{"id":5219,"date":"2019-02-06T09:34:18","date_gmt":"2019-02-06T09:34:18","guid":{"rendered":"https:\/\/www.register365.com\/blog\/?p=5219"},"modified":"2019-02-06T09:34:18","modified_gmt":"2019-02-06T09:34:18","slug":"help-my-joomla-site-has-been-hacked-what-can-i-do","status":"publish","type":"post","link":"https:\/\/www.register365.com\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/","title":{"rendered":"Help! My Joomla site has been hacked – what can I do?"},"content":{"rendered":"

End users are seeing malware infection warnings. No wait, now they can\u2019t get in – of course not, your host has just suspended your website. To cap it all you receive a blacklist warning from Google. Perfect!<\/p>\n

Having your Joomla website hacked is a nightmare. You will need to work out what happened, clean the site and request removal of the suspension\/blacklist warnings. Investigating and cleaning your site will take time, but with decent admin skills, you will recover it. Joomla security is an in-depth subject but we will touch on some of the key points here, including how not to be in this position again.<\/p>\n

Scan<\/strong><\/h2>\n

Clearly, you\u2019re not the first victim; experts such as Sucuri [1] and Comodo [2] provide tools for scanning websites, and Joomla provides plans for managed websites.<\/p>\n

Infected files<\/strong><\/h2>\n

Hackers often modify files in the Joomla core. You may be able to spot this by checking for recently modified files, for example:<\/p>\n

find .\/ -type f \u2013mtime -10 — to list files modified in the last 10 days<\/p>\n

A more thorough check is to compare the current system with a reliable backup, or with a clean copy of Joomla from GitHub. Use the diff command with the \u2013r to compare all sub-folders<\/p>\n

Check for files that are not present in the clean copy, files in the wrong folder, and for encoded files.<\/p>\n

Compromised user accounts<\/strong><\/h2>\n

A hacker may have penetrated the website through a user account with a weak password and\/or admin rights. Check for possible compromised accounts in the Administrator area:<\/p>\n

    \n
  1. Recently added users (registration date)<\/li>\n
  2. Users logged in at strange times e.g. during the middle of their night (for example)<\/li>\n<\/ol>\n

    Clean up your website<\/strong><\/h2>\n

    After checking the file system and user accounts thoroughly, clean up the website.<\/p>\n

      \n
    1. Clean the file system by restoring modified files from a backup, or known clean copy<\/li>\n
    2. Clean the database using a tool such as PHPMyAdmin [4] to remove rogue content. De-install the tool as part of your final steps.<\/li>\n
    3. Reset all user passwords. At this point you should insist that all end users run a scan; malware present on a user\u2019s machine can spread to your website<\/li>\n
    4. Local test your website and ask your host to put the site back online<\/li>\n
    5. Request Google etc. to remove the blacklist<\/li>\n<\/ol>\n

      Protect your website<\/strong><\/h2>\n

      Now that your attention is firmly on the consequences of being hacked, it\u2019s a good time to implement Joomla security steps<\/p>\n

        \n
      1. Plan how you will keep Joomla updated, especially releases which fix security issues. The current version is 3.9.2 – if your site is running 3.8 or earlier you should update as soon as possible<\/li>\n
      2. Limit accounts with Administrator privileges – set the lowest possible access<\/li>\n
      3. Increase the security for end users – enforce strong passwords and (if this is acceptable for your user base) use two-factor authentication<\/li>\n
      4. Use a firewall to protect against brute force and denial of service attacks<\/li>\n
      5. Establish a backup regime – plan when to take backups and where they will be stored. Importantly – test the process to restore from a backup<\/li>\n
      6. Check your site status using the Google safe browsing report [3]<\/li>\n<\/ol>\n

         <\/p>\n

        Keep safe – have a plan for if the worst happens!<\/p>\n

         <\/p>\n

        [1] https:\/\/sucuri.net\/<\/a><\/p>\n

        [2] https:\/\/www.comodo.com\/<\/a><\/p>\n

        [3] https:\/\/transparencyreport.google.com\/safe-browsing\/search<\/a><\/p>\n

        [4] https:\/\/www.phpmyadmin.net\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

