How to fix hacked Joomla Website and remove Malware?

Among the popular content management systems (CMS), Joomla is known for its security features and powerful functions.
Joomla is the second most popular CMS after WordPress, and it is often the target of hackers.
Using Joomla to build and maintain your website does not guarantee that it will not be hacked. No matter how much effort you put into protecting your website, there will always be a loophole that you don’t know, which opens the door for hackers and grabs your beloved content.
XSS is the most common vulnerability exploited by attackers in Joomla and WordPress. Other reasons for attacking Joomla are Code Injection, SQLi etc.
Unfortunately, the password used for the default administrator account is weak and can be obtained through brute force attacks. The other is that the Joomla core system or installed plugins or templates cannot be updated.
Joomla websites can be hacked in many ways. First, the server hosting your site may not be secure. Many vulnerabilities can be exploited in the server, such as weak credentials, unprotected DNS services, open ports, etc.
Joomla’s open architecture provides a lot of flexibility, but it brings potential risks because it allows you to use unsafe extensions. Finally, regardless of the underlying technology, all websites face the same threat: it may become the target of a phishing attack.
Anyway, your Joomla website may be hacked. The next question you may ask is: How do I know if my website is hacked and what are the consequences and how to fix Joomla hack?
A compromised Joomla website can cause serious trouble. However, before we start the Joomla hack removal process, let us quickly understand the symptoms of the Joomla website being hacked.

Problems with a Hacked Joomla website

If you frequently scan for malware on the Joomla website, you are likely to detect hacking attempts before it hijacks the entire website. However, if you don’t do this, the symptoms of the website being hacked will appear in the form of web page changes that contain messages, links, images, or advertisements that you did not place on them, or redirect to a website that does not belong to you.
If you have made subtle behavior changes, such as automatically logging out of your administrative account, detecting the appearance of a new administrator name, unexpected increase in website traffic or slow loading, you should also suspect that your website has been hacked.
You might think that these symptoms are superficial and that weird messages or images are not really harmful to your business. Don’t believe that, any hacking symptoms are harmful in many ways. First, it may affect your position in the SERP (Search Engine Results Page). Search engines (especially Google) check the websites they crawl to see if they are safe for ordinary users.
If they detect that your site has been hacked, they will display a warning along with site metadata and will lower your SERP ranking to attract other pages with similar content but not hacked.
In addition to destroying your SEO and website’s reputation as a serious business front end, the consequences of keeping your website hacked may also include damage to the private information of customers or users. Hacking attacks such as cross-site scripting may redirect your visitors to wherever the hacker wants. These visitors will lose trust in your website forever.

How to know if a Joomla website is Hacked?

• A Google search showed “This site may have been hacked” in the meta description.
• Page loading too slow.
• Site redirected to spam.
• The index page is defaced or replaced by Joomla hack.
• Log out of your administrator account.
• A new administrator appears.
• Spam messages that did not exist before are beginning to appear on your website.
• The site was blacklisted by Google due to “malware” or “phishing”.
• This spam also includes advertisements and harmful redirects.
• The abnormal traffic on your website has surged.
• You can check all this information using Google Webmaster Tools.
• The CMS or other software may be damaged. Especially the firewall!

So my Joomla website has been hacked. What now?

You have two options: hire a service that will do the cleaning for the right price, or do it yourself. If you’re a DIY fan, make a jar of coffee ☕ and get ready for some serious cleaning work by following the steps below.

Backup the website

Make a full backup. This backup will contain malware traces, but if you need to find files or content that are not available elsewhere, you should save them in a quarantine folder on your local computer anyway.

Scan and Identify the hack

Scan Joomla site to identify malware locations and malicious payloads. For this, you can use the following tools

• SiteCheck
• UnmaskParasites
• VirusTotal

You can also use local antivirus software to detect infected files in the backup copy created in step 1. If the antivirus software detects infected files, they should be deleted from the backup and the host.
If your Joomla website seems to have been blacklisted by Google or other website security agencies, you can check the security status of Joomla. The website uses its diagnostic tool. To check Google’s transparency, visit the “Safe Browsing Site Status” website, where you can check

• Site security details, which provides information about malicious redirects, spam and downloads.
• Test details, which provide information about the latest Google scan that found the malware.

