Recent discussions in the Joomla! security forum have made it clear that a particular weak point of the Joomla security system is the front-end password reset function. If your site includes any extension that is vulnerable to a relatively common security problem - sql injection - then an attacker can potentially abuse the password reset function to change your administrator password. They can do this even if you do not display the login module in your front-end.

The problem is that vulnerability to sql injection is a fairly common problem, and is likely to remain so for the near future. It is the sort of mistake that even experienced programmers can occasionally let slip through.

So it is strongly advisable to take steps to guard your site against this. As a first step you should always check any extension against the list of vulnerable extensions before installing it. However that is never going to protect you completely, because obviously the list only includes those with known vulnerabilities.

Ideally you want to protect against unknown vulnerabilities as well. This is why we think it makes sense to be able to block the password reset function for administrative users, and it is why we have created our 'block password reset' system plugin. This is a non-commercial plugin (and will remain so), and is freely downloadable.

Unlike other approaches to this problem it does not require any hacks to the core Joomla! code. You just install it like any other plugin and select the users or groups for which you wish to block the password reset function through the plugin parameters. At the moment it is just designed to work with the Joomla! user component, but we plan to extend it to work with other registration systems as well, such as community builder, if there is a demand for it.

If you use this plugin you should be reasonably confident that you are not going to forget your admin password, because will make it impossible to use the password reset function. However if you do forget, and you have access to your site database then you will still be able to reset your password directly through your database admin. There is documentation available on the Joomla! site about how to do this.