        End users are seeing malware infection warnings. No wait, now they can\u2019t get in – of course not, your host has just suspended your website. To cap it all you… Read more →<\/a><\/p>\n","protected":false},"author":22,"featured_media":5181,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18],"tags":[],"class_list":["post-5219","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"yoast_head":"\nHelp! My Joomla site has been hacked - what can I do?<\/title>\n<meta name=\"description\" content=\"A Joomla website hacked is a nightmare. You will need to work out what happened, clean up and request removal of the suspension\/blacklist warnings.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.names.co.uk\/2019\/02\/help-my-joomla-site-has-been-hacked-what-can-i-do\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Help! My Joomla site has been hacked - what can I do?\" \/>\n<meta property=\"og:description\" content=\"A Joomla website hacked is a nightmare. You will need to work out what happened, clean up and request removal of the suspension\/blacklist warnings.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.names.co.uk\/2019\/02\/help-my-joomla-site-has-been-hacked-what-can-i-do\/\" \/>\n<meta property=\"og:site_name\" content=\"Register365 Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/register365\" \/>\n<meta property=\"article:published_time\" content=\"2019-02-06T09:34:18+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.register365.com\/blog\/wp-content\/uploads\/2019\/01\/Your-online-security.png\" \/>\n\t<meta property=\"og:image:width\" content=\"945\" \/>\n\t<meta property=\"og:image:height\" content=\"425\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Nathan\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Nathan\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.register365.com\/blog\/2019\/02\/help-my-joomla-site-has-been-hacked-what-can-i-do\/\",\"url\":\"https:\/\/blog.names.co.uk\/2019\/02\/help-my-joomla-site-has-been-hacked-what-can-i-do\/\",\"name\":\"Help! My Joomla site has been hacked - what can I do?\",\"isPartOf\":{\"@id\":\"https:\/\/www.register365.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.names.co.uk\/2019\/02\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.names.co.uk\/2019\/02\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.register365.com\/blog\/wp-content\/uploads\/2019\/01\/Your-online-security.png\",\"datePublished\":\"2019-02-06T09:34:18+00:00\",\"author\":{\"@id\":\"https:\/\/www.register365.com\/blog\/#\/schema\/person\/b8684be81b9b651f59d97f7bac864748\"},\"description\":\"A Joomla website hacked is a nightmare. You will need to work out what happened, clean up and request removal of the suspension\/blacklist warnings.\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.names.co.uk\/2019\/02\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.names.co.uk\/2019\/02\/help-my-joomla-site-has-been-hacked-what-can-i-do\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/blog.names.co.uk\/2019\/02\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#primaryimage\",\"url\":\"https:\/\/www.register365.com\/blog\/wp-content\/uploads\/2019\/01\/Your-online-security.png\",\"contentUrl\":\"https:\/\/www.register365.com\/blog\/wp-content\/uploads\/2019\/01\/Your-online-security.png\",\"width\":945,\"height\":425,\"caption\":\"secure website\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.names.co.uk\/2019\/02\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Register365\",\"item\":\"\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Blog\",\"item\":\"https:\/\/www.register365.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Security\",\"item\":\"https:\/\/www.register365.com\/blog\/category\/security\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Help! My Joomla site has been hacked – what can I do?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.register365.com\/blog\/#website\",\"url\":\"https:\/\/www.register365.com\/blog\/\",\"name\":\"Register365 Blog\",\"description\":\"Welcome to the Register365 blog! Keep up to date with our latest news and product updates, find out more about our Free Online Business Training, and share your comments with us!\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.register365.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.register365.com\/blog\/#\/schema\/person\/b8684be81b9b651f59d97f7bac864748\",\"name\":\"Nathan\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.register365.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/b849f2ae94026a2583ec808f66065701dbebe5ca9a87e51fab1269f2853c4a71?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/b849f2ae94026a2583ec808f66065701dbebe5ca9a87e51fab1269f2853c4a71?s=96&d=identicon&r=g\",\"caption\":\"Nathan\"},\"description\":\"Nathan has been with team.blue since 2005 and has a background in Technical Support. He is passionate about helping customers find the best product for them and use it to its full potential. In his free time you'll find him on a train travelling through some beautiful countryside, or curled up on a sofa with his head in a book.\",\"url\":\"https:\/\/www.register365.com\/blog\/author\/nathan\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Help! My Joomla site has been hacked - what can I do?","description":"A Joomla website hacked is a nightmare. You will need to work out what happened, clean up and request removal of the suspension\/blacklist warnings.