that the news is out in the wild, it’s of the utmost importance to patch your site before the bad guys start poking around.

So, ladies and gentlemen, it’s time to start updating all your sites – again – using your preferred method (the built-in updater, MyJoomla or a manual update) to make sure your sites are good to go.

May the force be with you, and don’t forget to make a back-up before you update.

How to solve it when Chronoforms5 doesn’t submit from a page.

If you are using Chronoforms and Joomla, you might’ve run into this particular problem when you use their plug-in to embed the form into a page: it simply won’t send. Instead, you’re thrown into an infinite loop of the form resetting, resetting, resetting, resetting… Okay, I’m sure you got the point.

When you tried the form using Chronoforms’ ‘View Form’ option you could’ve sworn it worked just fine. And you’d be right. The problem is the URL when embedding the form in a Joomla article or module.

To solve this problem, there are two things you can do.

1. Add the Form to a menu item

You can turn the form into a menu item using the Menu Manager (Sorry, Marketing people, we’re going to keep on using “Manager” for everything. Manager. Menu Manager. Deal with it.) but that does not really solve your problem since it’s now a standalone form.

2. Change a setting in the Form Setup

A more complicated, but far more relevant option, is to make a change to your form URL. To get started, open the form in the Chronoforms component.

Changing the URL will only work when you’re using the “Advanced” mode of Chronoforms, so you’ll need to enable that first and save your form.

Once that’s done, open the setup tab. In the setup tab, look for the “On load” section, and click “Edit” on the item HTML (Render Form).

A window will pop up. Find the option “Relative URL”, set it to no and choose “Save and close”. Then, save the form and test your form again. You should now be able to submit your messages without a problem.

And that’s all there is to it!