Server protection

Server protection (partial screenshot)

This feature is based on the principle of ‘nothing runs on my site unless I explicitly allow it’ a.k.a. ‘deny-first’. This is a great policy which puts you in total control of your site, greatly reducing your attack surface area.

By blocking access to front-end and back-end elements (media files, Javascript, CSS and PHP files) it makes it extremely hard —but not outright impossible— for an attacker to hack your site, even if he manages to exploit a security vulnerability to upload malicious PHP code to your site. Additionally, it will deny direct access to resources not designed to be directly accessible from the web, such as translation INI files, which are usually used by attackers to find out which version of Joomla and its extensions you are running on your site to tailor an attack to your site.

On the downside, you have to explicitly enable access to some extensions' PHP files which are designed to be called directly from the web and not through Joomla!'s main file, index.php.

Do note that enabling this feature will kill the functionality of some extensions which create arbitrarily named PHP files throughout your site. In our humble opinion the security risk of having your site unprotected greatly outweighs the benefits of such extensions. As a result, we strongly suggest disabling these extensions.

There are three sections of configuration settings controlling the functionality of the Server Protection feature. In short, you have controls for protecting the backend of your site (everything under the administrator directory), the frontend of the site (everything NOT under the administrator directory) and exceptions to these rules.

Starting with the backend section we see the following options:

Back-end protection

Disables direct access to most back-end resources, except those in the exceptions lists. It is generally recommended to turn it on to enhance the protection of your site.

Back-end directories where file type exceptions are allowed

This is a list of back-end directories (that is, subdirectories of your site's administrator directory) where you expect media files to be present. Place one directory on each line. Subdirectories of those directories are automatically added to the exceptions list without having to explicitly list them here. You can add more lines using the + buttons. You can remove a line using the - button. You can rearrange the order of the lines by clicking and dragging the button that looks like four arrows pointing North, South, East and West. You must not type the administrator/ prefix. As you can see, it's already added for you and can't be removed. You do not need to type a trailing forward slash. Please note that the path separator is the forward slash (/), even on Windows.

The default list is:

  • components

  • modules

  • templates

Back-end file types allowed in selected directories

The extensions of back-end files which allowed to pass through the server protection filter, as long as the files with those extensions are in the list above. Do not type the leading dot for each file extension. Add file extensions by clicking at the end of the list, typing the extension and pressing ENTER. Delete file extensions by pressing the X next to them. Extensions are case–insensitive as of 7.0.6; this means that entering pdf will also match the extensions PDF and Pdf. The convention is to type in the extensions in lowercase. Regardless of the case–insensitivity of Admin Tools, it is a good idea to have the extensions of the files you upload in lowercase to avoid issues with third party extensions, Joomla itself and software running on case–sensitive–aware Operating Systems such as Linux.

The default list is: jpe, jpg, jpeg, jp2, jpe2, png, gif, bmp, css, js, swf, html, mpg, mp3, mpeg, mp4, avi, wav, ogg, ogv, xls, xlsx, doc, docx, ppt, pptx, zip, rar, pdf, xps, txt, 7z, svg, odt, ods, odp, flv, mov, htm, ttf, woff, woff2, eot, webp, ico, xsl, json, bpe

Disable client-side risky behavior in backend static content

Certain static media types, such as HTML and SVG, may contain client-side scripts in JavaScript. It would be possible for an attacker to use a legitimate site feature or a vulnerability on your site to upload such an HTML or SVG file to one of the “Back-end directories where file type exceptions are allowed” folders or otherwise trick a Super User to do that. Then, they could exploit a well-meaning, legitimate feature of your site or otherwise trick a Super User into opening that file on their browser while they are logged into your site as a Super User. The client-side script could therefore “steal” the Super User's cookie, send it to the attacker who can now impersonate the Super User on the site.

When you enable this option, the allowed static media types in these directories will have a Content-Security-Policy header forcibly applied to them which tells the browser to not let them load any external script or execute any inline script or scriptable attribute, thereby neutering client-side script execution.

If you have a few select files which need client-side scripting, e.g. forms, animation demos etc, we recommend that you allow them explicitly in the Exceptions section described further below this documentation. If you can't enumerate all of these files you can disable this option but bear in mind that this reduces the security of your site.

Next up, we have the front-end section:

Front-end protection

Disables direct access to most front-end resources, except those in the exceptions lists. It is generally recommended to turn it on to enhance the protection of your site.

