As of late, we are getting an abnormal number of requests for malware cleanup on Joomla websites (a substantial number of these websites are infected with the Google hack). What’s even more interesting is not the sheer number of such requests, but the fact that the absolute majority of the affected Joomla websites were 3.5.1 (which is the latest Joomla version at the time of writing this article).
Of course, this can be a coincidence, but it’s more like a once-in-a-blue-moon coincidence, because 1) the number of hacked websites that we are getting is abnormally large, 2) the absolute majority of these websites are Joomla 3.5.1 websites (typically, hacked Joomla websites use an old/vulnerable version of Joomla), and 3) we all know that Papa Smurf has better things to do than summoning that blue moon all the time.
We hate to say it, but it seems like there is a critical vulnerability in Joomla 3.5.1 that probably only those with malicious intent know about. In fact, we think that this vulnerability, whatever it is, started with Joomla 3.5.0, but since Joomla 3.5.1 was released shortly after 3.5.0, many immediately upgraded to 3.5.1, which made it seem that this whole mess started with Joomla 3.5.1.
But how come we haven’t investigated the issue?
So far, all of our clients have elected to solely clean up their websites and secure them. They didn’t want to spend more money on forensics, which is completely understandable, since forensics is a lengthy and costly process. Of course, we could do the forensics ourselves (without being commissioned by a client to do it), but the problem is that, between all these hacked Joomla 3.5.1 websites, we don’t have the slightest amount of free time to invest in this investigation.
Is it a better idea to stick with Joomla 3.4.8?
We think so. Joomla 3.4.8 is, in our opinion, the most stable Joomla release in the 3.x line (so far). All the Joomla websites that we fully manage are still using Joomla 3.4.8, and we do not intend to update them any time soon.
How do we ensure that the websites remain clean after unhacking them?
If you have ever cleaned a hacked Joomla website before, you will probably know that the trick is not cleaning it (although that can be very challenging), but keeping it clean.
In order to keep those websites clean after removing all the malware, we ensure that the “index.php” file is the only PHP file that can be directly requested through Apache, and we remove direct access to most of the core directories (those that shouldn’t be reachable from the outside world) by adding a local .htaccess file with a “deny from all” directive to each of them. We also install a homemade firewall extension on the cleaned websites.
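As an added illustration (this is not the author’s own configuration, nor a file shipped with Joomla), the two measures above can be expressed in Apache .htaccess syntax as follows. The Apache 2.4 directives (Require all denied / granted) are used, with the older Apache 2.2 equivalents, which is where “deny from all” comes from, given in comments; the choice of libraries/ and includes/ as the protected directories is only an example of Joomla core directories that a browser never needs to fetch from directly.

```apacheconf
# --- /.htaccess (site root) ----------------------------------------------
# Added example, not the post's own file. Apache 2.4 syntax; the matching
# Apache 2.2 directives are shown in the comments.

# 1) Refuse direct requests for every *.php file under the web root ...
<FilesMatch "\.php$">
    Require all denied
    # Apache 2.2:  Order allow,deny
    #              Deny from all
</FilesMatch>

# 2) ... then re-open index.php only. <Files> matches on the file name,
# so administrator/index.php stays reachable as well. Sections are merged
# in the order they appear, which is why this grant must come AFTER the
# deny above.
<Files "index.php">
    Require all granted
    # Apache 2.2:  Order allow,deny
    #              Allow from all
</Files>

# --- /libraries/.htaccess and /includes/.htaccess (one copy in each) -------
# Example core directories: they hold PHP code that is only ever included
# by index.php, so nothing inside needs to be served to a visitor.
Require all denied
# Apache 2.2:  Order deny,allow
#              Deny from all
```

Two things to check before relying on this: the server’s AllowOverride setting must permit these directives in .htaccess (AuthConfig for the 2.4 Require lines, Limit for the 2.2 Order/Allow/Deny lines), and any extension that calls one of its own PHP files directly (rather than going through index.php) will stop working, so the site needs a walk-through after the rules are in place.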
Why are we complaining about this? Doesn’t all of this mean that “business is good” for us?
Well, in the long term, this is not good news. If Joomla is deemed to be an unreliable and insecure CMS by the people using it, then these people will slowly, but surely, walk away to other content management systems, and we will be left with fewer clients. We don’t want that, and we will try our best to get to the bottom of this issue as soon as we have the time. Meanwhile, if your Joomla 3.5.1 website gets hacked, please contact us. We will clean it, we will secure it, and we won’t charge you much!