We have received numerous emails and forum posts from site owners stating that they had been hacked because users were able to post and publish blog posts on their site. The team performed some code forensics and found no way for anyone without access to publish blog posts on a site. The one and only way for users to do this is when they have been given the access to do so. We debugged the affected sites and realized that it is simply a case of bad configuration on the site.
What happened?
By default, Joomla allows anyone to register on a site using com_users. Registered users are automatically placed in the ACL group "Registered". EasyBlog 5, by default, allows users in the ACL group "Registered" to create and publish blog posts. Put these two default settings together and you get users registering and spamming sites with unwanted posts.
Whose fault is this?
It's nobody's fault, actually. Joomla! by default allows anyone to register on your site through its own Users extension (com_users), while EasyBlog by default allows registered users to post and publish blog posts, because a blogging component is different from a social networking component; we rarely come across a blogging site that has open registration the way a social networking site does.
Is there a fix for this?
Yes, there is. With the latest EasyBlog 5 release, the default ACL settings for the "Registered" group grant very limited access. Site administrators will have to configure their ACLs accordingly in order to allow users to post on their site. Should you require any assistance with this, you can always refer to our ACL documentation or contact our EasyBlog experts via EasyBlog's Official Forum.
Should you wish to get your hands dirty and set up your ACL yourself, you can do so by first logging in to your backend and navigating to Component > EasyBlog > ACL.
From there, click on the ACL group "Registered" (or any other groups, depending on the setup of your site).
Set "Allowed to write new post" to "No", click "Save" and you are good to go!
The same concept applies to EasyBlog 3.9.x: navigate to Component > EasyBlog > ACL, click on the ACL group "Registered" and set "Write Entry" to "No".
With the settings above, those who are in the "Registered" group (the default Joomla user group for registered users) will not be able to publish any new post on your site.
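The misconfiguration described above is the combination of two settings that are each harmless on their own. The following audit check is an added example, not code from EasyBlog or Joomla: it reads the com_users parameters the way Joomla stores them (the JSON in the params column of #__extensions, with the real keys allowUserRegistration and new_usertype) and compares the default registration group against the EasyBlog ACL rule from this article. The shape of the EasyBlog ACL input is an assumption for illustration; EasyBlog keeps its ACL in its own tables, and only the one rule shown in the backend is modelled here.

```python
import json

# Joomla's built-in user group ids on a default install: 1 = Public, 2 = Registered.
REGISTERED_GROUP_ID = 2


def parse_com_users_params(params_json):
    """Parse the com_users 'params' JSON as stored in #__extensions (element = 'com_users')."""
    params = json.loads(params_json)
    return {
        # "1" means self-registration is enabled in Users > Options.
        "registration_open": str(params.get("allowUserRegistration", "0")) == "1",
        # Group that newly registered users are placed in.
        "default_group": int(params.get("new_usertype", REGISTERED_GROUP_ID)),
    }


def audit(params_json, easyblog_acl):
    """Return findings for the open-registration + write-access combination.

    easyblog_acl is an assumed structure: group id -> {"Allowed to write new post": "Yes"/"No"},
    mirroring the setting under Component > EasyBlog > ACL.
    """
    users = parse_com_users_params(params_json)
    findings = []
    if not users["registration_open"]:
        return findings  # closed registration: nobody lands in the group uninvited
    group = users["default_group"]
    rule = easyblog_acl.get(group, {}).get("Allowed to write new post", "No")
    if rule == "Yes":
        findings.append(
            f"self-registration is open and new users land in group {group}, "
            f"which EasyBlog allows to write new posts: anyone can publish"
        )
    return findings


# Constructed samples: Joomla defaults, plus the pre-5.x EasyBlog default and the fixed ACL.
WEAK_COM_USERS = json.dumps({"allowUserRegistration": "1", "new_usertype": "2", "useractivation": "1"})
CLOSED_COM_USERS = json.dumps({"allowUserRegistration": "0", "new_usertype": "2"})
WEAK_ACL = {2: {"Allowed to write new post": "Yes"}}
FIXED_ACL = {2: {"Allowed to write new post": "No"}}

if __name__ == "__main__":
    for label, acl in (("weak", WEAK_ACL), ("fixed", FIXED_ACL)):
        print(label, audit(WEAK_COM_USERS, acl) or ["no findings"])
```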
I want to renew, but I'm worried
Should you have an active license, you are covered by our support policy. You are in good hands! We will assist you with anything related to our product, from deployment up to configuration. All you have to do is drop us a message in our Official Support forum. Currently, the latest version of EasyBlog is EasyBlog 5.0.17. Just like any other software and application, we highly advise you to stay in the loop and upgrade your EasyBlog to the latest version. Those who hold a valid license can immediately download the latest version via your dashboard, while those whose license has expired will have to renew your license with us.
We are very serious when it comes to security, so you have absolutely nothing to worry about.