A Guide to Fixing Hacked Joomla Websites
Joomla is an extremely popular Content Management System used by tens of thousands of websites. There are many advantages to it and using Joomla is really simple.
But like many other CMS, Joomla website can experience breaches too. In such cases, your site will get hacked or broken. You’d need to act quick to fix your website. In this guide, you’ll learn how to fix a hacked Joomla website.
How Joomla Websites are Hacked?
Joomla is a highly-secure system. It has a dedicated community behind it that looks for security loopholes and fix them.
But it’s the third-party themes and plugins that you install that create the vulnerabilities. These are vulnerable to XXS or Cross-site Scripting attacks. In this type of attack, hackers try to inject JavaScript codes into your browser to leave the website exposed.
Another common hack is SQL injection where the hacker inject malicious SQL command into your database.
In both of these attacks, the hackers gain admin-level access to your website and steal or manipulate the data.
How to Fix the Hack?
Before you start repairing your website, you need to ensure that the breach is limited to your website and other websites on the server are unaffected. So check other websites as well.
You can then move ahead with the fixing process. Here are the steps involved in this process:
You can delete the unnecessary users manually as well by using the SQL Statement “Drop User”.
Here are some steps to take:
If you find any modified files, then remove them.
To ensure the website isn’t hacked again, update regularly and scan using trusted antivirus software. Take periodic updates and keep changing passwords from time to time. With these measures, your website will be less prone to breaches.
Joomla is an extremely popular Content Management System used by tens of thousands of websites. There are many advantages to it and using Joomla is really simple.
But like many other CMS, Joomla website can experience breaches too. In such cases, your site will get hacked or broken. You’d need to act quick to fix your website. In this guide, you’ll learn how to fix a hacked Joomla website.
How Joomla Websites are Hacked?
Joomla is a highly-secure system. It has a dedicated community behind it that looks for security loopholes and fix them.
But it’s the third-party themes and plugins that you install that create the vulnerabilities. These are vulnerable to XXS or Cross-site Scripting attacks. In this type of attack, hackers try to inject JavaScript codes into your browser to leave the website exposed.
Another common hack is SQL injection where the hacker inject malicious SQL command into your database.
In both of these attacks, the hackers gain admin-level access to your website and steal or manipulate the data.
How to Fix the Hack?
Before you start repairing your website, you need to ensure that the breach is limited to your website and other websites on the server are unaffected. So check other websites as well.
You can then move ahead with the fixing process. Here are the steps involved in this process:
- Clean the Database
Code:
Select * from users as u
AND u.created > UNIX_TIMESTAMP(STR_TO_DATE(‘My_Date’, ‘%M %d %Y ’));- Secure the Server
- If there are open ports, close them
- Clear all the unused subdomains
- Regularly check for configuration issues
- When you’re sharing a server, use a reliable VPN service
- Block the error messages that contain the information
- Enable firewalls for added protection
- Set or Reset Permissions
Here are some steps to take:
- Limit the users capability to upload only image and video files and not any executable like PHP
- Restrict all users from accessing the .htaccess file except the admin. You can use this command -
Code:
chmod 444 .htaccess - Restrict everyone from overwriting the PHP files with this command -
Code:
chmod 444 *.php- Check for Modified Files in Joomla and Restore them
- Create a directory and name it “Joomla” and go into that folder using the command: $ mkdir joomla $ cd joomla
- Download the Joomla files into that folder using wget. Use this command: $ wget https://github.com/joomla/joomla-cms/release/download/3.6.4/Joomla_3.6.4-Stable-Full_Package.tar.gz
- Extract the downloaded files using the command:
Code:
$ diff -r joomla-3.6.4 ./public_html- Check for modified files with the command:
Code:
$ find ./ -type f -mtime -15If you find any modified files, then remove them.
- Check Logs
- Log into your Joomla dashboard and navigate to Users >> Manage
- Check for suspicious users with unusual activities. Specifically check for recent users
- If you spot any unknown user, remove them from the list
- Inspect the server log location. This will help you spot XSS and SQL injection attacks
- Use Google Diagnostic Report for users with unknown IPs. Remove them accordingly
