Table of Contents [TOC]
Is Your Joomla website hacked or infected with a malware. You can’t log in, your users get redirected to another site, there are malicious codes injected in the templates, website is defaced and the list goes on. Even the best CMS can fall victim to sneaky computer viruses, security breaches and malicious codes injected by hackers that can lead to negative consequences for your websites.
Have you ever wondered how to fix hacked Joomla website? If your site has been hacked, you need to take immediate action. Your visitors will not trust your website again until it is clean from viruses and malware. The best way to keep your Joomla site safe from hackers is by using a Content Management System (CMS) such as WordPress that has built-in security features, which protects your website with just one click. However, no system is foolproof and even WordPress is prone to hacking [Check out: How to hack wordpress site], you might find yourself needing to know ways to fix hacked Joomla site.
If your Joomla site has been hacked either because of lack of updates or due to being targeted by a cyber-attacker. In this blog post, we will be talking about some common ways that Joomla websites can get hacked , easy steps to fix hacked Joomla website and Joomla security measures to avoid falling victim to hackers in the future. Let’s dive in
Joomla is an open-source content management system (CMS) based on an MVC framework. It is currently the 2nd most used CMS on the Internet after WordPress, with a market share of 2.8%. Although that may not seem like a lot, there are millions of businesses and blogs that have chosen to power their websites with Joomla.
As with any heavily used platform, security issues crop up regularly. The risks of being attacked are greater and vulnerabilities are constantly being discovered and exploited.
Follow our comprehensive guide to harden the security of your Joomla installation and help you prevent the risk of being hacked or falling victim to the next brute force attack.
According to CVE Details, a site listing security vulnerabilities, there have been 321 Joomla vulnerabilities reported so far since 2005.
As compared to Drupal and WordPress security vunerabilities, Joomla’s vulnerability rate is lower if we compare the market share of these CMS to their incident rate (at least in the last seven last years).
Thus, if we refer to these data, it appears that Joomla is the most secure CMS.
What types of security vulnerabilities affect Joomla? According to CVE Details, 39% of Joomla vulnerabilities are related to remote code execution.
You can stay tuned for security incidents and vulnerabilities by subscribing to the official Joomla Security Announcements RSS Feed.
You can also consult the full list of Joomla security vulnerabilities at CVE details.
Stay ahead of Joomla hacking,
Protect your Joomla website today!
Dont forget to check out our INDEPTH How To guides on
Hacked Woocommerce Site | Hacked Drupal Site | Hacked WordPress Site | Hacked Prestashop Site | Hacked Shopify Website | Hacked Magento Store
If your Joomla website has been hacked, you need to act as soon as possible, because Google and other search engines will start removing your pages from their index.
If you frequently scan your Joomla website for malware, there’s a good chance you’ll catch a hacking attempt before it takes over your entire site.
But if you don’t, the symptoms that your site was hacked will show up in the form of altered web pages, with messages, links, images or ads you didn’t put there, or redirects to sites you don’t own.
You should also suspect that your site has been hacked if you notice subtle changes in behavior, such as an unexpected log out from the admin account, new admin names appearing, an unexpectedly large amount of traffic, or slow loading of your site. pages.
You must keep an eye on the given signs:
At first, you may think that these aforementioned symptoms are superficial and that the strange messages or images are not really worrying. Do not trust.
Any symptom of hacking is detrimental in many ways. For starters, it can affect the SERP (search engine results pages) ranking of your pages. Search engines, particularly Google, check the sites they crawl to see if they are safe for regular users.
If they detect that your site has been hacked, they will display a warning along with the metadata, and will also lower your SERP ranking in favor of other pages with similar content that have not been hacked.
Symptoms that your site has been hacked will appear in the form of altered spam web pages with japanese text, with messages, links, images, or advertisements that you did not place there, or redirects to sites that do not belong to you.
Scan your Joomla site with WP Hacked Help to identify malware locations and malicious code in your Joomla installation directories.
Thereafter, check for any modified files including JOOMLA core files. You can do so by manually checking your files via SFTP. WP Hacked Help has a team to audit for malicious user accounts and administrators.
