You wake up one morning, and you get that nasty email from Google telling you that your Joomla website is hacked. So what do you do? Well, first of all you relax knowing that this can happen to anyone in this galaxy, and then you follow the guide below:
- Back up your Joomla website (filesystem and database) so you can revert to that backup in case of a major mistake during the cleanup process.
- Delete all the files under the cache and the tmp folders.
- Check your .htaccess file(s) for anything malicious. Note that we are using file(s) instead of file since you may have more than one .htaccess file (for example, one under the root directory of your Joomla website, one under the administrator folder, and one in a directory even higher than that of the Joomla root directory [this is typically the case when the Joomla website is operating as an add-on domain or is hosted on a toxic shared hosting environment]).
- Overwrite your Joomla files with a fresh Joomla install as described here. In short, you will need to find which version of Joomla you are running, download that exact version of Joomla from the official website, remove the installation and the images folder from the downloaded zipped file, and then extract the zipped file onto your website.
- Run a malware scan (such as maldet) to see if there are still some malicious files. If the scan finds any files, then clean them or delete them (depending on whether these files are actually part of your Joomla website or not). Ensure that your malware scanner is up-to-date before running the scan.
- Make sure that the index.php file is the only file that can be accessed by the outside world. You can do this with an .htaccess rule – we have explained how to do this in a previous post.
- Use an external scanner to check if your website is clean:
  - If it’s not clean, then try disabling modules/plugins one by one and then repeat the scan each time you disable a module/plugin until the problem is no more. Stop when the website is reported as “clean”, and then examine closely the module/plugin that you have just disabled as it is the one that is hacked and that is poisoning the whole website.
  - If still not clean, then switch to a different template and repeat the scan and see if the problem is fixed. If the problem is fixed, then the hack is somewhere in your template. Either uninstall your template and re-install it or fix the hack manually.
- If not already done, update your Joomla website to the latest version.
- Update all the extensions (template, modules, plugins) on your Joomla website to the latest version. This step and the previous step are absolute musts for website protection.
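To help with the "overwrite with a fresh install" and "are these files actually part of Joomla?" steps above, here is an added example (not part of the original guide, and not Joomla's own tooling) that compares a site against an extracted copy of the exact same Joomla version and lists core files that were modified, core files that are missing, and script files that the fresh package does not contain. The function names, the extension list and the sample trees are assumptions made for this illustration.

```python
import hashlib
import os
import tempfile

SKIP_TOP = {"installation", "images"}    # removed from the fresh copy, per the guide
SCRIPT_EXT = (".php", ".phtml", ".phar")  # assumed list of executable extensions

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def index_tree(root, skip_top=()):
    """Map each relative path under root to the SHA-256 of its content."""
    index = {}
    for current, dirs, files in os.walk(root):
        if current == root:
            dirs[:] = [d for d in dirs if d not in skip_top]
        for name in files:
            full = os.path.join(current, name)
            if not os.path.islink(full):
                index[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return index

def compare_to_pristine(site_root, pristine_root):
    """Return sorted lists: core files modified, core files missing, extra scripts."""
    pristine = index_tree(pristine_root, SKIP_TOP)
    site = index_tree(site_root)
    modified = sorted(p for p in pristine if p in site and site[p] != pristine[p])
    missing = sorted(p for p in pristine if p not in site)
    extra = sorted(p for p in site if p not in pristine and p.lower().endswith(SCRIPT_EXT))
    return modified, missing, extra

def demo():
    """Run the comparison on two small constructed trees (not real Joomla files)."""
    sample_pristine = {"index.php": b"<?php // core", "libraries/loader.php": b"<?php // lib"}
    sample_site = {"index.php": b"<?php // core + injected line", "configuration.php": b"<?php",
                   "images/logo.png": b"png", "images/x.php": b"<?php // unexpected"}
    with tempfile.TemporaryDirectory() as tmp:
        for label, files in (("pristine", sample_pristine), ("site", sample_site)):
            for rel, data in files.items():
                path = os.path.join(tmp, label, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as handle:
                    handle.write(data)
        return compare_to_pristine(os.path.join(tmp, "site"), os.path.join(tmp, "pristine"))

if __name__ == "__main__":
    for title, paths in zip(("MODIFIED", "MISSING", "EXTRA SCRIPT"), demo()):
        for rel in paths:
            print(f"{title}: {rel}")
```

The "extra script" list is a review list, not a delete list: configuration.php and the files of your installed extensions are expected to appear there, while a script file under images, cache or tmp deserves a close look.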
Typically, following the above guide will get your website clean and more secure. If it doesn’t, or if you need help with this guide, then please contact us. Our fees are affordable, our work is top notch, and we will clean your website.