Use free security monitoring tools, such as Google Webmasters Central, Bing Webmaster Tools and Norton SafeWeb to check website security reports.
You can also check modified files manually. Using FTP you can browse the directory structure to find malicious files and delete them. In particular, check whether there are malicious files disguised as legitimate files in folders such as /tmp, /cache or /images-several common examples: test.html, tests.php, contacts.php, cron.css, css.php.

Fixing the Hacked Website

After obtaining information about the location of potential malware, infected users, and threat assessment, choose a complete site cleanup. Compare the infected file with previous backups to assess the scope of the modification and delete malicious changes. Use a database management panel (such as PHPMyAdmin) or a tool such as Search-Replace-DB or Adminer to clean up the compromised Joomla database.
The next step will be to protect all user accounts. Often, hackers leave multiple backdoors so that they can gain access again even after cleaning up the website.
Backdoors are usually embedded in files that look legitimate but are located in the wrong directory. Therefore, the files must be completely removed from the backdoor, otherwise there is a threat of re-infection.

Clean up Hacked database tables

To remove the malware infection from your Joomla! Database, you need to open a database management panel, such as PHPMyAdmin. You can also use tools like Search-Replace-DB or Adminer.First, start cleaning the infected database. Joomla SQL injection can create new database users. To find new users created after a certain date, use the following code:
Select * from users  as u
AND u.created > UNIX_TIMESTAMP(STR_TO_DATE('My_Date', '%M %d %Y '));
Once a rogue user is found. Therefore, use the SQL statement Drop User to delete them;
To manually remove malware infections from Joomla! Database Table:

• Log in to the database management panel.
• Before making changes, back up the database.
• Search for suspicious content (for example, spam keywords, links).
• Open the table with suspicious content.
• Manually delete all suspicious content.
• Test to confirm that the site can still function normally after the change.
• Delete any database access tools you may have uploaded.

You can search your Joomla manually! Database, used for common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc. Please note that Joomla also uses these features! Extensions are for good reasons, so make sure you test changes or get help to avoid accidentally breaking your site.

Secure the server

If the hosting provider detects a malware infection on a website, it may temporarily suspend your website to prevent it from infecting other websites hosted on the same shared server.
Even if the installation is safe, a malfunctioning server can also lead to Joomla hacking. Although there are many Joomla security issues. Some key points to remember are:

• Close all open ports.
• Delete unused subdomains.
• Regularly check for configuration issues.
• If you want to share the server, perform subnetting. Or use VPN.
• Prevent error messages from leaking information.
• Provide strong and random passwords for FTP accounts and databases!
• Make sure to use a firewall or some kind of security solution.

Fix file permissions

• First of all, please make sure that no user can upload executable files such as .php, .aspx, etc. Only image files can be uploaded to the server.
• Now proceed to set the file permissions of the server. Probably the most sensitive file is the .htaccess file. Therefore, appropriate file permissions must be set. Set your .htaccess permissions to 444 (r–r–r–) or 440 (r–r––).
• Also, please make sure that your PHP files will not be overwritten. Therefore, you need to set *.php to 444 (r–r–r–).
• The most important thing is to use popular Joomla extensions. Joomla is a fairly large CMS and popular extensions are more quickly updated in the event of vulnerabilities.

Check Hacked or Modified Files

If any scan or diagnostic page shows malicious domains or payloads, you can start by looking for those files on Joomla! Network Server. By comparing the infected files with known normal files (from official sources or reliable clean backups), you can identify and delete malicious changes.
To manually remove the malware infection from your Joomla! file:

• • Log in to the server via SFTP or SSH.
  • Before making changes, create a backup of the site files.
  • Search your files to refer to the malicious domain or payload you pointed out.
  • Identify the recently changed files and verify that they are legal.
  • View files marked by the diff command during the core file integrity check.
  • Use clean backups or official sources to restore or compare suspicious files.
  • Remove any suspicious or unfamiliar code from your custom file.

