End users are seeing malware infection warnings. No wait, now they can’t get in – of course not, your host has just suspended your website. To cap it all you receive a blacklist warning from Google. Perfect!
Having your Joomla website hacked is a nightmare. You will need to work out what happened, clean the site and request removal of the suspension/blacklist warnings. Investigating and cleaning your site will take time, but with decent admin skills, you will recover it. Joomla security is an in-depth subject but we will touch on some of the key points here, including how not to be in this position again.
Scan
Clearly, you’re not the first victim; experts such as Sucuri [1] and Comodo [2] provide tools for scanning websites, and Joomla provides plans for managed websites.
Infected files
Hackers often modify files in the Joomla core. You may be able to spot this by checking for recently modified files, for example:
find ./ -type f –mtime -10 — to list files modified in the last 10 days
A more thorough check is to compare the current system with a reliable backup, or with a clean copy of Joomla from GitHub. Use the diff command with the –r to compare all sub-folders
Check for files that are not present in the clean copy, files in the wrong folder, and for encoded files.
Compromised user accounts
A hacker may have penetrated the website through a user account with a weak password and/or admin rights. Check for possible compromised accounts in the Administrator area:
- Recently added users (registration date)
- Users logged in at strange times e.g. during the middle of their night (for example)
Clean up your website
After checking the file system and user accounts thoroughly, clean up the website.
- Clean the file system by restoring modified files from a backup, or known clean copy
- Clean the database using a tool such as PHPMyAdmin [4] to remove rogue content. De-install the tool as part of your final steps.
- Reset all user passwords. At this point you should insist that all end users run a scan; malware present on a user’s machine can spread to your website
- Local test your website and ask your host to put the site back online
- Request Google etc. to remove the blacklist
Protect your website
Now that your attention is firmly on the consequences of being hacked, it’s a good time to implement Joomla security steps
- Plan how you will keep Joomla updated, especially releases which fix security issues. The current version is 3.9.2 – if your site is running 3.8 or earlier you should update as soon as possible
- Limit accounts with Administrator privileges – set the lowest possible access
- Increase the security for end users – enforce strong passwords and (if this is acceptable for your user base) use two-factor authentication
- Use a firewall to protect against brute force and denial of service attacks
- Establish a backup regime – plan when to take backups and where they will be stored. Importantly – test the process to restore from a backup
- Check your site status using the Google safe browsing report [3]
Keep safe – have a plan for if the worst happens!
[3] https://transparencyreport.google.com/safe-browsing/search