There has been a lot of talk lately regarding Joomla Security and attacks on Joomla sites.

Yesterday the website security company Sucuri published a blog post entitled "Big Increase in Distributed Brute Force Attacks Against Joomla Websites" in which they summarize some very worrying statistics:

"We have seen an average of 6,000 brute force attempts against Joomla sites daily across our honeypots and CloudProxy networks. Some days the attacks increased to almost 13k, and dipped as low as 3k attempts. However, for the last 3 days, you can see a big increase, reaching almost 269,976 scans yesterday, September 2nd, 2013. That’s a very big increase out of nowhere."

The following image shows the alarming increase in attacks over the past few weeks:

[Image: chart of brute force attempts against Joomla sites]

This got us thinking about how such attacks could easily be thwarted. The attacks they cited were login attempts on the Joomla Administrator folders, which are relatively easy to protect.

Recently, important updates were released for Joomla 2.5 and Joomla 3.1 that address a critical security issue where unauthorized files may be uploaded to a site.

Joomla 1.5 is also affected by this vulnerability. However, Joomla 1.5 has reached its end-of-life and therefore no update is being released for it. A patch has been published, but it cannot simply be installed using Joomla's extension manager.

Anything Digital is proud to announce the immediate availability of an installable package — SECURITY PATCH 31626 — that easily installs the Joomla 1.5 Security Patch like any Joomla extension.

Joomla 3.1.1 Stable has been released.

Most notable in this build is a fix for an issue where the database may not upgrade properly.

Another 10 items from the bug tracker were also addressed, including some fixes for the new tags feature.

Full details can be found in the official 3.1.1 release announcement at joomla.org. At the time of this post, the link to the release notes had not been updated; these are the actual 3.1.1 release notes.

Joomla 2.5.11 has been released.

Notable in this build is the inclusion of a fix for a problem where an error in the Database tab in Extension Manager did not reflect the Joomla 2.5.10 update.

5 items from the bug tracker were addressed.

Full details can be found in the official 2.5.11 release announcement at joomla.org.

A big THANK YOU goes out to the production team for addressing these issues quickly.

A Joomla upgrade can be performed directly in the Joomla administrative backend. For users with multiple sites, we recommend updating all your sites from Watchful.li — a centralized site manager for Joomla.

Joomla 3.1.0 Stable has been released.

Most notable among the new features in this build is the long-awaited Tags feature, as described in Nick Savov's community post "Tag you're it".

There is also the important inclusion of 7 low and medium priority security patches for information disclosure, XSS, DoS and privilege escalation vulnerabilities affecting versions 3.0.3 and earlier versions of 3.0. In addition, 38 items from the bug tracker were also addressed.

Full details can be found in the official 3.1.0 release announcement at joomla.org.

Since this release improves security, we recommend that all users perform a Joomla upgrade immediately. If you are unable to perform the recommended update to Joomla 3.1, the project has also made Joomla 3.0.4 available for manual installation. It is exactly the same as Joomla 3.0.3, except for the 7 security fixes.

Users of sh404SEF® should install the latest version of sh404SEF® before upgrading to Joomla 3.1. See the sh404SEF® 4.1 release announcement for details.

A Joomla upgrade can be performed directly in the Joomla administrative backend. For users with multiple sites, we recommend updating all your sites from Watchful.li — a centralized site manager for Joomla.

 
 
