How to Fix Your Hacked Joomla Site

Posted on December 24th, 2019

Joomla is an open-source Content Management System (CMS) used to create websites and online applications. It separates into front-end templates, back-end templates, and they are free and extendable. Joomla has powerful built-in features like user manager, content manager, banner manager, template manager, media manager, contact manager, weblink manager, menu manager, etc. It is flexible and customizable.

When your Joomla site is hacked or broken, you need to fix it as soon as possible because your hard work and online reputation are on stake. It is critical to identify and address the issue immediately because a broken or hacked Joomla site might have its content altered or even deleted altogether.

How Joomla Sites Get Hacked

Joomla is usually resistant to hacking efforts, but its add-ons and plugins make it open for attack. Usually, the themes and extensions are vulnerable to Cross-Site Scripting (XSS) attack. The XSS is a code injection attack that allows the hacker to inject malicious JavaScript into your user’s browser. These attackers choose the Joomla site as a medium to deliver the malicious JavaScript to the site users.

Another popular hacking method in the Joomla site is to use Structured Query Language (SQL) injection. In this attack, the hackers inject an SQL command into the site database to retrieve pieces of information. But retrieving pieces of information like customer login details, the hackers can access more areas of the site.

Signs of a Hacked Joomla Website

Here are some signs that you can check to determine if your Joomla is hacked or not.

1. In the meta description of a Google search, it may show “This site may be hacked” error.
2. You can notice cryptocurrency mining in the background.
3. The website may redirect to some other spam site.
4. The hackers deface or replace the Index page.
5. Automatic log out from the admin account.
6. Notice new admins.
7. Loading of the site becomes slow or bulky.
8. Google backlist the website for malware or phishing.
9. Broken Firewall or CMS.
10. Unnatural traffic on your site.

 

Fixing the Hack

Before doing anything, you need to make sure that the hack is limited to your site and not to the other websites on your server. Please note that a repaired site on an infected server remains vulnerable to future attacks. If you are not comfortable to work on the restoration yourself, then you can contact our support team, and they can help perform the restoration process for you.

Also, create a backup of your website, just in case you delete something important while cleaning up the site.

1) Database Cleanup

Joomla SQL injection can create new database users. You can check if any new users have been created by using the below code:

Select * from users as u

AND u.created > UNIX_TIMESTAMP(STR_TO_DATE(‘My_Date’, ‘%M %d %Y ’));

If you found any rogue users, then you need to delete them using the SQL statement “Drop User;”. It can avoid future infections along with that it can sanitize the user input, restrict the database permissions for that user account, etc.

2) Securing the Server

Faulty servers can cause a Joomla hack, even after a secure installation. So, it is essential to remember the below key points to secure your server.

1. Close open ports, if any.
2. Remove all the unused subdomains.
3. Keep a regular check on configuration issues.
4. Always use a VPN or subnetting while sharing a server.
5. The error message leaking info needs to be blocked.
6. Always secure your FTP accounts and database using a strong and random password.
7. Make sure you use some security solutions or firewall.

3) Setting Permissions

It is crucial to set permission to all your files and folders in such a way that the visitors can use the site smoothly. You need to keep the below points in mind while setting the file or directory permissions.

1) Ensure that users can upload only image files and not any executables like .php, .aspx, etc.

2) The most sensitive file in a database is the ‘.htaccess file’, so make sure that no users can make any changes in them.

chmod 444 .htaccess

or

chmod 440 .htaccess

3) Ensure that no one can overwrite your PHP files.

chmod 444 *.php

4) There are many alternative extensions available for Joomla files. Always use the popular file extension because it gets updates fast in case of vulnerability.

 

4) Check Modified Files in Joomla

The hackers inject spam into your site during the attack. It may be recommended to do a fresh installation, so always ensure that you keep a backup. All the Joomla files are available on Github publicly. So, you can use these files to make a comparison with your existing files. To check the core file integrity with SSH commands, you can follow the below steps:

1)  Create a directory named ‘joomla’ and switch over that.

