Fix Joomla Hack and Upgrade for Security
Joomla is a very popular Content Management System (CMS) that can help make your website publishing life easier. However just like any other software, if you don't keep it up to date, you could be opening yourself up for some headaches down the road.
Nothing is worse than having your website suddenly defaced with messages you don't approve of, malicious hacks running on your site possibly infecting your visitors, and losing rank in search engines.
In this guide I'll try to cover all the Joomla security basics of making sure these problems don't happen to you.
Ensure current Joomla version is secure
If you have the now very out of date installation of Joomla 1.5 still running on the Internet, chances are your website is getting attacked on a semi-regular basis. Unfortunately with all the known exploits for Joomla 1.5 in the wild, it's probably just a matter of time before one of them successfully hacks your Joomla website.
Below is a table of the various versions of Joomla, and how old they are. The End of Life date marks the date in which there is no further support for bugs or security of that release making them more prone to attacks.
|Joomla Version Branch||Latest||Release Date||Last Release||End of Life||Upgrade Path|
|1.5||1.5.26||January 22 2008||March 27 2012||September 2012||Migrate to 2.5|
|1.6||1.6.6||April 22 2009||July 26 2011||August 2011||One-click to 2.5|
|1.7||1.7.5||July 19 2011||February 2 2012||Feburary 2012||One-click to 2.5|
|2.5||2.5.14||January 24 2012||August 01 2013||December 31st, 2014||One-click to 3.x|
|3.0||3.0.4||September 27 2012||February 4 2013||May 2013||One-click to 3.1|
|3.1||3.2.0||April 24 2013||November 6 2013||Nov 2013||One-click to 3.2|
|3.2||3.2.0||November 6 2013||November 6 2013||April 2014||One-click to 3.3|
|3.3||3.3.4||April 20 2014||September 23 2014||September 2014||One-click to 3.4|
|3.4||3.4.8||February 24 2015||December 24 2015||December 2015||One-click to 3.5|
|3.5||3.5.1||March 21 2016||April 05 2016||April 2016||One-click to 3.6|
|3.6||3.6.5||July 12 2016||December 13 2016||December 2016||One-click to 3.7|
|3.7||3.7.5||April 25 2017||August 17 2017||Release of 3.8 (TBD)||One-click to 3.8|
We also recommend checking up on the latest Joomla Security news which covers recent exploits discovered in the Joomla core, and also the vunerable Joomla extensions which have been discovered recently.
Find and clean up a Joomla hack
If your website has been attacked and compromised sometimes it will be vary apparent. You might have malicious redirects taking your visitors to some other website, content appearing on your website that you didn't create, and typically your account's resource usage will be higher when under attack or running any hacks.
Here are some common things you can look at if you suspect your Joomla website is under attack or hacked:
Check to see if the Google Safe Browsing Diagnostic page has detected any known malware running on your website. If your domain name was example.com, you would use the following URL to check:
You can also use the Sucuri Security free website malware scanner, again access by a URL like:
- Follow our recovering after a hack guide which goes over updating your cPanel and FTP passwords, and also scanning your local computer to ensure you aren't uploading malicious files unknowingly to the server.
- Clean up a .htaccess hack if your website is redirecting visitors or search engines to other sites without your consent.
- Clean up a code injection attack if you notice strange behavior from your pages, or if you see injected keywords or other types of spam in your content.
- Enable raw access logs in cPanel so that you have historical record of your website requests, this can be handy when trying to track down malicious activity.
- Block unwanted users with your .htaccess file to prevent possible hack attempts from known bad IP addresses or User-Agent strings.
Reinstall Joomla after a hack to prevent further exploits
While you might be able to clean up most traces of an attack and hack against your Joomla website, once an attacker has successfully exploited a part of your site, it can be extremely hard to ensure that all traces of the hack are removed.
A lot of times once a Joomla site has been hacked, it gets added to a list by the attacker, and then they'll more than likely keep coming back trying to exploit it again and again until you've upgraded to protect yourself from the exploits available in the wild.
Below I'll walk you through the process of taking a Joomla 1.5 site that has been hacked, reinstalling Joomla itself to rule out any malicious files still being on your account, and then upgrading to Joomla 2.5 to help ensure the same hack isn't allowed to be uploaded to the website again.
- Log into your Joomla admin to double-check you have the latest version of Joomla 1.5 already, which should be Joomla 1.5.26. If you have an older release of Joomla 1.5 you need to first upgrade from an existing Joomla 1.5x version.
Using your favorite FTP client, you'll want to download all of your current folders and files for Joomla to your local computer.
In this case I'm using FileZilla, connecting to my site example.com, navigating to the /public_html directory where Joomla is installed, then simply selecting all the folders and files by clicking on one then hitting Ctrl-A to select all. Then I'm dragging them all to a local folder called /Downloads/Joomla that I created.
Next you'll want to backup your Joomla database in cPanel, so that you have a copy of that as well.
At this point, you now have all the physical files that make up your Joomla website. In the event that the steps below for reinstalling Joomla and upgrading it do not work for you, you'll at least be able to restore your site back to its hacked state.
Now that you have all of your Joomla files downloaded locally that are potentially hacked, you should be able to safely remove them from the server.
This can be done by simply selecting all of your Joomla files in your FTP client, and then hitting Delete on your keyboard. If your main website is running Joomla, this would be all the files in the /public_html directory.
