How to perfectly fix a hacked Joomla website?

How to perfectly fix a hacked Joomla website?

Is your Joomla website really hacked? Check first!

Obviously, this article is thoroughly dedicated to those seeking help to fix their hacked Joomla website, but do you know, in most of the cases, your site is actually not hacked, and there are just a few malfunctions.

Certainly, there are several ways a Joomla site can be hacked, and to deal with that; there is a bunch of solutions as well. But the very first appeal is – Check your website to fully ensure that it’s actually hacked before falling into tension.

How will you check it? Well, just keep reading!

How to check if Joomla website is infected or was hacked?

Red indicators for hacking attempts

If you happen to find that one of the following situations is really the one you’re in, then your site was probably hacked. You’re not the only one, and it is not the end of the world as well. There’s always a way to stop and prevent something before it actually happens.

Indicator How to check it
Your email messages are not getting delivered to all recipients because of the fact that your server IP address is blacklisted. Ping your website with the CMD or Terminal to get your IP address. Then look online for the IP addresses blacklist tool to see if yours is there.
The host suspended website. Ensure you can navigate and visit your website pages regularly.
The Search Engine Results for your website show strange descriptions and keywords. Look up the website name on Google or any other Search Engines to see if results are the ones you would expect to see.
Browser is redirecting the users to any other sites, and links aren’t working, or some contents are unique from the ones you made. Ensure to visit all pages of your website and try to follow links, especially to PDF files. Pay attention to strange behaviors.


Yellow indicators for hacking attempts

The following indicators show many situations where your site was violated or not hacked. However, you basically had some silly visitors who wanted to cause you a little bit of trouble. Don’t panic if you happen to find some of the situations below; your site is probably just intact and safe.

Indicator How to check it
SPAM messages for the contact request or newsletter sign up If you are receiving a ton of fake contact requests from strange clients or with strange contents, don’t panic because the website was not hacked. There is that kind of people who have fun in making bots that send fake contact requests. The only solution is to allow a captcha verification system inside the contact form and to stop sending any confirmation email to the sender. This is just because they primarily want to put server IP address inside the blacklists by sending SPAM messages to real recipients through the website.

New user and Many Malicious accounts in the Joomla Users List.

Open the page of Users Management in Joomla to see the list of all users you have. If you see a ton of malicious users listed inside there, then it means that someone wants to occupy some thousands of records in the database. Nothing to be worried about because Joomla permits (by default) the registration of any new user. You could either turn it off from the Users Settings or if you have this function, you could make the registration much more secure by allowing the captcha verification system. Please keep in mind that bots or hackers would always utilize the Joomla native registration form to add unwanted users to your site. So you could avoid third party components because there are a lot of, and “attacks” are predictable; they’re always the same!
Contact requests containing code. If you see few contact requests which contain pieces of code where you asked for the “name,” or the “email address,” the “subject,” then it means that someone is to hack the website using SQL injection. In this case, it’s not a bot or a computer, however a real person. But, this does not mean your site was already hacked! For those who might not understand a ton of code, just pay attention to these type of words like “drop,” “delete,” “select,” “truncate,” “insert,” “alter”… It’ is like looking for a scratch in latch on the door to see if any thieve tried to force it.


Why did your Joomla website get Hacked?

WordPress, Drupal, and Joomla are three of the world’s most popular open-source CMS (content management systems). Though each one of them has unique and special characteristics, Joomla has a ton of distinct attributes, which the other two CMS lack.

Joomla was the result of Mambo –an open source Content Management System project; Joomla is utilized to build dynamic websites and powerful web applications. Worldwide a few of the well-known companies and organizations, including Harvard University, Danone, Porsche, Barnes, and Noble, utilize Joomla to power their websites.

Though Joomla is stuffed with functions, provides scalability and flexibility, it has its share of privacy & security concerns that require to be addressed so as to make full utilization of this wonderful open-source CMS.

In the native form, the risk of the Joomla site getting hacked is high. Basically, you would come across a Joomla site filled with hidden malicious code or content that could be determinant to your data; thus, taking eligible timely measures to ward off this kind of vulnerability is paramount.

