Note: While this article focuses on Joomla!-based web sites, it is not meant to assert that Joomla! is less secure than other popular CMSs like WordPress, Drupal, etc. In fact, Joomla! is a particularly strong open-source platform with a worldwide network of developer-contributors who are well aware of security issues. This is, in fact, one of the strong benefits of any major open-source system. Any web site, regardless of its platform or CMS (if any), can be targeted by hackers. If you have a WordPress or Drupal web site, you can effectively replace every instance of "Joomla" below with your own CMS. All of the vulnerabilities will likely be the same. The recommended fix, though, will differ from site to site because I'm focusing on a Joomla-based one here.
Quite unfortunately, one way that Marketing Portland acquires new clients sometimes (and increasingly lately!) is when Joomla web sites fall victim to hackers. Hacking is probably the worst problem web developers face -- worse even than our working to make sites function and look good on new and old versions of IE, Chrome, Firefox, Safari, tablets, phones, PCs, etc. If you think that's awful, try telling a client that his or her site has been hacked and it's going to cost $$$$ to return it to functionality, with no absolute guarantee that it can't happen again, with the primary benefit of spending all of that money being that the site works again (i.e., no improvements to show for all of that investment), and with the potential for even more cost if the source of the hack is an important old component that now needs to be replaced with something else (which adds even more to the cost of the fix). Let me tell you... When you've done dozens of these types of fixes, you really come across some awful, scary, malicious stuff. This is stuff you do NOT want on your server at all.
Removing malicious files is one thing, of course. But figuring out how they got there in the first place is another. Some of the ways this can happen include:
- Outdated Joomla installs. When Joomla releases even small updates (e.g., from 2.5.1 to 2.5.2), they publish a list of things in those updates. Quite often, these are security-related patches. So, if you're not current, you are likely hosting a site with a security vulnerability. Keep your site updated to the extent that you can. Put some thought into this earlier rather than later: How will you update your site? Do you need a development server to test updates on prior to updating production? Who will handle these? Will you always update right away or wait a while? What other extensions are you running that may be affected by an update, and how does that inform your strategy for updating? Are you aware of "core hacks" to your Joomla install? (Hopefully you're using template overrides instead, if possible!) Anyway, all of these things (and more) need to be considered. But, if you're running an old version, just know that there are usually ways hackers can determine what version you're running. I won't go into all of that here, but just imagine that your server hosts thousands of files. Many of these (graphics, text files, and XML files, for example) are visible to anyone who knows where they should be. So, a lot of these things are like beacons on the internet, broadcasting your tech particulars to all who care to look. So, it's not like you can just keep quiet and hope no one knows you're not up to date.
- Vulnerable Joomla extensions. So, when you run Joomla or WordPress or anything, you usually will build on top of that base system with whatever your site needs, right? Well, those things go out of date, too. Over time, people find security holes in them, and these become the target (aka the attack vector or means of access to the server). Similar to the description above, these things are fairly easily found by hackers. Personally, these are the types of hacks I find most. Usually, the extension has some flaw that allows an attacker to get an executable file (such as a PHP file) onto your server in a location that can be found and executed. Once this happens, the server is basically totally under the control of the hacker. I mean, imagine that for a moment... If someone can place ONE PHP file on your server, then he or she can effectively control your entire server and database. The examples I've seen are pure evil, ranging from little scripts that connect to the DB and set up a super admin to huge suites of tools packed into a single PHP file that are there to inflict crazy amounts of damage to a site.
- Vulnerable code. Well, this is similar to the above, only the vulnerability is in a custom-coded feature rather than a formal extension. For example, say you have a form on your site with no validations or something. You could be vulnerable to SQL injection, file upload potential (as described above), or other types of things. I say other because there are just some really high-tech types of vulnerabilities out there. I don't claim to understand them all. I had one client recently approach me about a site that had "Man in the Middle" security needs; I passed on it, as it's just not a type of consulting I provide here. Of course, it's one thing to know what you don't know, but it's scarier (as Rumsfeld famously remarked) to consider that you "don't know what you don't know!"
- Vulnerable server and security configurations. There are many ways to tighten up security to ward off would-be hackers and those sniffing around your server who shouldn't be. For example, all Joomla sites (similar to WordPress) have a distinct address for the administrative login. Trust me: Joomla consultants laugh a little when clients provide the URL for the admin login page. We know it already, and so do the hackers out there -- the latter being not so great, really. So, you can do things rather easily like lock that page down. I like Akeeba Admin Tools for that, and I've met other consultants who use similar tools (such as RS Firewall) for similar functionality. The point is: Get these tools onto your site! (They do a whole lot more than the single example I've given here.)
- Junk in the trunk. This is sort of related to the previous item. What I see a lot (especially on sites developed by people still learning) are multiple instances of entire web sites cluttering a server. Quite often I see Joomla sites that still have WordPress directories on the same server, Joomla sites with huge directories of various backed-up files (including executables), and more. Here's the thing: If any of that old code has vulnerabilities, then your server is still vulnerable. For example, if you have some PHP code in an old backup directory -- say, code that allows a PHP file to be uploaded somehow -- then that is one potential way into your server, which could in turn render the entire server vulnerable. See below for some examples of this.
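As an added example that is not from the article (and not part of Joomla or any tool it mentions): a few shell checks a site owner can run against a Joomla document root to look for the two situations just described, executable files dropped into upload directories and stale site copies left on the server, plus a mitigation for the first. The directory list, file-extension patterns and the Apache 2.4 `.htaccess` directives are my assumptions, so treat every hit as a candidate for manual review rather than a verdict.

```shell
#!/bin/sh
# Added example, not Joomla's own code. Defender-side checks for a Joomla
# document root. Directory names and extension patterns are assumptions.

# 1. PHP files in directories that should hold only static content
#    (uploads, media, cache). A file dropped through a vulnerable
#    extension usually lands in one of these.
find_php_in_static_dirs() {
    root="$1"
    for d in images media cache tmp logs; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' \)
    done
}

# 2. Whole sites nested inside the web root ("junk in the trunk"): a
#    configuration.php (Joomla) or wp-config.php (WordPress) below the top
#    level points at a backup or second install that is still executable.
find_nested_installs() {
    root="$1"
    find "$root" -mindepth 2 -type f \
        \( -name configuration.php -o -name wp-config.php \) \
        -exec dirname {} \;
}

# 3. PHP files changed within the last N days anywhere under the root. On a
#    site that has not been updated lately, a fresh timestamp on a PHP file
#    is worth a look.
find_recent_php() {
    root="$1"; days="$2"
    find "$root" -type f -iname '*.php' -mtime -"$days"
}

# 4. Mitigation for a static directory: an .htaccess that refuses to serve
#    (and therefore execute) PHP there. Assumes Apache 2.4 with .htaccess
#    overrides enabled for that path.
deny_php_execution() {
    dir="$1"
    cat > "$dir/.htaccess" <<'EOF'
# Added by deny_php_execution: no script may run from this directory
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Usage: find_php_in_static_dirs /var/www/site
#        find_nested_installs /var/www/site
#        find_recent_php /var/www/site 7
#        deny_php_execution /var/www/site/images
```

Review each hit by hand: a legitimate extension occasionally ships a PHP file under `media/`, and the check deliberately errs toward reporting too much.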
- People formerly associated with your site who still technically have server access. For people with older sites, some of which have seen many developers come and go, the number of people with server and back-end access might be more than you think. Now, true, most developers wouldn't dare hack a site. But, let's just say that, for security purposes, it's really a best practice to limit access to those who really need it. Even if you hire a consultant for a temporary fix to something, lock him or her out afterward! The next two items on the list will illustrate this problem, as well.
- Bad password policies. This one is such a big deal... I can't tell you how many clients send me a Joomla login that looks like: "Username - admin, Password - password." I also get a lot of "p4ssw0rd" and "pa$$w0rd" and so forth. All of these seem clever, but aren't. Hackers know about these little tricks. In fact, they have means of guessing and brute-force testing vast permutations that include all of the common types of passwords in use by a majority of people. So, don't use "dog" or "cat" or your kid's name, or your birth year, or add "123" to the end, or any of the usual things. (Read this article: Your Clever Password Tricks Aren't Protecting You From Today's Hackers for a longer analysis and suggestions for improving your passwords.)
- Someone's email got hacked. This is another reason to (1) delete accounts and prevent access for old consultants and others with access to things, and (2) manage your passwords better. Part of that latter item is to NEVER send out passwords and usernames via email. Instead, send them via other means -- over the phone, maybe via text, or (my own favorite) via a timebomb-type site like this one: https://gaidi.ca/x/. That site basically makes a little tinyURL-type link to hold the username / password. So, put in a username / password pair, click "1 Hour" or whatever, and then copy the URL of the resulting page. Send THAT to your contact or developer, and he/she can then delete it after retrieving it. This way, there is no record of the username / password in your email or your contact's, should either ever be compromised.
So, the above items cover most of the ways in which the hacking has occurred (if you've been hacked). But, if so, what now? Okay, that's a little complicated, too. To make it easier, I'm breaking it into two possibilities. In both instances, I'm recommending that a site called MyJoomla be consulted. But, how it's consulted is a different matter. So...
How to Fix a Hacked Joomla! Site
If you are a site owner or developer and you understand code: This one's easy. Go to MyJoomla.com and run a site audit. Then go step-by-step through everything it says (which can take quite a long time!) and do all you can to identify and correct the problem. Your first audit is free, too!
If you are a site owner and you are not technical: This one's a little trickier. Now, if you visit myjoomla.com, you'll no doubt see their offer for a free site audit. You may be tempted to do this for free, thus saving you the $8 (U.S. price) fee to get an initial report. That's all well and good, except for the fact that, if you're not able to make the recommended corrections yourself (which often require knowledge of code, knowledge of working with servers and files, etc.), the site's probably going to have to be re-audited by a consultant like me. And, to do that, you're going to have to delete some things from your own myjoomla.com account, which can be a little confusing. While I really like their "free audit" offer, it's really not something that two parties can easily work with. So, for most people this means hiring a professional to do it for you. You're only adding $8 to the fee, anyway, so it's not worth worrying about.
From there, it's anyone's guess as to what you're in for. Common fixes would include removal of malicious files, hopefully an identification of the offending extension(s), removal of that/those extension(s), possible replacement of whatever lost functionality happens because of the removed extension(s), some time for general cleanup, implementation of additional security measures to keep other hackers at bay, and time for communicating all of that back and forth. It can be a good day's work, or more, depending on site particulars. So, it's not uncommon for a fix to run $500 to $1,000 or more -- and much more for larger / messier sites. (Clarification: That would likely be *my* initial price range for such a fix, and could easily go higher depending on particulars. However, MyJoomla.com has much lower fixed prices for various hack fixes. See here for those.)
If you have a Joomla! site that you suspect has been hacked, I'm happy to take a look for you, so long as you've read the text here. My success rate is fairly good, I'd say, in returning a site to normal. But, I've had a few that were so far gone that the investment in fixing them was really better spent on the beginnings of a new site. It's really a case-by-case thing. I'm also, as a policy, not interested in working on Joomla 1.x sites, unless the service includes a commitment to updating to at least 2.5.x or 3.x. But, feel free to contact me if you're having issues. Thanks, and good luck!