jHackGuard - Security Joomla Extension by SiteGround
jHackGuard is designed by SiteGround to protect Joomla websites from hacking attacks. Install it on your Joomla site and it filters incoming requests for SQL injection, remote URL/file inclusion, remote code execution and XSS-based attacks.
- Author: SiteGround
- jHackGuard Support Forum →
We initially developed jHackGuard to protect our Joomla hosting users. It is included in every Joomla installation made through our system and has been used by thousands of SiteGround customers over the past few years. Seeing the value of this protection, we have decided to make the plugin publicly available to all Joomla users, whether or not they use our hosting services.
jHackGuard consists of a security plugin (which does the actual filtering) and a component (which holds the configuration and shows the logs). The plugin protects you by filtering the data in users' input and by applying additional PHP security settings. The plugin is bypassed for authenticated administrators (and any other whitelisted groups) so that its filters do not interfere with administrative tasks. Keep in mind that this also means a compromised administrator account or session is not covered by the filters, so administrator logins still need strong passwords and should be limited to the people who need them.
Our security extension comes pre-configured with a set of rules that suit the majority of Joomla websites. If you want to tweak them, you can do so through your Joomla administrator area. jHackGuard also keeps its own log, which you can use to debug any unexpected behaviour (for example, a legitimate form submission from a third-party extension being blocked by a filter).
jHackGuard 2 is compatible only with Joomla 3 and higher. If you need to protect an older Joomla version, you can download the appropriate version of our plugin from the following links: jHackGuard for Joomla 1.5, jHackGuard for Joomla 2.5. However, we strongly recommend that you update your site to Joomla 3 as soon as possible: those older Joomla branches no longer receive security fixes, and no input filter can make up for an unpatched core.
1. Download the plugin to your local computer.
Get jHackGuard for Joomla 3 now! (Download)
2. Install jHackGuard to your Joomla.
Once you have downloaded the package, log in to your Joomla administrator panel, go to the Extension Manager and upload the zipped jHackGuard package from your local machine.
That's it! jHackGuard is now installed on your Joomla website!
How To Configure jHackGuard v2
There are two configuration pages for the jHackGuard system. The first one handles the relation between the extension and your Joomla application and can be accessed through Global Configuration -> jHackGuard. It has a few tabs of configuration options, separated into the following groups:
General jHackGuard Settings
- Enable jHackGuard - this is the general power switch. If set to NO, the extension does nothing, even though it is installed and enabled.
- Log Level - how much information should be logged. "Standard" is the default setting, while "Debugging" (not for daily use) logs everything.
- Log Rotation - how long old logs are kept before they are rotated out.
- Enable admin keyword & admin keyword value - turns the "Additional administrator area protection" on or off and sets the keyword it requires.
- Whitelisted Groups - with this option you can exclude one or more groups from being filtered (e.g. Administrators, Publishers, etc.). Any group listed here bypasses the filters entirely, so keep the list as short as you can.
File Uploads Settings
- Disable all file uploads - this blocks all attempts to upload files to your site.
- Scan uploaded files - all uploaded files are scanned with our built-in rules for malicious code.
- Use Cymru DB - if enabled, all uploaded files are also checked through the Cymru DB service. Note that this involves an external lookup for every upload.
BotScout Settings
BotScout is a free database of known spam bots (http://botscout.com/). Enable it if you want requests that submit data to your site checked against that database.
- Enable BotScout IP checks - the general on/off switch for this check.
- Enable user registration check - also checks user registration requests against the BotScout database.
- Your BotScout API Key - enter the API key, which you can obtain for free from the BotScout site.
Permissions
Here you can set the access each Joomla user group has to the jHackGuard extension itself.
The second group of options controls the way jHackGuard protects your website. You can access it through Components -> jHackGuard. On this page you will find the following sections:
- IP Firewall - here you can blacklist or whitelist IP addresses for your website.
- Input Filters - a table with all the rules used to protect your website from a variety of hacking attacks.
- Output Filters - regular-expression rules that rewrite the site content before it is sent to the browser. These apply to the front end only.
- Botscout Cache Data - inspect the records cached from the BotScout service.
- Filter Maintenance - Update, Reset or Rebuild your Input Filters.
- Events Logs - check out the logs that jHackGuard has stored for your site.
How To Configure jHackGuard v1
The default rules of jHackGuard have been preset by our Joomla specialists, based on their experience fixing a large number of vulnerabilities in Joomla websites. We recommend using the default rules for the best plugin performance. However, if you want to make specific changes to its settings, you can do so from the Plugin Manager page in your Joomla administrator area.
The configurable parameters for the SiteGround Joomla Security Plugin are separated in several groups:
- Log File - Here you can enter the file name where the logs of the plugin's activity are kept. The default file name is jHackGuard-log.php, stored under the logs folder.
- Enable Logging - You can decide whether the plugin activities will be logged.
- Filter $_POST - Filters variables coming from the HTTP POST method.
- Filter $_GET - Filters variables passed to the script through URL parameters.
- Filter $_COOKIE - Filters variables coming from HTTP Cookies.
- Filter eval() - Blocks input that contains a call to eval(), the PHP function that evaluates a string as PHP code.
- Filter base64_decode - Blocks input that contains a call to base64_decode(), which attackers use to hide a payload inside base64-encoded data.
- Filter SQL Commands - Blocks input that contains SQL command patterns. This prevents SQL injection attacks.
- Allow_url_fopen - Turns off the allow_url_fopen PHP setting, which lets file functions open files on remote FTP or web servers. This protects your website against code injection through remote resources.
- Allow_url_include - Turns off the allow_url_include PHP setting, which lets include/require load PHP code from a URL. In this way your website is protected against Remote URL (file) Inclusion attacks.
- Strip Code From User-Agent - strips any PHP and HTML code from the User-Agent header, preventing attacks that hide a payload there.
- Scan Input Keys - scans the input keys (parameter names) for malicious characters as well. Previously only the values were scanned.
- Disable Upload For Guests - File uploads are disabled for guest users. Members and administrators can still upload files without any problems.
- Link Back To SiteGround - adds a link to our site.
Changelog
- Logging options.
- Plugin split into Component + Plugin system.
- Dynamic protection filters.
- BotScout anti-spam protection added.
- Improved user interface.
- Improved logging system.
- Multiple new protection filters added.
- Whitelisting and blacklisting of IPs.
- Improved logging of recorded events.
- Added Joomla 3.0 support.
- Fixed bug with the file upload filter check.
- Plugin now can be updated via the internal Joomla auto update system.
- A brand new "Strict XSS Mode" section has been added in the plugin configuration page.
- location.href will now be filtered when strict mode is enabled.
- String.fromCharCode will now be filtered when strict mode is enabled.
- Input keys will now be scanned as well (only values were scanned previously) for malicious characters. This might cause issues with 3rd party extensions and as such, a separate option is added to the plugin control panel, which allows you to enable/disable this behavior.
- Plugin will now strip PHP and HTML code from the user-agent variable, preventing possible attacks.
- All SQL injection rules will now check the context in which they are used and keywords will no longer be stripped from normal sentences.
- "Union", "and", "or", "select", "update" and "delete" keywords are now properly detected when URL-encoded characters are used (e.g. %6F/%4F for "o" and %72/%52 for "r" in "or").
- File uploads are disabled for guest users. Members and administrators will still be able to upload files without any problems. A control panel option for this feature has been added as well, in case a 3rd party extension requires guests to be able to upload files.
- The eval() and base64_decode() matches are now case-insensitive and trigger properly.
- Fixed a bug in the php.ini file lock obtaining logic. The plugin now sleeps for 0 ms to 100 ms between attempts and tries at most 15 times to obtain a lock on that file.
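The following is an added example, not jHackGuard's own code. It shows the two PHP settings that the v1 "Allow_url_fopen" and "Allow_url_include" options turn off, with the weak configuration beside the hardened one, together with the bounded lock-retry loop the last changelog entry describes (a random 0 ms to 100 ms sleep, at most 15 attempts). Both settings are PHP_INI_SYSTEM, so they cannot be changed with ini_set() at runtime or from .htaccess or .user.ini; they have to be set in the php.ini that PHP loads (on CGI/suPHP hosts that can be a per-account php.ini), which is why a plugin ends up editing that file and has to lock it. The function names, the ini path and the sample php.ini contents are assumptions constructed for the example.

```php
<?php
// Added example (not jHackGuard's code): harden allow_url_fopen /
// allow_url_include in a php.ini under a bounded flock() retry.
// Function names, the path and the sample ini text are assumptions.

const HARDENED = [
    'allow_url_fopen'   => 'Off', // no http:// or ftp:// in fopen()/file_get_contents()
    'allow_url_include' => 'Off', // no include/require of remote URLs (RFI)
];

/** Rewrite ini text so every HARDENED key is present with the hardened value. */
function harden_ini(string $ini): string
{
    foreach (HARDENED as $key => $value) {
        $line    = "$key = $value";
        // Matches an existing (possibly commented-out) line for this key.
        $pattern = '/^[ \t]*;?[ \t]*' . preg_quote($key, '/') . '[ \t]*=.*$/m';
        $ini = preg_match($pattern, $ini)
            ? preg_replace($pattern, $line, $ini)
            : rtrim($ini, "\n") . "\n" . $line . "\n";
    }
    return $ini;
}

/**
 * Take an exclusive, non-blocking lock with bounded retries, as in the
 * changelog: random 0-100 ms sleep, at most 15 attempts. Returns false if
 * another writer still holds the file.
 */
function lock_with_retry($fh, int $maxAttempts = 15): bool
{
    for ($i = 0; $i < $maxAttempts; $i++) {
        if (flock($fh, LOCK_EX | LOCK_NB)) {
            return true;
        }
        usleep(random_int(0, 100) * 1000);
    }
    return false;
}

/** Write the hardened settings into $path under a lock. True on success. */
function write_hardened_ini(string $path): bool
{
    $fh = fopen($path, 'c+'); // read/write, create if missing, do not truncate
    if ($fh === false) {
        return false;
    }
    try {
        if (!lock_with_retry($fh)) {
            return false;
        }
        $current = stream_get_contents($fh);
        $updated = harden_ini($current === false ? '' : $current);
        rewind($fh);
        ftruncate($fh, 0);
        fwrite($fh, $updated);
        fflush($fh);
        flock($fh, LOCK_UN);
        return true;
    } finally {
        fclose($fh);
    }
}

// Constructed sample: a weak php.ini with both settings enabled.
$weak = "; php.ini\nallow_url_fopen = On\nallow_url_include = On\nmemory_limit = 128M\n";
echo harden_ini($weak);

// On a real host (assumed path): write_hardened_ini('/home/user/public_html/php.ini');
// then confirm in a fresh PHP process that (bool) ini_get('allow_url_include') is false.
```

The non-blocking LOCK_NB flag is what makes the retry loop meaningful: a blocking flock() would simply wait, whereas the loop gives up after a bounded delay so a stuck writer cannot hang every request that tries to update the file. The check with ini_get() must run in a new process, because a running PHP worker keeps the settings it started with.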