Is Your Joomla website hacked or infected with a malware. You can’t log in, your users get redirected to another site, there are malicious codes injected in the templates, website is defaced and the list goes on. Even the best CMS can fall victim to sneaky computer viruses, security breaches and malicious codes injected by hackers that can lead to negative consequences for your websites.
Have you ever wondered how to fix hacked Joomla website? If your site has been hacked, you need to take immediate action. Your visitors will not trust your website again until it is clean from viruses and malware. The best way to keep your Joomla site safe from hackers is by using a Content Management System (CMS) such as WordPress that has built-in security features, which protects your website with just one click. However, no system is foolproof and even WordPress is prone to hacking [Check out: How to hack wordpress site], you might find yourself needing to know ways to fix hacked Joomla site.
If your Joomla site has been hacked either because of lack of updates or due to being targeted by a cyber-attacker. In this blog post, we will be talking about some common ways that Joomla websites can get hacked , easy steps to fix hacked Joomla website and Joomla security measures to avoid falling victim to hackers in the future. Let’s dive in.
Joomla is an open-source content management system (CMS) based on an MVC framework. It is currently the 2nd most used CMS on the Internet after WordPress, with a market share of 2.8%. Although that may not seem like a lot, there are millions of businesses and blogs that have chosen to power their websites with Joomla. As with any heavily used platform, security issues crop up regularly. The risks of being attacked are greater and vulnerabilities are constantly being discovered and exploited.
As compared to Drupal and WordPress security vunerabilities, Joomla’s vulnerability rate is lower if we compare the market share of these CMS to their incident rate (at least in the last seven last years).
Signs Of A Hacked Joomla Website
If your Joomla website has been hacked, you need to act as soon as possible, because Google and other search engines will start removing your pages from their index.
If you frequently scan your Joomla website for malware, there’s a good chance you’ll catch a hacking attempt before it takes over your entire site.
But if you don’t, the symptoms that your site was hacked will show up in the form of altered web pages, with messages, links, images or ads you didn’t put there, or redirects to sites you don’t own.
You should also suspect that your site has been hacked if you notice subtle changes in behavior, such as an unexpected log out from the admin account, new admin names appearing, an unexpectedly large amount of traffic, or slow loading of your site. pages.
You must keep an eye on the given signs:
- Your home page is redirected to another website
- Your Google Search Console account receives notices and site blacklisted warnings for having malicious code on your website. By clicking on the “Security issues” section, you will be able to see if Google has detected any potential security threats.
- Searching for your website on google with the site: yourweb.com returns results like: “viagra” or other “pharmaceutical products”.
- White Screen of Death (WSOD) where your site loads a blank page.
- A screen appears, with this warning: “This site may have been compromised” which you can see when visiting your website with your browser.
- A sudden drop in website traffic
- Dangerous links injected to your website
- The front page of your site looks disfigured
- You can’t login to Joomla
- Unknown files and scripts on your server
- Your website is slow or unresponsive
- Suspicious scheduled tasks
- Deceptive site ahead warning in SERPS
- SEO Spam pop-up ads on Fake Phishing Sites
At first, you may think that these aforementioned symptoms are superficial and that the strange messages or images are not really worrying. Do not trust.
Any symptom of hacking is detrimental in many ways. For starters, it can affect the SERP (search engine results pages) ranking of your pages. Search engines, particularly Google, check the sites they crawl to see if they are safe for regular users.
If they detect that your site has been hacked, they will display a warning along with the metadata, and will also lower your SERP ranking in favor of other pages with similar content that have not been hacked.
Symptoms that your site has been hacked will appear in the form of altered spam web pages with japanese text, with messages, links, images, or advertisements that you did not place there, or redirects to sites that do not belong to you.
How To Identify Hacked Joomla Website?
Scan your Joomla site with WP Hacked Help to identify malware locations and malicious code in your Joomla installation directories.
Thereafter, check for any modified files including JOOMLA core files. You can do so by manually checking your files via SFTP. WP Hacked Help has a team to audit for malicious user accounts and administrators.
In case your Joomla site shows as blacklisted by Google or other website security authorities, you can check the security status of your Joomla by following tips:
Use Google diagnostic tools to check the security status of your Joomla! site.
To check your Google Transparency Report:
- Visit the Safe Browsing Site Status site.
- Enter your site URL and search.
On this page you can check:
- Site security details: information about malicious redirects, spam and downloads.
- Testing details: Google’s latest scan detected malware.
If you have added your site to free webmaster tools like Google Webmaster Central or Bing Webmaster Tools, you can check their security ratings and reports on the website.
Steps To Fix Hacked Joomla Website
You have two options: hire a service that does the cleaning for a price or clean yourself. If you’re a DIY fanatic, make a pot of coffee and get ready to do some serious cleaning work by following the steps below.
Make a full DB backup
First of all, we remind you that a Joomla site must be backed up regularly.
This avoids the loss of data and allows you to restore your site quickly in the event of an attack. If you have a recent backup of your site, then the easiest way will be to restore it.
