my personal view about Joomla! backups.

June 15th, 2012 by Andrea Matesi 1838 Views

Joomla!, like many other web-somethings, is an evolving thing, and exciting new features pop up almost on a daily basis, but sometimes there's a hidden price: increased complexity often translates into additional maintenance burden and additional risks, and so into decreased overall security.

When talking about "security", it's impossible not to talk about backups: this is, by far, the best and most important defensive/offensive technique. For one, backups help you restore, but at the same time they may pose a security threat if the backed-up data isn't protected accordingly. Let's say, for example, that a funny guy knows where to look for your backups: if he is really mad at you, one of the first things he will try to do is steal your backup bits!

I discovered my hosting provider is offering me daily scheduled backups, and even if it's just for one day (the latter being overwritten), I suggest you take control and manage the overall backup plan by yourself (I think that just "having a plan" may suffice).

Outside the office, I usually do not have plenty of time for backups, so, for simplicity, I'm assuming just one scenario, "site online and ready": you just launched your colored Joomla! site and you're satisfied with its overall content and layout (BTW, we are talking about your "oh-not-so-up-to-date" site and not your "daily" blog).

OK, so now your site is online and kicking: you surely wanna forget about it, but if there are issues (like your site being hax0red and such), you'll have to be able to fix it, and, as time goes by, you wanna be sure you can bring it back in its entirety!

How many backups? Your choice. I don't have time/love for e-mails telling me "backup this and backup that" (got plenty already @ work!), so my philosophy is pretty lame, cheap and simple: do your best to keep it up, try to improve overall security and always back up before you change something and after you're satisfied with the changes. Also, very important, strive to act responsibly in-between and you'll see everything is gonna be alright.

The basic form of backup I'm gonna deal with is the daily automated backup included in your cheap hosting plan, also known as "the hosting backup", and, despite its pissing off some weirdos with its simplicity, I must admit it just works. Many providers offer you this form of "automated schedule", which simply makes a copy of your files + db into some folder; this folder is often positioned outside your site's root, and so is not browseable (you may not download its content through HTTP access), hence no robots can scan for its precious content. If your site is not really big stuff, periodically downloading those files may keep you in business.

See? No plugins, no complexity, no additional risks! So assess your hosting provider capabilities and check if this applies to your case! If your hosting is cheaper than mine (see "no backups"), have a look at some form of plugin from the JED at your own risk.

One more thing...: if you happen to have a Linux box sitting nearby and doing its "daily-nothing", you may schedule an automated command to be launched by crontab. 99% of hosting providers allow you to FTP to your site (even if this protocol is not encrypted), so you just schedule this bash command and you're done!

lftp -c 'open <server.IP.address>; user <your-ftp-username> <your-ftp-password>; mirror -e <the remote folder> </your/local/mnt/point/folder> ; quit'
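A more defensive variant of the cron job above, added here as an example (it is not from the original post): the FTP login is read from ~/.netrc instead of sitting on the command line, each run goes into its own dated folder so a defaced or wiped site cannot overwrite the only copy, and old snapshots are pruned. The host name, paths, retention count and the "--run" switch are assumed placeholders.

```shell
#!/bin/bash
# Added example (not from the original post). Assumed placeholders:
# FTP_HOST, REMOTE_DIR, BACKUP_ROOT, KEEP and the "--run" switch.
FTP_HOST="${FTP_HOST:-ftp.example.invalid}"
REMOTE_DIR="${REMOTE_DIR:-/public_html}"
BACKUP_ROOT="${BACKUP_ROOT:-$HOME/joomla-backups}"
KEEP="${KEEP:-7}"            # number of dated snapshots to retain

# True only if the credentials file grants nothing to group or others.
netrc_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld -- "$1" | cut -c1-10)" in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Remove all but the newest $2 snapshot folders (YYYY-MM-DD names) under $1.
prune_snapshots() {
    ls -1 "$1" | grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}$' | sort -r |
        tail -n +"$(( $2 + 1 ))" |
        while read -r old; do rm -rf -- "${1:?}/$old"; done
}

run_backup() {
    netrc_is_private "$HOME/.netrc" ||
        { echo "refusing to run: chmod 600 ~/.netrc first" >&2; return 1; }
    dest="$BACKUP_ROOT/$(date +%F)"
    mkdir -p "$dest" && chmod 700 "$BACKUP_ROOT" || return 1
    # The login comes from ~/.netrc ("machine <host> login <user> password
    # <pass>"), so it never appears in crontab or in the process list.
    # ftp:ssl-force makes lftp refuse to send it over a connection without
    # TLS; on a host with no FTPS the job fails instead of leaking it.
    # Plain "mirror" (no -e) into a fresh folder: deletions on the site
    # are not replayed onto earlier snapshots.
    lftp -c "set ftp:ssl-force true; open ftp://$FTP_HOST;
             mirror $REMOTE_DIR $dest; quit" &&
        prune_snapshots "$BACKUP_ROOT" "$KEEP"
}

# crontab entry (assumed path): 30 3 * * * /home/you/joomla-backup.sh --run
if [ "${1:-}" = "--run" ]; then run_backup; fi
```

The snapshot folders contain configuration.php and therefore the database password, which is why the backup root is restricted to its owner.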

Anyway, since Joomla! basically is a db + some bits inside some remote storage, when my hosting provider doesn't offer me an auto-thingie, first I check if my hosting provider allows me SSH access, so I can develop some custom backup scripts and plan for some form of automation, then, if none apply, as a last resort, I rely on third-party plugins.

There are plenty of Joomla! backup techniques around, and even if you don't know it, maybe your hosting provider is already servicing you with some basic form of backup, so check that first!

Keeping a copy somewhere (relatively safe) is priceless, so I strongly encourage you to check if that is the case.

Senior Professional Network and Computer Systems Engineer during work hours and father when home.

Andrea strives to deliver outstanding customer service and heaps of love towards his family.

In this Ad-sponsored space, Andrea shares his quest for "ultimate" IT knowledge, meticulously brought to you in an easy to read format.


[SOLVED] Cannot login to Joomla backend as admin

February 11th, 2009 by Andrea Matesi 92500 Views

Recently, I've experienced a whole load of problems related to Joomla.

To vent some frustration, I'm gonna post some general info and experiences, useful to troubleshoot possible joomla problems, especially when it comes to issues affecting your ability to login to your administrator's backend (I know how it feels, just free your mind: computers are just numbers and circuits).

This post wouldn't exist without the suggestions and feedback received from the official joomla! forum and the official joomla! italian community (thanks - you know who you are).

See http://forum.joomla.it/index.php/topic,56790.0.html and http://forum.joomla.org/viewtopic.php?f=431&t=262426 for my sources of inspiration.

PLEASE TELL ME HOW TO FIX IT!

The first thing I'd suggest is to open and check the content of the configuration.php and .htaccess files in your site's root.

  • It is important for configuration.php not to contain any blank lines.
  • Also, check that configuration.php follows the Linux/UNIX text file conventions.

On Windows, text file "lines" are terminated with a "CRLF" while on Linux/UNIX, those text file lines are terminated with just a "LF" (for a tutorial on what that means, check here: http://usertools.plus.net/tutorials/id/22).

  • The .htaccess file may contain blank lines.
    Just make sure that, if any blank lines are found within the .htaccess file, they follow the aforementioned Linux/UNIX text file conventions (as said, Linux lines have to be ended by LFs), so please ensure there are no hidden CRLFs (i.e. after the rules declarations).
  • (Once you're on the .htaccess file): check and make sure the .htaccess file rules are correct (re-read them and search until they "start making sense").
    In case of doubt, you may restore the original htaccess.txt from a vanilla (original, untouched) Joomla! build.

From my personal experience, those checks helped me solve my "admin loop, cannot login problem".
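The two checks above can be scripted; this is an added example, not part of the original post, and the function names are made up. It reports CRLF line endings in either file and blank lines in configuration.php, and can convert a file to LF in place.

```shell
#!/bin/bash
# Added example (not from the original post); function names are made up.
CR=$(printf '\r')

# Print one finding per problem; print nothing if the file is clean.
# $2 = "no" for configuration.php (blank lines not allowed),
#      "yes" for .htaccess (blank lines allowed, CRLF still reported).
check_text_file() {
    file=$1; allow_blank=$2
    crlf=$(grep -c "$CR\$" "$file" || true)
    if [ "$crlf" -gt 0 ]; then
        echo "$file: $crlf line(s) end in CRLF"
    fi
    if [ "$allow_blank" = no ]; then
        # A line holding only a stray CR counts as blank as well.
        grep -n '^[[:space:]]*$' "$file" | cut -d: -f1 |
            while read -r n; do echo "$file: blank line at $n"; done
    fi
    return 0
}

# Strip the CR from every line ending, writing back into the same file so
# its owner and permissions are kept. The working copy lives in a private
# temp file: no .bak is left in the web root, where the server could hand
# out configuration.php (and the database password in it) as plain text.
convert_to_lf() {
    tmp=$(mktemp) || return 1
    sed "s/$CR\$//" "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return $rc
}

# Usage, from the site's root:
#   check_text_file configuration.php no
#   check_text_file .htaccess yes
```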

An obvious way to avoid this messy "CRLF vs LF" kind of problem is to become a "Linux power user" - If you were working on your Joomla! site while on Ubuntu, the above problems wouldn't have occurred in the first place (admittedly, I was mucking around my Joomla! site with my "powerful" Vista64(!) gaming rig).

But I am digressing - you might as well just use a nerdy text editor such as gVIM on your Windows PC.

Uhm..not fixed yet?!

Another useful thing to check is to make sure you have the right PHP version, so:

  • Ensure your host is serving you at least PHP 5 (since Joomla! was created with PHP 5).

How do you find out if you have PHP5 (if you can't even access the admin backend)?

Well:

  1. One way could be to upload to your site's root the uncompressed file JTSPOST (obtainable from: http://joomlacode.org/gf/project/jts/frs/) or, [UPDATE-2017], "fpa-en.php" (aka "Forum Post Assistant" - get it from https://forum.joomla.org/viewtopic.php?f=432&t=586336).
    1. Download, uncompress & upload "fpa-en.php" to your site's root.
    2. Browse to the corresponding address of the uploaded file's name (i.e. www.yoursite.com/fpa-en.php).
      Once you browse to "fpa-en.php", you'll get some useful info about Joomla! and your hosting web server features, including what PHP version your web server is running.
    3. If you happen to fix your issue, please remember to remove JTSPOST / "fpa-en.php" (the Forum Post Assistant) from your www server's root - if you forget it there, you may disclose security-relevant information about your site.
  2. Another way to find out what PHP version your host is running is through cPanel or some other web hosting console - just login to your hosting console and I guess you'll be able to find your PHP version there.
  3. Ultimately, you may ask your hosting provider - find a way to get in touch with them and ask!

Once you've clarified what stuff is running on your web server, you may then check the Joomla! official forums, and possibly refer to them for other specific problems and related suggestions.

A personal experience.

For the sake of completeness, I will now report my forum experiences below (note that I edited some parts for additional clarity):

Suggestion n.1)

  1. edited the file administrator/components/com_login/admin.login.php to comment out line 69 (//LoginController::display() )
  2. browsed to the login page.
  3. [tried to login] and got an 'Invalid token' message.
  4. Re-edited the [administrator/components/com_login/]admin.login.php file to remove my comment at line 69.
  5. Refreshed the login page in my browser and got the normal login form.
  6. Logged in [successfully].

Try this and if it doesn't work, then:

Suggestion n.2) [user inoxfire]

  1. edit file administrator/components/com_login/admin.login.php [to comment out line 57, // JRequest::checkToken('request') or jexit( 'Invalid Token' );]
  2. browsed to the login page.
  3. [tried to login] and got an 'Invalid token' message.
  4. Re-edited the [administrator/components/com_login/]admin.login.php file to remove my comment at line 57.
  5. Refreshed the login page in my browser and got the normal login form.

Try this and if it doesn't work, then:

Suggestion n.3)

  1. Log into phpMyAdmin and navigate to the jos_plugins table.
  2. Look for the "User - Joomla!".
  3. Ensure that it is published as mine was not (set published to 1 just in case).
  4. [Look for] in row "Authentication - Joomla"
  5. Ensure that it is published as mine was not (set published to 1 just in case).

Try this and if it doesn't work, then:

Suggestion n.4)
  1. first check your Super Admin status:
    [Open PHPmyAdmin] in the "jos_users" table set SuperAdmin to:
    - field "id" - value "62"
    - field "gid" - value "25" or "26".
  2. in the "jos_core_acl_aro" table find row for "62":
    - field "id" - write this down (should be 10 normally) - this is the "aro_id".
  3. in the "jos_core_acl_groups_aro_map" table find row for "aro_id" = 10
    - "group_id" should be "25" or "26".

[UPDATE-2016] The above suggestions apply to 1.5.X releases of Joomla and are untested on newer 2.5.X+ or 3.X releases of Joomla.

BONUS:

If for some reason you now need to reset your Joomla! admin password straight from the database, you may do so by proceeding as follows:

  1. Open PHPmyAdmin.
  2. Access your Joomla DB and go to table jos_users (or "_users" more recently).
  3. Modify the "admin"-row and set its password code to this string of numbers: 21232f297a57a5a743894a0e4a801fc3 (copy-paste as-is, this string of numbers is the equivalent "hashed" version of password = 'admin').
    (On newer 2.5.X+ or 3.X Joomla, the new "password = admin" string is 433903e0a9d6a712e00251e44d29bf87:UJ0b9J5fufL3FKfCc0TLsYJBh2PFULvT).
  4. After successfully logging-in, make sure you change (update) your "admin" password (otherwise if you leave your password as "admin", your site might get hacked!).

(for further explanations of the above hack, please also refer to this post over here: http://forum.joomla.org/viewtopic.php?t=10985 and, more recently, also here: https://docs.joomla.org/How_do_you_recover_or_reset_your_admin_password%3F).
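Step 4 is the one that gets forgotten, so here is a small audit for it, added as an example and not part of the original post: it lists every account in a users export whose stored hash still corresponds to the password 'admin'. The input layout (username, a tab, the password field) and the function names are assumptions; the salted layout checked is md5(password+salt):salt.

```shell
#!/bin/bash
# Added example (not from the original post); function names are made up.
# Input: one "username<TAB>password-field" pair per line, e.g. an export of
# the username and password columns of jos_users.

md5_hex() {   # md5 of stdin as lowercase hex (md5sum on Linux, md5 on BSD/macOS)
    if command -v md5sum >/dev/null 2>&1; then md5sum | cut -d' ' -f1
    else md5 -q; fi
}

# True if stored field $2 is the hash of password $1 in either legacy layout:
#   <md5(password)>              (unsalted, as in step 3)
#   <md5(password+salt)>:<salt>  (salted, as in the 2.5.X+/3.X string)
# bcrypt fields ("$2y$...") are not checked by this script.
matches_password() {
    case "$2" in
        *:*) hash=${2%%:*}; salt=${2#*:} ;;
        *)   hash=$2;       salt= ;;
    esac
    [ "$(printf '%s%s' "$1" "$salt" | md5_hex)" = "$hash" ]
}

# Print every username in file $1 whose password is still 'admin'.
audit_users() {
    while IFS="$(printf '\t')" read -r user field; do
        if matches_password admin "$field"; then echo "$user"; fi
    done < "$1"
}

# Usage: audit_users users-export.tsv
```

Because the salt is read from each row, the check also catches an 'admin' password that was set through Joomla itself with a different salt than the published string.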

Hope the above info is useful to everyone, and I wish you'll enjoy your "adrenaline kick" after fixing this issue.

[UPDATE 2012] Now that comments are closed, if the above info helped you in any way, please support this website's hosting costs by clicking on the ads.
