Early last week, we had a case where a malicious extension was quietly installed on the Joomla website of one of our clients. Luckily, our extra security measures prevented actual harm, but we were still confident that a slightly more persistent attacker could have wiped out the entire website.
What was surprising, though, was not that the attacker was lazy (malicious users generally are very, very lazy), but that he was able to install a malicious extension at all on a heavily protected Joomla website. We needed to find out how it was done in order to prevent it in the future…
So, we examined the logs thoroughly, and it didn’t take us long to find out how that malicious extension was installed: through Joomla’s backend. Our next job was to check how the attacker gained access to the backend, and it also didn’t take us long to find out that he logged in with a valid username and password, which meant that the credentials of one super user were compromised! What was even worse was that there was no evidence of brute force in the logs, which meant that he knew the username and password in advance! A horrible thought, probably more horrible than the reaction of Jimmy the Tulip after realizing that there’s mayonnaise in his burger! Why is it that horrible, you might wonder? Because an attacker holding valid credentials looks exactly like the legitimate super user in every log, and you can’t do much to protect a website with a compromised set of credentials other than change the password!
But we decided to do more: we decided to protect the website with an additional login, the .htpasswd login! In case you’re wondering what it is, this is HTTP Basic authentication handled by Apache itself: an .htaccess file placed in a directory tells Apache to demand a username and password, checked against the hashes stored in an .htpasswd file, before it serves anything from that directory. Here’s how we did it:
- We generated the .htpasswd file. You can do this with an online tool (just google “generate .htpasswd”), but bear in mind that you are then handing your password, and the hash derived from it, to a third party. You can also generate it from the command line with the htpasswd utility (shipped with apache2-utils or httpd-tools) if you have shell access to the server hosting your Joomla website. (Note: we re-generated the .htpasswd from the command line for that website, as we weren’t comfortable using a set of credentials produced by an online tool.)
- We copied the .htpasswd file to the /home folder on the server, outside the web root so it can never be served to a browser, and we ensured that the Apache user (the account the Joomla website runs as) has read access to that file. Nobody else on the server needs to read it.
- We created an .htaccess file under the administrator directory of the Joomla website and added the following lines to it:
AuthName "Authorisation Required"
AuthUserFile /home/.htpasswd
AuthType Basic
Require valid-user
ErrorDocument 401 "Authorisation Required"
That’s it! Now anyone who wants to log in to the backend has to get past a second set of credentials first. One caveat: Basic authentication sends the username and password (merely base64-encoded) with every request to the administrator directory, so the backend must be served over HTTPS or the second password travels in the clear.
We know – this is ridiculously easy! What’s even more exciting is that on our servers any brute force attack against this login is blocked automatically by CSF (ConfigServer Security and Firewall), whose lfd daemon tracks htaccess authentication failures when that option (LF_HTACCESS) is enabled, after 5 failed attempts by default.
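The three steps above as one checked script. This is an added example, not code from the original post: the document root, the password-file path, the user name and the bcrypt cost are illustrative assumptions, and the verification step assumes curl is available. It prefers Apache’s own htpasswd with bcrypt and falls back to openssl’s $apr1$ scheme (which Apache also accepts, but which is MD5-based and far cheaper to crack offline) only when htpasswd is not installed.

```shell
#!/bin/sh
# Added example (not from the original post): put an Apache Basic-auth gate on
# Joomla's /administrator directory. DOCROOT, AUTH_FILE, the user name and the
# bcrypt cost are assumptions for illustration; adapt them to your host.
set -eu

# Step 1: print one "user:hash" line, reading the password from stdin so it
# never lands in shell history or in `ps` output. Prefers htpasswd with bcrypt
# (-B, cost -C 12); falls back to openssl's $apr1$ scheme (MD5-based, weaker).
make_htpasswd_entry() {
    user=$1
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -niBC 12 "$user"
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s:%s\n' "$user" "$(openssl passwd -apr1 -stdin)"
    else
        echo "need htpasswd (apache2-utils/httpd-tools) or openssl" >&2
        return 1
    fi
}

# Step 2: write the entry to AUTH_FILE, created with a restrictive umask so it
# is never world-readable, then opened to Apache's group only. On a real host
# run as root and add: chown root:<apache group> "$auth_file".
install_htpasswd() {
    auth_file=$1; user=$2
    ( umask 077; make_htpasswd_entry "$user" > "$auth_file" )
    chmod 640 "$auth_file"   # owner rw, Apache's group r, everyone else nothing
}

# Step 3: the directives from the post, written into administrator/.htaccess.
# AuthUserFile must be an absolute path. The literal 401 message gives Apache a
# body for the 401 response that does not depend on a separate error page being
# reachable; an existing .htaccess is left alone rather than overwritten.
write_admin_htaccess() {
    docroot=$1; auth_file=$2
    target="$docroot/administrator/.htaccess"
    if [ -e "$target" ]; then
        echo "$target already exists; merge by hand instead of overwriting" >&2
        return 1
    fi
    cat > "$target" <<EOF
AuthName "Authorisation Required"
AuthUserFile $auth_file
AuthType Basic
Require valid-user
ErrorDocument 401 "Authorisation Required"
EOF
}

# Sanity check before trusting the setup: the password file must not live under
# the web root (it could be downloaded), must not be world-readable, and the
# .htaccess must carry every directive. Returns 1 on the first failure.
check_layout() {
    docroot=$1; auth_file=$2
    abs_root=$(cd "$docroot" && pwd -P)
    abs_auth=$(cd "$(dirname "$auth_file")" && pwd -P)/$(basename "$auth_file")
    case "$abs_auth" in
        "$abs_root"/*) echo "FAIL: $auth_file is inside the web root" >&2; return 1 ;;
    esac
    if [ -n "$(find "$abs_auth" -perm -004)" ]; then
        echo "FAIL: $auth_file is world-readable" >&2; return 1
    fi
    for d in AuthName AuthUserFile 'AuthType Basic' 'Require valid-user' 'ErrorDocument 401'; do
        grep -q "^$d" "$docroot/administrator/.htaccess" \
            || { echo "FAIL: .htaccess is missing '$d'" >&2; return 1; }
    done
    echo "OK: password file outside web root, not world-readable, all directives present"
}

# Step 4: prove it from outside. Expect 401 anonymously and something other
# than 401 (Joomla's own login page) with the Basic-auth credentials. Passing
# only the user name to -u makes curl prompt for the password.
verify_protection() {
    url=$1; user=$2
    anon=$(curl -s -o /dev/null -w '%{http_code}' "$url")
    auth=$(curl -s -o /dev/null -w '%{http_code}' -u "$user" "$url")
    echo "anonymous: $anon  with credentials: $auth"
    [ "$anon" = 401 ] && [ "$auth" != 401 ]
}

# Usage (password on stdin):
#   printf '%s\n' 'long random passphrase' | sh protect_admin.sh /var/www/joomla /home/.htpasswd alice
if [ "$#" -eq 3 ]; then
    install_htpasswd "$2" "$3"
    write_admin_htaccess "$1" "$2"
    check_layout "$1" "$2"
fi
```

Run verify_protection against https://example.com/administrator/ once the files are in place; if the anonymous request does not come back as 401, Apache is not honouring the .htaccess (typically AllowOverride is off for that directory) and the extra login is not actually in force.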
But how did the malicious user know the username and the password of the super user?
We’re not certain, but we’re inclined to think that one of the client’s senior staff had malware on his machine, which captured the Joomla credentials and sent them to the attacker. You might object that the same could happen to the .htpasswd credentials, and you’d be right; but the backend now needs both sets of credentials, so a stolen Joomla password alone is no longer enough, and since the incident the company has adopted a policy of scanning its entire network of PCs daily and immediately disconnecting any infected machine.
We hope you found this post useful! If you did, then we did a good job! If, however, you feel that you need help password protecting your Joomla website with an .htpasswd file, just contact us. Our rates are affordable, our work is quick and professional, and we love, we really love, our clients, and our clients love us!
A good explanation! I’m glad you added the:
ErrorDocument 401 "Authorisation Required"
A couple of times I've used Admin Tools Core to set up .htpasswd and it's not added the above line leaving me locked out of the website.
And don't forget Joomla! now has the ability to work with two-factor authentication. For me it's simpler than trying to remember another pair of passwords. I wonder how many people set their .htpasswd credentials up the same as the Joomla! admin login just so they don't have to remember another set?