Enabling this feature will prevent web access to all folders in your site's root, not just Joomla's folders (such as components). If you need to enable direct access to a folder you will need to place it in one of the front-end directory exception lists in the Fine-tuning or Exceptions section.

Front-end directories where file type exceptions are allowed

This is a list of front-end directories (that is, directories in your site's root) where you expect media files to be present. Place one directory on each line. Subdirectories of those directories are automatically added to the exceptions list without having to explicitly list them here. You can add more lines using the + buttons. You can remove a line using the - button. You can rearrange the order of the lines by clicking and dragging the button that looks like four arrows pointing North, South, East and West. You must not type the administrator/ prefix. As you can see, it's already added for you and can't be removed. You do not need to type a trailing forward slash. Please note that the path separator is the forward slash (/), even on Windows.

Use this to allow access to specific types static media files inside specific directories. This is the least permissive exception to front-end blocking. Use this for folders which have a mix of public and private content, as long as the private content is NOT of an allowed file type (see below).

The default list is:

  • components

  • modules

  • templates

  • images

  • plugins

  • media

  • libraries

Front-end file types allowed in selected directories

The extensions of front-end files which allowed to pass through the server protection filter, as long as the files with those extensions are in the list above. The same controls and rules as “Back-end file types allowed in selected directories” apply.

The default list is: jpe, jpg, jpeg, jp2, jpe2, png, gif, bmp, css, js, swf, html, mpg, mp3, mpeg, mp4, avi, wav, ogg, ogv, xls, xlsx, doc, docx, ppt, pptx, zip, rar, pdf, xps, txt, 7z, svg, odt, ods, odp, flv, mov, htm, ttf, woff, woff2, eot, webp, ico, xsl, json, bpe

Disable client-side risky behavior in frontend static content

Certain static media types, such as HTML and SVG, may contain client-side scripts in JavaScript. It would be possible for an attacker to use a legitimate site feature or a vulnerability on your site to upload such an HTML or SVG file to one of the “Front-end directories where file type exceptions are allowed” folders or otherwise trick a Super User to do that. Then, they could exploit a well-meaning, legitimate feature of your site or otherwise trick a Super User into opening that file on their browser while they are logged into your site as a Super User. The client-side script could therefore “steal” the Super User's cookie, send it to the attacker who can now impersonate the Super User on the site.

When you enable this option, the allowed static media types in these directories will have a Content-Security-Policy header forcibly applied to them which tells the browser to not let them load any external script or execute any inline script or scriptable attribute, thereby neutering client-side script execution.

If you have a few select files which need client-side scripting, e.g. forms, animation demos etc, we recommend that you allow them explicitly in the Exceptions section described further below this documentation. If you can't enumerate all of these files you can disable this option but bear in mind that this reduces the security of your site.

Exceptions

Finally, we have the Exceptions section. This allows specific files or all files in specific directories to pass through the Server Protection filter without further questions. This may be required for several reasons.

For starters, some extensions need to directly access PHP files, without passing them through Joomla!'s main files. One such example is Akeeba Backup Professional's restore.php used in the integrated restoration feature, as it would be impossible to use the index.php of a site which is in a state of flux while the restoration is underway.

Other examples are CSS and Javascript minifiers, either included in your template or installed in your site. Forum extensions are also part of the same problem, as they tend to create a dedicated directory for their attachments, avatar icons and so forth. Moreover, some extensions place PHP files inside your site's tmp and cache directories and expect them to be directly accessible from the web. While this is a frowned upon behaviour, contrary to the design goals of Joomla! itself, you still need a way to work around them and we have to provide it. Finally, you may have a third party script which doesn't install as a Joomla! extension. The Server Protection feature would normally block access to it and you still need a way around this limitation. So here we have those workarounds:

Allow direct access to these files

Place one file per line which should be exempt from filtering, therefore accessible directly from the web. The default settings include Akeeba Backup Professional and, of course, Admin Tools itself.

Please remember that you are entering the file path relative to your site's root, not a URL. If you want to allow the URL http://www.example.com/mysite/components/com_example/foobar.php?test=1&whatever=2 and your site is hosted at http://www.example.com/mysite you need to enter components/com_example/foobar.php here. Here's how we figured this out. Start by removing the question mark from the URL and everything that's to its right. Then, remove the site's root URL from the left part of the remaining URL. Finally, remove the leading forward slash — as you can see, it's already included for you and you can't remove it.