In case your Joomla site shows as blacklisted by Google or other website security authorities, you can check the security status of your Joomla by following tips:
Use Google diagnostic tools to check the security status of your Joomla! site.
To check your Google Transparency Report:
On this page you can check:
If you have added your site to free webmaster tools like Google Webmaster Central or Bing Webmaster Tools, you can check their security ratings and reports on the website.
You have two options: hire a service that does the cleaning for a price or clean yourself. If you’re a DIY fanatic, make a pot of coffee and get ready to do some serious cleaning work by following the steps below.
First of all, we remind you that a Joomla site must be backed up regularly.
This avoids the loss of data and allows you to restore your site quickly in the event of an attack. If you have a recent backup of your site, then the easiest way will be to restore it.
This operation must still be followed by an audit of your site. Indeed, restoring does not mean filling the gaps!
This backup will contain traces of malware, but you should still save it to your local computer in a quarantine folder if you need to find any files or content that aren’t anywhere else.
You can do this from the Joomla backend, via FTP, or simply by modifying the .htaccess file on your server to allow access only from your own IP address.
Use an online malware scanner tool to do this job and use your local antivirus to detect infected files in the backup made in step 1. If the antivirus detects infected files, those files should be removed from the backup and from the hosting.
Using FTP and your own trained eye, scan the directory structure for fake files and delete them. Look particularly in folders like /tmp, /cache or /images for malicious files disguised as legitimate ones; a couple of common examples: test.html, tests.php, contacts.php, cron.css, css.php.
If it finds any file that does not belong in the folder, it is activated, it deletes it without thinking twice.
If you are unsure whether the full site scan you performed in step 2 removed the infected code files, then your manual scan should include scanning the PHP files for malicious code.
Note that this code could be obfuscated or masked by functions like base64_decode, gzinflate, evalor others related to regular expressions. You can use a PHP decoder or online service to analyze the obfuscated code and reveal what it actually does.
Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. (see Local Security below)
Notify your host and work with them to clean up the site, and to make sure there are no back doors to your site.
//administrator/components/com_extension/admin.extension.php?mosConfig.absolute.path=http: or ../../../../../../../../../../../../../../../../proc/self/environ
At the root of your Joomla site is a configuration.php file.
This file contains all the parameters necessary for the proper functioning of your site. In the case of a Joomla, hack find and modify the error reporting level.
To do this replace:
public $error_reporting = 'default';
in
public $error_reporting = 'maximum';
This will locate the file and line that caused the error on your site. Note: this technique requires a mastery of the PHP language. Do not modify your site files without knowledge.
Check Joomla user accounts, especially administrators and super administrators.
To check malicious users in Joomla:
Moreover, use Google diagnostic report to find the cause. It gives you a comprehensive view of your site. If your site is blacklisted by google work closer with Google. The diagnostic report will give you the cause for blacklisting. Use it to find and weed out the infection!
New or recently modified files may be the result of hacking. The core files of Joomla! should also be checked for any malware injections.
The fastest way to confirm the integrity of Joomla! is to use the diff command in the terminal. If you are not comfortable with the command line, you can manually verify your files via SFTP.
You can find all versions of Joomla! on GitHub. Using an SSH terminal, you can download Joomla! local. The following commands use version 3.6.4 as an example “clean” file and public_html as an example location of your Joomla!
To verify the integrity of the Joomla! core, you can use the following SSH commands:
To manually check recently modified files:
Finally, the diff command here is comparing the contents. This time we are looking at the public_html file. Similarly, you can check multiple files. Moreover, the files can be manually checked. Just log in using any FTP client and check files. SSH enables you to list file modifications.
$ find ./ -type f -mtime -15
Here this SSH command reveals the files modified in the last 15 days. Similarly, you can change the time stamp. Look out for any recently modified files!
you need to clean that infected database. Joomla SQL injection can create new database users and you need to check those newly created after a specific date, use the following code:
A mistake that is frequently made by Joomla administrators is the massive installation of extensions. Supposed to expand the functionality of the site, they can turn out to be real security vulnerabilities.
Often installed to be simply tested, it is sincerely recommended to uninstall the extensions which are not or are little used on your site to protect yourself from any Joomla piracy.
