Is My Joomla Website Hacked?

The fact that you're reading this guide is a good indicator that you've been hacked. You've probably seen something very suspicious and when it comes to being hacked, everyone who has approached Blue Bridge to help them recover their site has been correct in identifying symptoms of the attack.

What Are Signs Your Joomla Website Has Been Hacked?

• Notification from your web host that your site has been hacked and is being taken off-line until you resolve it (glaringly obvious, but you can trust that they're right.)
• An email from another web host informing you that your site has been compromised and has been reported. Providing that they are not trying to sell anything to you, this is a strong indicator.
• Notification from Google that your site has been delisted from their results.
• Warnings appearing in your browser when you try to visit your site or emails from your visitors alerting you to them having received warnings.
• Your website inexplicably breaking one day and showing errors. Particularly, if the errors mentioned reference another domain or spam information, this is a strong indicator that your site has been hacked. Websites can break through server software upgrades, so it's important to keep in mind that this is just a symptom and not a clear sign.
• Re-routing of traffic to third-party websites when you visit certain pages.
• Odd inconsistencies in your analytics referring to third-party websites that you have no contact with.
• Broken images suddenly appearing on your site.
• Browser notifications that a download has been initiated when you visit certain pages. E.g. "This site attempted to force a download and may be hacked."
• Your search engine traffic dropping off abruptly.
• You find links to third party websites that you did not place.
• There are super administrators you don't recognize in your user manager.

If you have more than one symptom, it's extremely likely that you've been attacked, but any one of these is a strong sign in itself.

How Else Can You Tell if Your Joomla Site Has Been Hacked?

There are a few online hacked site scanners like VirusTotal and Quttera.  Unfortunately, because of the arms race between hackers and security professionals, you can't really rely on a bill of clean health. Often a hacked Joomla site will come up secure when it's not. This is because they have a few problems:

1. They don't have full access to your site files and database and can only detect a limited number of successful attacks.
2. Because of the number and type of attacks and because attacks are continually changing, they can only detect within a spectrum of attacks.
3. They can't recognize attacks designed to detect external scans. Scripts that check request information before responding are becoming increasingly common.

Blacklists

You can get a better indicator that your site has been compromised if it appears on a blacklist. A blacklist is an enormous list of sites that have been identified as having bad behavior. Blacklists are for both spam email and for websites. The most popular blacklists gather their information from a variety of sources.

However, even if your site is not on a blacklist, that is still not a guarantee that it has not been hacked.  Blacklists will eventually register the your site has been hacked, but it may take months before a successful attack trips one of their tests.

Anytime you see several of the symptoms above you can be confident that you've been compromised, especially if you appear on any blacklists. 

In the next section, we'll look at it some techniques to root out infected files and clean your site up.

Section 3: How to Find Hacked Joomla Files