You can add more lines using the + buttons. You can remove a line using the - button. You can rearrange the order of the lines by clicking and dragging the button that looks like four arrows pointing North, South, East and West. Please note that the path separator is the forward slash (/), even on Windows.

[Note]Note

Files added to this list can be directly accessed regardless of whether their extension is in the "Backend file types allowed in selected directories" or "Frontend file types allowed in selected directories".

These files will NOT be subjected to the restrictions imposed by "Disable client-side risky behavior in backend static content" and "Disable client-side risky behavior in frontend static content".

Files which are made inaccessible because of their ownership, permissions, directory password protection, directives in the "Custom .htaccess rules at the top of the file" or "Custom .htaccess rules at the bottom of the file", directives in the .htaccess of a parent folder, directives in the server's main configuration files, or generally any reason outside the control of Admin Tools and its developers ARE NOT guaranteed to be made accessible. These outside reasons require manual intervention to overcome which may or may not be possible through a .htaccess file.

Default list:

  • administrator/components/com_akeeba/restore.php

  • administrator/components/com_akeebabackup/restore.php

  • administrator/components/com_joomlaupdate/restore.php

  • administrator/components/com_joomlaupdate/extract.php

The first and third items on the list are deprecated. They are there for Akeeba Backup 8 and Joomla versions prior to 4.0.3.

Allow direct access, except .php files, to these directories

Direct access to all files (except for .php files) will be granted if they are inside any of the directories in this list AND their subdirectories. Normally you should only need to add your forum's attachments, avatars and image galleries directories, or other directories where you only intend to store media files. As with all similar options, add one directory per line, without a leading or trailing slash.

This is a middle ground in front-end blocking. You should use this only for folders which have only public content, i.e. if it's in that folder you are OK with it being shared with the rest of the world.

You can add more lines using the + buttons. You can remove a line using the - button. You can rearrange the order of the lines by clicking and dragging the button that looks like four arrows pointing North, South, East and West. You do not need to type a trailing forward slash. Please note that the path separator is the forward slash (/), even on Windows.

[Note]Note

Files in directories added to this list can be directly accessed regardless of whether their extension is in the "Backend file types allowed in selected directories" or "Frontend file types allowed in selected directories", as long as the file name does not end with the string literal .php (case-sensitive).

These files will NOT be subjected to the restrictions imposed by "Disable client-side risky behavior in backend static content" and "Disable client-side risky behavior in frontend static content".

Files which are made inaccessible because of their ownership, permissions, directory password protection, directives in the "Custom .htaccess rules at the top of the file" or "Custom .htaccess rules at the bottom of the file", directives in the .htaccess of a parent folder, directives in the server's main configuration files, or generally any reason outside the control of Admin Tools and its developers ARE NOT guaranteed to be made accessible. These outside reasons require manual intervention to overcome which may or may not be possible through a .htaccess file.

Default list:

  • .well-known

Allow direct access, including .php files, to these directories

This option should be used sparingly as possible. Each and every directory placed in this list is no longer protected by Server Protection AT ALL and can be potentially used as an entry point to hacking your site. To be clear, if an attacker uploads a malicious file in one of these directories by exploiting a vulnerability which allows them to upload predictably named files in predictably named folders they will be able to access it over the web. This is how sites get hacked. As far as we know there are only three cases when its use is even marginally justifiable:

  • If you have installed another Joomla!, WordPress, or any other PHP application in a subdirectory of your site. For example, if you are trying to restore a copy of your site inside a directory named test in your site's root you have to add test to this list. This is the one and only usage scenario which doesn't compromise your site's security.

  • Some templates and template frameworks may wrap their CSS and Javascript inside PHP files in order to deliver them compressed to your browser. While this is a valid technique, it's possible that the list of PHP files is too big to track down and include in the first list of the Exceptions section. In this case you may consider putting the template subdirectory containing those files in this list.

  • Some extensions do something silly: they place files inside your site's tmp or cache directories and expect them to be directly accessible from the web. This is plain wrong because these directories are designed to be protected system directories where direct access should not be allowed, most notably because they might contain sensitive information. However, if you have such extensions you need a way to allow direct access to those directories.

    If you decide that convenience is better than security we can't stop you. Add tmp and cache to this list and wish for the best. You are opening a security hole on your site and you do it at your own risk and potential peril.

It's best to use the Allow direct access to these files feature if possible, allowing access only to very specific .php files.