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.names.co.uk\/2019\/02\/help-my-joomla-site-has-been-hacked-what-can-i-do\/","og_locale":"en_GB","og_type":"article","og_title":"Help! My Joomla site has been hacked - what can I do?","og_description":"A Joomla website hacked is a nightmare. You will need to work out what happened, clean up and request removal of the suspension\/blacklist warnings.","og_url":"https:\/\/blog.names.co.uk\/2019\/02\/help-my-joomla-site-has-been-hacked-what-can-i-do\/","og_site_name":"Register365 Blog","article_publisher":"https:\/\/www.facebook.com\/register365","article_published_time":"2019-02-06T09:34:18+00:00","og_image":[{"width":945,"height":425,"url":"https:\/\/www.register365.com\/blog\/wp-content\/uploads\/2019\/01\/Your-online-security.png","type":"image\/png"}],"author":"Nathan","twitter_misc":{"Written by":"Nathan","Estimated reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.register365.com\/blog\/2019\/02\/help-my-joomla-site-has-been-hacked-what-can-i-do\/","url":"https:\/\/blog.names.co.uk\/2019\/02\/help-my-joomla-site-has-been-hacked-what-can-i-do\/","name":"Help! My Joomla site has been hacked - what can I do?","isPartOf":{"@id":"https:\/\/www.register365.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.names.co.uk\/2019\/02\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#primaryimage"},"image":{"@id":"https:\/\/blog.names.co.uk\/2019\/02\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#primaryimage"},"thumbnailUrl":"https:\/\/www.register365.com\/blog\/wp-content\/uploads\/2019\/01\/Your-online-security.png","datePublished":"2019-02-06T09:34:18+00:00","author":{"@id":"https:\/\/www.register365.com\/blog\/#\/schema\/person\/b8684be81b9b651f59d97f7bac864748"},"description":"A Joomla website hacked is a nightmare. You will need to work out what happened, clean up and request removal of the suspension\/blacklist warnings.","breadcrumb":{"@id":"https:\/\/blog.names.co.uk\/2019\/02\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.names.co.uk\/2019\/02\/help-my-joomla-site-has-been-hacked-what-can-i-do\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/blog.names.co.uk\/2019\/02\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#primaryimage","url":"https:\/\/www.register365.com\/blog\/wp-content\/uploads\/2019\/01\/Your-online-security.png","contentUrl":"https:\/\/www.register365.com\/blog\/wp-content\/uploads\/2019\/01\/Your-online-security.png","width":945,"height":425,"caption":"secure website"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.names.co.uk\/2019\/02\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Register365","item":"\/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https:\/\/www.register365.com\/blog\/"},{"@type":"ListItem","position":3,"name":"Security","item":"https:\/\/www.register365.com\/blog\/category\/security\/"},{"@type":"ListItem","position":4,"name":"Help! My Joomla site has been hacked – what can I do?"}]},{"@type":"WebSite","@id":"https:\/\/www.register365.com\/blog\/#website","url":"https:\/\/www.register365.com\/blog\/","name":"Register365 Blog","description":"Welcome to the Register365 blog! Keep up to date with our latest news and product updates, find out more about our Free Online Business Training, and share your comments with us!","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.register365.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Person","@id":"https:\/\/www.register365.com\/blog\/#\/schema\/person\/b8684be81b9b651f59d97f7bac864748","name":"Nathan","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.register365.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/b849f2ae94026a2583ec808f66065701dbebe5ca9a87e51fab1269f2853c4a71?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/b849f2ae94026a2583ec808f66065701dbebe5ca9a87e51fab1269f2853c4a71?s=96&d=identicon&r=g","caption":"Nathan"},"description":"Nathan has been with team.blue since 2005 and has a background in Technical Support. He is passionate about helping customers find the best product for them and use it to its full potential. In his free time you'll find him on a train travelling through some beautiful countryside, or curled up on a sofa with his head in a book.","url":"https:\/\/www.register365.com\/blog\/author\/nathan\/"}]}},"_links":{"self":[{"href":"https:\/\/www.register365.com\/blog\/wp-json\/wp\/v2\/posts\/5219","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.register365.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.register365.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.register365.com\/blog\/wp-json\/wp\/v2\/users\/22"}],"replies":[{"embeddable":true,"href":"https:\/\/www.register365.com\/blog\/wp-json\/wp\/v2\/comments?post=5219"}],"version-history":[{"count":1,"href":"https:\/\/www.register365.com\/blog\/wp-json\/wp\/v2\/posts\/5219\/revisions"}],"predecessor-version":[{"id":5221,"href":"https:\/\/www.register365.com\/blog\/wp-json\/wp\/v2\/posts\/5219\/revisions\/5221"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.register365.com\/blog\/wp-json\/wp\/v2\/media\/5181"}],"wp:attachment":[{"href":"https:\/\/www.register365.com\/blog\/wp-json\/wp\/v2\/media?parent=5219"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.register365.com\/blog\/wp-json\/wp\/v2\/categories?post=5219"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.register365.com\/blog\/wp-json\/wp\/v2\/tags?post=5219"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}