#33120 Hacker registering as user

Posted in ‘Admin Tools for Joomla! 4 & 5’
Latest post by headcake on Friday, 29 May 2020 10:23 CDT

headcake
I have an unknown person who is registering for an account on each of my sites one by one. I have not had this problem for years after installing Admin Tools. Has a setting changed or is there a new setting I need to check to prevent this? By default I have turned off the ability to register for a user account on almost all my websites.

nicholas
Akeeba Staff
Manager
Admin Tools does not have any feature related to preventing registration as a regular user. This is a core Joomla feature. That said, I think that you may have not disabled user registration in Joomla or you have a third party extension which allows users to register on your site even when Joomla's user registration is disabled.

The latter may sound crazy but there are several legitimate reasons for third party software to ignore the Joomla setting. For example, e-commerce extensions need to register user accounts for your clients. Social networking extensions also need to control user registration at the extension level rather than the Joomla level; this lets you disable generic Joomla user registration, forcing users to register new accounts through the social networking extension's flow. Likewise, social media login and Single Sign On extensions have a similar reason for needing to allow user registration despite Joomla's user registration being disabled.

Therefore at the very least I'd ask you to check BOTH whether you've really disabled Joomla's user registration (as opposed to having set account validation to administrator) AND whether you have an extension which allows user registration despite Joomla's setting.

Moreover, I disagree with your assessment that it's a hacker that is registering as an unprivileged user account on your site unless we are talking about the world's dumbest hacker. Most likely this is a spam bot, trying to register a user account in case they can find a forum or other place which allows registered users to post publicly. This is not a compromise of your site. It's abusing what you made explicitly possible. The difference is subtle but important. It's the difference between someone picking a locked door and opening an unlocked door with a "WELCOME" sign.

Finally, you said that someone is trying to register an account on your site but you never told me if they activated said account. If Joomla's user registration is allowed but the activation is set to self or administrator the account will be disabled until the user verifies their email address (self) or an administrator accepts the user account (administrator). The reason for Joomla's user activation checks is that anyone can try to register an account but you want to prevent obvious spam bots from ultimately succeeding.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
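
The checks described in the reply above (is core registration really off, which activation mode is set, and did the new accounts ever activate) can be scripted per site. This is an added example, not part of the original ticket or Akeeba's code; it assumes a `jos_` table prefix and runs against a constructed in-memory copy of Joomla's `extensions` and `users` tables.

```python
import json
import sqlite3

ACTIVATION_MODES = {0: "none", 1: "self", 2: "administrator"}

def audit_registration(conn, prefix="jos_"):
    """Report core registration settings and the activation state of each account."""
    cur = conn.cursor()
    # com_users keeps its options as a JSON string in the extensions table.
    cur.execute(f"SELECT params FROM {prefix}extensions "
                "WHERE type = 'component' AND element = 'com_users'")
    params = json.loads(cur.fetchone()[0])
    report = {
        # A missing key is treated as 0 here (assumption made for this example).
        "registration_open": int(params.get("allowUserRegistration", 0)) == 1,
        "activation": ACTIVATION_MODES[int(params.get("useractivation", 0))],
        "pending_activation": [], "blocked": [],
        "active_never_logged_in": [], "active_used": [],
    }
    cur.execute(f"SELECT username, block, activation, lastvisitDate "
                f"FROM {prefix}users ORDER BY registerDate DESC")
    for username, block, activation, last_visit in cur.fetchall():
        has_token = activation not in (None, "", "0")
        if block:
            # Blocked with a token: registered but never verified or approved.
            key = "pending_activation" if has_token else "blocked"
        elif last_visit is None or last_visit.startswith("0000"):
            key = "active_never_logged_in"
        else:
            key = "active_used"
        report[key].append(username)
    return report

def sample_db():
    """Constructed sample data; usernames and tokens are made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE jos_extensions (type TEXT, element TEXT, params TEXT);
        CREATE TABLE jos_users (username TEXT, block INTEGER, activation TEXT,
                                registerDate TEXT, lastvisitDate TEXT);
        INSERT INTO jos_extensions VALUES ('component', 'com_users',
            '{"allowUserRegistration":"1","useractivation":"2"}');
        INSERT INTO jos_users VALUES
            ('admin', 0, '', '2019-01-05 09:00:00', '2020-05-28 08:00:00'),
            ('xrumer8812', 1, 'a1b2c3', '2020-05-27 03:14:00', NULL),
            ('promo_seo77', 1, 'd4e5f6', '2020-05-28 03:15:00', NULL);
    """)
    return conn

if __name__ == "__main__":
    print(json.dumps(audit_registration(sample_db()), indent=2))
```

If `registration_open` is false and new accounts still appear, the core setting is not the path being used, which points to a third-party extension's own registration flow.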

headcake
Thank you for your insight Nicholas. This makes a lot of sense to me. I do have "Allow user registration" turned off on most of my sites (I checked), but the ones that do need users to register do receive many more of these unwanted users. I never thought about third party extensions that might allow users to register. This gives me greater insight as to where to look for a way to stop these. Also, knowing that they are most likely just bots looking for a way to post spam puts me at ease. I don't have forums or blogs on 95% of my sites so these registrations will go nowhere.

You have been much more helpful than the Joomla forums. This seems to have been an issue for years and no one has any insight into it. Would it be OK if I post your answer on the Joomla forums?

Thank you again!

nicholas
Akeeba Staff
Manager
Yes, of course you can post it on the forum (I typed this reply on a public ticket, I expect it to be public) as long as you put the disclaimer that everyone's case may be different, there is no one size fits all to security and that the information contained in my reply does not constitute legally binding advice, it's merely for informational purposes. You know, it's the standard "let's prevent the unhinged morons from litigating" kind of disclaimer :)

headcake
Info shared. Thanks again Nicholas.