You should now have a Joomla_1.5.26-Stable-Full_Package.zip archive downloaded to your local computer. This contains all of the core files needed to run a Joomla website.
Upload the Joomla_1.5.26-Stable-Full_Package.zip to your now what should be blank /public_html directory.
Access the FileManager in cPanel and navigate to your /public_html directory.
Then right-click on the Joomla_1.5.26-Stable-Full_Package.zip file you uploaded, and click on Extract.
In the Extract window that pops-up, in this case we can just leave the extraction directory set to /public_html and then just click on Extract File(s) so that all of the Joomla core files are places there.
It might take a few minutes for the .zip file to finish inflating, once it completes, click on the Close button.
At this point, if you attempt to visit your website where Joomla was installed, you will get the Joomla installation screen, since we effectively just deleted our old Joomla site, and uploaded the new Joomla core files.
The next thing you'll want to do is re-upload your configuration.php file back to the server. This file contains all of the information such as what database Joomla should use.
You'll also want to delete the installation folder, as this is a security requirement of Joomla.
Now if you try to go to your Joomla website again, it should have all of your content pulled from the Joomla MySQL database, but it will be now using verified as good and clean core files for Joomla.
Hopefully now any traces of a hack that you found on your accout should be gone. However if you are still seeing some strange activity, this could mean that the attacker successfully exploited your Joomla database, in which case a more thorough investigation of your database would need to be done.
Upgrade Joomla 1.5 to 2.5 to prevent hacks
Now that you've hopefully successfully removed any hacks from your old Joomla 1.5 site, it is very important to update your installation to Joomla 2.5 so that an attacker doesn't simply come back and hack your website again.
This technically isn't an upgrade, but a migration, as the two versions of Joomla aren't directly compatible. The process can vary greatly depending on the complexity of your Joomla website and what modules or extensions you've used. We would strongly recommend at least glancing at the offical Joomla documentation that they have for migrating from Joomla 1.5 to Joomla 2.5 before proceeding with the steps below.
You should end up with a com_jupgrade-2.5.2.zip archive of the extension.
Then hover over Extensions and click on Install / Uninstall
Under the Upload Package File section, click on Choose file and then browse your local computer for the com_jupgrade-2.5.2.zip file.
Then click on Upload files & Install
Hover over Extensions again, and this time click on Plugin Manager
In the Filter field, type in mootools and click Go.
Beside the System - Mootools Upgrade plugin, click on the red x under the Enabled column to enable the plugin.
Hover over Components, then click on jUpgrade.
Now just click on the big Start Upgrade button to begin the process.
You should see the jUpgrade upgrade begin and it will update you on the current step in the process.
When complete you'll get a Joomla 2.5 Upgrade Finished! message
Now if you visit your website with /jupgrade appended to the end, you should see your upgraded Joomla site. jUpgrade leaves you main Joomla 1.5 site still in tact so you can test things.
Here you can see on my example.com site, when accessing the /jupgrade directory the Main Menu for instance has changed.
Now in your FTP client again, create a new folder called old_joomla. This can be done by right-clicking on the server-side of files and selecting Create directory, in the Create directory pop-up enter in the name of the directory than click OK
Next click on any of the files or folders, and then hit Ctrl-A to select all the files.
Then hit just Ctrl and click on the newly created old_joomla directory to de-select it, and also the jupgrade folder.
Then finally drag all of the other selected files into the old_joomla directory.
Now navigate into the jupgrade folder, hit Ctrl-A to select all files, then drag them up into the /public_html directory one level up.
Now you should see the Joomla 2.5 website when just accessing your domain normally, and if you login to the Joomla admin, you'll notice the new version reflected as well.
Hopefully you now have a good idea of how to ensure your Joomla website isn't currently hacked, and if it was how to clean up the hack or reinstall Joomla. Make sure going forward you always keep your Joomla install updated to prevent any further issues, and as always if you're still having any issues please leave us a comment!
Joomla Community Google+ Hangout #3
June 3rd, 2014
Thank you @RustyJoomla for letting me speak on the Joomla Community Google+ Hangout!
Support Center LoginOur Login page has moved, Click the button below to be taken to the login page.
2018-03-23 12:57 pm
This seems to be a pretty bad one! A few tips:
1. Be sure to check Google blacklisting status & also do a *'fetch as google'* to check if there's malware showing up in search results.
2. It is recommended to find all the external calls from the website to other domains (usually hackers point credit card details to their own domains or emails).
3. A diff command would go a long way:
tar -zxvf Joomla_3.6.4-Stable-Full_Package.tar.gz
diff -r joomla-3.6.4 ./public_html
There are more steps which can be checked from this URL.
2018-03-23 2:42 pm
Hey thanks for your feedback! Your contribution to our Community Support Center is appreciated. I hope you don't mind, I marked up your response to format it nicely. Thanks for providing that link as well. It seems like a good resource.
2018-01-24 9:25 am
Since Joomla has made some major changes since 1.5 you cannot upgrade directly. Instead, you must migrate to Joomla 3. Here is a link to the official Joomla documentation on Planning Migration - Joomla 1.5 to 3.
2014-10-12 3:49 pm
just did the upgrade, but in step 8, view new site with extension /jupgrade gives me a 404 page not found error.
2014-10-13 11:38 am
Did you upload the zip package to your public_html directory and extract it? Do you see the folder within your cPanel File Manager?