Extensions
Installing an Extension
Extension Documentation
Before starting it is always wise to read the documentation associated with an extension. Most extensions have home pages and forums, and it is a good idea to look at them first. If there is a README file included with the extension, you should read it. There may be special installation or configuration instructions.
System Install Extensions
The System / Install / Extensions form is fairly well documented in the Help screen. What is not so obvious is that each of the install methods is a plugin. In early editions of Joomla 4 the Install from Web plugin was first in the list and it is possible that is still the case in versions that have been updated. Having that method first is inconvenient if you usually use one of the other methods because it takes a few seconds to fetch data from the Joomla Extensions Directory site.
To change the order:
- Go to Home Dashboard / Plugins
- Select installer from the Select Type drop-down filter.
- Select the Sort Order icon to reveal the sorting grab handles (vertical ellipsis).
- Drag the Installer - Install from Web item to the bottom of the list.
- Go back to System / Install / Extensions to view the result.
You are then ready to use one of the standard installation methods.
Upload Package File
For most extensions and most users, the procedure will be:
- Download the extension to your local machine as a zip file package.
- From the backend of your Joomla site (administration) select System → Install → Extensions.
- From the Upload Package File tab, select the Browse for file button and choose the extension package on your local computer, or drag and drop the file from your file manager.
- The upload and install process begins automatically.
- Some extensions may provide further instructions on installation.
- Note that modules and plugins usually need to be enabled before they will work.
Install from Folder
Some extensions may be too large to use the Upload Package File method, usually because of a limit on the Maximum File Upload Size set by your host. In this case you can use the Install from Folder method.
- Create a temporary directory on your local hard drive and unpack the Extension's archive file in this temporary directory.
- Using FTP, upload the contents of this directory (including files and subdirectories) to the /tmp directory of the Joomla root on your server so that you have a path such as /tmp/acmeextension.
- In the Install Directory field specify the server directory where you uploaded the files and subdirectories of the package, for example /home/username/public_html/tmp/acmeextension.
- Select the Check and Install button and Joomla! will install the contents of the given directory.
Install from URL
Instead of downloading a zip file to your local computer you can just use the download URL. Joomla will fetch the zip file directly and save the download and upload steps of the previous methods.
Install from Web
This option allows you to install an extension directly from the Joomla! Extensions Directory. The initial list is in order of number of reviews but you can select by Category to quickly find a list of extensions that may suit your needs.
System Install Discover
As described in the Help screen, the Discover function allows you to install extensions that are too big for some systems, especially low-cost shared hosting environments. Something that may not be obvious is that you may have to create folders in different places on your hosting service, typically:
- Upload site files to siteroot/components/com_mybigcomponent
- Upload administrator files to siteroot/administrator/components/com_mybigcomponent
- Upload media (css and javascript) to siteroot/media/com_mybigcomponent
- Upload site language files to siteroot/language/en-GB if they are not in a language folder in the component site folder.
- Upload administrator language files to siteroot/administrator/language/en-GB if they are not in a language folder in the component administrator folder.
With that done, Discover should find and allow installation of the component and it might actually work.
System Install Languages
The default language is English GB. It cannot be removed or installed. It may not be obvious but every page loads appropriate en-GB strings first to ensure that language keys used by coders do not appear in the page output. If the user selected language is not English then the user language is loaded, overwriting the English strings. If a language has not been fully translated the result will be a mixture of user language and English strings. This may look strange but it is better than a mixture of user language and coder keys.
From the list of available languages select whichever you need to install. Some are marked with a green button to indicate they are up to date with the current Joomla version. Others are marked with a yellow button to indicate they are not quite up to date. Go ahead and install anyway. You may see some English words in places that ought to be in your selected language. But they may be rare.
The Joomla Extensions Directory
Free and Commercial Extensions
An extension is a package that extends your Joomla! installation in some way. The default features of Joomla are implemented as core extensions. Many more extensions are available from the Joomla! Extensions Directory (JED). Popular items include the free Akeeba Backup extension.
Vulnerable Extensions
Extension Sources
Anyone may write and distribute a Joomla! extension as a service to the global community. Such third-party extensions may be found on professional extension developers' websites, personal blog websites, GitHub and similar repositories and the Joomla Extensions Directory website.
Vulnerable Extensions
Very few sources offer deliberately malicious extensions. Usually, a vulnerable extension is one that has been found to contain (or contribute to) a security vulnerability after initial release.
Vulnerable extensions are not necessarily poorly coded. As the Web evolves, technical requirements and commonly accepted coding practices change. Active projects release new versions of their extensions as requirements change and quickly fix any reported vulnerabilities.
If you are concerned about any of your extensions you should consult the Joomla Vulnerable Extensions list (VEL) which contains information on 240+ mostly old extensions.
The JED Checker
If you are concerned about an extension that does not appear in the VEL you can use the JED Checker extension. This is an extension used to check extensions submitted to appear in the Joomla Extensions Directory list. It is installed like any other extension. In use, it accepts an extension zip file and examines its contents for compliance with JED standards. It is extremely useful even for extensions that do not appear in the JED list. Here is an example screenshot:
The 400 PHP files with missing GPL Licence Notice are in third party libraries with a different Licence. The 30 files identified by the Joomla Anti-Malware Scan Script are also in those third party libraries. There is work to do on the files missing JEXEC security!
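Joomla's entry points define the `_JEXEC` constant, and extension PHP files conventionally begin with `defined('_JEXEC') or die;` so that they do nothing when requested directly. The following added example (not JED Checker's code and not part of the original page) is a simplified text scan that lists the PHP files in an unpacked extension that lack that guard; the sample files and function names are constructed for illustration.

```python
import os
import re
import tempfile

# Joomla's conventional guard line: defined('_JEXEC') or die;
GUARD = re.compile(
    r"""defined\s*\(\s*['"]_JEXEC['"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)""",
    re.IGNORECASE,
)


def files_missing_guard(ext_dir):
    """Return relative paths of .php files that lack a _JEXEC guard."""
    flagged = []
    for dirpath, _dirs, names in os.walk(ext_dir):
        for name in names:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            # Text match only: a guard inside a comment also passes,
            # so treat the result as a list for manual review.
            if not GUARD.search(source):
                rel = os.path.relpath(full, ext_dir)
                flagged.append(rel.replace(os.sep, "/"))
    return sorted(flagged)


def demo():
    """Scan a constructed extension tree with one unguarded file."""
    samples = {
        "mod_example.php": "<?php\ndefined('_JEXEC') or die;\necho 'ok';\n",
        "helper.php": "<?php\n\\defined( '_JEXEC' ) || exit;\nclass Helper {}\n",
        "lib/vulnerable_file.php": "<?php\necho 'runs when requested directly';\n",
        "README.txt": "not PHP, ignored\n",
    }
    with tempfile.TemporaryDirectory() as ext_dir:
        for rel, body in samples.items():
            full = os.path.join(ext_dir, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return files_missing_guard(ext_dir)
```

Files in bundled third-party libraries will often be flagged as well, as in the screenshot discussion above, so each hit needs a manual look.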
Removing a Vulnerable Extension
Make a List of Files to Remove
If you can locate it, read the extension's XML file to determine exactly which directories, files, and database tables were added to your system. The XML file is in the original zip archive used during the extension install process. For example, the zip archive for an extension called mod_vulnerable would contain an XML file called mod_vulnerable.xml, and might contain a list of files such as the following:
mod_vulnerable.php
mod_vulnerable/vulnerable_file.txt
mod_vulnerable/another_vulnerable_file.txt
mod_vulnerable/yet_another_vulnerable_file.txt
mod_vulnerable/index.html
Uninstall Via the Joomla Installer
Using the Installer in the Joomla! Administrator backend, uninstall the vulnerable extension. You may also need to uninstall related modules, components, or plugins.
Verify that the Uninstall Process was Complete
Don't trust the extension to safely remove all of its files. Compare directories and files on your system to the extension's XML list to ensure that all related files were actually removed.
Optionally, Remove the Related Database Tables
Check your database and remove any tables created by the extension. To ease the upgrade process to new versions, many uninstall scripts do not remove related database tables. You can find the list of tables in each extension's XML file.
If you plan to install a safer, compatible version of the same extension and you want to reuse existing data, you can usually leave the database tables as is.
Remove Menu Links
Simply removing the menu links to an extension, or unpublishing a module, is not enough to protect your site! As long as the extension's files exist on your server, you are vulnerable. Note how in the following examples an attacker can bypass the Joomla! index file to directly target any file of any extension.
www.your_site.org/components/com_bad_component/vulnerable_file.php
www.your_site.org/modules/mod_bad_module/vulnerable_file.php
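The comparison described under Verify that the Uninstall Process was Complete can be scripted. The following added example (not part of the original page or of Joomla) reads the `<filename>` and `<folder>` entries from a manifest and reports which of them still exist in the install directory; the manifest contents, directory layout and function names are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed manifest for the page's hypothetical mod_vulnerable module.
SAMPLE_MANIFEST = """<extension type="module" client="site">
  <name>mod_vulnerable</name>
  <files>
    <filename module="mod_vulnerable">mod_vulnerable.php</filename>
    <filename>vulnerable_file.txt</filename>
    <filename>index.html</filename>
    <folder>tmpl</folder>
  </files>
</extension>
"""


def manifest_entries(manifest_xml):
    """Return paths declared in the manifest's top-level <files> blocks."""
    root = ET.fromstring(manifest_xml)
    # Admin-side, <media> and <languages> blocks install elsewhere and
    # need the same check against their own base directory.
    return [node.text.strip()
            for files in root.findall("files")
            for node in files
            if node.tag in ("filename", "folder") and node.text]


def find_leftovers(manifest_xml, install_dir):
    """List declared files and folders that still exist under install_dir."""
    base = os.path.realpath(install_dir)
    leftovers = []
    for rel in manifest_entries(manifest_xml):
        path = os.path.realpath(os.path.join(base, rel))
        # Ignore entries that resolve outside the extension directory.
        if os.path.commonpath([base, path]) == base and os.path.exists(path):
            leftovers.append(rel)
    return sorted(leftovers)


def demo():
    """Simulate an incomplete uninstall in a temporary directory."""
    with tempfile.TemporaryDirectory() as site:
        module_dir = os.path.join(site, "modules", "mod_vulnerable")
        os.makedirs(os.path.join(module_dir, "tmpl"))
        with open(os.path.join(module_dir, "vulnerable_file.txt"), "w") as fh:
            fh.write("left behind")
        return find_leftovers(SAMPLE_MANIFEST, module_dir)
```

An empty result means none of the declared entries remain in that directory. When the manifest comes from an archive you do not trust, parse it with a hardened XML parser such as defusedxml rather than the standard library.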