{"id":14303,"date":"2019-02-06T10:29:34","date_gmt":"2019-02-06T09:29:34","guid":{"rendered":"https:\/\/names.co.uk\/blog\/?p=14303"},"modified":"2019-02-06T10:33:45","modified_gmt":"2019-02-06T09:33:45","slug":"help-my-joomla-site-has-been-hacked-what-can-i-do","status":"publish","type":"post","link":"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/","title":{"rendered":"Help! My Joomla site has been hacked – what can I do?"},"content":{"rendered":"

End users are seeing malware infection warnings. No wait, now they can\u2019t get in – of course not, your host has just suspended your website. To cap it all you receive a blacklist warning from Google. Perfect!<\/p>\n

Having your Joomla website hacked is a nightmare. You will need to work out what happened, clean the site and request removal of the suspension\/blacklist warnings. Investigating and cleaning your site will take time, but with decent admin skills, you will recover it. Joomla security is an in-depth subject but we will touch on some of the key points here, including how not to be in this position again.<\/p>\n

Scan<\/strong><\/h2>\n

Clearly, you\u2019re not the first victim; experts such as Sucuri [1] and Comodo [2] provide tools for scanning websites, and Joomla provides plans for managed websites.<\/p>\n

Infected files<\/strong><\/h2>\n

Hackers often modify files in the Joomla core. You may be able to spot this by checking for recently modified files, for example:<\/p>\n

find .\/ -type f \u2013mtime -10 — to list files modified in the last 10 days<\/p>\n

A more thorough check is to compare the current system with a reliable backup, or with a clean copy of Joomla from GitHub. Use the diff command with the \u2013r to compare all sub-folders<\/p>\n

Check for files that are not present in the clean copy, files in the wrong folder, and for encoded files.<\/p>\n

Compromised user accounts<\/strong><\/h2>\n

A hacker may have penetrated the website through a user account with a weak password and\/or admin rights. Check for possible compromised accounts in the Administrator area:<\/p>\n

    \n
  1. Recently added users (registration date)<\/li>\n
  2. Users logged in at strange times e.g. during the middle of their night (for example)<\/li>\n<\/ol>\n

    Clean up your website<\/strong><\/h2>\n

    After checking the file system and user accounts thoroughly, clean up the website.<\/p>\n

      \n
    1. Clean the file system by restoring modified files from a backup, or known clean copy<\/li>\n
    2. Clean the database using a tool such as PHPMyAdmin [4] to remove rogue content. De-install the tool as part of your final steps.<\/li>\n
    3. Reset all user passwords. At this point you should insist that all end users run a scan; malware present on a user\u2019s machine can spread to your website<\/li>\n
    4. Local test your website and ask your host to put the site back online<\/li>\n
    5. Request Google etc. to remove the blacklist<\/li>\n<\/ol>\n

      Protect your website<\/strong><\/h2>\n

      Now that your attention is firmly on the consequences of being hacked, it\u2019s a good time to implement Joomla security steps<\/p>\n

        \n
      1. Plan how you will keep Joomla updated, especially releases which fix security issues. The current version is 3.9.2 – if your site is running 3.8 or earlier you should update as soon as possible<\/li>\n
      2. Limit accounts with Administrator privileges – set the lowest possible access<\/li>\n
      3. Increase the security for end users – enforce strong passwords and (if this is acceptable for your user base) use two-factor authentication<\/li>\n
      4. Use a firewall to protect against brute force and denial of service attacks<\/li>\n
      5. Establish a backup regime – plan when to take backups and where they will be stored. Importantly – test the process to restore from a backup<\/li>\n
      6. Check your site status using the Google safe browsing report [3]<\/li>\n<\/ol>\n

         <\/p>\n

        Keep safe – have a plan for if the worst happens!<\/p>\n

         <\/p>\n

        [1] https:\/\/sucuri.net\/<\/a><\/p>\n

        [2] https:\/\/www.comodo.com\/<\/a><\/p>\n

        [3] https:\/\/transparencyreport.google.com\/safe-browsing\/search<\/a><\/p>\n

        [4] https:\/\/www.phpmyadmin.net\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