This operation must still be followed by an audit of your site. Indeed, restoring does not mean filling the gaps!
This backup will contain traces of malware, but you should still save it to your local computer in a quarantine folder if you need to find any files or content that aren’t anywhere else.
Put the site in offline mode
You can do this from the Joomla backend, via FTP, or simply by modifying the .htaccess file on your server to allow access only from your own IP address.
Do a full automatic site scan
Use an online malware scanner tool to do this job and use your local antivirus to detect infected files in the backup made in step 1. If the antivirus detects infected files, those files should be removed from the backup and from the hosting.
Do a manual scan
Using FTP and your own trained eye, scan the directory structure for fake files and delete them. Look particularly in folders like /tmp, /cache or /images for malicious files disguised as legitimate ones; a couple of common examples: test.html, tests.php, contacts.php, cron.css, css.php.
If it finds any file that does not belong in the folder, it is activated, it deletes it without thinking twice.
If you are unsure whether the full site scan you performed in step 2 removed the infected code files, then your manual scan should include scanning the PHP files for malicious code.
Note that this code could be obfuscated or masked by functions like base64_decode, gzinflate, evalor others related to regular expressions. You can use a PHP decoder or online service to analyze the obfuscated code and reveal what it actually does.
Locate the attack and remove it
Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. (see Local Security below)
Notify your host and work with them to clean up the site, and to make sure there are no back doors to your site.
- Review Vulnerable Extensions List to see if you have any vulnerable extensions and deal with them. A clue to any extensions being targeted is your logs file. Here is an example of what to look for,
//administrator/components/com_extension/admin.extension.php?mosConfig.absolute.path=http: or ../../../../../../../../../../../../../../../../proc/self/environ
At the root of your Joomla site is a configuration.php file.
This file contains all the parameters necessary for the proper functioning of your site. In the case of a Joomla, hack find and modify the error reporting level.
To do this replace:
public $error_reporting = 'default';
public $error_reporting = 'maximum';
This will locate the file and line that caused the error on your site. Note: this technique requires a mastery of the PHP language. Do not modify your site files without knowledge.
Check User Logs
Check Joomla user accounts, especially administrators and super administrators.
To check malicious users in Joomla:
- Log in to your Joomla!
- Click on Users in the menu item and select Manage.
- Review the list, especially those with recent registration dates.
- Delete all unknown users created by hackers.
- Check the last visit date of legitimate users.
- Check users who logged in at suspicious times.
- You can also analyze your server logs if you know where they are stored and how to search for requests in the Joomla!
- Users logging in at odd times or in unusual geographic locations may have been compromised.
- If you see users logging from unknown IPs, remove them.
Moreover, use Google diagnostic report to find the cause. It gives you a comprehensive view of your site. If your site is blacklisted by google work closer with Google. The diagnostic report will give you the cause for blacklisting. Use it to find and weed out the infection!
Check Modified Files in Joomla
New or recently modified files may be the result of hacking. The core files of Joomla! should also be checked for any malware injections.
The fastest way to confirm the integrity of Joomla! is to use the diff command in the terminal. If you are not comfortable with the command line, you can manually verify your files via SFTP.
You can find all versions of Joomla! on GitHub.
Finally, the diff command here is comparing the contents. This time we are looking at the public_html file. Similarly, you can check multiple files. Moreover, the files can be manually checked. Just log in using any FTP client and check files. SSH enables you to list file modifications.
$ find ./ -type f -mtime -15
Here this SSH command reveals the files modified in the last 15 days. Similarly, you can change the time stamp. Look out for any recently modified files!
you need to clean that infected database. Joomla SQL injection can create new database users and you need to check those newly created after a specific date, use the following code:
- Select * from users as u
- AND u.created > UNIX_TIMESTAMP(STR_TO_DATE(‘My_Date’, ‘%M %d %Y ‘));
- Once those unwanted users are found. Delete them using the SQL statement Drop User;.Not only this, to avoid future infections:
- Sanitize the user input.
- Restrict database permissions to the account.
- Block Database error disclosure to locally only.
- Use type casting wherever possible.
Remove unnecessary extensions
A mistake that is frequently made by Joomla administrators is the massive installation of extensions. Supposed to expand the functionality of the site, they can turn out to be real security vulnerabilities.
Often installed to be simply tested, it is sincerely recommended to uninstall the extensions which are not or are little used on your site to protect yourself from any Joomla piracy.
We also recommend that you consult the Joomla security experts as there is a lot of useful information. It is also important to note that since Joomla 1.7 they have started using random database prefixes for added security. It is recommended to enable this feature, but there is no need to do so in Joomla.
HostForLIFEASP.NET is Highly Recommended for Joomla 4.2.7 Hosting in Europe
HostForLIFEASP.NET is highly recommended for people who are looking for a multi-purpose, reliable, fast and trusted shared web host at an affordable rate. In case that you are planning to have your web presence or move out from your current horrible web host, HostForLIFEASP.NET is one of the best choices you won’t go wrong.