Joomla! is a PHP based Content Management System which makes use of MySQL databases for publishing content on the Web and intranets. The Joomla! system includes numerous features and extensions such as RSS feeds, printable versions, news flashes, blogs, polls and extensive search optimisation along with page caching to improve performance. Joomla! is the perfect Content Management System for managing and developing your website with one of AUSWEB’s cPanel Hosting plans.
Archive for the ‘Joomla Tutorial’ category
Joomla! Content Management System
September 17th, 2009
Installing Joomla with Fantastico
September 17th, 2009
Joomla! is one of the most powerful Open Source Content Management Systems on the planet. It is used all over the world for everything from simple websites to complex corporate applications. You can install it easily on your Version-next account using the Fantastico autoinstaller system, included with all of our cPanel hosting accounts.
Follow these steps to install Joomla 1.5 on your version-next account:
1. Login to cPanel, and scroll down to the Fantastico link. Click on it to access the Fantastico control panel.
2. Now click on the Joomla 1.5 link in the navigation bar on the left.
3. The main Joomla 1.5 installer page will now be displayed. Click on “New Installation” to proceed.
4. You will now be presented with the setup form. Fill this out, and double check that all the settings you specify are correct. When you are done, click on “Install Joomla 1.5”.
5. You will now be presented with a confirmation page. Click on “Finish installation”.
6. Joomla has now been installed! Take a moment to note where you login to the administrator area. You can also send the installation details to an email address of your choice.
Joomla Performance Tips
September 17th, 2009
This tutorial covers some of the basics for improving the performance of your Joomla site. The performance increase obtained will vary from site to site depending on variables such as the server hardware and type of hosting that you have for your Joomla site.
To view our Joomla demo site with a custom template installed, please click on the thumbnail to the right. The site also includes other customizations made by our development team including Simple Image Gallery, which is a great way to show off images and create photo galleries within page content.
Hosting Options
Dedicated Server Hosting
From a performance point of view, dedicated hosting is the ideal option for your Joomla site because yours will be the only site using the CPU, memory, disk and MySQL resources. This means your Joomla site is less likely to suffer from any major performance issues. Dedicated hosting starts from $259 per month, but if you want a stable, fast server environment then this is the solution for you. Also remember that memory plays an important role in server performance: the more memory you have, the better. Information and pricing on our dedicated server solutions.
Shared Hosting for Joomla
Shared hosting is the most popular choice because it is affordable and includes lots of functionality, bandwidth and disk space. The downside from a performance point of view is that you will be hosting on the same server as 100 other web sites that use the same resources (CPU, memory, disk space) as you. If you have a high traffic site with lots of members, this could have an impact on the performance of your Joomla! site.
All Ausweb’s shared Linux hosting accounts include Fantastico Deluxe (an automated application installer) in your control panel. With a few mouse clicks you can have Joomla installed and ready to go.
Joomla Template
The template you use for your Joomla content management system can have an impact on the performance of your site if it is not optimized correctly. When choosing or developing a Joomla template for your site, take the following points into consideration:
- Make sure the template uses valid XHTML / CSS code. If the code is incorrect it will take more time for the browser to render the page. There are lots of online tools available which you can use to check and validate your code.
- Optimize your images; the smaller the file size the better.
- The fewer images the better. You can create an effective, eye-catching template for Joomla using CSS without the use of images.
- Check the code (CSS / index.php) for images which may not be referenced correctly in the CSS.
- Try to avoid using Flash or JavaScript.
Disable statistics reports
Disabling the Joomla statistics function can improve the performance (page load time) of your CMS. If this is enabled, every time someone visits your site data is written to the MySQL database. To disable this option select site / global configuration and statistics. All Ausweb hosting packages include AWStats, which gives you detailed information on traffic and visitors.
Enable Caching
By default the cache option for Joomla is not enabled but by enabling this option for your site you will see a performance increase. You can configure caching for page content as well as module content.
Modules
As well as the included Joomla modules there are many 3rd party modules available to add extra functionality to your Joomla site. The more modules you add to your front page, the longer it will take to load. If you plan to use modules, assign them to specific pages.
Error reporting
Switching off error reporting for Joomla is another action that can improve the performance of your site. To switch off error reporting select Global Configuration / Server Tab / Set the error reporting to None.
Mambots
Check the mambots you have enabled and disable the bots you no longer require. Enabling mambots that you are not using just slows down your site.
Upgrading Joomla! – Security Tips
September 17th, 2009
Upgrading 1.5 from an existing 1.5x version
From Joomla! Documentation:
It is risky to upgrade a live site without testing the upgrade process first. So before upgrading the live site you need to set up a test site which is as close as possible to the configuration of your live site, then test the upgrade on that. When you are happy with the process you can apply it to the live site (having taken a fresh backup of the live site first, of course).
Review the release notes for the new version. When upgrading from a version that is not the most recent
Step 1: Download the upgrade file
To download the most recent patch package and to obtain the MD5 hash:
- Proceed to the Joomla Download page.
- Locate the row that matches your current installation version.
- On that row, select the patch package (zip, tar.gz and tar.bz2) that is most convenient for you.
- Verify the download using the MD5 hash listed in the right column on the same line as the package you selected.
To find the MD5 hash:
- On the Joomla Download page, click on “Download other Joomla 1.5.x packages”
- Click on the bold text in ‘Release Name’ column. For example, if you want to find the hash for 1.5.9 to 1.5.10 patch, click on ‘Joomla1.5.10updates’.
- On the next screen click on the ‘Files’ tab, where you will see the hash for each package.
If you have questions about these instructions, read the Additional Information below this table.
Step 2: Backup your site
Before you actually upgrade, you really should make a backup of your site. Back up your existing Joomla site files and store all the files and the database so that, if something gets messed up, you won’t have any problem reverting.
All upgrades should be first tested on a copy of your site before being applied to a live site.
Step 3: Install the upgrade file
There are different ways of installing a package file depending on your particular circumstances. If you have difficulty with one of these methods, then simply try another.
- Alternative 1: Unpack the package file on your local computer then use an FTP client to upload them to your site.
- Alternative 2: Use an FTP client to upload the package to your site, then use a terminal session (eg. SSH) to connect to your site and unpack the files there.
- Alternative 3: If your hosting provider gives you access to your site via some sort of web control panel like CPanel or Plesk, you can use the control panel file manager to upload the package, then use a terminal session (which might also be available via the control panel) to unpack the package file and overwrite all changed files on the server.
Step 4: Check your live site to make sure it is working correctly
Don’t assume that the upgrade will work flawlessly just because the test upgrade worked. Check to make sure that nothing untoward has happened. It could be that differences between the live site and test site platforms will bring out a problem that you did not notice during testing. If you find a problem and it cannot be resolved quickly you might have to rollback the upgrade using the backup copy you created in step 2.
Hopefully all will be well and you can relax. If you have any questions before, during, or after the upgrade then please ask them on the Joomla! 1.5 Migrating and Upgrading Forum.
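Steps 1 to 3 above, scripted for the SSH route (Alternative 2), as an added example that is not part of the original tutorial or of the Joomla! documentation. The function names, paths and backup location are assumptions, and it backs up site files only, so the database dump still has to be taken separately.

```shell
#!/bin/sh
# Added example (not Joomla's own tooling): verify a patch package against its
# published MD5, back up the site files, then unpack the patch over the site.
# Function names, paths and the backup location are assumptions.

# Print the lowercase MD5 hex digest of a file with whichever tool is present.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl md5 "$1" | awk '{print $NF}'
    fi
}

# Step 1. Returns 0 on match, 1 on mismatch or missing file,
# 2 if the expected value is not 32 hex characters (a mis-copied hash).
verify_package() {
    vp_want=$(printf '%s' "$2" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
    case $vp_want in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#vp_want}" -eq 32 ] || return 2
    [ -f "$1" ] || return 1
    [ "$(md5_of "$1")" = "$vp_want" ]
}

# Step 2. Archive the site files into BACKUP_DIR (must be outside the site)
# and read the archive back before trusting it. Prints the archive path.
backup_site() {
    bs_archive="$2/joomla-files-$(date +%Y%m%d-%H%M%S).tar.gz"
    mkdir -p "$2" || return 1
    tar -czf "$bs_archive" -C "$1" . || return 1
    tar -tzf "$bs_archive" >/dev/null || return 1
    printf '%s\n' "$bs_archive"
}

# Step 3. Unpack the package over the site, overwriting changed files.
apply_patch() {
    case $1 in
        *.tar.gz)  tar -xzf "$1" -C "$2" ;;
        *.tar.bz2) tar -xjf "$1" -C "$2" ;;
        *.zip)     unzip -oq "$1" -d "$2" ;;
        *)         return 1 ;;
    esac
}

# upgrade_joomla PACKAGE EXPECTED_MD5 SITE_DIR BACKUP_DIR
# Nothing on the site is touched unless the hash matches and the backup is good.
upgrade_joomla() {
    [ -f "$3/configuration.php" ] || { echo "no configuration.php in $3" >&2; return 3; }
    verify_package "$1" "$2" || { echo "MD5 check failed for $1; not installing" >&2; return 1; }
    uj_archive=$(backup_site "$3" "$4") || { echo "backup failed; not installing" >&2; return 2; }
    apply_patch "$1" "$3" || { echo "unpack failed; restore from $uj_archive" >&2; return 4; }
    printf '%s\n' "$uj_archive"
}

# Usage (placeholders): upgrade_joomla PATCH.tar.gz <md5-from-download-page> ~/public_html ~/backups
```

Run it against the test copy of the site first, then against the live site, and carry out the Step 4 checks by hand after each run.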
JOOMLA Security – Critical – Password Exploit
September 17th, 2009
Description
A flaw in the reset token validation mechanism allows for non-validating tokens to be forged. This will allow an unauthenticated, unauthorized user to reset the password of the first enabled user (lowest id). Typically, this is an administrator user. Note that changing the first user’s username may lessen the impact of this exploit (since the person who changed the password does not know the login associated with the new password). However, the only way to completely rectify the issue is to upgrade to 1.5.6 (or patch the /components/com_user/models/reset.php file).
Affected Installs
All 1.5.x installs prior to and including 1.5.5 are affected.
Solution
Upgrade to latest Joomla! version (1.5.6 or newer), or patch /components/com_user/models/reset.php with the code below:
After global $mainframe; on line 113 of reset.php, add:
if(strlen($token) != 32) { $this->setError(JText::_('INVALID_TOKEN')); return false; }
Reported By
Joomla! Bug Squad Member Marijke Stuivenberg.
http://developer.joomla.org/security/news/241-20080801-core-password-remind-functionality.html
Move Joomla Site to a New Server
September 17th, 2009
While installing Joomla to your Version-next hosting account can be done simply using Fantastico Deluxe, there are some occasions where you want to transfer an existing Joomla site to your Version-next hosting account. This may be because you already have a Joomla site hosted elsewhere and are changing hosting providers, or because you have a Joomla site that you have developed on a test server.
The process involves 3 steps:
1. Upload your existing Joomla site files to your hosting account.
2. Export (or dump) your existing MySQL database, then create a new database and import the data.
3. Change your Joomla configuration settings.
Uploading Files
There are 2 ways to go about uploading the files. You can use FTP to upload all the Joomla files to your hosting account, but as there are 1000s of files that make up a Joomla site, this can be a long, tedious process.
The better option is to compress all the files and folders into a .zip or .gz file. This file can be uploaded to your hosting account and then unpacked, unzipped or extracted, depending on the file format. Log in to cPanel for your hosting account and go to File Manager.
- Upload the zipped file to your public_html (main directory, subdirectory or subdomain) directory in File Manager, or use FTP (upload as binary).
- Click on the file name (not the icon this time) to select the file.
- Look at the menu on the right side. Click the link which says Extract File Contents.
- All files are unpacked and placed in the same relationship as packaged, with all folder names and contents the same.
Now that all files and folders are uploaded we need to check that file and folder permissions are correct. There are a number of folders that must be writable for Joomla to function. You can change folder and file permissions using either FTP or cPanel file manager.
To change the permission of a file or folder in cPanel’s File Manager
1. Select the file or folder you wish to modify on the left.
2. Click “Change Permission” link from the upper right corner.

3. Set the options as shown below or type “755” then click “Change”.

The permissions need to be checked and changed, if necessary, to “755” for all folders listed below.
administrator/backups/
administrator/components/
administrator/modules/
administrator/templates/
cache/
components/
images/
images/banners/
images/stories/
language/
mambots/
mambots/content/
mambots/editors/
mambots/editors-xtd/
mambots/search/
mambots/system/
media/
modules/
templates/
Create Database and Import Joomla Data
You can view the tutorial covering database creation
Modify Configuration File
The last step is to modify your Joomla configuration.php file to suit your new hosting and database. Below is an example configuration file showing the changes that are required. You will need to edit the file configuration.php which is found in the main directory of your Joomla site. You can either modify the file on your PC using a text editor, or modify the file in cPanel File Manager by selecting the file then clicking “Edit File” on the top right section of File Manager.
<?php
$mosConfig_MetaAuthor = '1';
$mosConfig_MetaDesc = 'Joomla - the dynamic portal engine and content management system';
$mosConfig_MetaKeys = 'Joomla, joomla';
$mosConfig_MetaTitle = '1';
$mosConfig_absolute_path = '/home/user/public_html/'; // Change this to suit your server path
$mosConfig_admin_expired = '1';
$mosConfig_allowUserRegistration = '1';
$mosConfig_back_button = '1';
$mosConfig_cachepath = '/home/user/public_html/cache'; // Change this to suit your server path
$mosConfig_cachetime = '900';
$mosConfig_caching = '0';
$mosConfig_db = 'dbname'; // This is the name of the database created in the previous step
$mosConfig_dbprefix = 'jos_';
$mosConfig_debug = '0';
$mosConfig_dirperms = '';
$mosConfig_editor = 'tinymce';
$mosConfig_enable_log_items = '0';
$mosConfig_enable_log_searches = '0';
$mosConfig_enable_stats = '0';
$mosConfig_error_message = 'This site is temporarily unavailable.
Please notify the System Administrator';
$mosConfig_error_reporting = '-1';
$mosConfig_favicon = 'favicon.ico';
$mosConfig_fileperms = '';
$mosConfig_fromname = '';
$mosConfig_frontend_login = '1';
$mosConfig_frontend_userparams = '1';
$mosConfig_gzip = '0';
$mosConfig_helpurl = 'http://help.joomla.org';
$mosConfig_hideAuthor = '0';
$mosConfig_hideCreateDate = '0';
$mosConfig_hideEmail = '0';
$mosConfig_hideModifyDate = '0';
$mosConfig_hidePdf = '0';
$mosConfig_hidePrint = '0';
$mosConfig_hits = '1';
$mosConfig_host = 'localhost';
$mosConfig_icons = '1';
$mosConfig_item_navigation = '1';
$mosConfig_lang = 'english';
$mosConfig_lifetime = '900';
$mosConfig_link_titles = '0';
$mosConfig_list_limit = '30';
$mosConfig_live_site = 'http://yourdomain.com'; // This is the URL of your Joomla site
$mosConfig_locale = 'en_GB';
$mosConfig_mailer = 'mail';
$mosConfig_mailfrom = 'you@yourdomain.com';
$mosConfig_multilingual_support = '0';
$mosConfig_multipage_toc = '1';
$mosConfig_offline = '0';
$mosConfig_offline_message = 'This site is down for maintenance.
Please check back again soon.';
$mosConfig_offset = '-10';
$mosConfig_offset_user = '0';
$mosConfig_pagetitles = '1';
$mosConfig_password = 'password'; // This is the password for the database created in the previous step
$mosConfig_readmore = '1';
$mosConfig_secret = 'qYwasdloRtdEwsa';
$mosConfig_sef = '0';
$mosConfig_sendmail = '/usr/sbin/sendmail';
$mosConfig_session_life_admin = '1800';
$mosConfig_session_type = '0';
$mosConfig_shownoauth = '0';
$mosConfig_sitename = 'My Joomla Site';
$mosConfig_smtpauth = '0';
$mosConfig_smtphost = 'localhost';
$mosConfig_smtppass = '';
$mosConfig_smtpuser = '';
$mosConfig_uniquemail = '1';
$mosConfig_user = 'dbuser'; // This is the database user created in the previous step
$mosConfig_useractivation = '1';
$mosConfig_vote = '0';
setlocale (LC_TIME, $mosConfig_locale);
?>
Once you have saved and uploaded the file configuration.php you will now be able to access your new Joomla site.
Joomla 3rd Party Extensions Security Vulnerabilities
September 17th, 2009
A vulnerable extension is one that has been found to contain, or contribute to, a security vulnerability.
Vulnerable extensions are not necessarily poorly-coded extensions. As the Web evolves, technical requirements and commonly accepted coding practices also change. Active projects release new versions of their extensions as requirements change. For this reason, it is important to:
- Know the version numbers of all installed extensions.
- Use only the latest stable version of all extensions.
- Completely remove all files of insecure or unused extensions.
This is a list of 3rd party Joomla extensions (components, modules, mambots and plugins) with known vulnerabilities that will allow hackers access to your site. If you are using any of the following components, please upgrade or remove the component as listed under fix. It is also very important to make sure you are using the latest version of Joomla, currently 1.0.13, as earlier versions have several High Level vulnerabilities. These vulnerabilities don’t just affect your website; they affect other clients and the entire server as a whole. The current list can be viewed in the
Introduction to Joomla Modules
September 17th, 2009
This article will outline the Joomla modules that our tutorials cover. We have a wide range of video tutorials for Joomla modules, each detailing how to use administrative features and how to configure and install the module. The videos guide you step by step through each process, and are very easy to follow.
- JCE
“JCE is a content editor for Joomla!, that provides you with a set of WYSIWYG editor tools that makes the job of writing articles for your Joomla! site a little bit easier.”
- VirtueMart
“VirtueMart is an Open Source E-Commerce solution to be used together with a Content Management System (CMS) called Joomla! (but also works with Mambo). Joomla and VirtueMart are written in PHP and made for easy use in a PHP / MySQL environment.”
- iJoomla : Magazine
“Whether you need to create an online magazine or just want to make Joomla a lot more powerful and useful, iJoomla Magazine is the ultimate solution.”
- OpenSEF
“OpenSEF is an open source advanced SEF component for Joomla! which enables automatic and manual text-based search engine friendly URLs for Joomla core components and 3rd-party developer components. SEO Assistant adds many search engine optimization tools”
- Community Builder
“The Community Builder suite extends the Joomla! and Mambo website user management systems and allows to manage those users. Key features include: extra fields in profile, enhanced registration workflows, user lists, connection paths between users, admin defined tabs and user profiles, image upload, front-end workflow management, integration with other components, like PMS, Newsletter, Forum, Galleries.”
- DOCman
“DOCman is an open source document management and download system for Joomla! v1.0.x and v1.5. With this component you can manage documents across categories and make them available for download.”
Restrict Directory Access by IP Address
September 17th, 2009
This can be a very effective way to protect your Joomla! administrator directory. Any other directory in public_html can be protected in the same way. This method only works if you have a static IP address assigned to you. Anyone attempting to browse such directories using a different IP address will get a 403 Forbidden error.
How To Restrict Directory Access by IP Address
1. In the directory you wish to protect, open (or create) a file called .htaccess. (Note the dot at the beginning of the file name.)
2. Add the following code to this file, replacing 100.100.100.100 in this example with the static IP address you plan to allow:
Order Deny,Allow
Deny from all
Allow from 100.100.100.100
3. Optional: You can enter partial IP Addresses, such as, 100.100.100. This allows access to a range of addresses.
Securing your Joomla Website
September 17th, 2009
In addition to understanding the threats, and implementing general defensive strategies, it is important to know more specific details about security in Joomla, as well as some specific examples of how to implement security strategies.
The developers of Joomla are constantly striving to improve the overall security of the system by employing good programming techniques and addressing security issues as they arise. It is therefore important to try to keep up with the latest version of Joomla – ‘patches’ (collections of replacement files) are released periodically to address bugs and security holes as they are discovered (click here to subscribe to the official Joomla announcements forum)
Input boxes
There are various input boxes that can appear in a ‘vanilla’ Joomla website – for example, search boxes, filters, etc., and the data entered in such features is always validated to ensure it does not contain quote marks – thus protecting against SQL injection attacks.
HTML Editors
It is also possible with Joomla to allow your website’s end users to submit news articles etc., and this opens up the possibility of cross-site-scripting injection where the data is allowed to be entered as HTML. Most HTML editors will not allow javascript or certain other tags to be entered though – for this very reason.
A problem arises here, because with Joomla, the same HTML editor is used both in the back end administrator and in the front end website. So if you, as an administrator, want to add some javascript or other ‘forbidden’ tag, you’re stuck. Some editors (eg. JCE) will allow you to specify which tags are allowed, and therefore give you the flexibility to add javascript etc., if you need to do so – but if you use these options, you must ensure that you don’t allow end users to use that HTML editor.
You can do this either by just not allowing user-submissions at all (which is the safest option), or by using 2 different HTML editors – the default one being restrictive, and an extra one which is assigned to your user record only (definable in Joomla’s User Manager) which can be less restrictive.
User Login
The login features of Joomla – both for the back end administrator and the front end website – make use of one-way password encryption. When you type in your password, Joomla applies an ‘md5 hash algorithm’ to turn your password into a 40-character jumble of unintelligible text – the same 40-character jumble every time. It never actually decrypts this, it just compares the jumbled up version of what you type in with the jumbled up version that is stored in the database against your user record to see if they match.
In order to determine whether or not you are logged in at any given time, Joomla uses a ‘cookie’ – a small text file which is stored on your computer. This cookie does not contain your user name and password – it just contains a session id (or reference number), which Joomla can look up to find out who you are and whether you are logged in. So even if someone could steal the cookie from your computer, all they would get is a reference number – they couldn’t do much with it.
Release Notes
The text files that ship with a standard Joomla installation include release notes such as a ‘change log’ – a list of changes made to the program since the last release. Such information can give away valuable clues about possible weaknesses that hackers can exploit. However, the text files are protected from casual viewing by being named as PHP files and by programmatically preventing browsing over HTTP. Even so, it is quite safe to delete such files from your server – that way you can be absolutely sure that nobody can see them. At the time of writing, the release note files that can be safely deleted are: CHANGELOG.php, COPYRIGHT.php, INSTALL.php, and LICENSE.php.
.htaccess File
There is a file which is supplied with Joomla called htaccess.txt. As long as the file is called htaccess.txt, it has absolutely no effect on your site. Once you rename the file to .htaccess (“dot htaccess” instead of “htaccess dot txt”), it influences every request that is made of your site (note: this applies to sites running on an Apache web server, not IIS – if you’re not sure whether your site is running on Apache or IIS, it is probably running on Apache! 99.99% of Joomla sites run on Apache web servers. Apache is the name of the web server software, not the operating system – Apache can be run on Windows or Unix or Linux or FreeBSD, etc. etc. IIS only runs on Windows).
Typically, you would only rename the file to .htaccess if you wanted to use search engine friendly URLs (or SEF URLs) – the instructions in that file allow meaningful page names to be translated internally (or ‘rewritten’) into a format that Joomla can understand. There are many other uses for an .htaccess file though, including setting password protection on a directory, to block users based on their IP address, and various other things. This little file can be very powerful! It is therefore important to ensure no unauthorised person can view it, or worse still, edit it.
In addition to setting the file permissions (see below), you can add the following directive to the top of your .htaccess file to prevent others from being able to read it:
<Files .htaccess>
order allow,deny
deny from all
</Files>
Version 1.0.8 of Joomla introduced significant changes to the supplied htaccess file, but even so it does not include the above directive for some reason. Maybe a future version will. In the meantime, adding the above at the very top of the file will provide an additional layer of protection against abuse.
It is also a good idea to protect your site against HTTP tracking and tracing, and if you use a shared server, the easiest way to do this is to add the following to your .htaccess file (somewhere after the “RewriteEngine On” command):
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Please note, that making these changes to your .htaccess file is not supported by all server configurations. Always backup your .htaccess file before making changes to it, and if your website starts reporting errors, you may have to undo your changes.
Server Settings
Joomla specifies certain settings that are recommended for proper functioning of the system. A list of the recommended and actual settings is displayed when you install Joomla. One of the recommended settings is to have ‘Display Errors’ switched on. This is not safe for a production website. It is very useful when developing and debugging a site, but there is a security vulnerability in PHP (not Joomla, but the language in which Joomla was written) which allows cross-site-scripting attacks when the display errors option is enabled.
Thankfully, as of Joomla 1.0.8, you can suppress error messages by going to Site->Global Configuration, and clicking on the ‘Server’ tab. Set the ‘Error Reporting’ option to ‘None’. If you are not using the very latest version of Joomla, it would be a very good idea to upgrade!
Otherwise, to turn off display of errors, you need to change some settings in a file called php.ini – you might not have access to this file if you use shared hosting, but it might be possible to add your own php.ini file to the root folder of your website which will only affect your site and nobody else’s (or you might need to add it to every folder that contains PHP files). Alternatively, depending on the configuration settings on your server, you might be able to override individual php.ini settings in your .htaccess file.
The settings that need to be specified in php.ini are:
display_errors = Off
html_errors = Off
display_startup_errors = Off
log_errors = On
For additional security it may be worthwhile disabling certain PHP functions. The following 2 lines, when added to php.ini will prevent the listed functions from working. If you have a third party script that relies on one or more of these functions, it will break when you turn them off like this. Joomla does not use these functions, but some third party components might do. Disabling these functions will help to protect your site from hackers though.
allow_url_fopen = Off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, tempnam
If you don’t have access to the global php.ini file, you might be able to add your own. More information about doing this can be found here: http://www.washington.edu/computing/web/publishing/php-ini.html. You might need to ask your host to restart the Apache web server before your overridden settings will take effect (this does not mean rebooting the server, just restarting Apache – which only takes a few seconds). Note: If you encode your PHP files with Zend Optimizer, adding your own local php.ini file can cause PHP to think that Zend Optimizer is not installed even if it is.
If your server configuration allows it, you may be able to just add the following lines to your .htaccess file to override the settings without needing your own php.ini file. Try adding the following to the end of your .htaccess file (if your server does not recognise the directives, you will get an error message when you try to access your site):
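php_flag display_errors "0"
php_flag html_errors "0"
php_flag display_startup_errors "0"
php_flag log_errors "1"
# allow_url_fopen is a system-level (PHP_INI_SYSTEM) setting on PHP versions later than 4.3.4; there it must be set in php.ini instead
php_flag allow_url_fopen "0"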
These settings will cause any PHP errors to be logged in a text file instead of being displayed in the user’s browser window. You could also write a custom error handler in PHP to display a user-friendly message when an error occurs, but that is a task for a developer and is beyond the scope of this article.
File Permissions
Every folder and every file that your website contains has a set of properties called ‘permissions’. These properties define who is allowed to do what with the file or folder. On Unix-based operating systems (including Linux, FreeBSD, etc.), there are 3 actions that can be performed on a file: read, write, and execute; and there are 3 types of user that can perform these actions: owner, group, and other (things are a bit different on Windows, but most production Joomla sites are hosted on servers running a Unix-based operating system).
Typically, the permissions for a file are set using a 3-digit number: 000 being the most restrictive (nobody can do anything with the file – pretty pointless having a file with that level of restriction!), and 777 being the most liberal (anybody can read, write, or execute the file – that is, execute as in run a program, not execute as in chop someone’s head off). The first digit represents what the ‘owner’ of the file is allowed to do (that is, the specific ‘user’ who created the file); the second specifies what other authorised users are allowed to do, and the third says what the world at large is allowed to do. The command used by the operating system to set the permissions of a file is called ‘chmod’ which means ‘change mode’.
To get the balance between security and usability, all folders should be set to 755, and all files should be set to 644 unless a folder or file specifically requires a different setting in order to function properly. Joomla has the ability to set these permissions for you (you can tell it to do this while installing, and through the Site->Global Configuration option in Joomla administrator) when it creates new files. Using 755 and 644 for folders and files respectively generally means that the files cannot be edited – not even by Joomla (unless your server has PHP configured to use SUExec – highly recommended!).
So if you want to install a new component, module, template, or whatever, you are going to need to make sure the relevant folders are writeable (775 and 774 for folders/files respectively, or if that doesn’t work on your server, 777 for both) – otherwise Joomla will not be able to create the necessary files. To see which folders need to be writeable, go into Joomla Administrator, click on the ‘Help’ menu item, then click on the ‘System Info’ link at the top right, then click on the ‘Permissions’ tab. There is a list there of folders that need to be writeable for Joomla to function, as well as an indication of whether or not they are currently writeable on your server.
It is safest to keep files and folders unwriteable most of the time and only make them writeable when you need to – especially with reference to the configuration.php file, which stores your settings from Site->Global Configuration (keep that unwriteable [ie. 644] except when you need to make configuration changes – and make it unwriteable again as soon as you’ve finished making changes). If your website allows for users to upload files though, you will need to make the relevant folders writeable all the time, otherwise the uploads will fail.
You can change the permissions of files and folders using an FTP client, or a hosting control panel such as cPanel or Plesk.
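For sites with SSH access, the 755/644 baseline described here and in the “Uploading Files” folder list can be audited and restored from the shell. This is an added example, not part of the original article or of Joomla; the function names and finding labels are assumptions. It also reports the release note files named under “Release Notes”.

```shell
#!/bin/sh
# Added example (not Joomla's own tooling): audit a Joomla tree against the
# 755 (folders) / 644 (files) baseline, then put the baseline back after an
# install. Function names and finding labels are assumptions.

# audit_joomla_perms SITE_DIR
# Prints one finding per line as "LABEL path". Returns 0 if clean,
# 1 if there are findings, 2 if SITE_DIR is not a directory.
audit_joomla_perms() {
    ap_root=${1%/}
    [ -d "$ap_root" ] || { echo "not a directory: $1" >&2; return 2; }
    ap_out=$(
        # Anything the world can write to, e.g. a 777 fallback left in place.
        find "$ap_root" \( -type f -o -type d \) -perm -002 | sed 's/^/WORLD_WRITABLE /'
        # Remaining deviations: review each one, some folders may need them.
        find "$ap_root" -type d ! -perm 755 ! -perm -002 | sed 's/^/DIR_NOT_755 /'
        find "$ap_root" -type f ! -perm 644 ! -perm -002 | sed 's/^/FILE_NOT_644 /'
        # Release note files the article lists as safe to delete.
        for ap_f in CHANGELOG.php COPYRIGHT.php INSTALL.php LICENSE.php; do
            if [ -f "$ap_root/$ap_f" ]; then
                echo "RELEASE_NOTE $ap_root/$ap_f"
            fi
        done
        :
    )
    if [ -z "$ap_out" ]; then
        return 0
    fi
    printf '%s\n' "$ap_out"
    return 1
}

# lock_joomla_perms SITE_DIR
# Resets every folder to 755 and every file to 644, for use once an extension
# install or configuration change is finished. Refuses to run on a directory
# without configuration.php so a mistyped path cannot chmod something else.
# Upload folders that must stay writable have to be reopened afterwards.
lock_joomla_perms() {
    lp_root=${1%/}
    [ -f "$lp_root/configuration.php" ] || { echo "no configuration.php in $1" >&2; return 2; }
    find "$lp_root" -type d -exec chmod 755 {} + &&
    find "$lp_root" -type f -exec chmod 644 {} +
}

# Usage (placeholder path): audit_joomla_perms ~/public_html
```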