• Test to confirm that the site can still function normally after the change.

Consider that the code may be confused or obscured by functions such as base64_decode, gzinflate, eval or other regular expression related functions. You can use a PHP decoder or online service to analyze the obfuscated code to reveal its actual function.
There is another quick way to find the modified files by using diff command in terminal.This can be used for comparison. To use the SSH command to check the integrity of the core file, do the following:
$ mkdir joomla$ cd joomla
First, we created a directory called joomla and switched to that directory.
$ wget https://github.com/joomla/joomla-cms/releases/download/3.9.22/Joomla_3.9.22-Stable-Full_Package.zip
$ tar -zxvf Joomla_3.9.22-Stable-Full_Package.zip
The wget command downloaded the Joomla file from GitHub. Second line of code then extract them.
$ diff -r joomla-3.9.22 ./public_html
Finally, the diff command here is comparing content. This time we are looking for In the public_html file. Similarly, you can check multiple files. Moreover, the file It can be checked manually. Just use any FTP client to log in and check the files. SSH protocol Allows you to list file modifications.
$ find ./ -type f -mtime -15
The SSH command here shows the files modified in the last 15 days. Similarly, you can change the time stamp. Please note if there are any recently modified files!

Check user Logs

The system log is the best tool to identify the cause of a Joomla hack. The system log records all previous activities. Therefore, whenever XSS or SQL injection is performed, there will always be a request record. In addition, hackers often create new administrator accounts. If you wish to check any suspicious users, then:

• Log in to your Joomla! Administrator area.
• Click User on the menu item, and then select Manage.
• Check the list, especially the list with the most recent registration date.
• Delete all unfamiliar users created by hackers.
• Check the last access date of legitimate users.
• Confirm all users who logged in at the suspicious time.
• If you know where the server logs are stored and how to search for requests to the Joomla administrator area, you can also parse the server logs!
• Users who log in at unusual times or geographic locations may have been compromised.
• If you see users logging from unknown IPs, remove them.

Post Hack Security

Update the Joomla Core, templates and Extensions

Most of the time a Joomla hack takes place due to unpatched files. Hence, the first step to follow post cleaning the hack is a Joomla update. Updates essentially remove vulnerable extensions and fill in security holes thus providing you with a secure environment.
Currently, the Joomla version 3.9.x is the most stable major version. Those using 1.5.x, 1.6.x, 1.7.x and 2.5.x branches should immediately switch to 3.9.x.
Other than major version update, also update all Joomla core files, components, templates, modules, and plugins.

Reset the credentials

You should reset all user passwords with a unique strong password to avoid re-infection. Reset Joomla password! user account: Log in to your Joomla! website. Click the User menu item. Open each user account. Change user password. Repeat this for every user on your website.

• Reset Joomla password! user account:
• Log in to your Joomla! website.
• Click the User menu item. Open each user account.
• Change user password.
• Repeat this for every user on your website.

You should reduce the number of administrator and super administrator accounts for all website systems. Implement the concept of least privilege. Give people only the access they need to get the job done.

Reinstall of Extensions

After hacking, it is also recommended to reinstall all extensions to ensure that they function properly and there is no residual malware. In addition, delete deactivated/deactivated templates, components, modules or plugins from the web server.
Sometimes, we forget to delete files related to these obsolete modules and plugins, which may still leave loopholes. Therefore, make sure to delete these files as well, as they may contain serious vulnerabilities.
After cleaning the hacked Joomla website, please make a backup. A good backup strategy is at the core of best security practices. Store the backup in a remote location, because storing the backup on the server may also lead to hacking.

Backup the website

The backup acts as a safety net. Now that your Joomla website is clean and you have taken some important post-hacking steps, please make a backup! Having a good backup strategy is the core of a good security posture.
Regular backup of files and database archives can avoid any trouble. Some extensions such as Akeeba Backup provide automatically scheduled backups that can be restored in the future if data is lost due to hacking.

