Question Why Joomla 3 and Joomla 4 are potentially bad for your business / SEO, and what you can do about it.

Read more...

Hi Ruud - thank you for your article. I have disabled the ID in the modern router. In the aftermath i discovered 1) You have to be very carefull not to have duplicate aliases - which lead to a 404 page. and worse 2) the old urls are still accepted... or can be guessed easily  - so i need your PR - There will be no fix from Joomla Development as we both know... - i'm still convinced this is a major threat.
Thank you and best wishes
Martin

Hi Martin,
I wrote this article after discussion with the Joomla Security Strikeforce. If you aren't going to fix it at least make people aware of the issue and what potentially can be done about it.
The isue here is that the people 'in charge' of doing something about it, do not have the isue: IMO it is as simple as that.
I did a PR for it for Joomla 4 (which also has this issue), but the only feedback I got was code styling, then nothing. So I closed that PR to get the attention back on the original issue. github.com/joomla/joomla-cms/pull/32500
What the PR did was give the user a choice: loose resolving (the way it is now), or strict resolving (require both id and matching alias)

As said, due to lack of interest I pulled that PR. I know Phil taylor al did a number of PR's for Joomla 3 but again, stranded due to no feature (?) requests anymore for Joomla 3.

Because I don't want to make sites unprotected (by doing core changes) I have created a system plugin for a customer who was facing this exact issue. It will check the article id with the alias in the url and matches that with the alias of the article: if not the same 404 / 410. This is only on the article alias, not the category alias (which again can be anything)

If you are interested I can create a standalone system plugin for that and push it to github

I would be very thankful for this plugin. I have just published a Joomla Website for a business with few hundred "vulnerable" links and i need to check them.
 

Hi Martin,
need to find some time to decouple that functionality from my customers 'toolbox' plugin. Try to do it this week.
Will do an update on this topic so you will be notified

regards,
Ruud.

So found some time to create the plugin: ochStrictRouter
it a free plugin, get it here: onlinecommunityhub.nl/joomla-extensions/...rictrouter-12-months

When subscribing (free) you have access to support on this plugin (via the forum)

This is a first version, when we have some more (mis) matching data, the plugin will be extended (e.g. also match on category alias, etc.)

Thank you Ruud, for this information and providing Joomla users with a solution.

You are welcome Mary,
I have worked as hired project manager in the banking business and before getting contracted these institutes are obliged by law to do a full background check on you.
I am sure that if there where bogus links on my (personal) website found in Google, I would never be hired as my background check would fail.

So there is more to it then meets the eye :S

Can I use ochStrictRouter on my blog truckercheckin.com on litespeed server and redis cache on top ? I got almost 50000 webpages on my website so redirect can completly slow down.

Hi, I run it.myself on a site with over 90k articles, no performance issues as what it does is a check on the url so no page generation / modification. It should also work on (externally) cached websites.

My advice is to only use this extension when you are facing the described bogus links: as a method to instruct searchengines to delete these links from the searchpages. First run it in dryrun mode and look at the produced log file if it 'redirects' correct. There are complex cases with articles in nested categories where not all categories have a menu assigned where this extension will fail.