CG Secure component protects your Joomla forms and admin access by checking IPs against AbuseIPDB, which gives their country and spammer status.
Version 1.3.0 : Check Joomla Version
Version 1.2.0 : PHP 8.0 compatibility
Version 1.1.14 : check error before rewriting htaccess file
Version 1.1.13 : block bad robots, fix php error on abuseipdb error
Version 1.1.12 : block htaccess update if already in progress
Version 1.1.11 : check country code parameter against country.io/names.json
Version 1.1.10 : block brute force, backup directory
Version 1.1.9 : adding parts of 7G firewall
Version 1.1.8 : adding htaccess security
Version 1.0.15 : 127.0.0.0 = localhost
Version 1.0.14 : bypass com_users.profile in com_contact
Version 1.0.13 : unknown country = reject
Version 1.0.12 : wrong spammer status
Version 1.0.11 : redirection
Version 1.0.9 : JED Compatibility
Version 1.0.8 : allow all countries, but still block spammer
Version 1.0.7 : Joomla 4.0 compatibility (2019 October)
Version 1.0.6 : first release (2019 October)
CG Secure component uses CG Secure and CG Country plugins, centralizing their parameters.
Important: when migrating to Joomla 4.0, the CG Secure plugins are disabled and then re-enabled by the package update.
You may authorize one or more countries to connect to your admin/website. Any connection from another country is considered a hacker trying to access unauthorized parts of your website.
For your information, even if you did not define any private access, any user may reach the Joomla identification form by adding /index.php?option=com_users&layout=edit&id=0 to your website address. If you did not deactivate user registration (activated by default in older Joomla versions, prior to 3.7.0), welcome to our open bar.
Once running, CG Secure protects /administrator with a password, after checking the IP's country code and spammer status in AbuseIPDB. It also hides forms from unwanted users.
The IP is checked against the AbuseIPDB database, which returns its country code and spammer status.
In case of an unauthorized country, you may report this IP to AbuseIPDB. You must register with AbuseIPDB to report an IP (it's free).
Banned IPs may be logged in the cgipcheck.trace.log file in your logs directory. I use the View Logs component to check my log files.
Rejected users won't even see your forms.
Banned IPs are also stored in your database (table #__cg_rejected_ip). They remain in your database for the duration set by the "IP life time" parameter in your CG Secure configuration menu. You may see these IPs through the CG Secure Logs menu.
- Plugin System CG Secure (event onAfterDispatch): checks /administrator access (a hacker trying to reach your admin via the /administrator address),
- Plugin User CG Secure (event onContentPrepareForm): checks the IP before displaying Joomla forms (com_users, com_admin) (a hacker connecting via Joomla forms),
- Plugin Authentication CG Secure (event onUserAuthenticate): once authentication is done, checks whether the IP is really allowed to do it (a hacker trying to enter without using any Joomla form, mostly via PHP code).
Note: if you are using other form components (VisForms, RSForm, ...), you may easily write your own plugin to block unauthorized countries/spammers. Visforms uses the onVisformsFormPrepare($context, $form, $params) event, RSForm checks the rsfp_f_onBeforeFormDisplay($array) event. If you need a Visforms or RSForm plugin, just ask me, because I already prepared them.
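The decision the three plugins apply (localhost passes, "*" authorizes every country but spammers are still rejected, unknown country is rejected) as an added example in Python, not code from the CG Secure component. The AbuseIPDB /check bodies are constructed samples, and the 50-point abuseConfidenceScore cut-off is an assumption, since AbuseIPDB returns a score rather than a spammer flag.

```python
import ipaddress
import json
from dataclasses import dataclass
from typing import Optional

# Constructed AbuseIPDB v2 /check bodies (not real lookups); only the fields the decision uses are kept.
SAMPLE_SPAMMER = json.dumps({"data": {"ipAddress": "203.0.113.7", "countryCode": "RU",
                                      "abuseConfidenceScore": 87, "totalReports": 42}})
SAMPLE_CLEAN = json.dumps({"data": {"ipAddress": "198.51.100.3", "countryCode": "FR",
                                    "abuseConfidenceScore": 0, "totalReports": 0}})
SAMPLE_UNKNOWN = json.dumps({"data": {"ipAddress": "198.51.100.9", "countryCode": None,
                                      "abuseConfidenceScore": 0, "totalReports": 0}})

# AbuseIPDB returns a 0-100 abuseConfidenceScore, not a boolean spammer flag; this cut-off is an assumption.
SPAMMER_THRESHOLD = 50


@dataclass
class IpVerdict:
    allowed: bool
    reason: str
    country: Optional[str] = None


def parse_abuseipdb_check(body: str):
    """Pull country code and abuse score out of a /check JSON body; empty or null country -> None."""
    data = json.loads(body).get("data", {})
    return data.get("countryCode") or None, int(data.get("abuseConfidenceScore") or 0)


def check_ip(ip: str, allowed_countries, abuseipdb_body: Optional[str]) -> IpVerdict:
    """Decide whether a visitor IP may reach a protected form or /administrator.

    Rules as the page states them: 127.0.0.0/8 is localhost and passes, '*' authorizes
    every country but spammers are still rejected, and an unknown country is rejected.
    """
    if ipaddress.ip_address(ip).is_loopback:
        return IpVerdict(True, "localhost")
    if abuseipdb_body is None:          # lookup failed: country is unknown, so the reject rule applies
        return IpVerdict(False, "abuseipdb error, country unknown")
    country, score = parse_abuseipdb_check(abuseipdb_body)
    if score >= SPAMMER_THRESHOLD:      # checked before the country so '*' never lets a spammer through
        return IpVerdict(False, f"spammer (score {score})", country)
    if country is None:
        return IpVerdict(False, "unknown country", country)
    allowed = {c.strip().upper() for c in allowed_countries}
    if "*" in allowed or country.upper() in allowed:
        return IpVerdict(True, "country authorized", country)
    return IpVerdict(False, f"country {country} not authorized", country)
```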
CG Secure version 1.1 introduces .htaccess security.
This only works with Apache 2.4.x server.
It has been created from https://docs.joomla.org/Htaccess_examples_(security), https://perishablepress.com/category/htaccess/ and AESecure. The difference from other solutions is that found hackers (doing XSS attacks, SQL injection, ...) are blocked at .htaccess level, so attacks are stopped as soon as possible and the attackers are kept away for the time defined in your IP life time parameter.
- Multiaddresses : you have multiple addresses to access your website,
- Subdir : your site is in a sub-directory.
When activating, if you have no .htaccess file, CG Secure copies Joomla's default htaccess.txt to your site root.
After saving the current .htaccess file, CG Secure adds its lines to .htaccess from the administrator/components/com_cgsecure/assets/cgaccess.txt file.
If you wish to use your own .htaccess rules, you may create a custom.txt file in the same directory as cgaccess.txt. custom.txt will then be used instead of the CG Secure default file.
Attention: working with the .htaccess file may break your site badly. Older versions of .htaccess files are saved in the administrator/components/com_cgsecure/backup directory.
Note: communication between the .htaccess file and the CG Secure component is secured via a random number, calculated each time htaccess security is activated. To create a new one, deactivate htaccess security by clicking No on the Activate parameter, then click Yes, and you'll get a new security key.
How to access your administration once CG Secure has been activated?
Note: if you did not enter any password, administrator access works as usual, but IP checking is performed anyway.
- HTTP Authentication: standard Apache authentication. You'll have to enter the password in the "Password" field; the "Username" field may remain empty as it's not checked,
- Compatibility: you'll have to enter http://www.yourwebsite.com/administrator?yourpassword, "yourpassword" being the password you entered in the CG Secure plugin.
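The .htaccess activation steps above (back up the current file, start from Joomla's htaccess.txt when none exists, prefer custom.txt over cgaccess.txt, refuse a second update while one is in progress) as an added example in Python, not the component's own code. The BEGIN/END marker comments, the lock file name and the sample rules are this example's assumptions; the page does not show how CG Secure delimits its block.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path

# Marker comments are this example's own; the real cgaccess.txt layout is not shown on the page.
BEGIN_MARK, END_MARK = "# BEGIN CG Secure", "# END CG Secure"


def install_htaccess(site_root: Path, assets_dir: Path, backup_dir: Path, default_htaccess: Path) -> Path:
    """Back up .htaccess, then rewrite it with the CG Secure rules block; returns the backup path."""
    htaccess, lock = site_root / ".htaccess", site_root / ".htaccess.cgsecure.lock"
    try:
        os.close(os.open(lock, os.O_CREAT | os.O_EXCL | os.O_WRONLY))  # atomic "update in progress" lock
    except FileExistsError:
        raise RuntimeError("htaccess update already in progress") from None
    try:
        if not htaccess.exists():                       # no .htaccess yet: start from Joomla's htaccess.txt
            shutil.copyfile(default_htaccess, htaccess)
        backup_dir.mkdir(parents=True, exist_ok=True)
        backup = backup_dir / f"htaccess.{time.time_ns()}.bak"
        shutil.copyfile(htaccess, backup)               # older versions are kept, as the page describes
        custom = assets_dir / "custom.txt"              # custom.txt wins over the shipped cgaccess.txt
        rules = (custom if custom.exists() else assets_dir / "cgaccess.txt").read_text().rstrip()
        body = htaccess.read_text()
        if BEGIN_MARK in body and END_MARK in body:     # drop an earlier block so re-activation does not duplicate it
            head, rest = body.split(BEGIN_MARK, 1)
            body = head + rest.split(END_MARK, 1)[1].lstrip("\n")
        tmp = site_root / ".htaccess.tmp"
        tmp.write_text(f"{BEGIN_MARK}\n{rules}\n{END_MARK}\n\n{body}")
        os.replace(tmp, htaccess)                       # atomic swap: a crash never leaves a half-written .htaccess
        return backup
    finally:
        lock.unlink()


def demo() -> dict:
    """Build a constructed site layout in a temp dir, activate twice, and report what happened."""
    root = Path(tempfile.mkdtemp())
    assets, backups, default = root / "assets", root / "backup", root / "htaccess.txt"
    assets.mkdir()
    (assets / "cgaccess.txt").write_text("RewriteEngine On\nRewriteRule ^backup/ - [F]\n")  # constructed rules
    default.write_text("# Joomla default\nOptions -Indexes\n")                              # constructed default
    first = install_htaccess(root, assets, backups, default)
    install_htaccess(root, assets, backups, default)    # second activation must not duplicate the block
    final = (root / ".htaccess").read_text()
    return {"backups": len(list(backups.glob("*.bak"))), "blocks": final.count(BEGIN_MARK),
            "default_kept": "Options -Indexes" in final, "lock_left": (root / ".htaccess.cgsecure.lock").exists(),
            "first_backup_is_default": first.read_text().startswith("# Joomla default")}
```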
The default CG Secure component behaviour protects the Joomla connection forms (com_admin, com_users). If you wish to extend this to contact forms, just add com_contact to the Components List parameter.
Entering * in the Countries list will authorize all countries, but the spammer status of the IP address is still checked.
If you are a registered AbuseIPDB user, you may see your report history in your user account, tab "Reports".
The Comment column shows reported hackers: the first 2 letters of your website name, then e = error / w = warning, followed by an error number if it comes from .htaccess security; other errors are created by the CG Secure plugins (Authentication, System, User).