
Joomla 3.8.8 notes about the changed default settings

From Joomla! Documentation


Updated site security recommendations

Text Filters

As of Joomla 3.8.8, the default text filtering settings no longer allow the default Administrator user group to enter unfiltered content. This change only applies to new installations, so we encourage site owners of existing sites to review their text filtering configuration and apply the same change to further enhance site security.
You can find the current text filter settings in the Administrator area.
Administrator area > System > Global Configuration > Text Filters

It is recommended that you change the Administrator Filter Group under Text Filter Settings from No Filtering to Default Blacklist. With No Filtering, everything an Administrator account submits (for example in an article body) is stored and rendered exactly as entered, including script tags and event-handler attributes; Default Blacklist strips the known-dangerous tags and attributes, so a compromised or careless Administrator account cannot place script on the site's pages.

[Screenshot: Text Filters settings]

Not sending the plain text password via email

As of Joomla 3.8.8, the "Send Password" option in the User Manager is no longer enabled by default. When it is enabled, the password an administrator sets for a user is emailed to that user in plain text. We recommend that you check this setting on all existing sites. To do so, go to:
Administrator area > System > Global Configuration > Users > Send Password

[Screenshot: Send Password setting]

Upload Settings

We recommend that you check the list of allowed upload file extensions as well as the list of allowed upload MIME types. As of Joomla 3.7.3, the default allowed upload extensions and MIME types have changed: Flash files are no longer allowed, because an uploaded SWF file is served from your site's own origin and can carry ActionScript that runs in visitors' browsers, so allowing Flash uploads without proper review raises several security concerns. It is recommended to block uploads of Flash files through Joomla.
We therefore recommend removing the following values from your upload configuration in the Media Manager to prevent the upload of Flash files:

  • Legal Extensions (File Types): "swf"
  • Legal MIME Types: "application/x-shockwave-flash"

To remove these values, go to:
Administrator area > System > Global Configuration > Media

[Screenshot: Media upload options]

Mail to Friend

Together with the changes mentioned above, the Mail to Friend feature is also disabled by default for new installations, since it lets site visitors have your server send email on their behalf.
We recommend that you check whether you still need this feature on your sites.
Please note that it can be configured in several places:

  1. In each article and in each menu item, under the "Options" tab.
  2. Globally, in the Options of the Articles component in the Global Configuration.

If you want to disable the setting globally, go to:
Administrator area > System > Global Configuration > Articles (you need to scroll down a bit)

[Screenshot: Articles Mail to Friend option]
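All four recommendations on this page (Text Filters, Send Password, Upload Settings and Mail to Friend) can be audited in one pass, because Joomla 3.x stores the Global Configuration options of each component as a JSON blob in the params column of the #__extensions table. The script below is an added example written for this page; it is not Joomla project code. It runs offline on constructed sample rows in that shape, reports which settings still deviate from the recommendations, and produces hardened params blobs. The parameter names it reads (filters, filter_type, upload_extensions, upload_mime, sendpassword, show_email_icon) and the Administrator group id 7 are assumptions about how Joomla 3.x stores these options; they are not quoted on the page, so verify them against your own #__extensions rows before writing anything back.

```python
"""Audit Joomla 3.x component params against the 3.8.8 hardening advice.

Added example, not Joomla project code.  On a real site the rows would come
from a query such as (replace #__ with your configured table prefix):

    SELECT element, params FROM #__extensions
     WHERE type = 'component'
       AND element IN ('com_config', 'com_media', 'com_users', 'com_content');

All parameter names below are assumptions about Joomla 3.x storage.
"""
import json

ADMINISTRATOR_GROUP_ID = "7"          # assumed default id of the Administrator group
NO_FILTERING = "NONE"                 # assumed code for "No Filtering"
DEFAULT_BLACKLIST = "BL"              # assumed code for "Default Blacklist"
FLASH_EXT = "swf"
FLASH_MIME = "application/x-shockwave-flash"

# Constructed sample rows (element, params) mirroring a site that still has
# every setting at the pre-3.8.8 default.
SAMPLE_ROWS = [
    ("com_config", json.dumps({"filters": {
        "1": {"filter_type": "NH", "filter_tags": "", "filter_attributes": ""},
        "7": {"filter_type": "NONE", "filter_tags": "", "filter_attributes": ""},
        "8": {"filter_type": "NONE", "filter_tags": "", "filter_attributes": ""},
    }})),
    ("com_media", json.dumps({
        "upload_extensions": "bmp,gif,jpg,png,pdf,swf,txt,BMP,GIF,JPG,PNG,PDF,SWF,TXT",
        "upload_mime": "image/jpeg,image/gif,image/png,image/bmp,"
                       "application/x-shockwave-flash,application/pdf,text/plain",
        "restrict_uploads": "1",
    })),
    ("com_users", json.dumps({"sendpassword": "1"})),
    ("com_content", json.dumps({"show_email_icon": "1"})),
]


def load_params(rows):
    """Map component element name -> decoded params dict."""
    return {element: json.loads(params or "{}") for element, params in rows}


def _csv_set(value):
    """Joomla stores extension/MIME lists as comma-separated strings."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def check_text_filters(params):
    """Administrator group must not be on No Filtering."""
    filters = params.get("com_config", {}).get("filters", {})
    ftype = filters.get(ADMINISTRATOR_GROUP_ID, {}).get("filter_type", "")
    return ftype != NO_FILTERING, f"Administrator filter group is {ftype or 'unset'}"


def check_uploads(params):
    """Neither the swf extension nor the Flash MIME type may be allowed."""
    media = params.get("com_media", {})
    problems = []
    if FLASH_EXT in _csv_set(media.get("upload_extensions", "")):
        problems.append('"swf" still in Legal Extensions')
    if FLASH_MIME in _csv_set(media.get("upload_mime", "")):
        problems.append(f'"{FLASH_MIME}" still in Legal MIME Types')
    return not problems, "; ".join(problems) or "Flash uploads blocked"


def check_send_password(params):
    """Plain-text passwords must not be emailed to users."""
    value = params.get("com_users", {}).get("sendpassword", "0")
    return value == "0", f"Send Password = {value}"


def check_mail_to_friend(params):
    """Global Mail to Friend (email icon) should be off unless still needed."""
    value = params.get("com_content", {}).get("show_email_icon", "0")
    return value == "0", f"Mail to Friend (show_email_icon) = {value}"


CHECKS = [("Text Filters", check_text_filters), ("Upload Settings", check_uploads),
          ("Send Password", check_send_password), ("Mail to Friend", check_mail_to_friend)]


def audit(rows):
    """Run every check; return {check name: (ok, detail)}."""
    params = load_params(rows)
    return {name: fn(params) for name, fn in CHECKS}


def harden(rows):
    """Return new (element, params) rows with the recommended values applied
    and everything else left untouched."""
    params = load_params(rows)
    filters = params.setdefault("com_config", {}).setdefault("filters", {})
    entry = filters.setdefault(ADMINISTRATOR_GROUP_ID,
                               {"filter_tags": "", "filter_attributes": ""})
    entry["filter_type"] = DEFAULT_BLACKLIST
    media = params.setdefault("com_media", {})
    media["upload_extensions"] = ",".join(
        e for e in media.get("upload_extensions", "").split(",")
        if e.strip() and e.strip().lower() != FLASH_EXT)
    media["upload_mime"] = ",".join(
        m for m in media.get("upload_mime", "").split(",")
        if m.strip() and m.strip().lower() != FLASH_MIME)
    params.setdefault("com_users", {})["sendpassword"] = "0"
    params.setdefault("com_content", {})["show_email_icon"] = "0"
    return [(element, json.dumps(p)) for element, p in params.items()]


if __name__ == "__main__":
    for label, rows in (("current", SAMPLE_ROWS), ("after harden()", harden(SAMPLE_ROWS))):
        print(f"--- {label} ---")
        for name, (ok, detail) in audit(rows).items():
            print(f"[{'OK ' if ok else 'FIX'}] {name}: {detail}")
```

The hardened blobs are meant as input to an UPDATE on #__extensions, or simply as a checklist for the admin UI paths above; note that harden() only changes the global Mail to Friend option, so per-article and per-menu-item overrides still have to be reviewed by hand.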