J3.x:Secured procedure for installing Joomla with a remote database

Starting with Joomla! 3.7.4 the Joomla! Security Strike Team (JSST) implemented additional security checks in the install application in order to protect your web hosting accounts from being overtaken by a remote attacker. In case your database is not on the same server as your website we require an extra check that makes sure you are the owner of the website.

Who is affected?

As this is a security issue in the installer application only new installations (or not yet installed) of Joomla are affected. If you want to do a new install by using “localhost” as database server nothing changes.

How to fix

If you want to install 3.7.4 and want to use a remote database server we require you to delete a file in the installation folder that was randomly created by the installer. As this filename is unique to your session we are sure you just deleted the file and we can finish installing as normal.

A special case is the “FTP mode”. In that case Joomla is not able to create files. So we require you to create a file in the installation folder in order to confirm that you are the website owner.

In both cases, the file name will be displayed in a message on your screen with instructions on how to validate the installation.

If you are running in a trusted environment (such as a docker container) then you can also set the environment variable JOOMLA_INSTALLATION_DISABLE_LOCALHOST_CHECK to value 1 in the container, which will skip this check