        End users are seeing malware infection warnings. No wait, now they can\u2019t get in – of course not, your host has just suspended your website. To cap it all you… Read more →<\/a><\/p>\n","protected":false},"author":17,"featured_media":14261,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[176],"tags":[],"class_list":["post-14303","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"yoast_head":"\nHelp! My Joomla site has been hacked - what can I do?<\/title>\n<meta name=\"description\" content=\"End users are seeing malware infection warnings. No wait, now they can\u2019t get in - of course not, your host has just suspended your website. To cap it all A Joomla website hacked is a nightmare. You will need to work out what happened, clean up and request removal of the suspension\/blacklist warnings.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Help! My Joomla site has been hacked - what can I do?\" \/>\n<meta property=\"og:description\" content=\"End users are seeing malware infection warnings. No wait, now they can\u2019t get in - of course not, your host has just suspended your website. To cap it all A Joomla website hacked is a nightmare. You will need to work out what happened, clean up and request removal of the suspension\/blacklist warnings.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/\" \/>\n<meta property=\"og:site_name\" content=\"names.co.uk blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/namesco\/\" \/>\n<meta property=\"article:published_time\" content=\"2019-02-06T09:29:34+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-02-06T09:33:45+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.names.co.uk\/blog\/wp-content\/uploads\/2019\/01\/Your-online-security.png\" \/>\n\t<meta property=\"og:image:width\" content=\"945\" \/>\n\t<meta property=\"og:image:height\" content=\"425\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Nathan\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Namesco\" \/>\n<meta name=\"twitter:site\" content=\"@Namesco\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Nathan\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/\"},\"author\":{\"name\":\"Nathan\",\"@id\":\"https:\/\/www.names.co.uk\/blog\/#\/schema\/person\/c4a24823b87b0d365a83bb36d095d471\"},\"headline\":\"Help! My Joomla site has been hacked – what can I do?\",\"datePublished\":\"2019-02-06T09:29:34+00:00\",\"dateModified\":\"2019-02-06T09:33:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/\"},\"wordCount\":564,\"image\":{\"@id\":\"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.names.co.uk\/blog\/wp-content\/uploads\/2019\/01\/Your-online-security.png\",\"articleSection\":[\"Security\"],\"inLanguage\":\"en-GB\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/\",\"url\":\"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/\",\"name\":\"Help! My Joomla site has been hacked - what can I do?\",\"isPartOf\":{\"@id\":\"https:\/\/www.names.co.uk\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.names.co.uk\/blog\/wp-content\/uploads\/2019\/01\/Your-online-security.png\",\"datePublished\":\"2019-02-06T09:29:34+00:00\",\"dateModified\":\"2019-02-06T09:33:45+00:00\",\"author\":{\"@id\":\"https:\/\/www.names.co.uk\/blog\/#\/schema\/person\/c4a24823b87b0d365a83bb36d095d471\"},\"description\":\"End users are seeing malware infection warnings. No wait, now they can\u2019t get in - of course not, your host has just suspended your website. To cap it all A Joomla website hacked is a nightmare. You will need to work out what happened, clean up and request removal of the suspension\/blacklist warnings.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#primaryimage\",\"url\":\"https:\/\/www.names.co.uk\/blog\/wp-content\/uploads\/2019\/01\/Your-online-security.png\",\"contentUrl\":\"https:\/\/www.names.co.uk\/blog\/wp-content\/uploads\/2019\/01\/Your-online-security.png\",\"width\":945,\"height\":425,\"caption\":\"What is an SSL Certificate?\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"names.co.uk\",\"item\":\"\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Blog\",\"item\":\"https:\/\/www.names.co.uk\/blog\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Security\",\"item\":\"https:\/\/www.names.co.uk\/blog\/category\/security\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Help! My Joomla site has been hacked – what can I do?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.names.co.uk\/blog\/#website\",\"url\":\"https:\/\/www.names.co.uk\/blog\/\",\"name\":\"names.co.uk blog\",\"description\":\"Welcome to the names.co.uk blog where we talk about domain names, web hosting, online shops, website builders and lots of other cool web related stuff. Stick around for offers and competition news too!\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.names.co.uk\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.names.co.uk\/blog\/#\/schema\/person\/c4a24823b87b0d365a83bb36d095d471\",\"name\":\"Nathan\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.names.co.uk\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/b849f2ae94026a2583ec808f66065701dbebe5ca9a87e51fab1269f2853c4a71?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/b849f2ae94026a2583ec808f66065701dbebe5ca9a87e51fab1269f2853c4a71?s=96&d=mm&r=g\",\"caption\":\"Nathan\"},\"description\":\"Nathan has been with team.blue since 2005 and has a background in Technical Support. He is passionate about helping customers find the best product for them and use it to its full potential. In his free time, he can often be found on a train travelling around the beautiful British countryside, or curled up on the sofa at home reading a good book.\",\"url\":\"https:\/\/www.names.co.uk\/blog\/author\/nathan\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Help! My Joomla site has been hacked - what can I do?","description":"End users are seeing malware infection warnings. No wait, now they can\u2019t get in - of course not, your host has just suspended your website. To cap it all A Joomla website hacked is a nightmare. You will need to work out what happened, clean up and request removal of the suspension\/blacklist warnings.