This feature allows you to reset Joomla! Update to its factory default settings. This is meant to be your last resort to fixing issues with updating your site.
You should only use this feature if you get an error while checking for Joomla updates, the wrong update is displayed (e.g. an unstable alpha, beta, or Release Candidate version), or you seem to see no new updates despite knowing the Joomla! project has already published a new version AND you have exhausted any other options. Kindly note that the aforementioned issues are the only issues which can be addressed by this feature.
Please note that this will NOT magically fix all possible update issues. The following issues cannot be fixed:
Your host is caching update information and/or update files on their end, using a transparent proxy. This can only be fixed by the host; your site – therefore Admin Tools – does not have access to that configuration.
You have network connectivity issues causing inability to download or very slow downloads when trying to download Joomla update information or update packages. This will cause timeouts during the update discovery and/or update installation process. This can only be fixed by the host; your site – therefore Admin Tools – cannot possibly change how your host's servers are connected to the Internet, and how their traffic is routed to the Internet.
You cannot see new major update versions. This is NOT an issue with Joomla Update! It's a configuration issue. Go to System, Update, Joomla, Options and set the Update Channel to Joomla! Next, then click on Save & Close. Remember, Joomla! 5.0 and later versions automatically revert the update channel to Default after upgrading your site from a previous Joomla! major version. This is poorly documented correctly, and may catch you by surprise.
Any issue concerning the download or installation of a Joomla update package i.e. what happens after you click the Start Update button in Joomla! Update.
Important | |
---|---|
This feature merely restores Joomla! Update settings to the state they are in a new installation, as explained later on this documentation section. This allows Joomla! to retrieve and process the update information it would if it was a new installation of the same version of Joomla! as the one you were using on your site at the time you used this feature. That's the beginning, middle, and end of what this feature does, and the extent of the process for which we can provide technical support. The Joomla! project and OpenSourceMatters Inc (the legal entity behind the Joomla project) is solely responsible for the code retrieving and processing the update information, the code which downloads and installs the update packages, and the contents of the update packages themselves. As a result, Akeeba Ltd cannot accept any responsibility or provide support for any issues regarding update information retrieval and processing, update package download and installation, or any issues whatsoever arising from the content of the update packages including but not limited to performance, and reliability issues of your site upon installing an update. |
Joomla! 2.5.2 and later versions come with a built-in component, Joomla! Update, which discovers updates to Joomla itself (colloquially called “core updates”), and lets you install them.
Discovering core updates is no different to discovering extension updates. In fact, the same mechanism is used for both kinds of updates. When you install Joomla, it installs a pseudo-extension called “Joomla CMS” and of the type File; you can see it in System, Manage, Extensions. This pseudo-extension has an update site called “Joomla! Core”; you can see it in System, Update, Update Sites. This update site always has an ID of 1 – this value is hard-coded into the Joomla! Update component.
Here we have the first possible set of problems. The aforementioned pseudo-extension may be missing, or disabled, thus preventing Joomla from even knowing it should check for core updates. The aforementioned update site may be missing, disabled, have the wrong ID (anything other than 1), point to the wrong URL, have the wrong type, or even be duplicated. All of these problems will prevent Joomla from detecting updates to itself. Moreover, the update site may have stored the wrong last checked timestamp with a value well into the future, meaning that Joomla will not be checking for updates until that point in the far future.
Joomla will check for core updates in the following circumstances:
When a Super User visits the backend of the site, and the the Joomla! Update button quick icon (“Quick Icon - Joomla! Update Notification” plugin) is visible on the control panel page.
When a Super User goes to System, Update, Joomla.
When you have an enabled scheduled task of the type “Joomla! Update Notification”, and it does run periodically.
When you run the core:update:check or update:extensions:check CLI command
When third party code, such as Akeeba Panopticon, asks Joomla if there are any core updates available.
The latest available version, and where to download it, is stored in the #__updates database table. Moreover, the Joomla update site record in the #__update_sites database table is updated with the current date and time put into its last checked timestamp.
