Joomla Security

Joined: 11/28/2008

I just wanted to encourage any Joomla! 1.5 users to stop using www writable folders and enable FTP under the Server tab in Global Configuration. There are some exceptions, such as your cache, temp, log directories, and any 3rd party components that don't follow the FTP settings.

Also, it would be a good time to review the Security Checklist at the Joomla! Wiki as well as audit and remove any unnecessary 3rd party components, modules, and plugins.

I have been fighting with spammers and phishers from Indonesia, to the point where the whole country is blocked by an .htaccess IP deny. They were using a cross-site scripting vulnerability in JCal Pro and the www writable folders to post malicious code on a site.

Joined: 07/15/2010
Yep

Kill *everything* that sets permissions to world write. Period. No exceptions. They're hacker attacks just waiting to happen.

Some hosts don't set their php modules to run in the user's account, rather than the webserver's. The best solution to that is to find another host who knows how to secure their server. If you can't migrate to another host, then some items need to be world writeable, but if that's the case, check those areas every single day, and delete *anything* you don't think should be there. My serious recommendation for any extension that requires world write (chmod 777) is to drop it and instead install an extension written by competent developers.

There are times when you might need something world writeable because you're making a change (ideally, this should be never). Go out with your FTP client or file manager and set the permissions to write, make the change, and set them back again.

It's a shame, since I know the folks behind JCal Pro, but back before the pro version was created, I was hacked via that extension, so I stopped using it.

Now, go to the Vulnerable Extensions List (http://docs.joomla.org/Vulnerable_Extensions_List). This list contains all the extensions with known security problems. Look for any extensions you use, and if they're there, check and see if the vulnerability has been fixed. If not, DON'T USE IT! (We'll never get devs to fix their extensions unless people are willing to stop using the faulty ones.)

If you've been hacked through an extension, report it to the security team; they'll verify the vulnerability and add it to the list, so everyone else can tighten up their site.

Joined: 11/28/2008
Hacked & needing help :(

I've just sadly fallen foul of a seemingly prolific hacker (DiNeLson) who thankfully seems to have only deleted my Admin a/c on a quite important nonprofit site I manage but who then went on to completely delete my entire personal site. However, I recognise the fact that the other site may not have got off as lightly as it might appear as I can't imagine the guy has a conscience or he'd not have done what he did to the 2nd, so am presuming he's done something else more hidden on the site. I've certainly been guilty of all the security failings possible through lack of knowledge, making the errant assumption that as long as my U/N & P/W were strong that would suffice.

Now my difficulty is in the inordinate amount of work he's causing me to not only recover my own site, but more importantly ensure the other 2 far more important sites (church & charity) are locked down a lot more than right now. I've zilch knowledge on PHP really and although I'm trying to work my way through the Joomla checklist, am still struggling quite a bit in understanding a lot of what I'm reading.

You mention about FTP - I'm lost on the logic of that TBH. I use FTP for server actions so how does enabling it make any difference to security? Ideally I'd love to have someone handhold me through much of what it would take to get these sites safer as the guy left a voice file stating that he'd be back and quite possibly indeed will, esp if he's still got access to the charity site and gleefully watching my woeful attempts to block him.

I've zilch idea how he gained entry but given I've not cloaked the login page would imagine he took the route of least resistance, being it. I've installed jSecure but having issues with it not letting me put in a key to change the login URL, so it's little safer now as anyone who uses it would know precisely what the default is but I'm hopeful of fixing that at least, although I figure it's a simplistic notification mod really.

The charity site hasn't funds to put into website security to any major degree as it's a tiny charity but we do take orders through Virtuemart (I've just deleted all the previous users from it) and it's my biggest worry. TBH everything's worrying me and I'm disabled myself so not in a position to cope easily with the impact of this problem, but know it has to be sorted and I'm the sole webmaster across all 3 sites.

Any suggestions you could give to enable me to better learn what I need to do or how to better understand the jargon? Think I'm just too tired and sore to take half of it in :(.

Just appreciate having somewhere to come and offload on it!
Thanks, Romayne

Seize life by the throat and strangle it

G&G Moderator
G&G Podcast Host
Joined: 06/06/2007
Joomla! security

Hi Romayne, Sorry for the security problems you're encountering. I personally know nothing about Joomla!, but found 7 security checklists for ya. -NP

Joined: 11/28/2008
Thanks.

Yeh - I've been through those but my diff is that what I can understand I have sort of done, but there's more I don't understand than bits I do and that's my problem. Desperately need someone with know-how to point me in the right direction or give me a slightly less techie walkthrough. I'm not a complete novice but certainly much of this stuff has me utterly lost, so in the meantime I'm thinking that shelling out for a Com might be a safer way to go but can only afford to do that for one site. Thanks for replying anyway :)

Seize life by the throat and strangle it

Joined: 11/28/2008
Good practices before and

Good practices before and after you have been hacked.

  • I would HIGHLY recommend upgrading to the latest version of Joomla (if you're using 1.5 upgrade to the latest 1.5).
  • Make sure .htaccess files are set-up correctly.
  • CHANGE YOUR DATABASE PASSWORD! -- They may have saved these details.
  • Make sure settings are not 777!
  • And make sure globals are OFF

Hope this helps.
Josh

CODE HTML FOR FOOOD!
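The "find everything that's world writeable and check those areas every single day" advice from the second post, and the "make sure settings are not 777" item in Josh's list, as an added shell example that is not code from this thread or from the Joomla! project. It assumes a standard Joomla! 1.5 document root where `cache`, `tmp` and `logs` are the exception directories the first post names; the function names and the sample tree are constructed for the demonstration.

```shell
#!/bin/sh
# Audit a Joomla! document root for world-writable files and directories.
# The cache/tmp/logs exceptions are pruned from the main report and get
# their own "what changed today" listing instead, so they are checked,
# not ignored.

# Print every world-writable path under $1 (exceptions pruned, symlinks
# skipped), one per line; empty output means the tree is clean.
joomla_ww_audit() {
    root="$1"
    find "$root" \( -path "$root/cache" -o -path "$root/tmp" \
                 -o -path "$root/logs" \) -prune \
         -o -perm -002 \! -type l -print | sort
}

# Number of offending paths, handy for a cron job that mails on non-zero.
joomla_ww_count() {
    joomla_ww_audit "$1" | wc -l | tr -d ' '
}

# Files changed in the last day inside the exception directories: these
# are the areas the thread says to look at daily and clean out.
joomla_recent_in_exceptions() {
    for d in cache tmp logs; do
        if [ -d "$1/$d" ]; then find "$1/$d" -type f -mtime -1; fi
    done
    return 0
}

# Reset the whole tree to the conventional safe layout: dirs 755, files 644.
# Run this after setting the exception directories back to what they need.
joomla_fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample site (assumption: not a real install). One upload
# directory and one component file are deliberately left world-writable,
# and the cache directory is the legitimate 777 exception.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/images/stories" "$site/cache" "$site/tmp" \
             "$site/components/com_example"
    echo '<?php' > "$site/components/com_example/example.php"
    touch "$site/images/stories/photo.jpg" "$site/cache/page.html"
    joomla_fix_perms "$site"
    chmod 777 "$site/images/stories"                    # the bad case
    chmod 666 "$site/components/com_example/example.php" # also bad
    chmod 777 "$site/cache"                             # accepted exception
    echo "$site"
}
```

Running `joomla_ww_audit /path/to/joomla` on a host where the audit reports an upload directory or any PHP file is exactly the situation the post describes; fix it with the FTP layer or `joomla_fix_perms` rather than leaving it 777.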

Joined: 11/28/2008
Update...

Just coming back on this topic to let you know what I did in the end. I've 3 sites to keep safe, so firstly ensured each was indeed running the most recent updates from Joomla - this now proves awkward in that I can't yet migrate up to 1.6 as templates are still lagging well behind, & I can't find any that I feel would suit the sites though am continuing to check daily. But I've managed to so far keep the sites relatively safe by using the Jsecure mod on them which at least prevents them gaining access easily to the Admin page. I've also then changed all the database prefixes and moved temp folders/files etc outside of the root folder as was also suggested. Finally on the most important of the 3 sites I've installed RsFirewall which does a fairly good job of helping me see where problem areas are and automatically fixing some of the issues I'd really know little about. The interesting thing is that up until about 3 weeks ago I was getting continual hits from specific IP addresses many of which I managed to block but suspect they're proxies anyway - just weird how things seem to have gone very quiet all of a sudden!

And for the other 2 sites, I just now ensure that as well as taking my weekly database backups I also do a full site download especially of extensions etc that have changed so that if the worst should ever happen again, I won't be in the dire situation of being unable to upload a working site.

I read somewhere though that Joomla is making it quite tough on developers of both extensions and templates alike with their constant updates and versions etc, but I'm hopeful that most of the ones I use will at least soon be updated to the 1.6 so that I can finally upgrade to that version as I love many of the additional features.

Seize life by the throat and strangle it