Is your Joomla hacked? If you’re looking to know if your site has actually been hacked, here are a few behaviors that are common. Suspicious browser behaviors, blacklist warnings from Google, McAfee, Bing, etc, the presence of spam keywords in your search engine content, and file modifications or addition of new users to the admin dashboard without your knowledge are some of the symptoms one must look out for to understand if your Joomla is hacked.
Coming to the main topic, what steps should be taken to fix a hacked Joomla site?
Secure your user accounts
This is an important step where you check for backdoors intentionally left by hackers for opportunities for further hacking and misuse. In hacked Joomla sites, the appearances of such backdoors are very common, in various files, and of different kinds.
Often, they may be found in files that look legitimate and are from the official Joomla framework. The key is to note down which official directories they are found in such as /components, /templates, etc.
Also, keep an eye out for the following PHP functions – base64, eval, exec, str_rot13, etc.
You can also remove backdoors from files by comparing them to their previous versions. For this, you need to confirm the Joomla version through ‘System Information’, download core files of the same version from the official repository, log into the server via SFTP or SSH, create a back-up, and compare.
If any existing files do not seem similar to their approved versions, or new files do not match in size or content, flag them down.
Check and clean hacked Joomla website files
Once you’ve put your site through scanning or any diagnostic pages reveal malicious content, payloads, or domains, you get enough information to find out the hacked Joomla files by comparing them to previous clean versions, backed-up or any available on the official repository.
For manual removal of malware from the hacked Joomla site, log into the server via SFTP or SSH, create backups, search files for malicious content, detect and analyze any changes made to check for legitimacy, conduct core integrity checks using diff command and check files flagged during it, remove suspicious files and restore clean versions. Finally, after making any changes, ensure that the platform is still operational.
If manual checks don’t find anything, check the web for known malicious content and then try searching for that specifically.
Cleaning hacked Joomla database tables
For removing malware infections from your hacked Joomla database tables, open up the database admin panel PHPMyAdmin, or use tools like Search-Replace-DB.
For manual removal, step onto the database admin panel, make backups before making any changes, check for suspicious keywords or links, and manually remove them. After ensuring that the site is operational after any changes made, make sure to remove any database access tools that you uploaded.
You can also manually search for common malicious PHP functions as base64_decode, preg_replacs, str_replace, etc. However, your Joomla platform may also use these for legitimate functions, so make sure of their purpose and don’t accidentally break the site.
Fixing Malware warnings
In case you’ve been blacklisted by search engines like Google, McAfee, Bing, etc, or any other web authorities, after fixing the hack, you can request for a review process to get your site back up on these search engines without the malware warnings. Since there is a limit to requesting such reviews (Google offers once every 30 days for repetitive offenders), be sure to request when you can make it count.
Now, to actually remove the malware warning, you need to contact your hosting company or server and provide them enough details for them to remove the suspension – they’ll ask for proof to make sure you’ve removed the malware.
Next, contact each blacklisting authority (Google Search Console, Yandex Webmaster, McAfee SiteAdvisor, etc.) and fill in request forms for reviewing your Joomla site, individually. This process can take several days, so make sure to account for this delay in your schedule.
Once you’re done with fixing the hack, the obvious next step comes with ensuring that such an incident doesn’t occur again and compromise your Joomla platform. Detection and stopping of known security issues are important to preventing future Joomla hacks, compromising its integrity, and restricting such suspicious methods and behaviors. Enhancing security barriers could include updating your outdated Joomla versions which include the extensions as well, resetting and strengthening user credentials like stronger passwords and two-factor authentication, regular scans under your antivirus, placing a rigid and high-quality web application firewall, and maintaining regular backups.
These steps should ensure that future hacks are limited and do not present danger to your Joomla platform, its content and your hard work while optimizing your platform’s performance and mitigate DDoS attacks, brute force attacks, automated bots, to name a few.