Brian's Blog Homepage
What happens when you chose a bad web developer

Stop Right There

Stop right there, I gotta know right now, Before we go any further

Are you prepared for a long read that will shock and enrage you. A tale so fantastical that it is hard to believe but one I can assure you is 100% true and told without embellishment or exaggeration.

Have you removed all sharp objects from your desk? Are you sitting in a comfortable chair with a soft cushion or toy nearby? You will need to be prepared for the facepalm moments below.

The Back Story

Last week I responded to a call for some help with a Joomla website via twitter. Turns out that the site owner is a really really famous TV star in the UK so I thought why not. I mean how hard could it be to show someone how to do a few small edits on their Joomla website - that’s what I do all the time. (The fact that I had an evil plan of connecting this to J&Beyond was just a small benefit).

The Web Site

The site was a simple one page web site created in Joomla using a template from a well known template club (no names - no blame) that had been built by a "professional" (I will leave it to you to conclude the skills of this professional at the end of this tale).

At first glance it looked nice. Great graphics and had all the content I would expect.

The Request

It was a simple request. Update some of the content and change the copyright date. And maybe make some suggestions for improving its google ranking and page speed.

Discovery Stage - OMG

  • 23 javascript files

  • 52 CSS files

  • 1.9 Mb of images

I've seen worse, not often and usually with this same template club, but there is definitely going to be a few simple changes I could make to improve that. I was a little surprised at all the duplicated css and js files though so I took a quick look at the generated code of the page. This was my first OMG moment!


Right there in the middle of the source code was a huge menu, a really really big menu. But wait didn't you say that this was a one page web site. Yes that's right its a one page website with no menu so what is this. Hopefully you all know that in order not to display a module on a joomla site that you just unpublish it. Not this "professional". He had manually added the following css to every menu item style="display: none; overflow: hidden;"

OK so that's a pretty stupid thing to do but read on it gets worse. Remember it is a one page web site so what is in this mega menu. Yep you guessed it this menu was for all the sample content that came with the template. All published and of course because it was only made "invisible" to human eyes and not to google. That clever little monkey of a search engine had seen all those "invisible" links and had of course indexed 65 pages of sample content.

But that’s not going to be too much of a problem to fix. I can just unpublish the menu module, unpublish the sample content and disavow the links at google.

How big is that?

The website had a very nice accordion module as its main (and almost only feature). The images were huge and had not been compressed in any way but again that’s an easy fix and we can easily reduce the page weight here. I was a little shocked that this accordion module was from another template club. I had assumed that it was created with the tools supplied by the first template club. There really was no reason at all to use a template designed by anyone as I can now see that none of the templates "advanced" features were being used. Unless of course you include the 23 javascript and 52 css files that the template included but were not actually doing anything on this web site.

Again not too difficult to resolve - compress the images and another quick win.

Update content

Each slide in the accordion had a link. Each link opened a popup. Each popup was an article. Again not that crazy but the content needed updating and this TV star wanted to update the text themselves. Not an unreasonable request for a CMS.

I could see that the link to open the popup had a class of "jcepopup" and the javascript for JCE Media box was being loaded. That looked promising as clearly JCE was going to be installed on the site so editing the content should be easy. It wasn't - why was I still being surprised by this web site?

If only I could find the content

The article manager only listed all those (now unpublished) template club sample articles. So where was the ruddy content. 20 minutes later I found it. Each of those articles was a standalone html file. Yes that is right. The "professional” has built a website with Joomla, a CMS, using an advanced template from a template club and was not only not using the template but was also creating their content as static html files.

It gets worse

Hard to believe I know but all the static html files were obviously recycled from another project as many had metadata from another site .

Going Mobile

The site was certainly not responsive even though it was built with the latest version of Joomla 3 and was using a responsive template. Not a problem I told the TV star, I can fix that too. 

What are you talking about he said. It looks great on my phone - take a look. Yes you guessed it the "professional" who had built the web site knew nothing about responsive web sites and had included yet another javascript file to test for mobile browsers and then to redirect the site visitor to another web site entirely.

This mobile site was completely separate to the main web site. There was no shared content. Even the media files were loaded from a separate place.

Now I know that the address bar on a mobile browser is usually hidden but this "professional" had forgotten to change the url for the mobile site - it was still on an IP address.

Google Optimisation

Part of the original request was to try and make the site perform better on google. This wasn’t going to be hard. The only visible content on the home page was the "hidden" menu. All the other text on the page was not really text but an image on a slide. And even the links on the slides to those "static files" wasn’t seen by google due to the javascript used to generate them - there isn’t even ANY metadata at all on that page. So all google could see was links to the template club sample content.

This is getting ridiculous

So instead of sitting with this TV star and quickly showing him how to update the content on his web site I was going to be leaving the meeting with a long todo list. The final thing on his todo list was to update the copyright date in the footer. At least I was going to be able to do that right there and then - after all how hard can it be to change 2014 to 2015.

I know what you are thinking - it is hard coded into the template - but you will be wrong it was a module. Of course it was a module called "Sample footer-b" so it took a while to find amongst the 96 modules that were included by the template club sample data but I found it.

Could it really be true? Was I going to be able to complete one task on the todo list. Yeah that's right you guessed I wasn't. The text "Copyright 2014" in 10 point arial was an image. A bloomin' image for two words in a standard font. This was definitely a website that needed to be rebuilt from scratch the correct way.

As my head crashed on to the table and spilled coffee all over my newly cleaned laptop I called it a day.


Before leaving the meeting I was given my own password for ftp access to the site - great to see that even a TV star knows about password security and was using a password manager and not sharing or reusing passwords. 

So there I sat on the sofa of a friends house downloading all the assets from the server ready to build a new web site. There were a couple of strange folders - old and new. New was empty so that's ok it was probably for a test site that had been removed but what was in old? Yep it was the pre-2014 version of the web site written in some unidentified php script.

Being the nosey guy that I am I wanted to see how bad this site was. It must have been pretty awful to be replaced by the current one. Actually it was ok if a little old fashioned and had probably been created several years earlier. But there was one file that caught my attention as I tried to determine which script had been used to build the site. upfff.php just doesn't sound like the type of filename that any developer would use. Guess what the first characters of this file were. eval(base64_decode

Yep the server was hacked. This file, that had been on the server for a very long time (pre the joomla web site install) would give anyone full access to the server if they knew the secret params required to open that file.

Happy Ending

Every long tale should have a happy ending and this one is no different. The TV star now has a brand new Joomla web site, the hacker scripts have been removed and he will be making a special guest appearance at J&Beyond in a few weeks to say thank you.

J o o m l a !

Brian Teeman

Brian Teeman

Who is Brian?

As a co-founder of Joomla! and OpenSourceMatters Inc I've never been known to be lacking an opinion or being too afraid to express it.

Despite what some people might think I'm a shy and modest man who doesn't like to blow his own trumpet or boast about achievements.

Where is Brian?