Is Your Joomla Site Hacked? & How to Fix It!

Recently, we had to deal with a Joomla compromise. And while you certainly want to make sure to prevent and minimize such hacking activities on your Joomla site, it’s a good idea to have a plan on what to do if such issue does take place.

Here I will list overall steps taken to address a Joomla site compromise. Please keep in mind that addressing Joomla site infections are some of the most complex website administrator activities but at least I should be able to give small business owners and website administrators an idea of work involved in cleaning up the mess.

First, it’s important to verify if your Joomla site has been compromised.

In this particular scenario, it was easy to verify as Google search engine results started displaying page titles and metadata that did not show on the site:

An example of how your site page may show up in Google search results

The site was compromised by modifying existing and injecting additional files in Joomla CMS installation. When googlebot visited the website, the modified website provided Google different page information than it did to regular visitors. This is also called Googlebot cloaking.

Now, to address these issues, you may be able to do so in the following way:

1. Make sure that the compromise is only related to your own website and not a server-wide compromise. Cleaning up an infected website on a compromised server won’t do you any good.
2. Keep the same website database only if you could verify no infections.
3. Revert website files to the latest uninfected version of the website. It’s critical that you have regular website backups on a regular basis.
4. Notify business stakeholders of the infection & keep them updated along the process.
5. Using Google Webmaster Tools, request for a removal of google site cache  so site can be re-indexed.
6. Try to recover the latest file and website changes since your last website backup so you don’t lose any valuable info.
7. Update outdated extensions if any.
8. Run a fresh malware scan on site
9. Check website and server logs.
10. Remove any unnecessary files and test installations.
11. Remove any unnecessary databases.
12. Further tighten file and folder permissions.
13. Change passwords.
14. Monitor extensively for any unauthorized website and server access as well as file and database changes especially in areas where there should be no changes.
15. Create an incident report and act accordingly to minimize a chance of similar issues happening in the future.

Have you had problems with Joomla site compromises? Please post your stories or comments below.