
Securing Joomla - Fingerprinting Countermeasures


Protect the /administrator URL

Although listed above, this change is important enough to mention again.

One telltale signature of Joomla is the presence of an /administrator URL. Simply visiting a domain and adding /administrator could disclose that the site is running Joomla. Early versions even gave the Joomla version on the /administrator login page. Since those early days, much has been learned by the Joomla core developers and many 3rd party developers.

Years ago, an attempt to make the /administrator URL a dynamic configuration failed due to technical reasons. It was possible, and many did it successfully, but it required constant maintenance and was frequently broken after Joomla updates.

Today, many extensions exist to protect the /administrator area, but the question is which solution is "best" at both securing /administrator and preventing detection. Two options:

  1. AdminExile system plugin
  2. Clipper system plugin, with the Admin Protect plugin installed and enabled

Remove the Joomla generator meta tag

The generator tag is a fingerprinting item used by attackers to determine that your site runs Joomla. If configured, your site may also disclose the Joomla version inside of the generator tag content. Many options exist to remove this meta tag.

  1. ByeByeGenerator system plugin
  2. Clipper system plugin, with the Remove Generator plugin installed and enabled
  3. Several others exist, but few are as efficient as the two RicheyWeb options above.

Clean references to com_ajax and other component options

When your site is running with URL Rewrite enabled, most of the links within Joomla are converted to SEF URLs. Some, however, are not. On every page that contains a mod_login, the keepalive JavaScript references the com_ajax component directly, with a fingerprintable URL. Any extension that calls upon com_ajax to perform keepalive will do this, and many other extensions leak in the same way. It is easy to overcome with some simple replacements.

  • Using something like Re-Replacer from Regular Labs - create a new entry that searches the output for "index.php?option=com_ajax&" - replacing it with "component/ajax?"
  • Look in your output for any URL containing "index.php?option=", and use a similar replacement technique to prevent disclosing that your site runs Joomla.
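An added example, not from the article or the RicheyWeb plugins, of the same output filtering done in Python over a constructed page: it strips the generator tag, rewrites the com_ajax keepalive URL to the component/ajax form suggested above, and then audits which other index.php?option= references remain. Note that URLs inside HTML attributes carry &amp; rather than a bare &, so a replacement entry that only searches for the bare & form misses those; the pattern below accepts both.

```python
import re

# Constructed sample of Joomla page output (not captured from a real site):
# it carries the generator tag, a mod_login style keepalive request into
# com_ajax, and one ordinary non-SEF component link.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="Joomla! - Open Source Content Management" />
<script>
/* constructed stand-in for the mod_login keepalive request */
setInterval(function () {
  fetch("/index.php?option=com_ajax&format=json");
}, 840000);
</script>
</head><body>
<a href="/index.php?option=com_users&amp;view=login">Login</a>
<a href="/component/ajax?format=json">already SEF</a>
</body></html>"""

GENERATOR_RE = re.compile(r'\s*<meta\s+name="generator"[^>]*>', re.IGNORECASE)
# Accept the raw "&" used in inline JavaScript and the "&amp;" used in attributes.
COM_AJAX_RE = re.compile(r'index\.php\?option=com_ajax(?:&amp;|&)', re.IGNORECASE)
OPTION_RE = re.compile(r'index\.php\?option=(com_[A-Za-z0-9_]+)', re.IGNORECASE)


def scrub_fingerprints(html: str) -> str:
    """Drop the generator meta tag and turn com_ajax keepalive URLs into the
    SEF form the article suggests (component/ajax?...)."""
    html = GENERATOR_RE.sub("", html)
    return COM_AJAX_RE.sub("component/ajax?", html)


def remaining_option_urls(html: str) -> list:
    """Audit step: list every component still referenced through a raw
    index.php?option= URL, so each one can get its own replacement entry."""
    return sorted({m.group(1).lower() for m in OPTION_RE.finditer(html)})


if __name__ == "__main__":
    cleaned = scrub_fingerprints(SAMPLE_HTML)
    print(cleaned)
    print("still leaking:", remaining_option_urls(cleaned))
```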

Hiding SQL, XML and INI files

There is seldom a need to serve SQL, XML or INI files directly. Usually Joomla output is the favicon, template output, JavaScript, and CSS (and maybe some webfonts). But every Joomla extension has at least one XML and at least a couple of INI files. Fingerprinting Joomla becomes trivial when you can type a URL to find the EXACT version of Joomla running on a site. Try it out:

https://www.joomla.org/administrator/manifests/files/joomla.xml

You can't do that on RicheyWeb though...

https://www.richeyweb.com/administrator/manifests/files/joomla.xml

Because the Joomla installer, JForm and JLanguage depend on them, these files are absolutely essential to Joomla frontend operation and cannot simply be removed. So what can an administrator do?

.htaccess to the rescue!

Using just 3 rules, it's possible to make SQL, XML and INI files completely inaccessible from the web - but still accessible to the Joomla processes that need to use them.

# F = answer 403 Forbidden, L = stop processing further rules, NC = match case-insensitively
RewriteRule .*\.xml$ - [F,L,NC]
RewriteRule .*\.ini$ - [F,L,NC]
RewriteRule .*\.sql$ - [F,L,NC]

These 3 rules block any attempt to access a file ending with .xml, .ini, or .sql. They also block anything else on the site with those extensions, such as a static sitemap.xml, so add an exception for any such file you intend to serve.

If you're running NGINX, you'll have to create a location block instead (this one answers 404 rather than 403; either denies access):

# ~* makes the match case-insensitive and $ anchors it to the end of the URI,
# mirroring the NC and $ of the Apache rules; without $ the pattern would also
# hit paths such as /backup.sql.txt, and without ~* it would miss /FILE.XML
location ~* \.(xml|ini|sql)$ {
    return 404;
}