We also recommend that you consult the Joomla security experts as there is a lot of useful information. It is also important to note that since Joomla 1.7 they have started using random database prefixes for added security. It is recommended to enable this feature, but there is no need to do so in Joomla.
A Joomla website comes with a .htaccess file (Apache server).
.htaccess files are Apache HTTP server configuration files. Their particularity is their location: in the data directories of the website, instead of the Apache configuration directory. The scope of their configuration is limited to the contents of the directory where they reside…
You can use .htaccess to block users, password-protect certain files and folders, to redirect users to other pages on your website.
An Apache web server uses an htaccess file in the main directory for site-specific configurations. Joomla! offers a preconfigured htaccess file ( htaccess.txt ). It contains instructions for avoiding the most common exploits and implementing SEF URLs. Additionally, it provides some settings that should be checked depending on your environment:
IndexIgnore * Options +FollowSymLinks Options -Indexes RewriteBase / Enabling htaccess.txt means merging an existing .htaccess file with the htaccess.txt and deciding on the above-mentioned settings. Source: https://docs.joomla.org/Preconfigured_htaccess/ Contents of htaccess.txt file for Joomla security ## # @package Joomla # @copyright Copyright (C) 2005 - 2018 Open Source Matters. All rights reserved. # @license GNU General Public License version 2 or later; see LICENSE.txt ## ## # READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE! # # The line 'Options +FollowSymLinks' may cause problems with some server configurations. # It is required for the use of mod_rewrite, but it may have already been set by your # server administrator in a way that disallows changing it in this .htaccess file. # If using it causes your site to produce an error, comment it out (add # to the # beginning of the line), reload your site in your browser and test your sef urls. If # they work, then it has been set by your server administrator and you do not need to # set it here. ## ## No directory listings <IfModule autoindex> IndexIgnore * </IfModule> ## Can be commented out if causes errors, see notes above. Options +FollowSymlinks Options -Indexes ## Mod_rewrite in use. RewriteEngine On ## Begin - Rewrite rules to block out some common exploits. # If you experience problems on your site then comment out the operations listed # below by adding a # to the beginning of the line. # This attempts to block the most common type of exploit `attempts` on Joomla! # # Block any script trying to base64_encode data within the URL. RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR] # Block any script that includes a <script> tag in URL. RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR] # Block any script trying to set a PHP GLOBALS variable via URL. RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] # Block any script trying to modify a _REQUEST variable via URL. RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) # Return 403 Forbidden header and show the content of the root home page RewriteRule .* index.php [F] # ## End - Rewrite rules to block out some common exploits. ## Begin - Custom redirects # # If you need to redirect some pages, or set a canonical non-www to # www redirect (or vice versa), place that code here. Ensure those # redirects use the correct RewriteRule syntax and the [R=301,L] flags. # ## End - Custom redirects ## # Uncomment the following line if your webserver's URL # is not directly related to physical file paths. # Update Your Joomla! Directory (just / for root). ## # RewriteBase / ## Begin - Joomla! core SEF Section. # RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] # # If the requested path and file is not /index.php and the request # has not already been internally rewritten to the index.php script RewriteCond %{REQUEST_URI} !^/index\.php # and the requested path and file doesn't directly match a physical file RewriteCond %{REQUEST_FILENAME} !-f # and the requested path and file doesn't directly match a physical folder RewriteCond %{REQUEST_FILENAME} !-d # internally rewrite the request to the index.php script RewriteRule .* index.php [L] # ## End - Joomla! core SEF Section.
Source: https://docs.joomla.org/Preconfigured_htaccess/
To block any attempt by hackers to inject malicious code into the PHP files of your Joomla site, use the .htaccess file. Just add the code to disable script injection attacks:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Install a captcha
CAPTCHA (an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”) is a security measure of the type “authentication by question and answer”. This measure protects your account from spam and prevents any attempt to decrypt your password by subjecting you to a simple test to verify that it is a human and not a computer that is trying to access the account.
For e-Commerce sites, the reason you need an SSL certificate is that the data being processed is sensitive. For other sites, the main reason is to secure your Joomla login page.
If you are not using an HTTPS connection, your username and password will be sent in the clear over the Internet. Many people argue that blogs and news sites shouldn’t run over HTTPS, but how important are your login credentials?