Below are some of the tough reasons why your Joomla site gets hacked time and again.

Keeping the script kiddies and hackers at a distance isn’t rocket science; however, at the same time, it shouldn’t be taken lightly either. Below are some of the basic yet least understood reasons why hackers many times become successful in hacking your Joomla website. Have a look at these points and take precautions to make your Joomla site secure and safe.

1.) Keep your Joomla version updated

Keep your Joomla version updated

This is pretty obvious, yet some of them do not follow this effective and simple way to keep Joomla site hacker proof. Joomla Content Management System regularly releases its new updated version by removing the existing malfunctions and bugs and adding improved security functionalities.

Keeping your site up-to-date with the latest version of the Joomla could fix many of the problems regarding vulnerability and keep your site safe.

Though it’s quite a task to keep on updating to the newest version when you’ve plenty of extensions like plugins, templates, components, modules, and languages to upload however all the hassle is worth it to make sure the security of your site.

2.) Change the default database prefix (jos_)

Change the default database prefix

Hackers are a unique breed. They do all they could to hack any website, and one of the most basic ways is to write a code that would try to retrieve data from the database, specifically the jos_users table.

This helps them to receive all the passwords and usernames from the administrator of the site. To safeguard the website from such type of attack, we highly suggest to change the default prefix to some random prefix.

3.) Change your .htaccess file

Change your .htaccess file

This is one more weak point through which a hacker could gain control over the website. Joomla CMS, by default, has written permissions to the .htaccess file since the Joomla has to continuously update it when you’re utilizing SEF (Search Engine Friendly) URL.

Due to this, your site becomes pretty vulnerable to attacks, so it’s advisable for you to set your .htaccess permission to somewhat 440(r-r–) or maybe 444(r-r-r-) or something identical.

4.) Remove version name and number of extensions

Remove version name and number of extensions

You’re a developer, and you should know the ABC of the Joomla security yet how many times you’ve slapped your hand to the head in dismay to understand that you just forgot to trash the version name and number of the extension providing easy entry to hackers. It is better late than never. If you’ve not done this, then do it right away.

5.) Get away with old extensions and trash leftover files

Get away with old extensions and trash leftover files

Even though it’s pretty simple to take notice of yet a lot of developers provide it a miss and ultimately pay with foolishness. Keep your extensions up-to-date, delete the unsupported and old extensions and discover a suitable alternative it.

Many times it does happen that you’ve installed an extension; however, due to many reasons, you do not like it, or it doesn’t serve your purpose, then what do you do? Let it be there forever, or keep it unpublished?

This is close to compromising your site. You have to utilize a harmless and simple uninstall feature, get rid of those unwanted and useless extensions, and have a sigh of relief.

6.) Don’t give write permission on your any .php files

Don’t give write permission on your any .php files

This is one more reason why hackers exploit your site. Providing write permission on the Joomla *.php files could be a very reason why Mr.Hacker visits your site and hack it effortlessly. You must always make an effort and set the permission of all *.php to 444.

7.) Don’t give all possible permission to the database users

Don’t give all possible permission to the database users

After setting up the Joomla website, it’s essential that a database user must not be given all the permissions like UPDATE rows, INSERT rows, DELETE rows or CREATE tables, etc. Joomla database users must be given only the required permission to prevent hacking through vulnerable exploits to the minimum.

8.) Don’t give execute permission on public directories

Don’t give execute permission on public directories

We become engrossed with our creation, which we totally forget something very important and basic to keep those hackers at bay. One of these is providing execute permission on the Public directories.

These directories let all users upload their files, and if the directories permit scripts to run and if that basic script turns out to be quite malicious, then it becomes pretty easy for hackers to get the site infected. Just provide permission of 766 on all of those public directories and deduct the chances of hacking your site.

9.) Hacking through vulnerable web-server

Hacking through vulnerable web-server

Users and developers are so much inside website development that they might sometimes overlook the actual reason for their site hacking. They go by the rule book of the Joomla site hacking, which doesn’t mention that sometimes going for unreliable and cheap web-hosting could be the reason.

