Has Your Joomla Website Been Hacked?

A Joomla website that is not properly maintained is potentially vulnerable and can become a target of a hacker. I've come across several hacked websites over the past few years and none are the same. So there is also no 1 solution, but if you follow these steps, you are most likely to be able to recover your website (for the most part).

How do you find out your website has been hacked?

Sometimes you see it immediately, when you open your website a message appears from the hacker.

Sometimes they operate invisibly, your website continues to function and you don't really notice anything. Meanwhile, the hacker places various files and scripts on the website that can be used to send malware (such as viruses) or spam, for example. At some point it is discovered by Google and they will block your website.

The report of your website can be found at: http://www.google.com/safebrowsing/diagnostic?site=jouwdomeinnaam.nl (replace the last part with your own domain name)

How can you clean up your website?

It is important that you take your time! Do not start deleting files in a panic, because this could make recovery impossible.

1) What is the cause of a hacked website?

To clean up a hacked website, you obviously need to know where and how it went wrong. In many cases, a hack can be prevented by:

Choosing a good hosting party that ensures optimal security. As with so many things, here too: "Cheap is expensive."
Using secure passwords, not only in your Joomla environment, but also with FTP and database.
Using secure extensions. If you want to know if the extensions you use are safe, take a look at the Joomla Vulnerable Extensions List
Keeping your Joomla environment and its extensions up-to-date.
Using good anti-virus software on your PC.

It is advisable to also inform your hosting party and look at the cause together. In addition, they can already take technical measures or give advice.

2) Scan your computer for malware

It is possible that your computer is also infected. It certainly can't hurt to scan your computer with MalwareBytes AntiMalware, for example. In some cases, malicious software may have retrieved your username and password and gained access to your website.

3) Take the website offline

To prevent further infection, I recommend taking the website offline. Just "display offline", when you can still get into the administration screen of Joomla, is certainly not enough. After all, the hacker may just have access to all the data. Have the DNS data point to a static page on another server that uses the HTTP status code 503 to quarantine your website.
Use FTP and phpmyadmin to copy the website so you can restore it offline.

If you have a backup of the Web site, remember that it may also be infected. If you also have older backups then it is useful to compare these files. The outdated but clean backup you can choose to restore. You may have lost some data, such as newly registered users or an article you had written last week.

4) Change the passwords

Change passwords for all site users and accounts. This includes logins for FTP, databases, email accounts, accounts for system administrators and Joomla itself of course.
If you forget this step, chances are you will be hacked again within days of recovery.

5) Cleaning up the system

If you don't have a clean backup, then you need to clean up the system to remove such a the hack.

During this step, you run through all folders to see if any foreign files have been added. Since existing files can also be modified, overwrite the files with the joomla core files. Make sure you do this with the latest version from the joomla series you are using. It makes no sense to overwrite a Joomla 1.5 system with Joomla 3 files. So grab the most recent version of Joomla 1.5.x for this.

It is also important to reinstall the extensions, again make sure you always use the latest version.

And finally, the database must be checked for suspicious content. This can be, for example, text fields that now suddenly contain iframes or scripts.

Once the cleanup is complete, you can put the website back online. Don't forget to notify Google that security has been restored and that the block can be lifted. You can do this in the Google webmaster tools.

6) Planning for the future

As you can see, it takes quite a lot of time and effort to restore a website. What are you going to do about it to avoid this in the future?

For starters, you need to start making sure your website is updated or migrated to the latest Joomla version.

Make use of security extensions such as Akeeba Admin Tools

Make regular backups, and check them!

If you don't feel like or have time to constantly update the website yourself, consider a Joomla maintenance contract.

Has your website been targeted by hackers? Please let me know!

Contact me directly

Want to know more?

Wondering if I'm the right partner for your project? Then take a look at my portfolio, see what my clients say or contact me directly.

About Jeroen

I have been working with the Joomla! CMS since 2006. Besides building and maintaining Joomla! websites and webshops, I am also familiar with search engine optimization (SEO), Joomla hosting and developing templates and extensions. Furthermore, I am a frequent visitor and speaker at JoomlaDays and various Joomla user groups.

I am committed to the Joomla! community as a member of the Extensions Directory team and the organization of Joomla user group Breda and JoomlaDagen Netherlands. In short: Are you looking for a Joomla Specialist, you should contact me!