Support

Hello Mena,

As stated by the compatibility icons in our software presentation page, the download page, our Joomla! Extensions Directory listing and our release announcement, Admin Tools is no longer compatible with Joomla! 1.6. Furthermore, as very bluntly stated in our release announcement:

WARNING: This version is only compatible with Joomla! 1.5 and 2.5. It will not work at all on Joomla! 1.6 and we do not support using it on Joomla! 1.7.

Furthermore, there is no point using Admin Tools in Joomla! 1.5.0-1.5.25, 1.6.x, 1.7.x and 2.5.0 to 2.5.3 because, as stated in the release announcement:

We would like to remind you that Joomla! versions 1.5.0-1.5.25, 1.6.x, 1.7.x and 2.5.0-2.5.2 all contain a very high importance security vulnerability which allows an attacker to easily reset your Super Administrator password (Joomla! 1.5) or create a new Super Administrator account (Joomla! 1.6, 1.7, 2.5.0-2.5.2). Due to the way these attacks work, it is impossible for Admin Tools or any other security component to protect you against them. The only secure thing to do is to immediately upgrade to Joomla! 1.5.26 (Joomla! 1.5 sites) or 2.5.4 (Joomla! 1.6, 1.7 and 2.5) sites which, at the time of this writing, are the only secure versions of Joomla!. Using any other version WILL get you hacked, have no doubt about it. The attack for versions 1.6 and later is trivial and widely publicised. If you have an older version of Joomla! you are essentially a sitting duck.

If you wish to ignore our advice and continue using a vulnerable version of Joomla! which is trivial to hack, we can not help you. If you merely wish to reclaim access to your site so that you can upgrade it, please consult the "Installing / updating Admin Tools brought your site down" section of our release announcement.

Hi George,

Joomla! 1.6, 1.7 and 2.5 are different in many, subtle ways. We had to choose between offering subpar performance and experience for Joomla! 2.5 or cease supporting the two obsolete, vulnerable version families of Joomla!. That was an easy choice.

To answer your first question, if you carefully read what I wrote you see that I tell you:
- if you are using Joomla! 1.5.0-1.5.25 => upgrade to Joomla! 1.5.26
- if you are using Joomla! 1.6.x, 1.7.x, 2.5.0-2.5.3 => upgrade to Joomla! 2.5.4
The versions in the parantheses tell you which version of Joomla! the upgrade applies to.

Rant on. I know it's complicated. The entire Joomla! versioning scheme is a big pile of bollocks. Joomla! 1.6 should be 2.0. Joomla! 1.7 should be 2.1. Had this been this way, I'd simply say "if you have Joomla! 1.x upgrade to 1.5.26, if you have Joomla! 2.x upgrade to 2.5.4". Much easier to understand. But, yeah, the version scheme of Joomla! is really, really, REALLY bad. Rant off.

Regarding your question about Akeeba Backup:
- If you have Joomla! 1.5:
--- a. if you have PHP 4.x or 5.0.x, you can't use it.
--- b. if you have PHP 5.1.6 up to and including 5.2.6, use Akeeba Backup 3.2.7
--- c. if you have PHP 5.2.7 or later (incl. 5.3.x and 5.4.x), use Akeeba Backup 3.4.3
- If you have Joomla! 1.6, use Akeeba Backup 3.2.7
- If you have Joomla! 1.7, use Akeeba Backup 3.3.14
- If you have Joomla! 2.5, use Akeeba Backup 3.4.3

Regarding Admin Tools, you canot use Admin Tools 2.1.x or 2.2.x on Joomla! 1.6. You could use version 2.0, but it's no longer available - not to mention it's buggy. Besides, even if you install Admin Tools on Joomla! 1.6 or 1.7, your site can still be hacked. Actually, even an idiot who knows nothing about Joomla! and PHP can follow the widely publicised and very simple instructions to hack your site in less than 5 minutes. Installing a security extension on Joomla! 1.6 and 1.7 is pointless. The exact nature of the vulnerability means that security extensions cannot help you.

I'll tell you how the vulnerability in Joomla! 1.6.x/1.7.x/2.5.0-2.5.3 works. The attacker visits a special URL which presents him the Joomla! user registration page (even if you don't have any links to that page anywhere on your site, the URL still works). Using Firebug, Google Chrome dev tools or any other page manipulation tool the attacker adds a secret field to the form and submits it. This now creates a new user account with Super Administrator privileges and your site is a sitting duck. It's up the hacker to decide how extensive the damage he'll do will be.

So, if you are still using Joomla! 1.6.5 you are a sitting duck. Even worse, it's duck season. Do you really want to be a sitting duck? If not, why don't you upgrade to Joomla! 2.5.4?

Excellent! I am always trying to help people understand not only when they are doing something insecure, but also why it's insecure :)

Joomla! 2.5.4 all by itself is not vulnerable, or at least no known vulnerability exists right now. Potentially, every bit of software we use is vulnerable. On top of that, we rarely use Joomla! all by itself, so yes, there might be vulnerable areas. There are also some "gray" areas, e.g. it's not a vulnerability per se that anyone can try to brute force your Super Administrator password, but you want to protect against it. That's where Admin Tools comes into play: it tries to prevent the most common attacks.

Regarding the registration page, it depends on your site. One easy way is to go to your site's Global Configuration and disallow user registration. Obviously, if your site relies on users being able to self-register, you can't do that. Since that functionality went under extreme scrutiny for the 2.5.4 release, I doubt that there will be another vulnerability regarding the user registration feature for a while and I'd recommend enabling it, as long as you have Joomla! 2.5.4 or later.

Admin Tools does have a log, of course! You can't have active security without some good ol' fashioned log searching. Admin Tools' log can be found at Admin Tools, Web Application Firewall, Security Exceptions Log. Please take a look at the documentation for more information. Joking aside, you should read the documentation. Admin Tools is a power tool, but the only way to really make good use of it is to understand how and why it works. If you read the documentation you'll understand what I mean :)

Regarding removing the Joomla! word, it's complicated and I could write at least three chapters explaining why this kind of protection against fingerprinting (that's how it's called) can never be 100% accurate. Even though Admin Tools can remove all instances of Joomla! from your page, don't do it. Really. It's a bad idea. I'd recommend changing the Generator meta tag and enabling the .htaccess Maker protection. Doing that will prevent the most common fingerprinting methods. If someone really knows what he's doing, he can still understand you're using Joomla! and this can't be prevented without breaking the CMS. The same holds true for all CMS out there, including Drupal and WordPress.

Joomla! 1.6 is exactly 0% secure in comparison to Joomla! 2.5.4. There are at least half a dozen known high priority security vulnerabilities fixed since Joomla! 1.6.5. Any one of them can be used to hack your site. After using Admin Tools on it, it will become only 10% as secure as Joomla! 2.5.4. This means that unless you are attacked by the most dumb wannabe hacker in the face of the planet, you're still a sitting duck.

IMHO you don't need to burden your site with too many security extensions. The other major security extensions do pretty much the same things as Admin Tools. Even if you install more than one security extensions you will not get a much better protection for your site. All you'll achieve is spending more money, make your site slower (security extensions do have a slight performance impact) and make issues undebuggable (if I can pretend that's a real word). What I mean with the last point is that if you have, say, three security extensions on your site and something doesn't work how can you know which security extension(s) cause this and work around it? I can't know that, so if you ask me for support I will not be able to provide it, as it will be impossible for me to know if you need support with Admin Tools or something else (not to mention it will be impossible for me to test a solution on your site and be certain that another security extension doesn't get in the way).

You're welcome, George!