Secured procedure for installing Joomla with a remote database

From Joomla! Documentation

This page contains changes which are not marked for translation.
Other languages:
Deutsch • ‎English • ‎Türkçe • ‎français

Starting with Joomla! 3.7.4 the Joomla! Security Strike Team (JSST) implemented additional security checks in the install application in order to protect your web hosting accounts from being overtaken by a remote attacker. In case your database is not on the same server as your website, we require an extra check to verify that you are the owner of the website.

Who is Affected?[edit]

As this is a security issue in the installer application, only new installations of Joomla are affected. If you want to do a new install using localhost as the database server, nothing changes.

How to Fix[edit]

If you want to install 3.7.4 and want to use a remote database server, we require you to delete a file in the installation folder that was randomly created by the installer. This filename is unique to your session so we are sure you just deleted the file and we can finish installing as normal.

A special case is the FTP mode. In that case Joomla is not able to create files. We require you to create a file in the installation folder to confirm that you are the website owner.

In both cases, the file name will be displayed in a message on your screen with instructions on how to validate the installation.

If you are running in a trusted environment (such as a docker container), you can also set the environment variable JOOMLA_INSTALLATION_DISABLE_LOCALHOST_CHECK to a value of 1 in the container, which will skip this check.