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/","og_locale":"en_GB","og_type":"article","og_title":"Help! My Joomla site has been hacked - what can I do?","og_description":"End users are seeing malware infection warnings. No wait, now they can\u2019t get in - of course not, your host has just suspended your website. To cap it all A Joomla website hacked is a nightmare. You will need to work out what happened, clean up and request removal of the suspension\/blacklist warnings.","og_url":"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/","og_site_name":"names.co.uk blog","article_publisher":"https:\/\/www.facebook.com\/namesco\/","article_published_time":"2019-02-06T09:29:34+00:00","article_modified_time":"2019-02-06T09:33:45+00:00","og_image":[{"width":945,"height":425,"url":"https:\/\/www.names.co.uk\/blog\/wp-content\/uploads\/2019\/01\/Your-online-security.png","type":"image\/png"}],"author":"Nathan","twitter_card":"summary_large_image","twitter_creator":"@Namesco","twitter_site":"@Namesco","twitter_misc":{"Written by":"Nathan","Estimated reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#article","isPartOf":{"@id":"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/"},"author":{"name":"Nathan","@id":"https:\/\/www.names.co.uk\/blog\/#\/schema\/person\/c4a24823b87b0d365a83bb36d095d471"},"headline":"Help! My Joomla site has been hacked – what can I do?","datePublished":"2019-02-06T09:29:34+00:00","dateModified":"2019-02-06T09:33:45+00:00","mainEntityOfPage":{"@id":"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/"},"wordCount":564,"image":{"@id":"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#primaryimage"},"thumbnailUrl":"https:\/\/www.names.co.uk\/blog\/wp-content\/uploads\/2019\/01\/Your-online-security.png","articleSection":["Security"],"inLanguage":"en-GB"},{"@type":"WebPage","@id":"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/","url":"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/","name":"Help! My Joomla site has been hacked - what can I do?","isPartOf":{"@id":"https:\/\/www.names.co.uk\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#primaryimage"},"image":{"@id":"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#primaryimage"},"thumbnailUrl":"https:\/\/www.names.co.uk\/blog\/wp-content\/uploads\/2019\/01\/Your-online-security.png","datePublished":"2019-02-06T09:29:34+00:00","dateModified":"2019-02-06T09:33:45+00:00","author":{"@id":"https:\/\/www.names.co.uk\/blog\/#\/schema\/person\/c4a24823b87b0d365a83bb36d095d471"},"description":"End users are seeing malware infection warnings. No wait, now they can\u2019t get in - of course not, your host has just suspended your website. To cap it all A Joomla website hacked is a nightmare. You will need to work out what happened, clean up and request removal of the suspension\/blacklist warnings.","breadcrumb":{"@id":"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#primaryimage","url":"https:\/\/www.names.co.uk\/blog\/wp-content\/uploads\/2019\/01\/Your-online-security.png","contentUrl":"https:\/\/www.names.co.uk\/blog\/wp-content\/uploads\/2019\/01\/Your-online-security.png","width":945,"height":425,"caption":"What is an SSL Certificate?"},{"@type":"BreadcrumbList","@id":"https:\/\/www.names.co.uk\/blog\/help-my-joomla-site-has-been-hacked-what-can-i-do\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"names.co.uk","item":"\/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https:\/\/www.names.co.uk\/blog\/"},{"@type":"ListItem","position":3,"name":"Security","item":"https:\/\/www.names.co.uk\/blog\/category\/security\/"},{"@type":"ListItem","position":4,"name":"Help! My Joomla site has been hacked – what can I do?"}]},{"@type":"WebSite","@id":"https:\/\/www.names.co.uk\/blog\/#website","url":"https:\/\/www.names.co.uk\/blog\/","name":"names.co.uk blog","description":"Welcome to the names.co.uk blog where we talk about domain names, web hosting, online shops, website builders and lots of other cool web related stuff. Stick around for offers and competition news too!","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.names.co.uk\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Person","@id":"https:\/\/www.names.co.uk\/blog\/#\/schema\/person\/c4a24823b87b0d365a83bb36d095d471","name":"Nathan","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.names.co.uk\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/b849f2ae94026a2583ec808f66065701dbebe5ca9a87e51fab1269f2853c4a71?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/b849f2ae94026a2583ec808f66065701dbebe5ca9a87e51fab1269f2853c4a71?s=96&d=mm&r=g","caption":"Nathan"},"description":"Nathan has been with team.blue since 2005 and has a background in Technical Support. He is passionate about helping customers find the best product for them and use it to its full potential. In his free time, he can often be found on a train travelling around the beautiful British countryside, or curled up on the sofa at home reading a good book.","url":"https:\/\/www.names.co.uk\/blog\/author\/nathan\/"}]}},"_links":{"self":[{"href":"https:\/\/www.names.co.uk\/blog\/wp-json\/wp\/v2\/posts\/14303","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.names.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.names.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.names.co.uk\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.names.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=14303"}],"version-history":[{"count":2,"href":"https:\/\/www.names.co.uk\/blog\/wp-json\/wp\/v2\/posts\/14303\/revisions"}],"predecessor-version":[{"id":14307,"href":"https:\/\/www.names.co.uk\/blog\/wp-json\/wp\/v2\/posts\/14303\/revisions\/14307"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.names.co.uk\/blog\/wp-json\/wp\/v2\/media\/14261"}],"wp:attachment":[{"href":"https:\/\/www.names.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=14303"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.names.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=14303"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.names.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=14303"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}