Hello JoomShaper Support,
I am experiencing an issue with the Joomla extension update checker on our production website.
When I go to:
System → Update → Extensions → Check for Updates
Joomla displays the following errors:
Update: Could not open update site #213 “SP Simple Portfolio Module”
Update: Could not open update site #216 “Helix Ultimate Framework”
Update: Could not open update site #219 “shaper_helixultimate”
Update: Could not open update site #221 “SP Simple Portfolio”
Update: Could not open update site #222 “SP Easy Image Gallery”
Update: Could not open update site #225 “SP Page Builder”
I rebuilt the Joomla Update Sites list, but the same problem continued.
I then tested the update endpoint directly from the VPS:
curl -I https://www.joomshaper.com/updates/com-sp-page-builder-pro-next.xml
the server receives:
HTTP/2 403
content-type: text/html; charset=UTF-8
cf-mitigated: challenge
server: cloudflare
cf-ray: a1ac62620c876dd6-DFW
The response body is a Cloudflare page with the title:
Just a moment...
the same HTTP 403 response occurs when accessing the JoomShaper homepage and the Helix Ultimate update XML endpoint directly from the server.
This indicates that Cloudflare is presenting a browser challenge to requests coming from our VPS. Joomla’s server-side update checker cannot execute JavaScript or complete this challenge, so it cannot retrieve the XML update files.
Example affected endpoint:
https://www.joomshaper.com/updates/com-sp-page-builder-pro-next.xml
Could you please review the Cloudflare security event associated with this Ray ID and verify whether our server IP or hosting network is being challenged or blocked?
Please also consider excluding the /updates/ XML endpoints from browser-based Cloudflare challenges, since Joomla and other automated extension update clients cannot complete them.
This issue prevents Joomla from detecting available maintenance and security updates for SP Page Builder, Helix Ultimate, and other JoomShaper extensions.
Thank you for your assistance.
Best regards,
Leandro Lourenzo
P.S. Could this Cloudflare challenge also explain why our Joomla installation did not receive or detect the SP Page Builder update that was required to prevent the recent security incident on our website?
Our site was compromised before we became aware that SP Page Builder needed to be updated. We understand that updating alone does not remove malware already present, but we would like to know whether the blocked update endpoints may have prevented Joomla from notifying us that the security update was available.