Remember that an attacker who has found an upload vulnerability on your site can upload a malicious script inside one of these folders and use it to hack you. These folders are totally unprotected. That's why we very strongly advise against using this feature unless it's absolutely necessary - keeping in mind that you are, at the same time, leaving a hole in your security defences.

You can add more lines using the + buttons. You can remove a line using the - button. You can rearrange the order of the lines by clicking and dragging the button that looks like four arrows pointing North, South, East and West. You do not need to type a leading or trailing forward slash. Please note that the path separator is the forward slash (/), even on Windows.

[Note]Note

Files in directories added to this list can be directly accessed regardless of whether their extension is in the "Backend file types allowed in selected directories" or "Frontend file types allowed in selected directories".

These files will NOT be subjected to the restrictions imposed by "Disable client-side risky behavior in backend static content" and "Disable client-side risky behavior in frontend static content".

Files which are made inaccessible because of their ownership, permissions, directory password protection, directives in the "Custom .htaccess rules at the top of the file" or "Custom .htaccess rules at the bottom of the file", directives in the .htaccess of a parent folder, directives in the server's main configuration files, or generally any reason outside the control of Admin Tools and its developers ARE NOT guaranteed to be made accessible. These outside reasons require manual intervention to overcome which may or may not be possible through a .htaccess file.

In order to figure out which custom exceptions you need to add on your site, take a look at the How to determine which exceptions are required section.

[Warning]Warning

Windows users beware! Do not use Windows' path separator (the backslash - \) to separate directories! We are talking about directories as they appear in URLs, so you should always use the URL path separator (forward slash - /) in those settings. In other words some/long/path is correct, some\long\path is WRONG.

Default list:

  • installation

How to determine which exceptions are required

After applying the Server Protection settings you may notice that some aspects of your site no longer work properly or at all. This could be something obviously throwing an error; files being inaccessible with a 403 or 404 error message; or something more subtle, as if CSS and JavaScript no longer load. These are probably caused by the Server Protection settings disallowing access to files. We can find which files need to be accessed and add exceptions to them to restore the functionality of your site.

[Tip]Tip

There is no valid reason for software integrated with Joomla! to require such exceptions for .php files anymore. Since early 2013 Joomla! has shipped with com_ajax, a built-in method to access dynamic content without needing direct access to arbitrarily named .php files. Developers who have not caught up to this technology after so many years are less likely to follow security best practices. Moreover, most of these directly accessible .php files do not load Joomla!, therefore they do not load Admin Tools, meaning that you are no longer protected by Admin Tools' Web Application Firewall if malicious requests are being sent to those files. As a result, adding extensions for their software's .php files to be accessible directly from the web can compromise your site's security.

Exceptions for non-.php files – such as CSS, JavaScript, images, fonts etc – may still be required and are generally not a security issue. Some static content can be a security issue if it's accessible over the web (e.g. JSON files containing privileged information such as usernames, passwords and API keys) but these cases are rare and you shouldn't be overly worried about them.

The process of determining which exceptions are required is made relatively easy by modern browsers. All modern browsers include "developer tools" which give us insight on what is going on when the browser tries to load your page. They even highlight the errors for us, making our work much easier.

In the following example we are going to be using Mozilla Firefox. The process is very similar on Google Chrome, Opera, Safari and Microsoft Edge. If you are not sure how to open the developer tools for your browsers do a quick search on the Internet similar to developer tools <your browser name here>.

Our example makes use of RokBox, an extension by RocketTheme, which causes a problem when used through the Joomla! article editor in the backend of the site. The instructions also apply to the frontend of your site and any other extension which might be causing a problem.

After applying the Server Protection settings in the .htaccess Maker we get the following error when we click on the RokBox button in the editor:

This is a vague error message. We want it to be that way to not give away any information about our site to bad guys. At the same time it makes our life a bit harder. Click on Close to dismiss that non-functional dialog.

Click on Firefox' hamburger menu (the three horizontal lines button towards the top right of its window), Web Developer, Toggle Tools. This opens a side pane. On that pane there's a top menu. Click on the Network option. You may have to click on the >> arrows first to see it. Then click on the RokBox button on your editor. You now see something interesting happen in the Web Developer pane:

The pane shows the request made to your server and its error status 403 highlighted. 403 means access forbidden, 404 means not found. The former is an error code we definitely expect as the result of applying Server Protection. The latter can either mean that the file is genuinely not there or that Server Protection is preventing access to it. If you get a 404 always check if the file exists first. Since we have a 403 here we know it's a Server Protection issue.