Post Hack Security Tips or Joomla Hack Protection

Implementing the following security measures will protect your Joomla website from most attacks:

Avoid using weak passwords

Weak credentials may eventually leak through brute force vulnerabilities and act as common security vulnerabilities, resulting in compromised security. The easy-to-guess password and the default administrator account make it easier for Hackers to illegally access your Joomla website, thereby exposing a series of malicious activities. Long passwords with multiple characters are more secure than short passwords.

Restrict Access to Admin Panel

Hackers often resort to brute force attacks on easy-to-guess administrator login pages. Therefore, access to the administrator area must be restricted. It is recommended not to use the default administrator login page URL, but to replace it with a specific name.
In addition, the management panel must be password protected. Administrator tools, RSFirewall and other extensions allow Joomla site owners to change their login page URL. This can be a way to prevent Joomla administrator hack.

Use Security Extensions

Using security extensions is very helpful for protecting your Joomla website. These extensions, when properly configured for your site, can prevent any form of malicious activity and cover up security holes. The extension allows you to prevent hacker attacks and close the security holes of the Joomla website.

Use Two Factor Authentication

A two-step verification code (commonly called a one-time password: OPT) makes your Joomla website more secure. Even if your password is guessed or leaked, you must still pass the authentication code to illegally access your account.

Never use Nulled templates or extensions

Never download premium extensions, plugins or any items for free from unauthenticated or unofficial sources. Extensions and templates from unknown sources may be corrupted or contain malware, which may harm your website. Don’t think about saving money here, but spend on authentic sources.

Use SSL Certification

Whenever a user logs into the site, his/her credentials will be sent to the server (no encryption). By using SSL certificates, these credentials will be encrypted before being sent to the server. In this way, SSL certification can provide additional protection for your Joomla website. You can use LetsEncrypt SSL for free.

File Permission

Always manage permissions to files and directories, and never grant full access to permissions 777. Never grant full access or authority to 777, but use 755 for folders, 644 for files, and 444 for configuration.php files.

Update Regularly

Last but not the least, a secure Joomla website is a website that is updated regularly. Each version update has released security enhancements and bug fixes. An outdated version of Joomla or any other outdated extensions/plugins can sneak into hackers.
If your website was hacked long before it was cleaned up, it is likely to be blacklisted. This means that it will not appear in search results to protect users from potential malware infections, so you will not have other visitors and you will lose confidence. Even if you completely clean up your website, it will continue to be blacklisted for several days.
In order to speed up the process, once your website is clean and healthy, please use Google’s Search Console for review. Google will scan your website and if no malware infection is found, it will stop displaying warning messages next to your website’s metadata. But you will have to wait a few days until this happens. Using Search Console, you can also access the URL removal tool to request that all URLs added by malicious hands be removed from the Google index.
After cleaning the website, please take necessary measures to prevent future attacks, such as scanning your website regularly to check for malware infection.

Joomla Hack Fixing Services

The steps listed above can provide you with a DIY guide to recover your website from a hacker attack. However, if you do not have the time or confidence in yourself to complete the work, you can hire an expert to repair the hacked Joomla website. This will cost you, but the time saved may be worth it. Remember, your website is offline every minute -Or worse, losing your reputation online-may mean you have lost dollars.
You can hire professionals to do it. Yes, you can hire us and we will fix your website within a few hours. You can contact us and we will contact you as soon as possible.

Conclusion

If you have a good recent backup and you can more easily repair the website hacked by Joomla, you can avoid half of the headache. It insists on regular backups, because not only hacker attacks, but also a lot of data lost even during website crashes. This proves the importance of regular and tested backups. All modifications made after the last known backup will be lost. Therefore, these backups must be performed frequently, because you never know when your website will be hacked.
Fixing your hacked Joomla website will cost you money or time. But don’t think you’re wasting money, but treat it as an investment in enhancing the security of your website. After repairing and protecting it, your website will receive strong support, and your customers or visitors will trust you and your business more. Chat with our security expert now!