Menu
Sucuri is committed to helping Joomla! administrators identify and clean their hacked websites. We put together this guide to help website owners walk through the process of identifying and cleaning a Joomla! hack.
This is not meant to be an all-encompassing guide but should help address 70% of the infections we see.
Common indicators of a hacked Joomla! site include:
Contents
You can use tools that scan your site remotely to find malicious payloads and malware locations.
To scan Joomla! for hacks:
Tools to scan your website:
New or recently modified files may be part of the hack. Your core Joomla! files should also be checked for malware injections.
The quickest way to confirm the integrity of your Joomla! core files are by using the diff command in terminal. If you are not comfortable using the command line, you can manually check your files via SFTP.
You can find all Joomla! versions on GitHub. Using an SSH terminal, you can download Joomla! locally. The following commands use version 3.6.4 as an example of the clean files and public_html as an example of where your Joomla! installation is located.
To check core file integrity with SSH commands:
$ mkdir joomla-3.6.4
$ cd joomla-3.6.4
$ wget https://github.com/joomla/joomla-cms/releases/download/3.6.4/Joomla_3.6.4-Stable-Full_Package.tar.gz
$ tar -zxvf Joomla_3.6.4-Stable-Full_Package.tar.gz
$ diff -r joomla-3.6.4 ./public_html
The final diff command will compare the clean Joomla! files with your installation.
To manually check recently modified files:
$ find ./ -type f -mtime -15
Verify your Joomla! user accounts, especially administrators and super-administrators.
To check for malicious users in Joomla!:
Scan Results Example
If your Joomla! site has been blocklisted by Google or other website security authorities, you can use their diagnostic tools to check the security status of your Joomla! website.
To check your Google Transparency Report:
If you have added your site to any free webmaster tools, you can check their security ratings and reports for your website. If you do not already have accounts for these free monitoring tools, we highly recommend that you sign up as they are free to use:
Now that you have information about potentially compromised users and malware locations, you can remove malware from Joomla! and restore your website to a clean state.
If any scans or diagnostic pages revealed malicious domains or payloads, you can start by looking for those files on your Joomla! web server. By comparing infected files with known good files (from official sources or reliably clean backups) you can identify and remove malicious changes.
To manually remove a malware infection from your Joomla! files:
If you can’t find the malicious content, try searching the web for malicious content, payloads, and domain names that you found in the first step. Chances are that someone else has already figured out how those domain names are involved in the hack you are attempting to clean.
Diff tools to compare suspicious files with known-good copies:
To remove a malware infection from your Joomla! database, you need to open a database admin panel, such as PHPMyAdmin. You can also use tools like Search-Replace-DB or Adminer.
To manually remove a malware infection from Joomla! database tables:
You can manually search your Joomla! database for common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc.
Note that these functions are also used by Joomla! extensions for legitimate reasons, so be sure you test changes or get help so you do not accidentally break your site.
Scan Results Example
Hackers always leave a way to get back into your site. More often than not, we find multiple backdoors of various types in hacked Joomla! sites.
Backdoors are usually embedded in files that are named just like legitimate files within the official Joomla! framework but located in the wrong directories. Attackers can also inject backdoors into files like index.php and directories like /components, /modules, and /templates.
To remove backdoors by comparing files:
The majority of malicious code we see uses some form of encoding to prevent detection. Aside from premium components that use encoding to protect their authentication mechanism, it’s very rare to see encoding in the official Joomla! repository.
It is critical that all backdoors are closed to successfully clean a Joomla! hack, otherwise, your site will be reinfected quickly.
If you were blocklisted by Google, McAfee, Yandex (or any other webspam authorities), you can request a review after the hack has been fixed. Google is now limiting repeat offenders to one review request every 30 days. Be sure your site is clean before requesting a review!
To remove malware warnings on your Joomla site:
In this final step, you will learn how to fix the issues that caused Joomla! to be hacked in the first place. You will also perform essential steps to enhance the security of your Joomla! site.