This is where we can have another set of problems. The the #__updates database table may be broken, or otherwise the entry created by Joomla about its core updates may not be replaced when Joomla checks for core updates. This would prevent Joomla from “seeing” new versions. Moreover, the updates are cached for a period of time, by default 6 hours. This is defined in System, Update, Extensions, Options (NOT Joomla! Update itself!). While Joomla will only allow you to set up a value of 0 to 24 hours, it is possible that a direct database edit or third party software increases this time to several thousands of hours, essentially telling Joomla! to never check for core and extension updates.
Beyond that, Joomla! 5.1 and later use a more secure method for handling updates using the TUF (The Update Framework) protocol. While this is a very secure protocol, common real world issues such as a wrong file being cached in Joomla's update CDN, or your host erroneously returning a blank file with an HTTP 200 OK response through its transparent proxy instead of serving the correct file will result in Joomla! Update entering a state where it will either display a PHP error (exception), or otherwise be unable to “see” any future updates. Moreover, if you have not checked for updates in a very long time, if you restored a backup from a long time ago, or if you try to set up a very old Joomla! version (more than approximately a year old) the secure updates feature may decline to check for updates because the so-called “TUF root metadata” is past its expiration date. All of that can only be fixed by resetting the TUF metadata after the underlying issue has been addressed.
In most cases, addressing Joomla! Update issues with some manual intervention is possible.
First, make sure the Joomla core pseudo-extension exists and is enabled:
Go to System, Manage, Extensions
In the search box enter joomla
and
click the magnifying class icon next to it.
Click on the
button.In the - Select Type - drop-down select File.
There should be a Joomla CMS extension of type File with a Status showing a lock icon in a circle.
If the extension is missing, you will have to use the Reset Joomla! Update feature to fix this issue; manual intervention is very complicated.
Then, we can make sure the Joomla update site exists and is valid:
Go to System, Update, Update Sites.
Look for the Joomla! Core item.
If it exists, check if the ID is 1. If not, you will have to use the Reset Joomla! Update feature to fix this issue; manual intervention is very complicated.
If it exists, make sure the Status is a green circle. If not, click on it.
Next up, we want to make sure that Joomla Update's configuration is correct, and the Joomla update site points to the correct URL.
Go to System, Update, Joomla.
Click on
.Set the Update Channel to a different
value, e.g. Custom URL
.
Set the Minimum Stability to
Stable
.
Click on
.Set the Update Channel to
Default
.
Click on
.We now need to make sure the updates caching is set up correctly:
Go to System, Update, Extensions.
Click on
.Set Updates Caching (in hours) to
6
.
Set Minimum Extension Stability to
Stable
.
Click on
.Finally, we can check for updates again:
Go to System, Update, Joomla.
If an update is detected, it is already displayed.
Otherwise, click on
.If you still do not see any updates and you know that a newer version of Joomla has been released, or if you see an update to an earlier or unstable (alpha, beta, Release Candidate) version you will have to use the Reset Joomla! Update feature to fix this issue; manual intervention is very complicated.
The Reset Joomla! Update feature tries to address all of the aforementioned issues by executing a series of actions:
Asks MySQL to checks the #__extensions, #__update_sites, #__update_sites_extensions, #__updates, and #__tuf_metadata (Joomla! 5.1 or later only) database tables for errors, and attempt a repair if needed.
Resets the Extension Updates and Joomla Update options so that updates caching and retrieval is returned to factory settings (6 hours caching, stable updates only, Default update channel).
Makes sure that the Joomla core pseudo-extension exists, and has the correct configuration variables – even those you can neither see nor edit in the System, Extensions, Manage page.
Makes sure that there is only one Joomla core pseudo-extension.
Makes sure there is a Joomla core update site, and it's enabled.
Resets the Joomla core update site's last checked timestamp to force Joomla to look for updates again.
Makes sure that there is only one Joomla core update site, it's of the correct type, and points to the correct URL.
For Joomla! 5.1 and later: makes sure that the TUF metadata database record exists, and resets its data, reloading the root metadata from Joomla's update server. Please read the next section for security information about this action.
