Securing the Professional version

Akeeba Kickstart is, by necessity, a script that can overwrite your site with the contents of an arbitrary compressed archive. This is not a bug, it's the very definition of what a backup archive extraction tool is meant to do.

On top of that, Kickstart has to receive commands through the web interface without having to authenticate the user, i.e. it has to do whatever you tell it to do without asking for a username or password. This is a feature by necessity: it's mass distributed software which is meant to be used by users with little to no experience in managing sites. If we were to ask users to edit the file and enter a username / password of their choice we know for a fact that they wouldn't, using the default username and password shipped with the software. Therefore, to save mutual frustration, we decided not to implement authentication for the Kickstart user interface.

Things get a bit hairy when you throw in features like Import from URL and Import from S3 into the mix. Anyone who knows the URL to Kickstart can tell it to download an arbitrary ZIP, JPA or JPS archive from a location under their control, save it to your site and extract it. An enterprising hacker could abuse that to install a hacking script, backdoor or other malware on your site. However, as we said, doing that requires knowing the URL to Kickstart.

Kickstart is a widely used script with a well-known file name: kickstart.php. Also, because of what it's typically used for (restoring a full-site backup) it tends to live in the site's root. So, given a site's URL, you can reasonably expect Kickstart, if present, to be reachable as kickstart.php directly under that URL. Hackers are aware of this, as well as the fact that many people forget to delete Kickstart after they're done restoring their backup (they never click on Clean Up), thus leaving behind what is effectively a backdoor to their site.

Your security is our top priority, therefore we have decided to address this potentially dangerous situation. For starters, we are offering two separate editions of Kickstart: Core and Professional. The Core version only allows you to extract backup archives which are already present on your server; it has no way to fetch an archive from a remote location. This means that an attacker cannot abuse it to import an arbitrary archive into your site (it remains a tool that extracts whatever archives are already there, so you should still delete it when you are done).

The Professional edition does have the features which can import an archive from an arbitrary location, but it will not run unless you rename its file from kickstart.php to something which does not contain the word "kickstart" in it. We recommend using a name that's a random collection of letters and numbers, e.g. afdJuoH7lo2.php. Then just access the renamed file through your browser, at the URL corresponding to its new name, to run Kickstart Professional. This makes it unlikely that a hacker would correctly guess the name you used, thereby mitigating the issue. Keep in mind that this is obscurity rather than authentication: anyone who learns the name has the same control over the script that you do, which is why the warnings below matter.

A few words of warning are still in order, though.

Remember to always delete Kickstart Professional's PHP file when you're done, either by clicking Clean Up or by removing the file by hand, and then check that the file is really gone. Leaving it behind increases your risk without a good reason.

Remember that many web servers will gladly provide a directory listing (an automatic index) to anyone who asks for a directory that has no index file in it. Such a listing would "leak" the random name you chose, putting your site at risk. Always upload a blank index.html file BEFORE uploading the (renamed) kickstart.php file to your site, and verify, by requesting the directory's URL in your browser, that no listing is shown.
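The two preparation steps above (pick a random name that does not contain "kickstart", and make sure a blank index.html is in place before the renamed script) are easy to get wrong by hand, so here is an added example that stages them locally before you upload. This is example code, not part of the Akeeba documentation or of Kickstart itself; the function names, the 12-character default name length and the use of /dev/urandom are assumptions. The stand-in kickstart.php used when running it is a constructed file, not the real script.

```shell
#!/bin/sh
# Added example, not Akeeba's code. Prepares a local staging directory in
# which a blank index.html exists BEFORE the renamed Kickstart Professional
# file, and refuses any file name containing "kickstart" (Kickstart
# Professional will not run under such a name anyway).

# Generate a random file name of letters and digits, e.g. afdJuoH7lo2.php.
# Assumes /dev/urandom is available; LC_ALL=C keeps tr byte-oriented.
random_name() {
    len="${1:-12}"
    name=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len")
    printf '%s.php\n' "$name"
}

# Return 0 if the name is acceptable for Kickstart Professional:
# it ends in .php and does not contain "kickstart" in any letter case.
name_is_safe() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lower" in
        *kickstart*) return 1 ;;   # would refuse to run, and is guessable
        *.php)       return 0 ;;
        *)           return 1 ;;   # must keep the .php extension to execute
    esac
}

# prepare_stage SRC_KICKSTART STAGE_DIR [NAME]
# Creates STAGE_DIR with index.html first, then the renamed script, and
# prints the name that was used so you can type its URL later.
prepare_stage() {
    src="$1"; stage="$2"; name="${3:-$(random_name)}"
    name_is_safe "$name" || { echo "refusing unsafe name: $name" >&2; return 1; }
    mkdir -p "$stage"
    # Step 1: a blank index.html, so an automatic index cannot list the directory.
    : > "$stage/index.html"
    # Step 2: only now place the renamed Kickstart Professional file.
    cp "$src" "$stage/$name"
    printf '%s\n' "$name"
}
```

Upload the contents of the staging directory in the same order (index.html first), then request the directory URL in a browser to confirm that no listing appears before you open the renamed script over HTTPS.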

Don't use the Kickstart Professional edition unless you absolutely have to. In other words, if your backup archive is already on the server just use the Kickstart Core edition. It's safer and less complicated.

Do NOT use plain HTTP with Kickstart Professional (or with anything else, really). Requests sent with plain HTTP are as secure as text written on the back of a postcard: everyone who can get their hands on it can read it. If you are using a public network infrastructure (co-working space, coffee shop, library, airport or even your company's network) there's a very good chance that someone can intercept the request and find out not only that you're using Kickstart Professional but also how you've named the file. Always use HTTPS. It encrypts the path of the request, i.e. the random file name, although an observer can still see which host you are connecting to. Since 2015 using HTTPS is incredibly easy and cheap thanks to the free certificate authority Let's Encrypt and the automated tools surrounding it, which have been integrated with all major hosting companies and operating systems. Coupled with SNI, the TLS extension which allows shared hosts to serve a different certificate for each site on the same IP address, there's absolutely no excuse whatsoever to use plain old HTTP. Upgrade to HTTPS today and close off one of the most common security pitfalls.