jHackGuard is designed by SiteGround to protect Joomla websites from hacking attacks. Just add it to your Joomla and it will be safe against SQL Injections, Remote URL/File Inclusions, Remote Code Executions and XSS Based Attacks!
This plugin has been successfully used by SiteGround customers during the past few years. Now we make its latest version public, so that you can easily protect your Joomla site. All you need to do is to install jHackGuard and enable it - no additional configuration needed!
The SiteGround Joomla Security Plugin can be installed in the same way as every standard Joomla extension.
First, download the extension package to your local computer. To do this, press the Download button above and follow the instructions.
If you are installing the extension on a Joomla 1.5 site, go to the Extensions -> Install/Uninstall page. If you are using Joomla 2.5 (or the older 1.7/1.6), click on the Extensions -> Extension Manager menu.
On this page, click on the Browse button and locate the extension package on your local hard drive. Then click the "Upload File & Install" button. The plugin will be installed and added to your Joomla application.
Last, go to the Extensions -> Plugin Manager page. There, locate the jHackGuard plugin and click on the "enable" icon next to it. This will activate the plugin.
For more information on how to install the extension, check our Joomla 1.5 and Joomla 2.5 tutorials, depending on the version you are using.
Advanced jHackGuard configuration
The default rules of jHackGuard have been preset by our Joomla specialists, based on their experience in fixing a huge number of different Joomla website vulnerabilities. We recommend using the default rules for best plugin performance.
However, if you want to make specific changes to its settings, you can do this from the Plugin Manager page in your Joomla Administrative area. Once there, click on the Security - jHackGuard Plugin label to enter its settings page. The configurable parameters for the SiteGround Joomla Security Plugin are separated into several groups:
- Logging options
  - Log file - Here you can enter the file name where the logs about the plugin activities will be kept. The default file name is jHackGuard-log.php. It is stored under the logs folder.
  - Enable Logging - You can decide whether the plugin activities will be logged.
- Data Streams
  - Filter $_POST - Filters variables coming from the HTTP POST method.
  - Filter $_GET - Filters variables passed to the script through URL parameters.
  - Filter $_COOKIE - Filters variables coming from HTTP Cookies.
- Filtering parameters
  - Filter eval() - Filters the result of the evaluation of a string as PHP code.
  - Filter base64_decode - Filters the result of the base64 encoded data decoding.
  - Filter SQL commands - Filters the execution of SQL commands. This solution prevents SQL injection attacks.
- Advanced Parameters
  - Allow_url_fopen - Disables the option to retrieve files from remote FTP or Web server. This solution protects your web site against code injections.
  - Allow_url_include - Disables the option to include URLs in PHP requests. In this way your web site will be protected against Remote URL Inclusion attacks.
- New Parameters
  - Strip code from user-agent - strips any PHP and HTML code from the user-agent variable preventing possible attacks.
  - Scan input keys - scans the input keys for malicious characters. Previously only the values were scanned.
  - Disable upload for guests - File uploads are disabled for guest users. Members and administrators will still be able to upload files without any problems.
  - Link back to SiteGround - adds a link to our site.
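The input checks listed above (filtering the $_POST, $_GET and $_COOKIE streams, scanning keys as well as values, case-insensitive eval()/base64_decode matching, and stripping code from the user-agent) are shown here in PHP as an added example. It is not jHackGuard's own code; the function names, patterns and sample request data are assumptions.

```php
<?php
// Added illustration, not jHackGuard's source code. All function names,
// patterns and sample data here are assumptions made for the example.

/** Case-insensitive match for eval( / base64_decode( or markup characters. */
function is_suspicious(string $s): bool
{
    return preg_match('/\b(?:eval|base64_decode)\s*\(/i', $s) === 1
        || preg_match('/[<>]/', $s) === 1;
}

/** Walk one data stream and report every offending key and value by path. */
function scan_stream(array $data, string $prefix = ''): array
{
    $hits = [];
    foreach ($data as $key => $value) {
        $path = $prefix === '' ? (string) $key : "{$prefix}[{$key}]";
        if (is_suspicious((string) $key)) {
            $hits[] = "key   $path";
        }
        if (is_array($value)) {
            $hits = array_merge($hits, scan_stream($value, $path));
        } elseif (is_suspicious((string) $value)) {
            $hits[] = "value $path";
        }
    }
    return $hits;
}

/** Strip PHP tags and HTML markup from a User-Agent header value. */
function clean_user_agent(string $ua): string
{
    $ua = preg_replace('/<\?.*?(\?>|$)/s', '', $ua) ?? '';
    return trim(strip_tags($ua));
}

// Constructed sample request data (in a plugin: $_GET, $_POST, $_COOKIE).
$streams = [
    'POST'   => ['title' => 'Hello', 'opt' => ['EVAL(x)' => '1', 'n' => 'ok']],
    'GET'    => ['page' => '2', 'q' => 'Base64_Decode ("aGk=")'],
    'COOKIE' => ['lang<b>' => 'en'],
];
foreach ($streams as $name => $data) {
    foreach (scan_stream($data) as $hit) {
        echo "$name: $hit\n";
    }
}
echo clean_user_agent('Mozilla/5.0 <?php echo 1; ?><b>(X11)</b>'), "\n";
```

The POST sample carries its payload in a parameter name, which a scanner that only looks at values would pass unchanged.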
jHackGuard for Joomla 2.5/3.0 Changelog
- Version 1.4.2
  - Improved logging of recorded events.
- Version 1.4.0
  - Added Joomla 3.0 support.
- Version 1.3.4
  - Fixed bug with the file upload filter check.
- Version 1.3.3
  - Plugin now can be updated via the internal Joomla auto update system.
- Version 1.3.2
  - A brand new "Strict XSS Mode" section has been added in the plugin configuration page.
  - Location.href will now be filtered when strict mode is enabled.
  - String.fromCharCode will now be filtered when strict mode is enabled.
  - Input keys will now be scanned as well (only values were scanned previously) for malicious characters. This might cause issues with 3rd party extensions and as such, a separate option is added to the plugin control panel, which allows you to enable/disable this behavior.
  - Plugin will now strip PHP and HTML code from the user-agent variable, preventing possible attacks.
  - All SQL injection rules will now check the context in which they are used and keywords will no longer be stripped from normal sentences.
  - "Union", "and", "or", "select", "update" and "delete" keywords are now properly detected when URL encoded characters are used (e.g. %6F/%4F and %72/%52 for "or").
  - File uploads are disabled for guest users. Members and administrators will still be able to upload files without any problems. A control panel option for this feature has been added as well, in case a 3rd party extension requires guests to be able to upload files.
  - Matching of the eval() and base64_decode() functions is now case-insensitive and will trigger properly.
  - Fixed a bug in the logic that obtains a lock on the php.ini file. The plugin will now sleep for 0ms - 100ms and will try a maximum of 15 times to obtain a lock on that particular file.
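The two SQL-related changes in version 1.3.2 (context-aware rules and detection of URL-encoded keywords) are illustrated below in PHP as an added example. It is not jHackGuard's rule set; the function names, the three patterns and the sample inputs are assumptions.

```php
<?php
// Added illustration, not jHackGuard's rule set. Function names, patterns
// and sample inputs are assumptions made for the example.

/** Decode percent-escapes until stable, so double encoding is unwrapped. */
function decode_fully(string $s, int $maxPasses = 5): string
{
    for ($i = 0; $i < $maxPasses; $i++) {
        $next = rawurldecode($s);
        if ($next === $s) {
            break;
        }
        $s = $next;
    }
    return $s;
}

/** Names of the rules that fire; keywords in ordinary prose match nothing. */
function sql_rules_hit(string $raw): array
{
    $rules = [
        // "union" only counts when it introduces a SELECT.
        'union-select' => '/\bunion\s+(?:all\s+)?select\b/i',
        // "or"/"and" only count when followed by a comparison.
        'tautology'    => '/\b(?:or|and)\s+([\'"]?)\w+\1\s*=\s*\1\w+/i',
        // "update"/"delete" only count when stacked after ; or a quote.
        'stacked'      => '/[;\'"]\s*(?:delete\s+from|update\s+\w+\s+set)\b/i',
    ];
    $text = decode_fully($raw);
    $hits = [];
    foreach ($rules as $name => $pattern) {
        if (preg_match($pattern, $text) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed inputs: prose, single-encoded "or", double-encoded "union select".
$samples = [
    'Please select a plan or update your order',
    '1 %6F%72 1=1',
    '1 %2575nion %2573elect 1,2',
];
foreach ($samples as $s) {
    echo str_pad($s, 44), ' => ', implode(',', sql_rules_hit($s)) ?: 'clean', "\n";
}
```

Decoding until the string stops changing matters because PHP has already decoded request values once, so any escapes still present at filter time indicate a second layer of encoding.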
The SiteGround Joomla Security Plugin secures Joomla web sites by protecting them against different hacking techniques. It filters the data from the users' input and implements additional PHP security settings.
The SiteGround Security extension contains very advanced security / filtering options. It comes with a predefined rule set which works for most cases. Still, if you'd like to tweak it there are many options. Fortunately, it has a log and you can debug any unexpected behavior.
The SiteGround Joomla Security Plugin can be configured through the Joomla administrator area. The plugin is disabled for authenticated administrators so that the filters don't prevent them from doing administrative tasks.