If you have ever been a regular of the Joomla! forums you have most certainly come across some frustrated post of a paniced user whose site has been hacked. The truth is all web applications suffer from the same phenomenon, not because they are insecure by nature, but because most people don't have the slightest clue on what they are supposed to do to protect their site. Security isn't all that hard, but isn't all that straightforward, either. It's a bit like contraception. It's necessary, but no method is bulletproof. As a result, this article is not meant to be a complete guide to Joomla! security, but - very much like the Joomla! Security Checklist - it is just a set of guidelines you can easily follow, for that extra peace of mind.

[span class=notice]This article was originally written in December with the intent of being volunteered to the Joomla Community Magazine. Three months down the road and things are still stagnating for JCM, mostly due to the unavailability of volunteers. I decided to post this article on my site for two reasons. First being, it would become irrelevant by the time JCM would finally be online. The second - and most important - being a call for volunteers. Joomla! needs you. Please, give some of your time to be part of this. Thank you![/span]

This is an excerpt of my guest blog entry on osSupportDesk's blog. There's a link to the full article below.

A few months ago I had presented one way of automatically assigning subdomains on a local testing web server, without having to edit your httpf.conf file all the time. For those who hadn't been following this blog, I'm talking about my “Holy Grail of local web development servers” article, achieving subdomain names in the format myapp.local.web by simply creating the folder myapp on your local web server's root. Even though the solution presented last time was elegant, it lacked that supernatural touch of a really great solution. I could never quite stomach those ugly URL rewriting rules. So, here it is: we revisit this issue and improve the solution!

Whenever someone decides to launch a website, or hired to do so for a client, he’s given three broad choices which will define how they’ll proceed: static HTML, a CMS or Flash. The former being practically dead due to inflexibility and the latter being not only inflexible, but extremely costly to produce, the CMS route seems a dead end; more specifically, the Open Source CMS route.

Dead end it is. Try raising the simple, innocuous question “Which CMS should I chose for my site?” on any public forum and a war seems to spring right out of nowhere. The fighting fractions are what I usually call The Big Three: Drupal, Joomla! and WordPress fans. But is this all there is to it? Does the Open Source CMS universe revolve around only three players? Given the Open Source spirit of Freedom of choice, one would hardly expect this to be the case. In fact, it isn’t. There is more to Open Source CMS than meets the eye.

Read my guest post on the SpeckyBoy.com design magazine

Joomla! is often paralleled to point-and-click presentation software, such as Impress or PowerPoint, in terms of ease of use. Granted, Joomla! makes it extremely easy to build a site having no knowledge of its internal working, or even what HTML is. However, in order to build a stunning site you need a bit more than that. It’s the tricks in the web builder’s bag which determine his success, both in customer satisfaction and financial terms.

Some of the fundamental techniques for creating compelling sites is your ability to master the use of modules. Often overlooked, modules are the most practical way to integrate diverse content on a single page. Leveraging their use from mere content bearers to integral parts of your content can transform your site from boring to intriguing. The following technique has proved itself again and again in a vast array of site genres. I call it the "Faux module positions" technique.

Read the full article on WebAppers.com

If you manage an ad-supported site, you are probably aware of the problem I’m going to discuss. Some of your ads are stellar, some others are stubborn underachievers, to the extent you might consider them a waste of screen real estate. The truth about ads is that they are position sensitive. Where you put them determines, for the most part, their success. You can’t avoid all bad positions altogether but you can create new competent positions no-one has ever told you about. Implementing this in Joomla! takes 5 minutes and requires no programming skills!

[readon url="http://www.cmsmoz.com/improve-adsense-results-with-on-the-fold-ads"]Read the full article on CMSmoz.com[/readon]

If you are a serious web developer, you might have already figured out that performing experiments and untested upgrades on production servers is a disaster waiting to happen, bringing down the live site with them. Staging live servers (in the form of dev.example.com) usually don't cut it either, especially if you have a lot of file transferring or editing to do. However, local development is still a kludge, as you have to develop in a sub-directory, something like http://localhost/mysite. This has all sorts of implications, the most evident of which being that it breaks cross-content links if you try to pack it and deploy it back to the live site.

Ideally, you would need to develop in subdomains, something like http://mysite.localhost, which would mean that you have the flexibility of local development with the peace of mind of not having to develop in a sub-directory. But, face it. Setting up subdomains is an involving process, requiring hacking around your Apache configuration files. This is suboptimal if you want to do it regularly. Unless you come up with a way to turn http://mysite.localhost to automatically understand where it should find its files.

This article will explain you how to combine WampServer and BIND to create this kind of Holy Grail local web development server on Windows. You will configure a single DNS entry and a single virtual host in order to create a server which can handle infinite subdomains! The only pre-requisite is having a fixed IP address for your server. Well, even will do if you can't do anything better than that!


As the maker of JoomlaPack Akeeba Backup – the Open Source utility to backup, restore and migrate your Joomla! site – I often have to face certain challenges. Like when a user told me that as soon as he transferred his site to a different domain, all links in his content would link to the “old” site. Fighting the temptation to dismiss it as a user error, I did some digging around. Throughout this journey I found out some of Joomla!’s link handling deficiencies, their repercussions and coded a workaround.

In this article I am going to talk about how Joomla! handles the link base and canonical URLs, as well as what happens when you migrate your site to a different domain, subdomain or even a subdirectory.

We live in a potentially hostile world. Spammers, scammers, hackers and - alas! - script kiddies are after our site, for all we know. It's bad if - like most people - your site is your personal page. It's humiliating if - like many - it's the internet presence of your company. It's devastating if you are one of those people whose site is their business. Having regular, automated full site backups is a good first step, but they're only good at fixing a disaster after it has happened. Putting restrictions and controls (such as firewalls and tough passwords) is essential, but only if they don't fail. As Einstein bluntly put it "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former". An ingenius hacker, or a stupid script kiddie, might stumble upon a way to bypass your security controls and gain unauthorized access to your site. They can even hack you yesterday and eploit their back door today.

So, what can we do? Sit around, act casual until disaster strikes? No, not at all. What we need is a proactive check of our site files. If anything unusual is added, removed or modified the equivalent of a red alert should go off in our head and force us to take measures to contain and fix the problem before it's too late. It all boils down to an easy way to get a difference between the current state of our site and the last (and also known good) state of our site. This is the question I tried to answer with JoomlaPack SiteDiff.

Today it was one of my most productive days. After a JCE plugin for K2 content items and putting modules inside tabs, I decided to do some PHP hacking, with great results. The object of my pursuit was to create a variation of the Factory pattern, written in PHP5, which can be serialized and unserialized at will. Purists will observe that my implementation is not a direct implementation of the Factory design pattern. In fact, it is modelled as a serializable version of the Joomla! 1.5 JFactory class, which provides static methods for instanciating Singletons. Let's dive to the code, OK?