Signs your Joomla website has been hacked
Apart from an obvious defacement, signs your website may have been hacked include some or all of the following:
- degraded performance
- unexplained activity such as new user accounts or content you didn't create or unusual files uploaded to the website (e.g. php files in your image folder)
- warnings from your web browser when you try to visit the website
- a warning or suspension notice from your web hosting company
- critical files such as .htaccess or index.php have been updated unexpectedly
- unexplained CRON jobs in the hosting control panel
Often there are no obvious symptoms when hackers have commandeered your website for nefarious purposes.
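Two of the signs above (PHP files in the image folder and unexpectedly updated critical files) can be checked from a shell on the web host. The script below is an added example, not part of the original page; the function names, the list of critical files and the sample site it builds are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): check a Joomla tree for two of
# the signs listed above. Assumption: images/ is the upload folder and should
# hold no PHP; the file list in recent_critical is illustrative.

# List PHP-executable files under the image folder (any case, common aliases).
find_upload_php() {
    [ -d "$1/images" ] || return 0
    find "$1/images" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) -print | sort
}

# List critical files modified within the last N days (default 7).
recent_critical() {
    days=${2:-7}
    for f in .htaccess index.php administrator/index.php configuration.php; do
        if [ -f "$1/$f" ]; then
            find "$1/$f" -mtime "-$days" -print
        fi
    done
}

# Build a constructed sample site so the script runs offline.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/images/banners" "$t/administrator"
    : > "$t/images/logo.png"
    : > "$t/images/banners/cache.PHP"      # constructed suspicious upload
    : > "$t/.htaccess"                      # just written, so "recent"
    : > "$t/index.php"
    touch -t 202001010000 "$t/index.php"    # old mtime, so not reported
    printf '%s\n' "$t"
}

# Scan the path given as $1, or the constructed sample when none is given.
site=${1:-$(make_sample_tree)}
echo "PHP files under images/:"
find_upload_php "$site"
echo "Critical files changed in the last 7 days:"
recent_critical "$site" 7
```

A recent change to a critical file is only a prompt to compare it against a known-good copy, since legitimate updates also change modification times.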
Why did my Joomla Website get Hacked?
Websites aren't necessarily targeted specifically. Hackers scan the web for vulnerable websites which can then be commandeered to send spam emails or similar.
How did my Joomla Website get Hacked?
Hackers gain access to your website through various means such as:
- a third party extension with a vulnerability
- a Joomla vulnerability
- another website with a vulnerability in the same web hosting account
- poorly configured or maintained hosting environment
- compromised local computer which has website credentials stored on it
- weak password(s) cracked using brute force attacks
Using a minimal number of well supported third party extensions from reputable developers is good practice, but remember also that you need to keep Joomla and third party extensions up to date so that vulnerabilities are patched before they can be exploited by hackers.
Unhacking a Joomla website
There are a few ways that you can recover a hacked website.
1. Restore from a clean backup if one is available. Update Joomla and all third party extensions to the latest versions.
   This can be a good solution if you know when the website was compromised but exact timing can often be difficult to determine with any confidence.
2. Wipe the website and rebuild from scratch using up to date versions of Joomla and third party extensions.
   This is not usually a practical solution because of the work involved but can provide a high degree of confidence that the infection is eradicated.
3. Clean the website using the commercial myjoomla.com security tool or sucuri.net or similar, restoring any changed core files back to the originals, removing malicious files and reinstalling third party extensions as needed. Update Joomla and all third party extensions to the latest versions.
In practice, option 3, "Cleaning" is usually the most practical and cost effective solution.
Check the Vulnerable Extensions List at vel.joomla.org to ensure you are not using any vulnerable extensions.
Update the Joomla, hosting and database passwords.
Securing a Joomla Website
Some recommendations for securing a Joomla website are listed below. Following these suggestions greatly minimises the risk of your website being hacked.
- Use strong passwords.
- Minimise the number of administrator accounts.
- Disable or remove unused user accounts.
- Minimise the number of third party extensions and where third party extensions are necessary, use well supported extensions from established developers you trust.
- Regularly apply the latest updates to Joomla and third party extensions including security hotfixes for Joomla EOL versions where applicable.
- Subscribe to the Joomla Security News feed so you are kept informed of core Joomla security updates.
- Subscribe to the Joomla Vulnerable Extensions List (VEL) so new vulnerabilities can be quickly attended to. You can also follow the VEL on Twitter.
- Use good quality secure web hosting including an appropriate PHP file handler such as suPHP or FastCGI and security extensions such as mod_security. A good quality web host will provide the most recent version(s) of PHP.
- Rather than relying solely on your web hosting provider's backups, regularly perform your own backups of the website, copy the backup files off-site and regularly run test restores to check the quality of your backups.
- Implement a web application firewall such as that provided with the professional version of Akeeba Admin Tools.
- Don't use the standard table prefix.
- Change the default Super Administrator user name and ID to something else. The professional version of Akeeba Admin Tools has a tool to change the Super Administrator ID.
- Restrict access to the Joomla Admin by IP. Only allow trusted IPs.
- Enable 2 factor authentication for administrator accounts (applies to Joomla 3.2 and later).
- Repeat the above steps for other websites that share the same hosting account or, ideally, separate websites into their own web hosting accounts to prevent cross contamination.
- Ensure the personal computers of website administrators are similarly secured. For example, implement a good quality virus and malware scanner. This helps protect any website credentials that are stored on personal computers. Ideally use an encryption tool or application to store website and other credentials.
Joomla Security Audit
If you are unsure whether your website has been hacked or what needs to be done to secure your website, order a Security Audit for $220.
The Security Audit includes:
- a report on the Joomla configuration
- a report on third party extensions
- a report on the suitability of your web hosting
- a report on all the vulnerabilities discovered on your Joomla website
- recommendations on how best to address any discovered issues
Note that no changes are made to your website during the Joomla Security Audit without consulting you first.
The cost of a Joomla Security Audit is refundable if you purchase a 12 month Joomla Maintenance and Backup Subscription within 30 days of the audit.
Unhack My Joomla Website
Unhack your Joomla website from $220.
Unhacking your Joomla website includes:
- checking the Joomla Vulnerable Extensions List for any known issues with currently installed extensions and updating, disabling, removing or replacing as appropriate
- updating Joomla and all third party extensions to the latest versions
- malware scanning and remediation
- checking for malicious accounts and disabling or removing as appropriate
- resetting passwords as appropriate
- recommendations on improving security to prevent a recurrence