$ mkdir joomla
$ cd joomla

2) Download the Joomla files from Github using wget command.

 $ wget https://github.com/joomla/joomla-cms/release/download/3.6.4/Joomla_3.6.4-Stable-Full_Package.tar.gz

3) Extract the downloaded file.

 $ tar -zxvf Joomla_3.6.4-Stable-Full_Package.tar.gz

4) Compare the contents in the public_html file with the extracted content. Similarly, you can compare multiple files using the “diff” command. To compare the files manually, you can log in to the FTP client and check the files.

 $ diff -r joomla-3.6.4 ./public_html

5) Check for the recently modified files using the below command.

 $ find ./ -type f -mtime -15

Here it displays the files modified in the last 15days. Similarly, you can change the time stamp to check further.

5) Check Logs

The system logs can give a clear picture of the attack or hack as it records all the activities happening on the site. A record will be available if any XSS or SQL injection takes place. The hackers also create new admin accounts, so if you want to check any suspicious users, then you can follow the following steps.

1. Log in to the Joomla dashboard and click on “Users”. Then select “Manage”.
2. Now check for suspicious users under the user manage option, especially check for recently registered users.
3. Remove unknown users.
4. Check the Last Visit Date.
5. Note the server log location and check the logs to identify the XSS, SQL injection, etc.
6. Remove the users using unknown IPs for logging. You can use the Google diagnostic report to find this cause. If your site is blacklisted, then you can work with Google to remove the same.

After using these methods to solve the hack, follow the below-given steps to make sure it never happens again.

Post Joomla Hack Removal

1. The first step to follow post hack removal is a Joomla update as most of the hacks take place in unpatched files.
2. We recommend you to reinstall all the extensions post-hack to ensure they are functional and malware-free.
3. Remove all the deactivated/defunct themes, components, modules, or plugins from your web server along with all the files related to them.
4. Scan your system with a known antivirus.
5. Protect your site using some security software or website firewall.
6. Reset all passwords.
7. Set up two-factor authentication on user accounts.
8. Always maintain documentation of the attack for reference. Include all the information’s gathered from the logs and the recovering process in this document to help prevent future attacks.

 

Joomla Post Hack Security Tips

1) Regular Update

A new version release enhances security and performs bug fixes, so it is recommended to update your Joomla version, extension, and plugins regularly.

2) Password

Hackers use Brute Force to get user’s credentials and thus compromising the security of the site. They can access your website quickly if you have a weak and easily guessed password. So, it is always recommended to keep a strong and secure password for your website.

3) Periodic Backup

If there is any hack or data loss, then you need to recover the data. So, it is essential to have a periodic backup. Some extensions like ‘Easy Joomla Backup’ helps you schedule backups automatically, and this is valuable while restoring a data or site.

4) Restrict Admin Access

Always replace the default admin login page URL with a specific name. We recommend you to use a strong password for your admin section. Joomla site owners can use some extensions to change their login page URL like Admin tools, RSFirewall, etc.

5) Security Extensions

The Joomla site owners can add some security extensions for their site as it helps to block any malicious activity, hacker attacks, etc.

6) Two-Factor Authentication

You can use the two-factor authentication to improve the security of your website. Even if your password is hacked, the hackers will not be able to access your account.

7) Secure download

Do not download any extensions or plugins from unauthenticated or unofficial sources as it may be corrupted or contain malware.

8) SSL Certification

When user login to your site, the credentials are sent to a server sans encryption. So, when you use an SSL certificate, these credentials will be encrypted before sending it to the server as an additional layer of protection.

9) Disable FTP Layer

FTP layer is disabled by default for Joomla, and it is necessary to keep this that way. If you enable the FTP layer, then it is a significant security hole.

10) File and Directory Permissions

Never give full access permission to any files and directories. Instead, use 755 for the directory, 644 for files, and 444 for configuration.php files.

 

So this is how you fix a hacked Joomla site. If you need any further help, please do reach our support department.