Signs your website has been hacked
Apart form an obvious defacement, signs your website may have been hacked include some or all of the following:
- degraded performance
- unexplained activity such as new user accounts or content you didn't create or unusual files uploaded to the website (e.g. php files in your image folder)
- warnings from your web browser when you try to visit the website
- a warning or suspension notice from your web hosting company
- critical files such as .htaccess or index.php have been updated unexpectedly
- unexplained CRON jobs in the hosting control panel
Often there are no obvious symptoms of hackers who have commandeered your website for nefarious purposes.
Why did my Website get Hacked?
Websites aren't necessary targeted specifically. Hackers scan the web for vulnerable websites which can then be commandeered to send spam emails or similar.
How did my Website get Hacked?
Hackers gain access to your website through various means such as:
- a third party extension or plugin with a vulnerability
- a Joomla, WordPress or other Content Management System (CMS) vulnerability
- another website with a vulnerability in the same web hosting account
- poorly configured or maintained hosting environment
- compromised local computer which has website credentials stored on it
- weak password(s) cracked using brute force attacks
Using a minimal number of well supported third party extensions or plugins from reputable developers is good practice but remember also that you need to keep Joomla, WordPress and third party extensions and plugins up to date so that vulnerabilities are patched before they can be exploited by hackers.
Unhacking a Website
There are a few ways that you can recover a hacked website.
Restore from a clean backup if one is available. Update the CMS, if you are using one and all third party extensions and plugins to the latest versions.
This can be a good solution if you know when the website was compromised but exact timing can often be difficult to determine with any confidence.
Wipe the website and rebuild from scratch using up to date versions of the CMS and third party extensions or plugins.
This is not usually a practical solution because of the work involved but can provide a high degree of confidence that the infection is eradicated.
Clean the website using the commercial myjoomla.com security tool or sucuri.net or similar, restoring any changed core files back to the originals, removing malicious files and reinstalling third party extensions as needed. Update the CMS and all third party extensions/plugins to the latest versions.
In practice, option 3, "Cleaning" is usually the most practical and cost effective solution.
Joomla website owners should check the Vulnerable Extensions List at vel.joomla.org to ensure no vulnerable extensions are installed.
Update the CMS, hosting and database passwords.
Securing a Website
Some recommendations for securing a website are listed below. Following these suggestions greatly minimises the risk of your website being hacked.
- Use strong passwords.
- Minimise the number of administrator accounts.
- Disable or remove unused user accounts.
- Minimise the number of third party extensions or plugins and where third party extensions are necessary, use well supported extensions from established developers you trust.
- Regularly apply the latest updates to Joomla, WordPress or other CMS and third party extensions/plugins including security hotfixes for Joomla EOL versions where applicable.
- Subscribe to appropriate mailing lists to stay informed about CMS security updates.
- Subscribe to appropriate mailing lists and social media accounts to stay informed about extensions/plugin vulnerabilities.
- Use good quality secure web hosting including an appropriate PHP file handler such as suPHP or FastCGI and security extensions such as mod_security. A good quality web host will provide the most recent version(s) of PHP and you should keep upgrading to supported versions of PHP.
- Rather than relying solely on your web hosting provide backups, regularly perform your own backups of the website, copy the backup files off-site and regularly run test restores to check the quality of your backups.
- Implement a web application firewall e.g. the professional version of Akeeba Admin Tools for Joomla website owners.
- Change the default administrator user name to something else where applicable.
- Enable 2 factor authentication for administrator accounts where applicable.
- Repeat the above steps for other websites that share the same hosting account or ideally, separate websites to their own web hosting accounts to prevent cross contamination.
- Ensure the personal computers of website administrators are similarly secured. For example, implement a good quality virus and malware scanner. This helps protect any website credentials that are stored on personal computers. Ideally use an encryption tool or an application to store website and other credentials such as LastPass or similar.
Website Security Audit
If you are unsure whether your website has been hacked or what needs to be done to secure your website, order a Security Audit for $220.
The Security Audit includes:
- a report on the Joomla configuration
- a report on third party extensions
- a report on the suitability of your web hosting
- a report on all the vulnerabilities discovered on your Joomla website
- recommendations on how best to address any discovered issues
Note that no changes are made to your website during the Joomla Security Audit without consulting you first.
The cost of a Website Security Audit is refundable if you purchase a 12 month Website Maintenance and Backup Subscription within 30 days of the audit.
Unhack My Website
Unhack your website from $220.
Unhacking your website includes:
- checking for any known vulnerability or other issues with currently installed extensions and updating, disabling, removing or replacing as appropriate
- updating the CMS and all third party extensions/plugins to the latest versions
- malware scanning and remediation
- checking for malicious accounts and disabling or removing as appropriate
- resetting passwords as appropriate
- recommendations on improving security to prevent a recurrence