Stop Right There
Stop right there, I gotta know right now, Before we go any further
Are you prepared for a long read that will shock and enrage you? A tale so fantastical that it is hard to believe, but one I can assure you is 100% true and told without embellishment or exaggeration.
Have you removed all sharp objects from your desk? Are you sitting in a comfortable chair with a soft cushion or toy nearby? You will need to be prepared for the facepalm moments below.
The Back Story
Last week I responded to a call for some help with a Joomla website via Twitter. Turns out that the site owner is a really, really famous TV star in the UK, so I thought why not. I mean, how hard could it be to show someone how to do a few small edits on their Joomla website - that’s what I do all the time. (The fact that I had an evil plan of connecting this to J&Beyond was just a small benefit.)
The Web Site
The site was a simple one page web site created in Joomla using a template from a well known template club (no names - no blame) that had been built by a "professional" (I will leave it to you to conclude the skills of this professional at the end of this tale).
At first glance it looked nice. Great graphics and had all the content I would expect.
It was a simple request. Update some of the content and change the copyright date. And maybe make some suggestions for improving its Google ranking and page speed.
Discovery Stage - OMG
52 CSS files
1.9 Mb of images
I've seen worse, not often and usually with this same template club, but there are definitely going to be a few simple changes I could make to improve that. I was a little surprised at all the duplicated CSS and JS files though, so I took a quick look at the generated code of the page. This was my first OMG moment!
Right there in the middle of the source code was a huge menu, a really, really big menu. But wait, didn't you say that this was a one page web site? Yes, that's right, it's a one page website with no menu, so what is this? Hopefully you all know that in order not to display a module on a Joomla site you just unpublish it. Not this "professional". He had manually added the following CSS to every menu item: style="display: none; overflow: hidden;"
OK, so that's a pretty stupid thing to do, but read on, it gets worse. Remember it is a one page web site, so what is in this mega menu? Yep, you guessed it, this menu was for all the sample content that came with the template. All published, and of course it was only made "invisible" to human eyes and not to Google. That clever little monkey of a search engine had seen all those "invisible" links and had of course indexed 65 pages of sample content.
But that’s not going to be too much of a problem to fix. I can just unpublish the menu module, unpublish the sample content and disavow the links at Google.
How big is that?
Again not too difficult to resolve - compress the images and another quick win.
Each slide in the accordion had a link. Each link opened a popup. Each popup was an article. Again not that crazy but the content needed updating and this TV star wanted to update the text themselves. Not an unreasonable request for a CMS.
If only I could find the content
The article manager only listed all those (now unpublished) template club sample articles. So where was the ruddy content? 20 minutes later I found it. Each of those articles was a standalone HTML file. Yes, that is right. The "professional" had built a website with Joomla, a CMS, using an advanced template from a template club and was not only not using the template but was also creating their content as static HTML files.
It gets worse
Hard to believe, I know, but all the static HTML files were obviously recycled from another project, as many had metadata from another site.
The site was certainly not responsive even though it was built with the latest version of Joomla 3 and was using a responsive template. Not a problem I told the TV star, I can fix that too.
This mobile site was completely separate to the main web site. There was no shared content. Even the media files were loaded from a separate place.
Now I know that the address bar on a mobile browser is usually hidden, but this "professional" had forgotten to change the URL for the mobile site - it was still on an IP address.
This is getting ridiculous
So instead of sitting with this TV star and quickly showing him how to update the content on his web site, I was going to be leaving the meeting with a long todo list. The final thing on his todo list was to update the copyright date in the footer. At least I was going to be able to do that right there and then - after all, how hard can it be to change 2014 to 2015?
I know what you are thinking - it is hard coded into the template - but you would be wrong, it was a module. Of course it was a module called "Sample footer-b", so it took a while to find amongst the 96 modules that were included by the template club sample data, but I found it.
Could it really be true? Was I going to be able to complete one task on the todo list? Yeah, that's right, you guessed, I wasn't. The text "Copyright 2014" in 10 point Arial was an image. A bloomin' image for two words in a standard font. This was definitely a website that needed to be rebuilt from scratch the correct way.
As my head crashed on to the table and spilled coffee all over my newly cleaned laptop I called it a day.
Before leaving the meeting I was given my own password for FTP access to the site - great to see that even a TV star knows about password security and was using a password manager and not sharing or reusing passwords.
So there I sat on the sofa of a friend's house downloading all the assets from the server, ready to build a new web site. There were a couple of strange folders - old and new. New was empty, so that's ok, it was probably for a test site that had been removed, but what was in old? Yep, it was the pre-2014 version of the web site written in some unidentified PHP script.
Being the nosey guy that I am, I wanted to see how bad this site was. It must have been pretty awful to be replaced by the current one. Actually it was ok, if a little old fashioned, and had probably been created several years earlier. But there was one file that caught my attention as I tried to determine which script had been used to build the site. upfff.php just doesn't sound like the type of filename that any developer would use. Guess what the first characters of this file were: eval(base64_decode
Yep, the server was hacked. This file, which had been on the server for a very long time (pre the Joomla web site install), would give anyone full access to the server if they knew the secret params required to open that file.
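A sweep for that loader shape across a downloaded copy of a site, as an added example that is not part of the original post. It goes slightly beyond the eval(base64_decode case by also flagging eval wrapped around other common decoders; the function names, the extra decoder list and every sample file except the upfff.php name are assumptions constructed for illustration.

```python
import base64, os, re, tempfile

# eval( directly wrapping one or more decode/decompress calls: the loader shape
# described above. The decoder list beyond base64_decode is an assumption.
LOADER = re.compile(
    rb"\beval\s*\(\s*(?:@?\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(\s*)+",
    re.I)
OPEN_TAG = re.compile(rb"^\s*<\?(?:php)?\s*", re.I)

def scan_file(path, head_bytes=4096):
    """Return a finding dict if the head of the file contains the loader shape."""
    with open(path, "rb") as fh:
        head = fh.read(head_bytes)
    body = OPEN_TAG.sub(b"", head, count=1)   # ignore the opening <?php tag
    m = LOADER.search(body)
    if not m:
        return None
    # at_start is True when the loader is the very first statement, as in upfff.php
    return {"path": path, "at_start": m.start() == 0}

def scan_tree(root):
    """Walk a site copy and collect findings for PHP-like files, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".inc")):
                hit = scan_file(os.path.join(dirpath, name))
                if hit:
                    findings.append(hit)
    return sorted(findings, key=lambda f: f["path"])

def build_sample_site(root):
    """Constructed sample tree: harmless stand-ins, not files from the real site."""
    os.makedirs(os.path.join(root, "old"))
    blob = base64.b64encode(b'echo "constructed sample";').decode()
    samples = {
        "old/upfff.php": '<?php eval(base64_decode("%s"));' % blob,
        "old/cache.php": "<?php\n// constructed\n@eval(gzinflate(base64_decode($x)));",
        "index.php": "<?php $n = base64_decode($stored); echo htmlspecialchars($n);",
    }
    for rel, text in samples.items():
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write(text)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return [(os.path.relpath(f["path"], root).replace(os.sep, "/"), f["at_start"])
                for f in scan_tree(root)]

if __name__ == "__main__":
    for rel, at_start in demo():
        print(rel, "(loader is first statement)" if at_start else "(loader further in)")
```

A hit is a prompt for manual review rather than proof of compromise, and a clean result only covers this one pattern.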
Every long tale should have a happy ending and this one is no different. The TV star now has a brand new Joomla web site, the hacker scripts have been removed and he will be making a special guest appearance at J&Beyond in a few weeks to say thank you.