Outdated software is one of the leading causes of infection, and it is important to remove any known vulnerable extensions. Passwords should also be reset to ensure you are not reinfected if hackers gained access to your credentials.
Update Joomla! Core and Extensions
Update all Joomla! software including core files, components, templates, modules, and plugins.
You should also check your extensions for known vulnerabilities using the Joomla! Vulnerable Extensions List.
To check and update Joomla! extensions:
Extension Update
Joomla! 3.x is the most stable major versions as they are still actively developed. Users on 1.x and 2.x branches should strongly consider migrating to 3.x and keep the core files updated.
If you are manually updating core files, you can safely delete directories that are part of the official Joomla! framework (administrator, components, etc), then manually rebuild those same core directories and components.
To check and update Joomla! core files:
Users on the 1.x branch are strongly encouraged to upgrade to 3.x by following the Joomla! Docs migration guide.
If in the first step SiteCheck identified other outdated software on your server (i.e., Apache, cPanel, PHP), you should update those to ensure you have any available security patches.
Reset User Credentials
You should reset all user passwords with unique, strong passwords to avoid reinfection.
To reset passwords for Joomla! user accounts:
You should reduce the number of administrator and super-administrator accounts for Joomla!, and all of your website systems. Practice the concept of least privileged. Only give people the access they require to do the job they need.
Joomla! comes with built-in two-factor authentication on user accounts.
To enable 2FA on your Joomla! user accounts:
It is advisable to reinstall all extensions after a hack to ensure they are functional and free of residual malware. If you have deactivated themes, components, modules, or plugins, we recommend you remove them from your web server.
Joomla! 2fa
Backups function as a safety net. Now that your Joomla! site is clean and you’ve taken some important post-hack steps, make a backup! Having a good backup strategy is at the core of a good security posture.
Here are some tips to help you with website backups:
Location
Store Joomla! backups in an off-site location. Never store backups (or old versions) on your server; they can be hacked and used to compromise your real site.
Automatic
Ideally, your backup solution should run automatically at a frequency that suits the needs of your website.
Redundancy
EV certificates require even more documentation for the Certificate Authority to validate the organization. Visitors will see the name of the business inside the address bar (in addition to clicking the lock icon).
Testing
Try the restore process to confirm your website functions correctly.
File Types
Some backup solutions exclude certain file types such as videos and archives.
Sucuri offers its customers an affordable system for secure website backups.
Have all Joomla! users run a scan with a reputable antivirus program on their operating systems.
Sucuri offers its customers an affordable system for secure website backups.
Joomla! can be compromised if a user with an infected computer has access to the dashboard. Some infections are designed to jump from a computer into text editors or FTP clients.
Here are some antivirus programs we recommend:
Paid
BitDefender, Kaspersky, Sophos, F-Secure.
Free
You can harden your Joomla! site by restricting file permissions and implementing custom .htaccess rules. We recommend reviewing the Joomla! Security Docs for more information.
The number of vulnerabilities exploited by attackers grows every day. Trying to keep up is challenging for administrators. Website Firewalls were invented to provide a perimeter defense system surrounding your website.
Benefits of using a website firewall:
By detecting and stopping known hacking methods and behaviors, a website firewall keeps your site protected against infection in the first place.
Hackers quickly exploit vulnerabilities in plugins and themes, and unknown ones are always emerging (called zero-days). A good website firewall will patch your holes in your website software even if you haven’t applied security updates.
A website firewall should stop anyone from accessing your wp-admin or wp-login page if they aren’t supposed to be there, making sure they can’t use brute force automation to guess your password.
Distributed Denial of Service attacks attempt to overload your server or application resources. By detecting and blocking all types of DDoS attacks, a website firewall makes sure your site is available if you are being attacked with a high volume of fake visits.
Most WAFs will offer caching for faster global page speed. This keeps your visitors happy and is proven to lower bounce rates while improving website engagement, conversions, and search engine rankings.
We offer all of these features with the Sucuri Firewall.
Say on top emerging website security threats with our helpful guides, email, courses, and blog content.