In addition, many sites are used by several authors and they connect from different networks. Using a secure connection can only help strengthen your security in Joomla.
With the SEO benefits of HTTPS and the performance benefits of HTTP/2, there’s no reason not to use HTTPS and an SSL certificate. SiteGround and KeyCDN now offer free SSL certificates through Let’s Encrypt.
Even when the installation is secure, faulty servers can make your Joomla site vulnerable to attacks. Although there is a big list of Joomla security issues. A few key points to remember are:
Primarily, ensure that no user can upload executables like .php .aspx etc. Only image files are to be uploaded to the server.
Now move on to set the file permissions for the server. Perhaps the most sensitive file is the .htaccess file. So, to set proper file permissions.
Set your .htaccess permission to 444 (r–r–r–) or maybe 440 (r–r—–).
Also, ensure that your PHP files cannot be overwritten. Therefore you need to set *.php to 444 (r–r–r–).
Most importantly use the popular file extensions. Joomla is a pretty big CMS so alternates are always there. Popular extensions get updates faster in case of vulnerability. So try most of the time to go with popular demand!
This passage directly echoes the previous one: keeping ports open does not pose any particular security risk, and they are sometimes necessary for communication between different services or applications
If you have completed a minimal system installation that includes only a small number of third-party applications, the number of additional ports required is limited. These open ports only become a risk when the program using it has a security flaw, and a hacker takes advantage of it.
As we have seen above, the higher the number of applications, the greater the potential danger, and therefore it makes sense to protect your server against such attacks, by blocking all open ports unnecessarily.
Almost all operating systems have already installed by default a tool allowing to create of fixed rules to regulate the traffic, including the possibility of defining the desired ports, or unwanted ones.
In this last step, you will learn how to solve the problems that allowed hackers to compromise your Joomla! site. You will also need to take essential steps to improve the security of your Joomla! site.
Along with all plugins and templates. Using the Extension Manager, compare the version number of each extension with the information on the developer’s site. If there are extensions you don’t use, remove them.To check and update your Joomla!:
Also Read –
Cyber Security Incident Response Plan Template For WordPress
Website Defacement Attack – How To Fix [3-STEP Guide]
How To Install SSL Certificate On Your WordPress Site?
19 Best SaaS Security Tools for Your SaaS Application [2024]
Best Free Wordfence Alternative To Secure Website 2024
Best Free Sucuri Alternative To Secure Website in 2024
HTTP Status Codes: Full List of Error Codes + Guide [2024]
7 Best FTP Clients for WordPress Mac, Linux & Windows [2024]
The Joomla 3. x is the most stable as they are still actively supported. Users of versions 1.x and 2.x should strongly consider migrating to 3.x.
If you manually update core files, you can safely remove directories that are part of the Joomla! (administrator, components, etc), then manually rebuild those same directories and components.
To verify and update core files Joomla:
If during the first stage, if you have identified other outdated software on your server (i.e. Apache, cPanel, PHP), you should update it to ensure that you have all the security patches available.
If you are already out of coffee, you should consider making another jar. This step is less technical, but it will take more time to complete.
If your site was hacked long before you cleaned it, chances are it’s blacklisted. That means it will not show up in search results to protect users from potential malware infections and thus you will not get more visitors and lose trust. Even if you thoroughly cleaned your site, it would still be blacklisted for a few days.
To speed things up, once your site is clean and running healthy, use Google Search Console to request a review.
Google will scan your website and if it doesn’t find any malware infection, it will stop displaying a warning message next to your site’s metadata. But you will have to wait a couple of days until that happens.
You can also access the URL Removal Tool to request removal from Google’s index of any URLs added by malicious hands.
Once you’ve cleaned up your site, take steps to prevent future attacks, such as regularly scanning your site for malware infections.
To improve Jooml security, always hide its version.
To do so, follow these steps:
Step 1: Via Filezilla, access your Template file: /templates/yourTemplate/index.php
Step 2: Copy the index.php file to your disk, open this file with a text editor and search for the code, using the text editor search function:
<jdoc:include type=”head” />
Step 3 : Once this line is found, add the following code just before:
$ this-> setGenerator (“”);
Step 4: Put the index.php file back on the server.
