How to Fix a Hacked Joomla Site

A couple of indicators point out that something is wrong with your Joomla platform – maybe the site shows a white screen or a dark background with strange text on it, redirects visitors to another site, or displays spammy links and unwanted ads. It’s a simple conclusion and a not-so-simple clean-up process – your Joomla platform has been hacked. If you see none of these signs, there may instead be an email from your host’s support software claiming that your site has been hacked and infected with malicious software, possibly suspending your account as well.
Here are a couple of things you can implement to get your Joomla site back on track:
- Start with the back-up
If you’re the unfortunate victim of multiple hacking attempts, you probably already have a back-up version of your Joomla site ready. It is the only way to ensure your content is stored safely in an offline location where it cannot be compromised further. Be sure to keep a copy of your website database as well and secure it on your computer hard drive.
- Identify the problem
We start with a simple scan to find out which vulnerability was exploited and caused the entire situation. Many online tools are available for this purpose, such as Astra’s Joomla website scanner, Is it Hacked?, etc. They will ask you to input your website URL and show you warning messages when they detect malicious content. However, most online tools do not scan every file and folder, so a preliminary scan may not tell you about all the hidden problems.
Next up, scan your files from the backed-up copy using any available anti-malware tools – if any files are flagged, delete them immediately (or have the scanner remove them, if the option is available).
For example, these tools will look through the ‘public_html’ files for potential viruses, trojan horses and other malware inserted by hackers.
Your host software will also provide extensions that are capable of running a scan on the content after these preliminary checks – running these initially is not advised since they only detect the problem and do not provide removal mechanisms.
You can also check the ‘security’ tab under your Google webmaster account to see whether their scanner has detected issues or they have blacklisted your site.
Make sure you pay special attention to the Joomla core files – if you’re unsure whether they are clean or infected, compare them with clean installation files available online or Extension packages. If the doubt persists, you can afford to delete the core files, since Joomla core files are easily replaceable.
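The core-file comparison described above can be done by hashing both trees. The following is an added example, not code from the original article: it assumes you have unpacked a clean Joomla package of the same version next to your backup, and the function names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_hashes(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_clean(site: Path, clean: Path) -> dict:
    """Classify files in the backup against the clean reference tree."""
    site_h, clean_h = tree_hashes(site), tree_hashes(clean)
    return {
        "modified": sorted(f for f in clean_h if f in site_h and site_h[f] != clean_h[f]),
        "missing": sorted(f for f in clean_h if f not in site_h),
        # Files the clean package never shipped: extensions, uploads, or implants.
        "unexpected_php": sorted(f for f in site_h
                                 if f not in clean_h and f.lower().endswith(".php")),
    }

def demo() -> dict:
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        files = {"index.php": "<?php // core entry point\n",
                 "libraries/loader.php": "<?php // core loader\n",
                 "includes/defines.php": "<?php // core defines\n"}
        for root in (clean, site):
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        # Constructed tampering in the backup copy only.
        (site / "index.php").write_text("<?php // core entry point\n// injected line\n")
        (site / "includes/defines.php").unlink()
        (site / "libraries/adm1n.php").write_text("<?php // dropped file\n")
        return compare_to_clean(site, clean)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Files listed as unexpected are not automatically malicious: ‘configuration.php’ and installed extensions are absent from a clean package too, so review that list rather than deleting it wholesale.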
- Get your site offline
Take down your site and bring it to its offline version, so that you don’t lose your customers. This is possible through the backend or FTP servers on the Joomla platform – find the ‘configuration.php’ file and edit it to take the site offline. Otherwise, you can disable the site and allow specific access from your IP address. This effectively stops any hackers (and customers) from entering your site to edit any of your files or the Joomla database.
There is also a possibility that search engines will blacklist your site and block it to stop any infections, so it is better if the block is done from your side. For this, you can edit your ‘.htaccess’ file to allow access only from your IP address.
- Manual scan using FTP
A manual scan is possible but hard, considering the tricks and maneuvers that require years of dedication and experience to navigate. If you’re interested in moving forward anyway, the first step is to check for ‘php’ files in your folders, and remove all without doubt. The tricky part about malicious files is that they can be disguised as legitimate files, with names such as ‘adm1n’, ‘admin2’, etc.
Also, search for files that contain ‘base64’, which is commonly used by hackers, but exercise caution because this can be a part of files or components that are not harmful.
Often, hackers upload backdoor files that allow them to access the site again. There are facilities like PHP decoders that allow you to simplify malicious code and analyze it.
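The manual checks above (look-alike file names, ‘base64’ usage, leftover backdoor files) can be scripted so that each hit comes with a reason for review. This is an added example, not code from the original article; the regular expressions, the list of data directories and the sample files are assumptions constructed for illustration, and the script only reports, it does not delete.

```python
import re
import tempfile
from pathlib import Path

# Look-alike admin names of the kind the article mentions ('adm1n', 'admin2').
LOOKALIKE = re.compile(r"^adm(1n\d*|in\d+)\.php$", re.IGNORECASE)
# base64_decode alone is common in legitimate code; feeding it to eval/assert is not.
DECODE_EXEC = re.compile(rb"(eval|assert)\s*\(\s*(gzinflate\s*\(\s*)?base64_decode\s*\(", re.I)
BASE64_CALL = re.compile(rb"base64_decode\s*\(", re.I)
# Assumption: directories meant for media and temporary data, not executable PHP.
DATA_DIRS = {"images", "media", "tmp", "cache"}

def triage(root: Path) -> dict:
    """Return {relative path: [reasons]} for PHP files worth manual review."""
    findings = {}
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root)
        data = path.read_bytes()
        reasons = []
        if LOOKALIKE.match(path.name):
            reasons.append("look-alike name")
        if DECODE_EXEC.search(data):
            reasons.append("decoded payload executed")
        elif BASE64_CALL.search(data):
            reasons.append("base64_decode present (may be benign)")
        if rel.parts[0] in DATA_DIRS:
            reasons.append("PHP in data directory")
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings

def demo() -> dict:
    """Scan a small constructed tree (sample files, not real malware)."""
    samples = {
        "index.php": b"<?php echo 'home';",
        "libraries/mail.php": b"<?php $body = base64_decode($attachment);",
        "administrator/adm1n.php": b"<?php echo 'x';",
        "images/banner.php": b"<?php eval(base64_decode('CONSTRUCTED_PLACEHOLDER'));",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return triage(Path(tmp))

if __name__ == "__main__":
    for name, why in demo().items():
        print(name, "->", ", ".join(why))
```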
- Change passwords and other login credentials
If your site is compromised, there is a possibility that your login credentials have also been compromised, so make it a point to change all the passwords, especially for the Joomla Super User account and any other platforms that require administrative access. If you change and update your MySQL password, make sure to update it in the ‘configuration.php’ file.
- Update and Uninstall
Always update to the latest Joomla version, including all plug-ins, modules and components – the Extension Manager provides details on the latest available versions. Clean up and get rid of anything that you don’t currently use, to permanently remove all damaged and compromised files.
A firewall is the best option that one can implement to stop attacks in real time. Astra’s Joomla firewall offers tailored features – https://www.getastra.com/blog/cms/joomla-security/joomla-firewall-joomla-antivirus/
Finally, make sure that you resolve the issue with Google and get your site back online as quickly as possible in order to avoid losing any customers or their loyalty. Make it a priority to strengthen your existing security levels for the Joomla platform and conduct frequent security checks to keep it safe.