Just to save some dollars, users sometimes invest in cheap web-hosting service providers, and by doing that, they compromise on their website security. This is quite easy to solve. All you require to do is change web-hosting services provider and then cheer up.

10.) Thinking you’re invincible

Thinking you’re invincible

Even though you’ve taken all the measures of precaution to secure your site, it’s essential to keep in mind that hackers around the globe are coming out with new methods to hack sites.

Whether you’re a huge multi-billion dollar conglomerate or a tiny business, you’re never safe until and unless you make these measures as a routine exercise. Besides that, Hackers are lurking everywhere just to find a vulnerability to the sites to hack it.

Your financial details, crucial data, and private information will be in peril if we do not provide heed to the wisdom of the Joomla site security. As the age-old proverb goes, “Prevention is better than cure” still holds true tomorrow, today, and forever.

We’re an IT Services, web development, and software company, and our website maintenance services offer you various Joomla site maintenance service plans. Loaded with lots of features and backed by expert team members, this service would permit your business to flourish and scale.

Fixing a hacked Joomla website

Remove malicious and corrupted files from Joomla! installation

Once you have installed RSFirewall, you must perform a System Check; you could figure out how to do this just by visiting the RSFirewall Documentation.

Once the check completes, it’s time to go deep inside the system files to clean them up.

In the Scan Result place, you have four items of interest.

  1. Scanning the integrity of Joomla! (CMS) files
  2. Scanning your files
  3. Scanning your folders
  4. Scanning your files for basic malware

You could expand each of these if you detect any problems; now, most RSFirewall would tell you that a few files/folders have insecure permissions, you could let the function fix these problems automatically just by clicking that green “Attempt to fix permissions (755) on selected folders” button.

The more exciting results are in the common malware; these files may be backdoors or compromised core files; what you must do to solve this, open an FTP program(such as FileZilla) and then navigate to them, download them and then open them inside a text editor,

If these files have long, weird-looking variables and string names with illogical names, it’s probably a backdoor, and you must delete the file from the server.

But, sometimes, these backdoors are injected inside core files of the main system that are utilized by the Joomla CMS or extensions, therefore basically deleting them might cause the whole site to stop working.

So what you have to do is to delete the malicious code from the files by, in most matters, just opening a file inside a text editor and removing the backdoor or malicious code, it’s often a gibberish text and long string at the top of the file, just remove it and save the file then uploading it back to the server.

Put your website behind Cloudflare

CloudFlare is a great service that secures your website by acting as a proxy between your visitors and your website, CloudFlare actively monitors the connection and would block a ton of common hacking attempts, Denial of Service attacks (Ddos), and speed up your website a little.

To allow CloudFlare on your site, you would require to have access to Hosting Provider and Domain Registrar administrator accounts; if you’re the creator and owner of the website, you most likely already have these; however, if you have hired the third party or a web developer create and also maintain the website for you, then please send them this specific article and let them do it.

CloudFlare has extensive Documentation on their official website on “how to get started with their service” start with the article.

Backup your website with Akeeba Backup

Akeeba Backup is a site backup tool that you install as the extension in the Joomla site; Akeeba Backup could then make a full backup of your entire site that you could restore and download the website if needed.

In the event that website attracts any hacker again in the future, it’s smart to set up your Akeeba Backup to make a full backup of your entire website each day or week, depends on how often you are changing the content of your website.

Akeeba has some incredible video tutorials on how to set up, install and utilize their backup tool; you could find these videos here.

Change your passwords

Some complex passwords of websites can’t be decoded by any hacker as they’re stored with a one-way encoding by the Joomla.

But, the database password is specially written by the Joomla in plain text for obvious coding reasons in the configuration.php file, so even though most of the times hackers don’t care about the passwords, you must change the password for the described services and anywhere else you utilized these passwords: Joomla Administrators, FTP, CPanel, Mail Accounts, Database Users.

Update Joomla! and your extensions

Keeping your Joomla version up to date is essential; this gets you the newest security and bug fixes.