Click on the line with the error code. You will see some details open below the list. Click on the Headers tab on top of those details. You see a lot of information but what is interesting to us is the Request URL. It tells us which URL the browser tried to access and failed to do so. However, it's truncated and doesn't help us any. So right click on it and choose Copy.

Now open a plain text editor application such as Notepad on Windows, TextEdit on macOS, gEdit or Kate on Linux and paste in the URL you copied.

Highlight the stuff between your site's root URL and the question mark (if there is no question mark, highlight to the end of the line). In our example the site's URL is http://test3.local.web and the highlighted portion is plugins/editors-xtd/rokbox/views/rokbox-picker.php which, as you may have guessed, is the relative path to the file blocked by Server Protection. Copy this.

Now go to Components, Admin Tools, .htaccess Maker and find the Allow direct access to these files box.

In a new line paste the relative file path you had highlighted previously. Make sure you do not include the leading slash or the trailing question mark. Click on Save and Create .htaccess in the toolbar to apply your changes. Now the extension works:

In case you see plenty of files or files with random and changing names; or you see files in the cache, tmp and logs folders

Sometimes the above method will show a long list of files; or files with random names; or files whose names change on every page or request. Typically, you see that they are all located in the same few folders. There are two different things you can do.

If the files you see do not have a .php extension the the easy way is to add the path to the folder to the Allow direct access, except .php files, to these directories list. For example, if all files are in the foobar/assets/static folder you need to add foobar/assets/static to the Allow direct access, except .php files, to these directories list.

The drawback to that is that all files without a .php extension in this folder and its subfolders will be accessible over the web. This might be a security risk if the same folder contains files with privileged information. You can mitigate that risk by adding an exception in a harder, but more secure, way. You'd need to add the folder's path to the Backend directories where file type exceptions are allowed or Frontend directories where file type exceptions are allowed lists in the .htaccess Maker. If the folder's relative path starts with administrator/ add it to the first list (backend) after removing the administrator/ prefix.

For example, if the files are in the administrator/components/com_example/media folder you need to add components/com_example/media to the Backend directories where file type exceptions are allowed list. Conversely, if the files are in the foobar/assets folder you need to add foobar/assets to the Frontend directories where file type exceptions are allowed list.

Please note that in this case (hard way) if the file extension is not in the Backend file types allowed in selected directories or Frontend file types allowed in selected directories lists you will need to add the file extension, without the dot, in those lists as well. Keep in mind that capitalization matters. For example, the extensions png, PNG and Png are different and have to be listed separately.

If the files you see have a .php extension things are easier but also more nuanced. You can always add the path to the folder in the Allow direct access, including .php files, to these directories list. This is potentially insecure. It allows direct web access to all files in that folder and all of its subdirectories, bypassing Joomla! and Admin Tools entirely. If there are files with privileged information they will be accessible to everyone. If the .php files have a security issue in them you will get hacked. This is why we DO NOT advise you to do that.

What we do advise you to do is contact the developer of the offending extension and ask them to fix their code to always go through Joomla's index.php files (e.g. using com_ajax). If they decline to do that you should consider using a different extension. There is absolutely no reason whatosever to have directly accessible .php files in Joomla! since 2013. Well, actually, there is one: when you are overwriting Joomla! itself. Since Joomla! is being overwritten with a different version you cannot also use it at the same time, thus making the only valid use case of not going through Joomla. This is exactly what the restore.php files in com_joomlaupdate (the Joomla! Update component which is part of Joomla! itself) and Akeeba Backup (when restoring a backup) do and that's why they are the only two built-in exceptions in Admin Tools. Both files were written by Akeeba Ltd, they are locked when you are not actively updating/restoring a site, they are protected with a password when you are actively updating/restoring a site and they have been audited by independent security researchers several times.

Finally, a special mention is due for extensions which try to access files stored in the cache, logs or tmp directories in the front- and backend of your site. These directories are NOT meant to be web accessible. In fact, they are designed in such a way that it's possible to move them outside of your site's web root. Moreover, their content is supposed to be transient, i.e. it is expected to be deleted at any point in time and the extension is supposed to not break when that happens. Web accessible files generated by extensions are supposed to go into the media folder in the root of your instead. This folder has been available since Joomla! 1.5.0 came out in 2007. Any developer who does not understand a concept introduced over a decade ago is certainly not following security best practices. As a result we very strongly recommend NOT using these extensions, ever, at all cost.