Default Joomla Admin User Changer

If you use Joomla regularly to develop your website, you may not have realised that each install you do has one common element with almost every other Joomla installation out there on the internet. Some of you reading this are probably thinking “oh sure… whatever… you are definitely smoking a lot of heavy drugs…” or “What are you on about?!?!?”… Sure, there are a lot of common elements between each Joomla install that you make, and after building a few Joomla sites you have a series of steps you take each time you install the software on your new site(s). Here are a couple of basic things that you should do to secure your installation of Joomla. I have collated this information after about 4 years of using Joomla, right from version 1.0.9.

  1. If you are not using any of the default templates installed with Joomla, do the smart thing and delete them from the install. Hackers will attempt to use those default templates to hack Joomla-based sites.
  2. If you are using a default Joomla template, change the files you need and then set the file permissions for the template to 644 via FTP in the /templates/templatename/ folder.
  3. Regularly check that all the components you have used are up to date.
  4. If you log in to the admin area (http://www.yoursitename.com/administrator/) using the username “admin”, a smart move is to log in and change the username.
  5. Make sure that you have a reliable and functional .htaccess file that has the default Joomla settings in it (a file called “htaccess.txt” is installed by default with Joomla; you can rename it to .htaccess to use the SEF URL feature of Joomla), and also make sure that you have successfully added a function called “disable_functions”. This will ensure that some common functions used to hack a Joomla site are disabled.
  6. Create a second super administrator username / password just in case you need it.
  7. Finally, change the user id for the default Joomla “admin” user account.

With the last point of changing the default user id for the user account “admin”, I did not realise that each install of the user account is the same out of the box. Now you are probably wondering why or how that affects you. It was only a few weeks ago that I discovered that every Joomla installation you do has the same default user id. For example, in Joomla 1.0.x through to Joomla 1.5.20 the default user id is set as 62. In Joomla 1.6 it is user id 42. So why should you change this number? Well, I have a site that is a couple of years old now. I do not update it often, let alone visit it and make sure it is up and running. A few people say to me “you are mad, you should make sure your own site is up and running!!!” Yes, they are right, I should; however, this site is not overly important to me. But for some reason I decided to visit it about a week ago to see if it was still there (e.g. working and not hacked)…. Did I get a shock!!! It had been defaced, and not in a normal way. All of my template files had been modified and even my content… I went to log in and found out that the admin password had been changed. I did some research and found out that the hackers used a simple query string to update the user table to reset my admin user password.

After a bit more investigation I decided to investigate why this happened and how I could fix it. One of the things that the Joomla Security Strike Team recommends is that you change the default user id in the database so that the hackers cannot use it as a back door. It is a bit of a long-winded process and one that I found frustrating. In turn, after a bit of research and development, I have got a script that will now change your default admin username and user id in the database to make your site that little bit more secure. It takes about 5 minutes to configure, but I am sure it will save you endless headaches in the future.
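To check whether a site still has the defaults described above (checklist points 4, 6 and 7), here is a read-only audit as an added example; it is not the author's script and changes nothing in the database. Assumptions: the `jos_users` table name and its `id`, `username`, `usertype` and `block` columns follow a Joomla 1.5 style schema, the function names are hypothetical, and an in-memory SQLite database with constructed rows stands in for the site's MySQL database.

```python
import sqlite3

# Default ids the post gives: 62 for Joomla 1.0.x to 1.5.20, 42 for Joomla 1.6.
DEFAULT_ADMIN_IDS = {62, 42}
DEFAULT_ADMIN_USERNAME = "admin"
SUPER_ADMIN = "Super Administrator"  # assumed usertype label (Joomla 1.5 style)


def audit_admin_accounts(conn, table="jos_users"):
    """Return a list of findings; an empty list means every check passed.

    `table` is an assumption (use your own prefix). Identifiers cannot be
    bound as query parameters, so the name is validated before use.
    """
    if not table.replace("_", "").isalnum():
        raise ValueError("unexpected table name")
    rows = conn.execute(
        f"SELECT id, username, usertype, block FROM {table}"
    ).fetchall()
    findings = []
    active_supers = 0
    for uid, username, usertype, block in rows:
        if usertype != SUPER_ADMIN:
            continue
        if not block:
            active_supers += 1
        if uid in DEFAULT_ADMIN_IDS:
            findings.append(f"super administrator '{username}' has default id {uid}")
        if username.lower() == DEFAULT_ADMIN_USERNAME:
            findings.append(f"super administrator id {uid} uses username 'admin'")
    if active_supers < 2:
        findings.append("fewer than two active super administrator accounts")
    return findings


def build_sample_db(rows):
    """Constructed sample data: in-memory SQLite stand-in for the site database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE jos_users "
        "(id INTEGER PRIMARY KEY, username TEXT, usertype TEXT, block INTEGER)"
    )
    conn.executemany("INSERT INTO jos_users VALUES (?, ?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    fresh_install = build_sample_db([(62, "admin", SUPER_ADMIN, 0)])
    for finding in audit_admin_accounts(fresh_install):
        print("FINDING:", finding)
```

Against a real site, run the same `SELECT` through your MySQL client or driver with a read-only database account.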

I have provided a copy of the script for you to download. This one I am charging $5 USD for, as it is something that I believe, with the research and development done to make it available, is worth it.

Click here to get your copy of the Joomla Admin User Changer.