Your site will now hide your version of Joomla. If you update your site, be sure to repeat this process for Joomla security.
First of all, change the password of your Joomla super user account and all the passwords of the accounts with administrative permissions on the website.
Now that you have repaired your Joomla site, it is imperative to change all access to your site.
Here is the list of accesses to change:
You should reset all user passwords to unique and strong passwords to avoid re-infection.
To reset the passwords of your Joomla:
You should reduce the number of the administrator and super administrator accounts in Joomla! and in all systems of your website. Practice the concept of least privilege. Give people only the access they need to do their job.
Joomla! comes with two-factor authentication for user accounts.
To enable 2FA authentication on Joomla
It is advisable to reinstall all extensions after a hack to ensure that they are functional and free from residual malware.
If you have disabled themes, components, modules or plugins, we recommend that you remove them from your web server.
Developers take countermeasures and regularly release updates so that known joomla vulnerabilities can be closed immediately.
Two of the most popular open-source applications are WordPress and Joomla. If you look at the facilities, the numbers are alarming.
It looks even more dramatic with Joomla: Sometimes more than 90% of all Joomla websites are running with an outdated Joomla version.
So keep your web apps up to date!
Plug-ins and other add-ons are usually independent programs. This means that when the web application is updated, these are not automatically updated. Hackers know this and often use targeted security vulnerabilities in plug-ins and add-ons for their attacks.
Extensions; called components, are also popular attack points in the Joomla content management system, which is also widely used.
In the past, updates had to close security holes in the explorer file manager and JCE content editor, for example. The list of affected Joomla components can be extended at will.
You should therefore update your plug-ins and extension components regularly! With WordPress and Joomla, you can easily make these updates through the dashboard.
If your Joomla website has been hacked, it’s usually too late. This can irreparably destroy important data and settings that were on the affected system.
System files are also partially overwritten by updates. This is especially annoying if you’ve made individual theme or template tweaks.
You should therefore regularly back up your web application’s data, databases, and system files.
So much has been written about password security that using complex and secure passwords should be a given. But in practice, passwords are still often used that hackers can easily crack. A strong password must contain at least 8 characters or more.
Use lowercase and uppercase letters, numbers and special characters mixed together and avoid expressions that can be found in a dictionary.
In addition to a strong password, you should also choose a username that is not easy to guess. Instead of using the standard “Administrator”, “admin”, or your real name, use more complex usernames, such as adding years or additional abbreviations, etc. This way, you make it twice as difficult for hackers to break into your system.
Extremely popular entry points for automated attacks on your website are contact forms and guestbooks. You must therefore make them particularly secure.
Captchas are a simple and convenient way to protect yourself from automated requests. When looking for plugin options, it is best to check if it already contains a captcha or not if a suitable captcha plugin is available.
In addition to the basic tips presented, there are of course other precautions you can take to prevent malware hacking and smuggling.
However, implementing these tips requires prior knowledge.
In this case, WP Hacked Help will be happy to help you secure your website after performing the previous tips without any favorable results.
There are websites that are repeatedly attacked by hackers and unfortunately, these attempts weaken the positioning of the site in question and cause an unfortunate loss of customers.
Check our other related posts on security tips for WordPress – WordPress Security Tips & Tricks 2024 – WordPress Website Security Audit – WordPress Security Guide 2024
Do you have security problems with your Joomla website and you don’t know how to solve them? Here is the best security agency that will put all its knowledge at your disposal and meet your needs.
As you can see, there is a lot you can do to protect your website. But even the best precautions cannot guarantee you 100% security against hacking.
You should check your Joomla website regularly. Scan your website with WP Hacked Help for regular checks.
If the scanner detects any malware then you have to act quickly, otherwise, you risk having your website blocked by the host response and you will have to go through the creation of a new website, launch an SEO campaign for positioning on search engines and start your online business as if you have just started your project. It’s pure waste, isn’t it?
WP Hacked Help, can save you at the last minute and help you resume your website even more robust and infallible. We have a team of experienced developers who do a commendable job from the fix to clean up of the website so that in the end it will be put online with respect for all standards.