my personal view about Joomla! backups.

June 15th, 2012 by Andrea Matesi

Joomla!, like many other web-something, is an evolving thing, and exciting new features pop up almost on a daily basis, but sometimes there's a hidden price: increased complexity often translates to additional maintenance burden and additional risks, and so decreased overall security.

When talking about "security", it's impossible not to talk about backups, and this, by far, is the best and most important defensive/offensive technique. For one, backups help you restore, but at the same time they may pose a security threat if the stuff backed up isn't protected accordingly. Let's say, for example, that a funny guy knows where to look for your backups: if he is really mad at you, one of the first things he will try to do is to steal your backup bits!

I discovered my hosting provider is offering me daily scheduled backups, and even if it's just for one day (the latter being overwritten), I suggest you take control and manage the overall backup plan by yourself (I think that just "having a plan" may suffice).

Outside the office, I usually do not have plenty of time for backups, so, for simplicity, I'm assuming just one scenario, "site online and ready": you just launched your colored Joomla! site and you're satisfied with its overall content and layout (BTW, we are talking about your "oh-not-so-up-to-date" site and not your "daily" blog).

OK, so now your site is online and kicking: you surely wanna forget about it, but if there are issues (like your site being hax0red and such), you'll have to be able to fix it, and, as time goes by, you wanna be sure to be able to bring it back in its entirety!

How many backups? Your choice. I don't have time/love for e-mails telling me "backup this and backup that" (got plenty already @ work!), so my philosophy is pretty lame, cheap and simple: do your best to keep it up, try to improve overall security and always backup before you change something and after you're satisfied with the changes. Also, very important, strive to act responsibly in-between and you'll see everything is gonna be alright.

The basic form of backup I'm gonna deal with is the daily automated backup included in your cheap hosting plan, also known as "the hosting backup", and, despite its pissing off some weirdos with its simplicity, I must admit it just works. Many providers offer you this form of "automated schedule", which simply makes a copy of your files + db into some folder; this folder is often positioned outside your site's root, and so is not browseable (you may not download its content through HTTP access), hence no robots can scan for its precious content. If your site is not really big stuff, periodically downloading those files may keep you in business.

See? No plugins, no complexity, no additional risks! So assess your hosting provider's capabilities and check if this applies to your case! If your hosting is cheaper than mine (see "no backups"), have a look at some form of plugin from the JED at your own risk.

One more thing: if you happen to have a Linux box sitting nearby and doing its "daily-nothing", you may schedule an automated command to be launched by crontab. 99% of hosting providers allow you to FTP to your site (even if this protocol is not encrypted), so you just schedule this bash command and you're done!

lftp -c 'open <server.IP.address>; user <your-ftp-username> <your-ftp-password>; mirror -e <the remote folder> </your/local/mnt/point/folder> ; quit'
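
A cron-friendly variant of the command above, as an added example that is not the author's own script: it writes each run to a dated folder instead of using mirror -e (which deletes local files once they disappear from the server), reads the login from ~/.netrc instead of the command line, and prunes old copies. The host name, paths, retention count and FTP-over-TLS support on the host are assumptions; remove the two ssl settings if your provider only offers plain FTP.

```sh
#!/bin/sh
# Added example (not the author's script): dated FTP snapshots with pruning, for cron.
# Host, paths and retention are placeholder assumptions. lftp takes the login from
# ~/.netrc (keep it chmod 600), so no password sits in the crontab or process list.
set -eu
umask 077   # snapshots hold configuration.php and DB dumps: owner-only access

HOST="${BACKUP_HOST:-ftp.example.invalid}"
REMOTE_DIR="${BACKUP_REMOTE_DIR:-/public_html}"
LOCAL_ROOT="${BACKUP_LOCAL_ROOT:-${HOME:-.}/joomla-backups}"
KEEP="${BACKUP_KEEP:-7}"

# Build the lftp command string for one snapshot directory ($1).
# ssl-force refuses to send the password if the server cannot do TLS.
# Plain 'mirror' (no -e) into a fresh directory: deletions or a defacement
# on the server never erase files in older local copies.
lftp_script() {
  printf 'set ftp:ssl-force true; set ftp:ssl-protect-data true; open %s; mirror %s %s; quit' \
    "$HOST" "$REMOTE_DIR" "$1"
}

# Remove the oldest snapshots under $1 until only $2 remain.
# Names are YYYY-MM-DD, so the glob's sorted order is chronological.
prune_snapshots() {
  root="$1"; keep="$2"
  set -- "$root"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]
  [ -d "$1" ] || return 0   # glob matched nothing
  while [ "$#" -gt "$keep" ]; do
    rm -rf -- "$1"
    shift
  done
}

main() {
  snap="$LOCAL_ROOT/$(date +%Y-%m-%d)"
  rm -rf -- "$snap.partial"
  mkdir -p "$snap.partial"
  lftp -c "$(lftp_script "$snap.partial")"   # set -e aborts here on failure,
  rm -rf -- "$snap"                          # so pruning only follows a good copy
  mv -- "$snap.partial" "$snap"
  prune_snapshots "$LOCAL_ROOT" "$KEEP"
}

# Crontab entry (path is an assumption): 30 3 * * * /usr/local/bin/joomla-backup.sh run
if [ "${1:-}" = "run" ]; then main; fi
```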

Anyway, since Joomla! basically is a db + some bits inside some remote storage, when my hosting provider doesn't offer me an auto-thingie, first I check if my hosting provider allows me SSH access, so I can develop some custom backup scripts and plan for some form of automation, then, if none apply, as a last resort, I rely on third-party plugins.

There are plenty of Joomla! backup techniques around, and even if you don't know it, maybe your hosting provider is already servicing you with some basic form of backup, so check that first!

Keeping a copy somewhere (relatively safe), is priceless, so I strongly encourage you to check if that is the case.


[SOLVED]Cannot login to Joomla backend as admin

February 11th, 2009 by Andrea Matesi

Recently I encountered a whole load of problems related to Joomla and my new business open source web site.

Here I'm gonna post some general info and experiences, useful to troubleshoot possible joomla problems, especially related to when you're unable to login to the administrator backend (I know how it feels, just free your mind: computers are numbers and circuits).

What I am sharing here is my reaction to frustration, with suggestions and feedback received from the official joomla! forum and the official joomla! italian community (thanks - you know who you are).

Please check here: http://forum.joomla.it/index.php/topic,56790.0.html

and here: http://forum.joomla.org/viewtopic.php?f=431&t=262426

The first thing I suggest is to check the configuration.php and .htaccess files in your site's root.

It's important for configuration.php not to contain any blank lines; also, check this file with respect to the Linux/UNIX text file conventions. On Windows, text file lines are terminated with a CRLF; on Linux/UNIX, instead, the lines of a text file are terminated with just a LF (for a tutorial on what that means, check here: http://usertools.plus.net/tutorials/id/22).

The .htaccess (unlike configuration.php) may contain blank lines; just make sure that, if any, they respect the aforementioned Linux/UNIX text file conventions (lines have to be ended by LFs). Also, check and make sure the rules are correct and there are no hidden CRLFs after the rule declarations (in case of doubt, restore the original htaccess.txt from an untouched joomla! build).
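
One way to run the two checks described above from a Linux shell, as an added example that is not part of the original post: it counts CRLF-terminated lines and blank lines, rejecting both for configuration.php and only CRLF for .htaccess. The function names and the "strict"/"lf-only" mode labels are made up for this example.

```sh
#!/bin/sh
# Added example (not from the original post): report CRLF line endings and blank
# lines in the two files discussed above. Function and mode names are hypothetical.
set -eu

CR="$(printf '\r')"

# count_crlf FILE -> prints the number of lines ending in CR LF
count_crlf() {
  grep -c "${CR}\$" "$1" || true    # grep -c exits 1 on zero matches; keep the "0"
}

# count_blank FILE -> prints the number of empty or whitespace-only lines
count_blank() {
  tr -d '\r' < "$1" | grep -c '^[[:space:]]*$' || true
}

# check_file FILE MODE -> returns 0 if clean. MODE "strict" also rejects blank
# lines (configuration.php); MODE "lf-only" tolerates them (.htaccess).
check_file() {
  crlf="$(count_crlf "$1")"; blank="$(count_blank "$1")"
  echo "$1: $crlf CRLF line(s), $blank blank line(s)"
  [ "$crlf" -eq 0 ] || return 1
  [ "$2" != "strict" ] || [ "$blank" -eq 0 ] || return 1
  return 0
}

# Usage: sh check-eol.sh configuration.php .htaccess
if [ "$#" -eq 2 ]; then
  check_file "$1" strict  || echo "fix $1 (e.g. dos2unix, then remove blank lines)"
  check_file "$2" lf-only || echo "fix $2 (e.g. dos2unix)"
fi
```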

From my experience, those checks helped me solve my admin loop, cannot login problems; an obvious way to avoid this kind of problem is to become a power user on the Linux side (aka pwrusr), but that's a personal choice! If working directly on your joomla! site with, say, Ubuntu, these problems wouldn't have ever happened to any of us (I admit it: I was jerking on my site with my powerful Vista64 gaming rig).

Another useful thing to check is that you have the right PHP version: make sure your host is serving you with PHP 5 (since joomla was made with it). How to discover if you have PHP5 if you can't access the admin backend? Well, upload to your site's root the uncompressed file JTSPOST (here: http://joomlacode.org/gf/project/jts/frs/), and open the address corresponding to the copied file's name. Once you open it up, it's gonna give you some useful info about joomla! and your server, including what PHP version you have.
Please remember that once you have fixed your problem, you should remove JTSPOST from your server's root, because if you forget it there, you may leave a possible information security hole.

OK, so, going on, as I said, I checked the joomla! official forums, and referred to them for other possible problems and related suggestions, which I will report here for the sake of completeness (note that I edited some parts for some added clarity):

Suggestion n.1)

  1. edited the file administrator/components/com_login/admin.login.php to comment out line 69 (//LoginController::display() )
  2. browsed to the login page.
  3. [tried to login] and got an 'Invalid token' message.
  4. Reedited the [administrator/components/com_login/]admin.login.php file to remove my comment at line 69.
  5. Refreshed the login page in my browser and got the normal login form.
  6. Logged in [successfully].

 try this and if it doesn't work, then:

Suggestion n.2) [user inoxfire]

  1. edit file administrator/components/com_login/admin.login.php [to comment out line 57, // JRequest::checkToken('request') or jexit( 'Invalid Token' );]
  2. browsed to the login page.
  3. [tried to login] and got an 'Invalid token' message.
  4. Reedited the [administrator/components/com_login/]admin.login.php file to remove my comment at line 57.
  5. Refreshed the login page in my browser and got the normal login form.

 try this and if it doesn't work, then:

Suggestion n.3)

  1. Log into phpMyAdmin and navigate to the jos_plugins table.
  2. Look for the "User - Joomla!".
  3. Ensure that it is published as mine was not (set published to 1 just in case).
  4. [Look for] in row "Authentication - Joomla"
  5. Ensure that it is published as mine was not (set published to 1 just in case).

 try this and if it doesn't work, then:

Suggestion n.4)
  1. first check your Super Admin status:
    [Open PHPmyAdmin] in the "jos_users" table set SuperAdmin to:
    - field "id" - value "62"
    - field "gid" - value "25" or "26".
  2. in the "jos_core_acl_aro" table find row for "62":
    - field "id" - write this down (should be 10 normally) - this is the "aro_id".
  3. in the "jos_core_acl_groups_aro_map" table find row for "aro_id" = 10
    - "group_id" should be "25" or "26".

BONUS:

If, for some reason, you need to reset your joomla! admin password, or if you need to offer admin access to somebody else, or for whatever reason, please change it by doing so:

  1. Open PHPmyAdmin.
  2. access your joomla DB and go to table jos_users.
  3. modify "admin"-row and set its password code to this: 21232f297a57a5a743894a0e4a801fc3 (it's the equivalent of 'admin').

(for more info and explanations, check this post over here: http://forum.joomla.org/viewtopic.php?t=10985).

Hope this info is useful for everyone, and wish you all have a good time.
