Last month a customer came to me asking whether I could help him: his site had been compromised and his business customers had alerted him that his Joomla website was serving porn. He was losing business... big time, as the word spread...
I checked his site and could not find anything hacked, but further investigation showed that when googling his site, all kinds of porn and abuse URLs were pointing to his site, with his domain name as the domain in the URL. So Google was listing porn URLs that, when clicked, would take you to his site.
How is that even possible?
How is it possible that the Google search results contain links to your website that do not exist on your website... but work anyway?
Well, as it turned out, it is actually very simple. The ‘hackers’ who targeted his site to hurt his business used good old Google and a ‘vulnerability’ in Joomla 3 (which is even present in Joomla 4) to give him a (very) bad online reputation.
So how does it work?
Let’s replicate my customer’s issue for the joomla.org website...
Let’s target the main joomla.org website as a proof of concept.
Joomla is bad for SEO
Did you know that Joomla actually is the worst when it comes to Search Engine Optimisation? All people looking for tips and best practices know that. You can read all about it on the Joomla site itself, where there is a very valuable blog post addressing this and giving you tips and tricks on how to migrate seamlessly to Wordpress, which is way better at SEO and isn’t vulnerable to hacks. Read it on the Joomla site here: https://www.joomla.org/announcements/release-news/5834-why-you-should-never-use-joomla
Hmmm, everybody can type this (italics) text on their website, so what is the issue?
The issue is the URL provided! Note that this is an OFFICIAL joomla.org URL that will resolve without issues (as in: no 404). Go ahead, click it!
So the Google crawler visits my site / this article, tries to follow the links on my page to index them and behold... https://www.joomla.org/announcements/release-news/5834-why-you-should-never-use-joomla resolves okay!
Google will now add that specific (bogus) link to their database WITH the context they found describing that URL.
Because the link points to joomla.org itself it gets a high authority score and will most likely end up on the first search page for people searching for reasons NOT to use Joomla (as that text is in the actual URL, another high-ranking SEO signal).
And you know.... when Joomla themselves tell you they should never be used, then it must be true!
So how to prevent this ‘feature’?
After finding this ‘business’ vulnerability, I contacted the Joomla Security Strike Team... it took some time for them to respond, and they told me that this wasn’t a security issue, so there was not much they could do...
Then I looked at why this was happening: why is the Joomla router (the part of Joomla responsible for resolving the URL to the correct page) resolving ‘bogus’ links instead of stopping them from being indexed?
I did a deep dive into the Joomla router code and found that the Joomla router only looks at the number (the article ID) in the URL, not at the alias that follows the ID. So no matter what alias you type in, as long as the ID exists it will resolve to the article with that ID, where you would expect a 404 to be thrown because the alias is not correct.
Next I looked at the Joomla 4 code and found that the exact same logic is implemented there. So I decided to create a PR for Joomla 4 addressing this issue. My plan was to get this fixed in Joomla 4 and then do a PR for Joomla 3.
That Joomla 4 PR has been pending for weeks and is not likely to get merged, for the obvious reason: the ones deciding do not have the issue because they configured their site NOT to use the IDs in the URL.
What can you do to prevent your site and business from being hit with this vulnerability?
Make a URL redirect plan, switch your site to the modern router AND disable the IDs in the URL. Note that the modern router (even the one in Joomla 4) still has this issue when the article ID is used in the URL!
Be aware that switching off the ID will change your URLs, and without redirects to the new pages without the ID you will lose your SEO score, as Google retains it on a per-URL basis.
If switching to the modern router WITHOUT article ID is not an option for you (it wasn't an option for my customer, as he has over 90.000 articles and redirects would 'kill' his site), then you need to apply my PR manually (and redo that with every Joomla update).
What if you are hit by this vulnerability and want to get rid of the bogus information about you / your site on Google?
Well, good luck then. It is possible to remove URLs from the Google search index, but for that you need the exact URLs... no wildcards allowed. And if you do not switch to the modern router without article IDs, chances are high that the bogus links will be back within a week after you removed them from the index.
My customer had thousands of porn URLs pointing to his site, so it took some time to find these and to remove them from the search index.
So there you have it.
I hope this helps you to keep not only your site safe, but also your business!
I need to find some time to decouple that functionality from my customer's 'toolbox' plugin. I'll try to do it this week.
I will do an update on this topic so you will be notified.
I wrote this article after discussion with the Joomla Security Strikeforce. If you aren't going to fix it at least make people aware of the issue and what potentially can be done about it.
The issue here is that the people 'in charge' of doing something about it do not have the issue: IMO it is as simple as that.
I did a PR for it for Joomla 4 (which also has this issue), but the only feedback I got was on code styling, then nothing. So I closed that PR to get the attention back on the original issue. github.com/joomla/joomla-cms/pull/32500
What the PR did was give the user a choice: loose resolving (the way it is now), or strict resolving (require both the id and a matching alias).
As said, due to lack of interest I pulled that PR. I know Phil Taylor also did a number of PRs for Joomla 3, but again, these stranded due to no feature (?) requests anymore for Joomla 3.
Because I don't want to make sites unprotected (by doing core changes) I have created a system plugin for a customer who was facing this exact issue. It checks the article id against the alias in the URL and matches that with the alias of the article: if they are not the same, 404 / 410. This is only on the article alias, not the category alias (which again can be anything).
If you are interested I can create a standalone system plugin for that and push it to github
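As an added example (not Joomla's router code and not the author's plugin), here is a Python model of the loose, id-only resolving described in the article and of the strict id-plus-alias check the plugin in the comments describes, plus a helper that picks the exact bogus URLs out of a crawled list for index removal. The article table, the aliases and the crawled paths are constructed sample data; the article ID 5834 is taken from the URL in the article but its alias here is made up.

```python
import re

# Constructed sample of a Joomla content table (id -> alias); not real joomla.org data.
ARTICLES = {5834: "example-release-notes", 5810: "example-security-advisory"}

# Joomla SEF article path with the id in the URL: /<category segments>/<id>-<alias>
# Category segments are ignored on purpose, as in the plugin described in the comments.
ROUTE_RE = re.compile(r"^/(?:[\w-]+/)*(?P<id>\d+)-(?P<alias>[\w-]+)/?$")

def parse_article_route(path):
    """Return (article_id, alias) for an id-based article path, or None otherwise."""
    m = ROUTE_RE.match(path)
    return None if m is None else (int(m.group("id")), m.group("alias"))

def resolve_loose(path):
    """Current Joomla behaviour: only the numeric id decides whether the URL resolves."""
    parsed = parse_article_route(path)
    return 200 if parsed is not None and parsed[0] in ARTICLES else 404

def resolve_strict(path, mismatch_status=404):
    """Strict behaviour: the id must exist AND the alias must match the stored alias.
    mismatch_status may be 404 or 410 (the comments mention either); both are definitive,
    so crawlers drop the bogus URL instead of indexing it."""
    parsed = parse_article_route(path)
    if parsed is None:
        return 404
    article_id, alias = parsed
    stored_alias = ARTICLES.get(article_id)
    if stored_alias is None:
        return 404
    return 200 if alias == stored_alias else mismatch_status

def find_bogus_urls(paths):
    """From crawled paths (e.g. a search-console export) return those that resolve under
    loose routing but fail the strict check: the exact URLs to request removal for."""
    return [p for p in paths if resolve_loose(p) == 200 and resolve_strict(p) != 200]

if __name__ == "__main__":
    crawled = [  # constructed sample of paths seen in search results
        "/announcements/release-news/5834-example-release-notes",
        "/announcements/release-news/5834-why-you-should-never-use-joomla",
        "/news/9999-does-not-exist",
        "/about",
    ]
    for p in crawled:
        print(f"{p}: loose={resolve_loose(p)} strict={resolve_strict(p, 410)}")
    print("bogus:", find_bogus_urls(crawled))
```

In a real deployment the `ARTICLES` lookup would be a query against the site's own content table, and `find_bogus_urls` would be fed the URL list exported from the search console rather than a hard-coded sample.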