Right now there’s no machine-readable output format of the vulnerable extensions list. This causes a lot of issues when someone tries to find out, if a specific extension is listed on the VEL or not, because he or she wants to do for example one of the following things:

  • develop a plugin that automatically sends an email to the site administrator when an installed extension gets listed

  • add a feature to the built-in installer to warn users when a listed extension should be installed

  • develop a tool for webhosts that allows them to specifically search for vulnerable Joomla installations on their servers

Read more: VEL API volunteers required

If a person follows these few simple rules the majority of site hacks will not happen.

1.) Use a decent hosting provider. Cheap is not necessarily bad, and expensive is not necessarily good. Do your research. Take a few minutes to search for and read comments and reviews left by other users.

2.) If you don't need it for your sites functionality then don't install it. If you do need it for your sites functionality, take a few minutes to search for and read comments and reviews left by other users of that software to make sure you're not getting more than you bargained for by installing the software.

Read more: A Few Basic Security rules

There are numerous sites advertising free templates but you have to watch out. File sharing sites are the most common place to get a free template or from a friend if you read the joomla forums.
Nowadays more and more unsavoury distributors of templates have come on the scene trying to cash in on joomla success and catch unwary users.

Several companies in the past have been known to just put hard coded links into their files. Eg Themza whose method was to call an encoded gif{menu_col.gif} file to place a spam link in the menu and also in the footer. a sample of the code
A big discussion on themza is at http://forum.joomla.org/viewtopic.php?p=1827027 They also do not state they are gpl as they have restrictions on you altering their code. 

A newer trick is

Read more: Malicious templates

sucuri

Spam Alert

Have you found a lot of hidden spammy links on your Joomla site and don't understand how they got there? Here is a possible explanation.

Recently a case of spamming involving rogue Joomla extensions came to light. The extensions involved were several popular free modules and plugins listed in the Joomla extensions directory, mostly slideshows, twitter widgets and similar extensions. Some examples were:

Read more: Spotting Spam Code in Malicious Extensions

There have been recent questions over why devlopers should inform the VEL team about exploits they have fixed before the velteam get to know about them. This includes when a developer updates their listing on the JED and neglects to mention the update is due to a coding weakness.


Developers have several responsibilities when it comes to insecure code:-

Read more: Why developers should tell VEL:

  1. An unintentional honey trap
  2. moving the configuration.php file
  3. The Importance of Using a Strong Username & Password
  4. Changing the administrator url

Page 5 of 6