Hacker Beware - Frequently Asked Questions
Below, we try to answer the most frequently asked questions about the 'Hacker Beware' Joomla security script. The script hasn't been used too widely (it is new, after all), but it has been tested on one or two high-profile sites to good effect. It has been used on this site, in one form or another, since its inception about a year ago, and a few friends and colleagues have tried the script out on live sites - even on client sites - during that period. A certain template site also tried the software and I think it is fair to say we saw a noticeable drop in malicious traffic during that time.

Q: Do I need to switch on core SEF?
A: Joomla does not have to have SEF enabled - but the server has to have mod_rewrite enabled. This also means the feature is only available on Apache-based web servers.

Q: What does this script do?
A: The script protects your site from three types of attack.

Attack One: Joomla Hacking
These are requests that attempt to pass filenames and internal variables into Joomla to change the way your site functions. Common examples include attempts to load the attacker's configuration file via the internet rather than your own configuration file. Following discussions in the Joomla Security Forums, the Joomla Security team introduced code a few versions ago to block specific attempts. This code is effective - but does not ban the hacker permanently - leaving them to keep trying other attacks - perhaps until they are successful. My script borrows this detection method but, on the first instance of attempted abuse, BLOCKS the IP address of the user permanently.

Attack Two: Site Rippers
A less severe threat but still an abuse: some people will try to 'spider' (download) your entire site. This could be for 'offline reading' but is more likely an attempt to download documents or files that are intended to be secret - perhaps accidentally linked to or accessible through automatic indexing.
The script detects known bad 'User Agents' - the name that such a script uses to identify itself. User Agents include web browsers, and out of courtesy they should identify themselves. For example, Internet Explorer identifies itself as
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Google's robot identifies itself as

Attack Three: Robots.txt abuse
A robots.txt file is a special file requested by search engines to see if there are any sections of a site that they should steer clear of. Some malicious individuals - and malicious scripts - will request this file to look for these locations and then head straight on over to them. 'Hacker Beware' detects this behaviour and bans the IP address of the offender.

Q: How do I know it's working?
A: Obviously you need to test each of the three abuses that the script protects you against. After being blocked, you will have to unblock yourself before you can continue.

1. To test your Joomla hack protection:
Try to access your site with the following query:
http://www.[yourdomain].com/?mosConfig_foo=bar
You should be shown a blank screen. Thereafter you will not be able to access ANY of your site - congratulations - you've been blocked, you evil haxxor.

2. To test the Site Ripper protection:
You will need to be able to attempt to access your site with a blocked user-agent. The easiest way to do this is to use the Firefox web browser with the User-Agent switcher available from Chris Pederick's website. Whilst you are there, install the Web Developer toolbar if you have not done so already. Also - while you are there - make a donation. If you are a web developer, or if you run a website, Chris's tools will save you a fortune in time and effort.

3. To test your robots.txt abuse protection:
Attempt to access http://www.[yourdomain].com/bot-trap/

Don't forget to test whether you are blocked after each 'test'. Try to access your site's homepage. You will receive a 'Forbidden' error if you have been blocked.
You will need to unblock yourself before you can proceed.

Q: How do I unblock myself?
A: That part is easy - use your FTP program to edit the .htaccess file. You should find an entry at the bottom of the file that corresponds to your IP address:
deny from aaa.bbb.ccc.ddd
First identify the line that corresponds to your IP address. If you don't know your IP address, read the e-mail that the website just sent you - if you are the Super Administrator. Alternatively, use a website like whatsmyip.com to identify your IP address. Once you have found the line in question, delete that line - and only that line.

Q: I renamed a file as .htaccess and now I can't find / see it - where did it go?
A: By convention 'dot files' - those files whose filename starts with a dot - are hidden on Unix filesystems. Some FTP programs honour this convention and hide the files from view. There is usually an option - either for this session, or for the global settings within the FTP program - that will make these files visible. Look for a 'show all files' option.
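
The ban lifecycle described in this FAQ, as an added example that is not the Hacker Beware script's own code: the three triggers are matched against constructed requests, one 'deny from' line is appended per offender, and the unblock step removes the line for exactly one IP address. The bad-agent list, the prefix match on mosConfig_ parameter names, the function names and the sample IP addresses are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed sample of "known bad" agent substrings; the script's real list is not on the page.
BAD_AGENTS = ("httrack", "webcopier", "wget")
TRAP_PATH = "/bot-trap/"  # trap location used in the FAQ's test step 3
IE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  # browser string quoted in the FAQ

def ban_reason(url, user_agent):
    """Return which of the three FAQ triggers a request hits, or None."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if any(name.startswith("mosConfig_") for name, _ in params):
        return "joomla-hack"      # internal variable passed in from outside
    if any(bad in user_agent.lower() for bad in BAD_AGENTS):
        return "site-ripper"      # self-identified site downloader
    if parts.path.startswith(TRAP_PATH):
        return "robots-abuse"     # visited a path only robots.txt mentions
    return None

def add_ban(htaccess, ip):
    """Append one 'deny from' line unless that exact IP is already listed."""
    line = f"deny from {ip}"
    lines = htaccess.splitlines()
    if line not in (l.strip() for l in lines):
        lines.append(line)
    return "\n".join(lines) + "\n"

def remove_ban(htaccess, ip):
    """Unblock: delete the line for exactly this IP and leave every other line alone."""
    exact = re.compile(r"^\s*deny\s+from\s+" + re.escape(ip) + r"\s*$", re.I)
    return "\n".join(l for l in htaccess.splitlines() if not exact.match(l)) + "\n"

# Constructed sample requests (client IP, URL, User-Agent); IPs are documentation ranges.
REQUESTS = [
    ("203.0.113.7", "http://www.example.com/?mosConfig_foo=bar", IE),
    ("203.0.113.70", "http://www.example.com/index.php", "HTTrack 3.0"),
    ("198.51.100.9", "http://www.example.com/bot-trap/", IE),
    ("192.0.2.1", "http://www.example.com/index.php?option=com_content", IE),
]

def run(htaccess="RewriteEngine On\n"):
    """Apply the three checks to every sample request and return the updated file text."""
    for ip, url, agent in REQUESTS:
        if ban_reason(url, agent):
            htaccess = add_ban(htaccess, ip)
    return htaccess

if __name__ == "__main__":
    print(run())
```

The exact-match pattern in remove_ban is what keeps the entry for 203.0.113.70 in place when 203.0.113.7 is unblocked, which a plain substring search on the address would not.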