Removes the Joomla core update record(s) from the #__updates table, so that Joomla can check for new updates.
Effectively, this resets Joomla! Update to stock configuration, and makes sure that secure updates (Joomla! 5.1.0 or later) will be able to see updates.
Important | |
---|---|
The update channel is changed to Default. If you want to upgrade Joomla! to a newer major version you MUST go to System, Update, Joomla, Options and change the Update Channel to Joomla! Next, then click on Save & Close. This will let Joomla know that you want it to check for updates to the next major version. Only do that if there is a new major version released; changing the update channel before a new major version is released will cause your site to not receive ANY updates! |
As noted above, one action taken by the Reset Joomla! Update feature is to reset the TUF metadata, replacing the root metadata with fresh information retrieved from Joomla's update servers. This effectively bypasses the security features offered by TUF (secure updates), but is necessary when the TUF metadata is missing, corrupt, or so out of date that it cannot be automatically updated.
Since the new root metadata is retrieved from Joomla's update server, this can cause a number of security concerns. None of them are likely, but you should be aware of them nonetheless.
If Joomla's update server is compromised, the attacker can replace the root metadata with a malicious copy which allows them to trick you into downloading and installing a malicious update, compromising your system.
If your host's server is compromised, an attacker may capture and modify the response of the Joomla update server in various ways such as directly changing the response data, resolving the Joomla update server to a malicious server under the attacker's control etc. This is, however, a very theoretical and rather improbable security concern. If someone has this kind of absolute control on your host's server, they can already hack your site directly instead of fooling you into maybe downloading a malicious update if their actions go undetected in the meantime.
If you are concerned about these possible attacks, there are many alternatives you can try if you suspect that your site is not being updated due to a TUF metadata problem.
First, you can install the update manually (it addresses updating your site, but not fixing the TUF metadata issue). Go to https://downloads.joomla.org/ and download the Upgrade Package for the Joomla! version you want to upgrade to in ZIP format. Then go to your site's System, Update, Joomla and click on Upload and Update. You can now use the ZIP file your downloaded to update Joomla.
Note | |
---|---|
The question is, if you do not trust Joomla's update server to not be compromised, why do you trust Joomla's download server to not be compromised either? If you suspect your network is insecure, how do you trust it to download Joomla? This is the main reason why we do not consider the "Joomla's update server might be compromised" to be a real security concern. You either trust the Joomla organisation, or not. If you have a valid reason to suspect that you are being targeted, you can try to verify the update files. Compare the file you download from Joomla's download servers with the file you download from Joomla's GitHub Releases page. The sizes (down to the byte) and checksums (MD5, SHA-1, SHA-256, and SHA-512) of the two files MUST be identical. If they are not, something is wrong. Your network may be caching files for too long (very likely), your network / Internet gateway is compromised (less likely, but we've actually seen that before, affecting only the clients one tiny ISP in a sparsely populated area in the USA), or Joomla itself is fully compromised (astronomically unlikely). |
As noted, this does not fix the cached TUF metadata issue which might be why you are not receiving updates. To fix that, you will have to edit the #__tuf_metadata record for Joomla in the database. You will need to remove the contents of the targets, snapshot, timestamp, and mirrors columns. You will also need to replace the contents of the root column. Which brings us to the next question. Where can you get this information from?
The safest place to get that information from is another site, which is known to be reliably locating updates for the same Joomla version as the stricken site. Copy that information from the known good site to the stricken site. Then go to System, Update, Joomla, and click on Check For Updates if necessary.
The other place you can find this information is Joomla's update server: https://update.joomla.org/cms/root.json. However, this is exactly where Admin Tools retrieves this information from. If you do not trust your host's server you can check the information Admin Tools retrieved with what you retrieve from two separate network connections (e.g. your regular wired Internet connection, and a mobile Internet connection – make sure to turn WiFi off on your mobile device!). If the information matches, you can trust your host's network and let the matter rest. If the information is different, fix it in your database and let your host know that they have a problem: they are either caching this information on their end for too long (most likely), or their server is compromised (least likely).