Joomla Websites That Have Been Hacked
We've noticed an increase in new website hosting clients coming to us with hacked Joomla!™ websites. In the past 7 weeks, we've upgraded and cleaned six such sites. In many cases, the client's existing website hosting company had taken their website offline until the issues were resolved because in all these cases there were malicious files in place on the host's server.
It's an unfortunate situation because in today's world businesses need a well-designed and functioning website to attract new customers, or often to qualify their company to prospects that have been solicited with other marketing efforts. When your website is offline, it can't do either.
Even worse, your company's reputation can be hurt greatly if the hackers have installed malicious scripts to send out spam from your domain. No one likes to receive spam emails, and if they originate from your corporate domain that's sure to hurt business. Spam originating from your domain can also cause your domain to be blacklisted, meaning that your legitimate emails may be blocked on the receiving end.
Why Do Joomla Websites Get Hacked?
The biggest cause of hacked Joomla websites is not keeping the software up to date. The current versions allow an easy "click to update", but older versions can't be updated quite so easily. If you are on the Joomla 1.x series, the upgrade actually requires a full migration to the current Joomla 3.x series. The older versions no longer receive new security releases, meaning that they are open targets for hackers.
Vulnerable extensions can also give malicious users a doorway into your hosting account. There is a list of known vulnerable extensions maintained at https://vel.joomla.org/, and if your website uses any of these you should take corrective actions right away.
Can My Non-Joomla Website Get Hacked Too?
Yes, over the years we've assisted many clients whose websites were built on WordPress, other content management systems (CMS), or plain HTML websites.
In general, websites that are built with a CMS or e-commerce software are more vulnerable to attack because they have functionality in place that allows users to be added. But a website built solely on HTML can also be vulnerable, especially if the hosting login credentials are compromised.
What Can I Do To Protect My Website?
Here are some of the basic steps that will help protect your website:
- Never use the default username 'admin'. Since most sites leave this default in place, the hackers only have to guess the password to gain access. You should take steps to create unique usernames for administrator accounts.
- Use strong passwords. You can easily generate complex and hard-to-crack passwords using tools like http://passwordsgenerator.net/.
- Do not share administrator logins with multiple users. Each administrator should have their own unique login. Tip: use a password vault like https://lastpass.com/ to make it easy to use secure passwords.
- Keep your web server software updated. Some attacks may be possible even if your website is secure due to security issues with the software that powers the web server.
- Keep your website software updated. Update at least once a month, and immediately whenever critical security releases are available. Tip: sometimes an update can break your website! See the next item...
- Make sure that your host backs up your website daily. Having a backup copy means that you can quickly go back to a previous state, before you were hacked or before an upgrade caused a problem. Note that it is best to maintain a series of backups, because you might not discover a hack right away.
- Monitor your outgoing email. A sudden spike in emails being sent from the server could mean that a malicious script is sending spam.
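As an added example for the email-monitoring step above (not part of the original article): a Python script that counts outgoing recipients per hour in a mail log and flags any hour far above the typical one, along with the sender responsible. It assumes a Postfix mail server and its qmgr log line format; the function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Assumption: Postfix qmgr lines, logged when a message enters the active queue.
QMGR = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s(?P<hour>\d{2}):\d{2}:\d{2}\s\S+\s"
    r"postfix/qmgr\[\d+\]:\s\w+:\sfrom=<(?P<sender>[^>]*)>,.*nrcpt=(?P<n>\d+)"
)

def hourly_volume(lines):
    """Return {(month, day, hour): Counter(sender -> recipient count)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        m = QMGR.match(line)
        if m:
            key = (m["mon"], int(m["day"]), int(m["hour"]))
            buckets[key][m["sender"]] += int(m["n"])
    return buckets

def find_spikes(lines, factor=5, floor=20):
    """Flag hours with at least `floor` recipients and more than `factor` x the median hour."""
    buckets = hourly_volume(lines)
    totals = {key: sum(c.values()) for key, c in buckets.items()}
    if not totals:
        return []
    baseline = median(totals.values())
    spikes = []
    for key, total in sorted(totals.items()):
        if total >= floor and total > factor * baseline:
            sender, count = buckets[key].most_common(1)[0]
            spikes.append((key, total, sender, count))
    return spikes

def sample_log():
    """Constructed sample: light normal mail, plus a burst from the web server account at 03:00."""
    lines = []
    for hour in range(6):
        for i in range(3):
            lines.append(f"Jan 10 {hour:02d}:{i:02d}:00 web1 postfix/qmgr[1234]: A{hour}{i}: "
                         "from=<info@example.com>, size=2048, nrcpt=1 (queue active)")
    for i in range(60):
        lines.append(f"Jan 10 03:{i:02d}:30 web1 postfix/qmgr[1234]: B{i:03d}: "
                     "from=<www-data@web1.example.com>, size=5120, nrcpt=10 (queue active)")
    return lines

if __name__ == "__main__":
    for (mon, day, hour), total, sender, count in find_spikes(sample_log()):
        print(f"{mon} {day} {hour:02d}:00  {total} recipients, {count} from {sender}")
```

A burst attributed to the web server's own account rather than a staff mailbox is the pattern to look at first, since that is where a script planted in the website would send from.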
What If My Website Has Been Hacked?
It's usually best to contract a professional to help with the clean up. You may find do-it-yourself guides online, but this can be difficult work for a novice. And since the hackers' techniques constantly evolve, a company experienced in dealing with these issues will better understand all the potential threats that may exist.