Last updated: November 1, 2022

Among the popular content management systems (CMSs), Joomla is well-known for its security features and its robustness.

But using Joomla to build and maintain your site is no guarantee that it will not be hacked. No matter how much effort you put into securing your site, there will always be a vulnerability that you’re not aware of, one that opens a door for hackers to enter and seize your beloved content.

Joomla sites can be hacked in many ways. To begin, the server that hosts your site can be insecure. Many vulnerabilities can be exploited in a server, such as weak credentials, unprotected DNS services, open ports, and many others.

A sadly common one is using the default admin account with a weak password that a brute force attack can obtain. Another one is the failure to update the Joomla core system or the installed plugins or templates.

Joomla’s open architecture is great for the flexibility it offers but creates a potential risk by letting you use insecure extensions. Finally, one threat is common to all websites, regardless of the underlying technology: your site could become the target of phishing attacks.

In conclusion, your Joomla site may get hacked, no matter what. The next question you might ask is: How do I know if my website got hacked, and what are the consequences?

The problem with keeping a hacked site

If you frequently scan your Joomla website for malware, there’s a good chance that you will detect a hacking attempt before it seizes the whole site.

But if you don’t, the symptoms that your site got hacked will appear in the form of altered webpages, with messages, links, images, or ads that you didn’t put there, or redirects to sites that don’t belong to you.

You should also suspect that your site has been hacked if you experience subtle behavioral changes, such as getting automatically logged out of your admin account, detecting the appearance of new admin names, getting an unexpectedly high amount of site traffic, or experiencing slow loading of webpages.

You may believe that those symptoms are superficial and that weird messages or images are not really harmful to your business. Don’t believe that. Any hacking symptom IS harmful in many ways. To begin with, it can affect your positioning in SERPs (search engine result pages).

Search engines — Google in particular — check the sites they crawl to see if they are safe for regular users. If they detect that your site has been hacked, they will show a warning together with the site metadata, and they’ll also lower your SERP rankings in favor of other pages with similar content that haven’t been hacked.

Besides damaging your SEO and your site’s reputation as a serious business front end, the consequences of keeping a site hacked could include jeopardizing your customers or your users’ private information. A hacking attack such as cross-site scripting could redirect your visitors to anywhere the hackers want. Those visitors will then lose trust in your site forever.

So my Joomla site got hacked. Now what?

You have two options: hire a service that will do the cleaning for a price or clean it yourself. If you are a DIY fan, then make a jar of coffee ☕ and prepare to do some serious cleaning work, following the steps below.

  • Make a full backup. This backup will contain malware traces, but you should keep it anyway on your local computer, in a quarantine folder, in case you need to find some file or piece of content that isn’t anywhere else.
  • Perform a full site scan. Use an online tool to do this job and use your local antivirus to detect infected files in the backup copy made in step 1. If the antivirus detects infected files, those files should be deleted from the backup and from the hosting.
  • Put the site in offline mode. You can do this from Joomla’s back-end, via FTP, or simply by modifying the .htaccess file on your server to allow access only from your own IP address.
  • Do a manual scan. Using FTP and your own trained eye, browse through the directory structure to find rogue files and delete them. Look particularly into folders such as /tmp, /cache, or /images for malicious files disguised as legitimate ones. A couple of common examples: test.html, tests.php, contacts.php, cron.css, css.php. If you find any file that doesn’t belong in the folder it is in, delete it without thinking twice.

If you are not sure whether the full site scan you did in step 2 cleaned the infected code files, your manual scan should include searching PHP files for malicious code. Keep in mind that such code may be obfuscated or masked by functions like base64_decode, gzinflate, eval, or others related to regular expressions.

You can use a PHP decoder or an online service to analyze obfuscated code to reveal what it really does.
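
A triage pass for the manual scan above, written as an added example (it is not code from the original article): it walks a local copy of the backup and flags the disguised file names listed in step 4, PHP content inside tmp, cache, or images folders, and calls to eval, base64_decode, or gzinflate. The function names and the sample tree are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Folders and disguised file names singled out in the manual-scan step.
WATCHED_DIRS = {"tmp", "cache", "images"}
ROGUE_NAMES = {"test.html", "tests.php", "contacts.php", "cron.css", "css.php"}
# Functions the article names as typical wrappers for obfuscated code.
CALL_RE = re.compile(rb"\b(eval|base64_decode|gzinflate)\s*\(", re.I)

def scan_backup(root):
    """Return {relative_path: [reasons]} for files that need a manual look."""
    root = Path(root)
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        data = path.read_bytes()
        reasons = []
        if path.name.lower() in ROGUE_NAMES:
            reasons.append("known rogue file name")
        # Trust the content, not the extension: a .jpg or .css can carry PHP.
        is_php = path.suffix.lower() == ".php" or b"<?php" in data.lower()
        if is_php and WATCHED_DIRS & {p.lower() for p in rel.parts[:-1]}:
            reasons.append("PHP code in a watched folder")
        if is_php:
            calls = {m.group(1).decode().lower() for m in CALL_RE.finditer(data)}
            reasons += [f"calls {name}" for name in sorted(calls)]
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings

def build_sample(root):
    """Write a constructed sample tree (harmless placeholder contents)."""
    files = {
        "index.php": b"<?php echo 'home'; ?>",
        "images/logo.png": b"\x89PNG constructed placeholder, not a real image",
        "images/css.php": b"<?php eval(gzinflate(base64_decode('CONSTRUCTED'))); ?>",
        "cache/cron.css": b"body { color: red; }",
        "tmp/banner.jpg": b"<?php echo 'constructed marker'; ?>",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, reasons in scan_backup(tmp).items():
            print(f"{name}: {', '.join(reasons)}")
```

Treat each hit as a lead rather than a verdict: legitimate extensions also call base64_decode, so compare a flagged file against a clean copy of the same Joomla or extension release before deleting it.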

  • Change all passwords and delete rogue users. First of all, change your Joomla super user account password and all passwords for accounts with administrative permissions on the website. From your hosting panel, change the database password and update it in the configuration files (configuration.php). Do the same with the FTP password.
  • Update your Joomla installation to the latest version, together with all the plugins and templates. Using the Extension Manager, compare each extension version number with the information on the developer site. If there are extensions you don’t use, delete them.
  • Restore your reputation. If you already ran out of coffee, you should consider making another jar. This step is less technical, but it will take more time to complete.

If your site got hacked long before you cleaned it, the chances are that it got blacklisted.

That means that it will not appear on search results to protect users from potential malware infections, and therefore you will not receive any more visitors, and you will lose confidence. Even if you cleaned your site thoroughly, it will continue to be blacklisted for a few days.

To speed things up, once your site is clean and running healthily, use Google’s Search Console to request a review. Google will scan your website, and if it doesn’t find any malware infections, it will stop showing a warning message next to your site’s metadata.

But you will have to wait a couple of days until that happens. Using the Search Console, you can also access the URL Removal Tool to request the removal from Google’s index of any URL added by malicious hands.

Once you have cleaned your site, take the necessary measures to prevent future attacks, such as regularly scanning your site for malware infections.

Hack repair services

The steps listed above could serve you as a DIY guide to recover your website from a hacking attack. But if you don’t have the time or don’t trust yourself enough to do the job, you can hire an expert to fix hacked Joomla sites.

It will cost you, but the time you will save could be worth the investment. Keep in mind that each minute your site is offline — or worse, online but losing reputation — could mean dollars that you lose.

Here’s a list of services you could consider if you need to get your site back on track FAST.


If you have to pay to fix your site, you may want to take the opportunity to hire a service that does more than that. It may cost you more, but you will get peace of mind in return.

Sucuri offers a prepaid plan of $499.99 per year that guarantees a 6-hour response when you need to quickly fix a hacked site.

Once your site gets fixed, you get one year of ongoing protection without paying any additional fees. There are more affordable plans if you can wait more than 6 hours to get your site fixed. The response times vary, but with any plan, Sucuri’s experts will clean your website completely.

To get your site fixed, you just need to follow three simple steps: pick the plan that best suits your budget, create an account, and send a malware removal request. Sucuri guarantees to put an end to malware, blacklist warnings, hidden backdoors, and SEO spam.

When the work is done, you receive a complete report.



Minutes after you sign up with Astra, its security researchers will start diagnosing your website using sophisticated tools.

All infected files will be identified and removed to ensure your site is clean again, and Astra tools will be deployed to prevent future attacks. Astra’s security experts will quickly remove all website malware, blacklists, phishing, defacements, SEO spam, and other issues.

Astra offers three different plans tailored to fulfill different needs.

  • The Pro plan costs $19 a month and is designed for small business websites. It includes malware cleanup with a response time of 12 hours, together with a website firewall, automatic malware scanner, blacklist monitoring, and many more features.
  • The Advanced plan costs $89 a month and reduces the response time for malware cleanup to 8 hours. It adds an interesting set of features for e-commerce sites and small businesses, such as quarterly security audits and more than 300 security tests.
  • Finally, the Business plan costs $119 a month and is designed for SaaS and big stores, offering a response time of 6 hours and specialty features, such as business logic testing, managed bug bounty, an account manager, and up to 6 team members.


Behind this service is Phil E. Taylor, a full-stack PHP developer, and a renowned Joomla expert.

For a single set fee of £88 or £138 — depending on your Joomla version — Phil and his guys will fix your hacked Joomla site.

The fee will not change, and no costs will be added, no matter how long it takes for them to finish the job. They promise to start working right away if you hire the service within UK office hours. In most cases, the problem is solved within the same day.

To get your site fixed, you only need to register, send the details of your site and pay the fee. After that, you can relax while the experts take care of everything.

After you get your site fixed, you can hire additional services, such as securing your site, applying best practices, debugging and fixing PHP error messages, and fixing white-screen-of-death problems. All those services are offered for the same one-time fee each.


With SiteLock, you can choose between a one-time website clean or hiring a repair and ongoing protection plan. The former costs $199.99 per domain, while the latter has a cost of $41.67 per month/domain. SiteLock promises to work around the clock to get your site back online as soon as possible, making no exceptions.


If you opt for the ongoing protection plan, SiteLock will implement proactive protection, finding and fixing threats before you know they exist and keeping your site away from possible suspensions and blacklists.

It is possible that your hosting provider suspends your website temporarily if it detects a malware infection in it in order to prevent it from infecting other sites hosted on the same shared server. If this is the case, SiteLock will work with you and with your hosting provider to clean your site and get it online as soon as possible.


This service takes a step that most un-hacking services overlook: it sets up a temporary branded holding page while the cleaning experts work on your site. That page will tell your visitors that your site is under maintenance, so they will not get an error and think your site doesn’t exist anymore.

In 24 hours or less, your site will be cleaned entirely and fixed for a one-time fee of $149.00. Once you hire the service, you need to provide administrator access details, and then a specialized team will scan your Joomla site both automatically and manually for vulnerabilities and malware.

They will clean all hacked files, database entries, and backdoors, and after that, they’ll update your site core files, templates, and extensions to the latest version of each. They will also run a full security scan and submit a Google Review Request to remove your site from any blacklist.

Fiverr Service

Mehdi is a Moroccan freelancer who has more than nine years of experience in fixing hacked Joomla sites. Through the Fiverr platform, he has already helped countless people with their hacked sites.

When you hire Mehdi’s services, he will remove any existing infection from your site, add a security pack to it, upgrade your Joomla to the latest version, erase warning messages from Google SERPs, fix all issues related to security or hacking, and make a full backup of your website. If you need more information, you can send Mehdi a message and get an answer in about an hour.

Mehdi offers a Basic Safe Pack, which costs $5 and performs a full scan, cleans the website, fixes all permissions, and generates a full report.

It gives a one-month money-back guarantee. There’s also a Standard Pro Pack, which costs $25 and offers all the same as the basic plan, plus installing a firewall, checking for vulnerabilities, and giving a two-month guarantee.

Finally, the Premium Expert Pack costs $50 and adds the capability of fully fixing a dead website and updating all extensions. The guarantee of this plan is three months.

Turning a crisis into an opportunity

Repairing your Joomla site after it got hacked will cost you either money or time. But don’t think you will be wasting either — instead, think of it as an investment to enhance the security of your website. After fixing and securing it, your site will have gained robustness, and your customers or visitors will put more trust in you and your business.

  • Geekflare Editorial