However, if you’re still running on an older version of Joomla!, upgrading may not be a viable option because new versions of extensions may be incompatible with your extensions or theme.

This is why step 3. is so essential, always make a full backup before updating your Joomla website, this way, you could easily restore it back to the previous version if something breaks.

Trust us; we learned the hard way with experience.

Is there a way to prevent Joomla websites from being hacked again?

Of course, it’s impossible to make your Joomla website a hundred percent secure. However, you could always follow the below steps to help secure your website.

  • Ensure that you have installed the newest versions of Joomla core and other Joomla extensions
  • Utilize the reliable and strong username and password for Administrator
  • Ignore installing any unnecessary extensions
  • Utilize a security key to log in to the main Admin account
  • Restrict directory permissions and Regulate file paths
  • Make sure to regularly back up your website using a reliable Joomla extension.
  • Strengthen PHP configuration
  • Enable a web application firewall
  • Systematically monitor your Joomla website.
  • Do not set directory or file permissions to 777 as this permits everybody to write any kind of data, and hackers might very well exploit it. All directories and files must have appropriate CHMOD configuration as well.
  • Allow Search Engine Friendly (SEF) URLs as this will mask the information available to any visitor or a hacker.
  • Uninstall nulled plugins and templates that are not in use anymore and have not been updated in a while.

You could always opt for a cloud-based security service like, SiteGuarding, Cloud Flare. These platforms will block the deleterious requests from reaching the webserver.

Additionally, you could employ various Joomla security extensions to increase website security. We’ve compiled some of the useful extensions available.

Safety extensions

Akeeba Backup It allows you to back up with only one click, excludes individual directories/files, and restores. The ideal part of this extension is the convenient management and creation of backups for the Joomla site.
Brute Force Stop It helps prevent your website against hacking by the brute-force approach. It logs failed login attempts, which you could review and take prompt action. You’ve got the choice to set up a reminder alert while a failed login and blocked IP-addresses.
R Antispam It’s perfect to prevent spamming in blogs and forums. It’s based on the Bayesian algorithm and works more efficiently with Akismet.
AntiCopy It restricts copying page contents, web page printing, right-clicks option, and copy using JavaScript. It helps you to secure Joomla website content from everyone trying to copy or misuse it.
Incapsula Utilizing Incapsula for Joomla, you could manage the security of the website and CDN (Content Delivery Network) from the Joomla admin. Incapsula provides performance with protection. Some of its features include detecting vulnerabilities, instant virtual security patching, advanced analytics, exclusive bot detection tech to deduct spam.
Antivirus Website Protection This is a site security software by SiteGuarding that detects/prevents and excludes viruses, malicious threats, and suspicious codes. It could help you detect worms, adware, Trojans, spyware, etc.
kSecure This permits you to utilize an additional security key to log into Admin. It acts as the login protection extension by needing a security key each time you have to access the login page. It‘s basically in the form of a secret word after administrator.

It’s crucial that each website owner must be aware of the risks and threats and take steps towards security. Particularly in Joomla, enhancing site security is essential since it’s based on an open-source CMS and thus is more vulnerable.

What to do when the website gets cleaned and starts working again?

The last and the last things you must do to finish your operation is to request that your IP get removed from the blacklists if it was listed in any (the request method changes from one to another, but you could just wait for a little to be removed) and that the Search Engines Results are showing the correct meta-data for the website of yours.

You can accomplish all of the above things by waiting for some time. For the Search Engines Results, there isn’t much you could do to speed up the operation unless visiting Webmaster Tools for Google.

Instead, to temporarily solve the Email Blacklist problem with the IP address, you must simply set up an SMTP (Simple Mail Transfer Protocol) account for the email sending features in Joomla, using the Global Configuration page.

You could utilize an SMTP service like Hotmail or Gmail if you don’t require to send much of messages. Then, once you know you’re no longer blacklisted, you could keep utilizing your IP address to send email through the PHP Mailer.

(Visited 391 times, 1 visits today)

Leave a Reply

AlphaOmega Captcha Classica  –  Enter Security Code

This site uses Akismet to reduce spam. Learn how your comment data is processed.