Joomla 3.8.8 notes about the changed default settings
From Joomla! Documentation
Updated site security recommendations
As of Joomla 3.8.8, the default text filtering settings will no longer allow the default Administrator user group to enter unfiltered content. We encourage site owners to review their text filtering configuration and apply the same change to further enhance the security of their sites.
You can find the current text filter settings in the Administrator area.
Administrator area → System → Global Configuration → Text Filters
It is recommended that you change Text Filter Settings → Administrator Filter Group from No Filtering to Default Blacklist.
Not sending the plain text password via email
As of Joomla 3.8.8, the “Send Password” option in the User Manager will no longer be enabled by default. We recommend that you check this setting on all existing sites. To do so, go to:
Administrator area → System → Global Configuration → Users → Send Password
We recommend that you also check the list of allowed upload file extensions and the allowed upload MIME types. As of Joomla 3.7.3, we have changed the allowed upload extensions and MIME types. Flash files are no longer allowed, because accepting Flash uploads without proper review raises several security concerns. It is recommended to block the upload of Flash files through Joomla.
Therefore we recommend removing the following values from your upload configuration in the Media Manager to prevent the upload of Flash files:
- Legal Extensions (File Types): "swf"
- Legal MIME Types: "application/x-shockwave-flash"
To remove these values, go to:
Administrator area → System → Global Configuration → Media
Mail to Friend
Together with the changes mentioned above, we are also going to disable the Mail to Friend feature by default for new installs.
We recommend checking whether you still require this feature on your sites.
Please note that it can be configured in three different places:
- In an article, in the "Options" tab.
- In a menu item, in the "Options" tab.
- In the Global Configuration of the Articles component.
If you want to disable the setting globally, go to:
Administrator area → System → Global Configuration → Articles (you need to scroll down a bit)
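As an added illustration that is not part of this documentation page, the following Python audit script compares the settings discussed above against the 3.8.8 defaults. It assumes the values have been exported from the `params` column of the `#__extensions` table for com_config, com_users, com_media and com_content; the key names (filters, sendpassword, upload_extensions, upload_mime, show_email_icon) and the Administrator group id 7 are Joomla 3 defaults as far as I know them, and the sample data is constructed.

```python
"""Audit Joomla 3 Global Configuration values against the 3.8.8 defaults.

Assumed input: the JSON from the `params` column of the #__extensions
table for com_config, com_users, com_media and com_content (Joomla stores
Global Configuration for these components there). Only explicit values
are checked; an absent key falls back to the component's config.xml
default, which depends on the installed release. Samples are constructed.
"""
import json

ADMIN_GROUP_ID = "7"  # id of the default "Administrator" user group (assumed)
WEAK_EXT = "swf"
WEAK_MIME = "application/x-shockwave-flash"


def _csv(value):
    """Split a comma-separated Joomla list into lower-cased, stripped items."""
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def audit(params):
    """Return a list of findings; an empty list means the 3.8.8 defaults are met."""
    findings = []
    admin = params["com_config"].get("filters", {}).get(ADMIN_GROUP_ID, {})
    if admin.get("filter_type") == "NONE":  # "NONE" = No Filtering, "BL" = Default Blacklist
        findings.append("Administrator filter group is 'No Filtering'; set it to Default Blacklist")
    if str(params["com_users"].get("sendpassword")) == "1":
        findings.append("Send Password is enabled; plain-text passwords are mailed to users")
    if WEAK_EXT in _csv(params["com_media"].get("upload_extensions", "")):
        findings.append("Legal Extensions still contains 'swf'")
    if WEAK_MIME in _csv(params["com_media"].get("upload_mime", "")):
        findings.append("Legal MIME Types still contains 'application/x-shockwave-flash'")
    if str(params["com_content"].get("show_email_icon")) == "1":
        findings.append("Mail to Friend (show_email_icon) is enabled globally")
    return findings


# Constructed sample: a site upgraded from an older release, before review.
WEAK = {
    "com_config": {"filters": {"1": {"filter_type": "BL"}, "7": {"filter_type": "NONE"}}},
    "com_users": {"sendpassword": "1"},
    "com_media": {"upload_extensions": "bmp,csv,doc,gif,jpg,png,swf",
                  "upload_mime": "image/jpeg,image/gif,image/png,application/x-shockwave-flash"},
    "com_content": {"show_email_icon": "1"},
}
# The same site after applying the recommendations on this page.
HARDENED = json.loads(json.dumps(WEAK))
HARDENED["com_config"]["filters"]["7"]["filter_type"] = "BL"
HARDENED["com_users"]["sendpassword"] = "0"
HARDENED["com_media"]["upload_extensions"] = "bmp,csv,doc,gif,jpg,png"
HARDENED["com_media"]["upload_mime"] = "image/jpeg,image/gif,image/png"
HARDENED["com_content"]["show_email_icon"] = "0"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```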