Content Notice!

This post is really old and no longer reflects my skill level, views or opinions; it is made available here for archival purposes (it was originally on my old WordPress blog).

Keep that in mind when you read the contents within.

How to Fix a hacked Joomla Site

In the wake of numerous recent Joomla vulnerabilities, malicious hackers have created automated tools to find, scan and exploit vulnerable Joomla websites throughout the web.

If you have noticed strange files, spam, weird search results regarding your website or a notable bump or drop in website visitors, you might be compromised.

If you believe you might be compromised, read on.

How to protect your Joomla website from hackers.

1. Install RSFirewall!

RSFirewall is a WAF (Web Application Firewall) built by the excellent developers at RSJoomla. It gives you extended logging capabilities, allows you to monitor core Joomla files for changes, and identifies backdoors that have been placed on your server.

The advantage of using this tool, as opposed to going through your system manually, is that you save a tremendous amount of time. These kinds of attacks leave behind backdoors in random locations inside your Joomla installation, so when searching by hand you have no way of knowing which files are legitimate and which are malicious.

Sometimes malicious code is even injected into core system files in clever ways that might not be detected for a long time.

RSFirewall finds all of these files for you by scanning and monitoring the system.
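The idea behind an integrity check of this kind, as an added example (not RSFirewall's code and not from the original post): hash every file in the live site and compare it against a clean copy of the same Joomla release. The directory layout and file names in `demo()` are constructed for illustration, and the clean copy is assumed to be one you unpacked yourself from an official release archive.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def list_files(root: Path) -> dict:
    """Map relative POSIX path -> absolute path for every file under root."""
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def compare_trees(site: Path, pristine: Path) -> dict:
    """Classify files in `site` against a clean copy of the same release."""
    site_files, clean_files = list_files(site), list_files(pristine)
    report = {"modified": [], "unexpected": [], "missing": []}
    for rel, path in sorted(site_files.items()):
        if rel not in clean_files:
            # Not shipped with the release: an upload, an extension, or a dropped backdoor.
            report["unexpected"].append(rel)
        elif sha256_of(path) != sha256_of(clean_files[rel]):
            # Shipped file whose content changed: candidate for injected code.
            report["modified"].append(rel)
    report["missing"] = sorted(set(clean_files) - set(site_files))
    return report

def demo() -> dict:
    """Build two tiny constructed trees (not real Joomla files) and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = Path(tmp, "site"), Path(tmp, "clean")
        for root in (site, clean):
            (root / "libraries").mkdir(parents=True)
            (root / "index.php").write_text("<?php // entry point\n")
            (root / "libraries/loader.php").write_text("<?php // loader\n")
        # Constructed tampering: one altered core file, one extra file, one deleted file.
        (site / "index.php").write_text("<?php /* injected */ ?><?php // entry point\n")
        (site / "libraries/cache_x.php").write_text("<?php // dropped file\n")
        (clean / "robots.txt.dist").write_text("User-agent: *\n")
        return compare_trees(site, clean)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Files reported as "unexpected" include legitimate extensions and uploads, so that list needs manual review rather than bulk deletion.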

2. Remove malicious files from Joomla! installation

Once you've installed RSFirewall you should perform a System Check. You can find out how to do this in the RSFirewall Documentation.

Once the check is finished it is time to go deep into the system files to clean them up.

In the Scan Result area you have 4 items of interest.

  1. Scanning the integrity of your Joomla! (CMS) files
  2. Scanning your folders
  3. Scanning your files
  4. Scanning your files for common malware

You can expand each of these if any issues were found. Most likely RSFirewall will tell you that some files/folders have insecure permissions; you can let the program fix these automatically by clicking the green "Attempt to fix the permissions (755) on the selected folders" button.

The more interesting results are in the common malware section. These files might be backdoors or compromised core files. Open an FTP program (such as FileZilla), navigate to them, download them and open them in a text editor.

If a file has long, weird-looking strings and variables with illogical names, it is probably a backdoor and you should remove the file from the server.

However, sometimes these backdoors are injected into system files that are used by the Joomla CMS (or extensions), therefore simply deleting them might cause the entire website to stop working.

Instead, you have to remove the malicious code from the system file. In most cases this just means opening the file in a text editor, removing the backdoor code (often a long string of gibberish text at the very top of the file), saving the file and uploading it back to the server.
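To speed up the manual review described above, the signs this section mentions (long gibberish strings, code crammed onto the top line) can be checked mechanically. This is an added example, not part of the original post or of RSFirewall; the thresholds, the pattern list and both sample files are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Heuristics for the signs described above; thresholds are assumptions to tune.
LONG_BLOB = re.compile(r"[A-Za-z0-9+/=]{200,}")  # long unbroken "gibberish"
DECODE_EXEC = re.compile(                        # decode-then-run idiom
    r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)
MAX_FIRST_LINE = 500  # legitimate PHP files rarely start with a line this long

def triage_php(source: str) -> list:
    """Return the reasons a PHP source text deserves manual review."""
    findings = []
    if len(source.split("\n", 1)[0]) > MAX_FIRST_LINE:
        findings.append("oversized first line")
    if LONG_BLOB.search(source):
        findings.append("long encoded string")
    if DECODE_EXEC.search(source):
        findings.append("decode-and-execute call")
    return findings

def scan_tree(root: str) -> dict:
    """Map each flagged .php file under root to its findings."""
    flagged = {}
    for path in sorted(Path(root).rglob("*.php")):
        findings = triage_php(path.read_text(errors="replace"))
        if findings:
            flagged[path.as_posix()] = findings
    return flagged

# Constructed samples: the blob decodes to the letters "ABC" repeated.
CLEAN = "<?php\ndefined('_JEXEC') or die;\necho 'Hello';\n"
INJECTED = ("<?php $xq9z = '" + "QUJD" * 150 + "'; eval(base64_decode($xq9z)); ?>"
            + CLEAN)

if __name__ == "__main__":
    print("clean:", triage_php(CLEAN))
    print("injected:", triage_php(INJECTED))
```

A finding is a prompt to open the file, not a verdict: minified assets and embedded images can trip the same checks, and a backdoor written in plain readable PHP trips none of them.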

3. Backup your website with Akeeba Backup

Akeeba Backup is a free website backup tool that you install as an extension in your Joomla website. It can then create a full backup of your entire website that you can download and use to restore the website if needed.

In case your website is hacked again in the future, it is smart to set up Akeeba Backup to generate a full backup of your website every week or day, depending on how often your website content changes.

Akeeba has some great video tutorials on how to install, set up and use their backup tool; you can find these videos here.

4. Put your website behind CloudFlare

CloudFlare is a service that secures your site by acting as a proxy between your website and your visitors. CloudFlare also actively monitors the connection and will block a lot of common hacking attempts and Denial of Service attacks, as well as speed up your website a little.

To enable CloudFlare on your website, you will need access to your Domain Registrar and Hosting Provider administrator accounts. If you are the owner and creator of your website, you most likely already have these. If, however, you hired a web developer or third party to create and maintain the website for you, please send them this article and let them do it for you.

CloudFlare has extensive documentation on their website on how to get started with their service, start with this article.

5. Update Joomla! and your extensions

Keeping your Joomla installation up to date is very important, as this gets you the latest security and bug fixes.

However, if you are running a considerably older version of Joomla!, upgrading might not be a viable option, since new versions of extensions might be incompatible with your theme or other extensions.

This is why step 3 is so important: always generate a full backup before trying to update your Joomla site, so you can easily restore it to the previous state if something breaks.

Trust me, I learned the hard way.