10 Reasons Why Your Joomla Website Got Hacked

At least 3 times every week, a customer comes to us with a hacked Joomla website. Usually, the Joomla website is either filled with hidden malicious content, redirects to another website with malicious content, has had all its data erased, or simply does not show up.

Here are, in our experience, the top 10 reasons why your Joomla website got hacked:

  1. Your website has very old extensions installed: This is the top and most common reason behind a hacked Joomla website. You should always keep your extensions up-to-date, and if you’re using an extension that is no longer supported, then try to find an alternative. If not, have a developer take a look at that extension to ensure it has no vulnerability issues.
  2. You’re using an older version of Joomla: We know that it’s hard to keep your Joomla website up-to-date with the latest version, especially if you have a lot of extensions (components, modules, plugins) that will be broken if you upgrade Joomla. But you must do this; you can’t keep on using an outdated version forever.
  3. You have write permissions on your .htaccess file: By default, your .htaccess file has write permissions on it because Joomla has to update it, especially when you’re using SEF. The problem is that this will leave your .htaccess vulnerable to attacks that aim at changing it. You should always set your .htaccess permission to 444 (r--r--r--) or maybe 440 (r--r-----).
  4. You have write permissions on your *.php files: Neither the web server nor the world should have write permissions on your Joomla *.php files. You should ensure that the permissions of all your *.php files are set to 444.
  5. Allowing users to upload scripts: For example, if a component accepts images, you should ensure that only images are allowed to be uploaded. Users should not be able to upload scripts (such as *.php files).
  6. Giving execute permissions on public directories: In this context, public directories mean those directories where users are able to upload their files to. Imagine someone uploading a file to one of your upload directories (one way or another). If that file is a script, and if that directory allows for scripts to run, then the individual can easily run the malicious script. Public (upload) directories should all be given a permission of 766 (owner can read, write, and execute. The rest can only read and write).
  7. Using non-prominent extensions: You should always use extensions that are used and tested by many people. Using an extension that is used by very few people is not a good practice, and can get your website hacked (attacker can use several techniques such as XSS, SQL injection, etc…). In case you feel obliged to use such an extension, have a developer review it for security.
  8. Giving credentials to untrusted developers: You shouldn’t give your website credentials to untrusted developers. And, if you really have to, then change all your passwords once the developer is done working. We have already explained how to change your Joomla database password with no downtime. Note: At itoctopus, we immediately destroy the customer’s website credentials once we’re finished working on it.
  9. Giving all the possible permissions to the database user: Once your Joomla website is set up, the database user should only INSERT rows, UPDATE rows, DELETE rows, and CREATE tables. It should not DROP tables or DROP the database. Ensure that only the necessary permissions are given to the Joomla database user.
  10. Feeling confident that your website cannot get hacked or that no one would hack your website: Regardless of whether you have a small charity website or a huge school website, your website is susceptible to hacking. Many hackers use software to scan the Internet for websites with vulnerabilities and attack them, just because they can! Always take your website’s security seriously; don’t think that if you’re too small no one would consider hacking your website, or that if you’re too big you are secure enough and no one would be able to hack your website.
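
A read-only check for items 3 to 6, as an added example that is not part of the original article. The `audit_joomla` function, its finding labels and the `images` upload directory are assumptions made here, and the sample tree is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Read-only: it changes nothing.

# Octal mode of a file (GNU stat first, BSD/macOS stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# audit_joomla DOCROOT [UPLOAD_DIR]  (UPLOAD_DIR is relative; "images" is an assumption)
audit_joomla() {
    local root=$1 uploads=${2:-images} mode

    # Item 3: .htaccess should be 444 or 440.
    if [ -f "$root/.htaccess" ]; then
        mode=$(file_mode "$root/.htaccess")
        case $mode in
            444|440) ;;
            *) printf 'HTACCESS_MODE %s %s\n' "$mode" "$root/.htaccess" ;;
        esac
    fi

    # Item 4: no *.php file should carry a write bit for owner, group or world.
    find "$root" -type f -name '*.php' \
        \( -perm -200 -o -perm -020 -o -perm -002 \) \
        -exec printf 'PHP_WRITABLE %s\n' {} \;

    # Items 5 and 6: PHP scripts should never sit in an upload directory.
    if [ -d "$root/$uploads" ]; then
        find "$root/$uploads" -type f \
            \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \) \
            -exec printf 'SCRIPT_IN_UPLOADS %s\n' {} \;
    fi
}

# Constructed sample tree (not a real site) so the audit can be tried offline.
make_sample() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/images" "$d/components"
    echo 'RewriteEngine On'   > "$d/.htaccess";         chmod 644 "$d/.htaccess"
    echo '<?php // core'      > "$d/index.php";         chmod 444 "$d/index.php"
    echo '<?php // extension' > "$d/components/a.php";  chmod 664 "$d/components/a.php"
    echo '<?php // uploaded'  > "$d/images/logo.php";   chmod 444 "$d/images/logo.php"
    echo "$d"
}

# Audit the docroot given as $1, or the constructed sample when none is given.
audit_joomla "${1:-$(make_sample)}" "${2:-images}"
```

Each output line is one finding; no output means the checked items pass.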

We suggest you go through the list above, and see where you comply and where you don’t, and if you have any questions, then contact us (or better yet, call us), and we’ll definitely help you!

8 Responses to “10 Reasons Why Your Joomla Website Got Hacked”
  1. Pingback by Our Joomla Emergency Services | itoctopus — July 12, 2011 @ 9:04 pm

    […] Their website is hacked: This is usually due to an out-of-date Joomla installation, a weak extension, or some “loose” permissions on the Joomla’s core and/or template files. (Check this list of potential reasons on why a Joomla website is hacked). […]

  2. Pingback by Hacked .htaccess File on Joomla | itoctopus — August 28, 2011 @ 8:28 am

    […] are many reasons on why a Joomla website gets hacked, but regardless of the reason, we are always there to help, and as usual, at lightning speed! So […]

  3. Pingback by How to Create a Custom Form in Joomla? | itoctopus — September 28, 2011 @ 5:13 am

    […] our clients suffer from vulnerability issues (XSS and SQL injection – which can result in the hacking of the Joomla website) so we had to secure these extension after installing them. It usually takes us 1 day to install a […]

  4. Pingback by 10 Security Tips for Your Joomla Website | itoctopus — November 4, 2011 @ 6:50 am

    […] article, 10 reasons why your Joomla website got hacked, was well received by our readers (clients and visitors alike). In this post, we want to list the […]

  5. Comment by NomDeGuerre — July 9, 2012 @ 4:33 pm

    You forgot number:

    0. Joomla! security sucks!

    Never forget that programmers have a 0th finger. ;P

  6. Pingback by 20 Benefits of Using Joomla | itoctopus — July 31, 2012 @ 11:16 am

    […] We have discussed before, in depth, the reasons why a Joomla website get hacked. […]

  7. Comment by C. H. — August 30, 2012 @ 1:58 am

    Just a tweak to the page. In #3 you mention .htaccess file permissions and what to change them to. The example provided isn’t correct. May just be a typo, but reckoned I’d post the correct values (as my site looks to have been hit by an .htaccess rewrite and I found it by reading this page):

    set your .htaccess permission to 444 (r-xr-xr-x) or maybe 440 (r-xr-x-r-x)

    Should read instead:
    set your .htaccess permission to 444 (r--r--r--) or maybe 440 (r--r-----)

    I set mine to 444 from 644 (rw-r--r--) and the page still worked, so thanks for the tip!

    -C.

  8. Comment by Fadi — August 31, 2012 @ 8:08 am

    Hi C.H.,

    Fixed – sorry for the oversight. It is important to mention though that if you have a malicious php file on your website, then it might be able to overwrite the .htaccess file even if its permissions are set to 444. (If Apache has full permissions on that folder)
