# Did my webmaster goof up?



## ZZZZZ (Oct 1, 2014)

I am a retired webmaster. I'm about 4 years behind on technology, so beware that some of what I know may be obsolete.

I used Joomla extensively. It is a content management system, not server software. Joomla runs on top of the server software, usually Windows, Apple, Linux, etc.

Joomla can offer some degree of hack protection, but it all depends on which extensions and modules have been installed and how they are configured.

Joomla is not quite as bad as Swiss cheese, but it is definitely vulnerable. The Joomla organization sends out security bulletins fairly often, with instructions to upgrade xyz to plug vulnerabilities. So a lot depends on if your webmaster kept everything up to date and tight.

But regardless, if your webmaster was doing his job he was running site backups every week or month or whatever (depending on how often the content on the site changes). So with a few hours of effort, he should be able to restore the site to the most recent backup.

I did everything by the Joomla book and I still had a couple of sites hacked (by Russkies), but that was years ago. They are even smarter now and they keep finding better ways to cover their tracks. They are damned good, and they are persistent. 

Hope this helps.


----------



## papereater (Sep 16, 2016)

Thanks, ZZ. Our site hardly ever changes, so I would think backups should be useful(?), right? He did say he was going to try to patch the damage. Shouldn't he be able to pull up the backup and restore?

I am planning to talk with him Monday AM for sure, just wanted different perspectives here.....


----------



## ZZZZZ (Oct 1, 2014)

The backup should provide everything needed to fully restore it. 

Depending on the nature of the hack and the damage, he may or may not be able to "patch" it. It might be best to do a total reinstall of Joomla and then restore the backup.


----------



## supers05 (May 23, 2015)

I've only done hosting as pet projects and ultra basic web design using WordPress and Joomla. Nothing professionally, so take this with a grain of salt.

More modern, isolated setups use VMs. (Virtual machines set up as appliances) It makes backups super easy, and sites are highly isolated, but slightly more expensive for the host. (therefore it costs more for you)

The other method is using Apache to create the virtual segregation. It works great, but one service runs everything. So if a hacker compromises a mis-configuration in the main service, they may have access to every site on that server.

Zz is right about Joomla. It's more of a platform framework on top of the server. It accelerates design and building of websites. It has its own set of vulnerabilities, which get patched on a regular basis, but it's never enough.

If your host service can't perform a complete restore to some older version within days, they aren't all that great at their job. How often they perform backups and how quick they restore is what you pay for. 

Now there's a difference between a host service and a web designer. Sometimes they are the same person in small 1 man shops. Personally, I don't like being tied to one person so tightly.

It's hard to compare prices, as every site is different. I suggest getting some extra quotes. 

Good luck. 

Cheers!


----------



## getrex (Sep 14, 2016)

I have been doing web design for 18 years and I would tell him that he can pay you 3500 for not keeping the website backed up in some way. Seriously.. I wouldn't pay extra. This was his mistake, not yours. Even an old backup is better than none.

The only question is whether or not there is damage to the database. Joomla's files can just be reuploaded with the same version. But if the database was messed up... that becomes a lot harder to fix. Have him reupload Joomla and all of the plugins (save the config files first). Then he should copy a fresh config file over and compare the contents with the old one. If nothing suspicious can be found in there then copy it back into Joomla. Then open the site and see if it is back to normal.

If there are problems after that then he needs to do an inventory of all of the site pages to see what needs to be fixed and then rebuild those pages. If your site is mostly static you may be able to use the Way Back Machine to get some of those pages back.

Can't give any further advice without seeing the site for myself. Good luck!
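The config comparison described in the post above, sketched as an added example (not code from the poster or from Joomla): it reports settings and stray lines that exist in the saved `configuration.php` but not in a fresh one. Both sample files and the `helper` key are constructed for illustration.

```python
import re

# Joomla-style settings line: public $name = 'value';
PROP = re.compile(r"^\s*(?:public|var)\s+\$(\w+)\s*=\s*(.*?);\s*$")
# Other lines expected in the file: PHP tags, the class wrapper, comments, blanks.
STRUCT = re.compile(r"^\s*(<\?php|\?>|class\s+JConfig\s*\{?|\{|\}|//.*|/\*.*|\*.*)?\s*$")

def parse_config(text):
    """Return (settings by name, [(line_number, text)] for unexpected lines)."""
    settings, extra = {}, []
    for number, line in enumerate(text.splitlines(), 1):
        match = PROP.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
        elif not STRUCT.match(line):
            extra.append((number, line.strip()))
    return settings, extra

def review_old_config(old_text, fresh_text):
    """List what the saved config contains that a fresh one does not."""
    old, extra = parse_config(old_text)
    fresh, _ = parse_config(fresh_text)
    return {
        "unknown_keys": sorted(set(old) - set(fresh)),
        "missing_keys": sorted(set(fresh) - set(old)),
        "non_setting_lines": extra,
    }

# Constructed sample files (not taken from any real site).
FRESH_CONFIG = """<?php
class JConfig {
    public $sitename = 'Joomla';
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $tmp_path = '/tmp';
}
"""
OLD_CONFIG = """<?php
class JConfig {
    public $sitename = 'Example Site';
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $tmp_path = '/var/www/site/tmp';
    public $helper = 'x';
}
include '/var/www/site/tmp/cache_a1.php';
"""
if __name__ == "__main__":
    print(review_old_config(OLD_CONFIG, FRESH_CONFIG))
```

Changed values such as the site name or paths are expected and not reported; anything listed under `unknown_keys` or `non_setting_lines` deserves a manual look before the old file goes back on the server.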


----------



## papereater (Sep 16, 2016)

Good advice, people. Tomorrow is crunch time. I will call him, see what he did the last 3 days, and go from there. Hopefully, he DID back up recently, and fix it. Geez..........

Thanks to all here.


----------



## papereater (Sep 16, 2016)

getrex said:


> I have been doing web design for 18 years and I would tell him that he can pay you 3500 for not keeping the website backed up in some way. Seriously.. I wouldn't pay extra. This was his mistake, not yours. Even an old backup is better than none.
> 
> The only question is whether or not there is damage to the database. Joomla's files can just be reuploaded with the same version. But if the database was messed up... that becomes a lot harder to fix. Have him reupload Joomla and all of the plugins (save the config files first). Then he should copy a fresh config file over and compare the contents with the old one. If nothing suspicious can be found in there then copy it back into Joomla. Then open the site and see if it is back to normal.
> 
> ...


I'm gonna copy your post (and others here) and bounce all of this off of my webmaster.......See what his response is.


----------



## Colbyt (Jan 27, 2014)

First off there isn't any hack proof software and most likely never will be. I would dump him for being stupid or saying stupid things.

Any time you use one of the mass distributed CMS scripts it is only a matter of time before it needs to be updated or risk getting hacked. The script kiddies spend hours studying the lines of code for places to hack.

If your site is a static business site that is not frequently updated, pure HTML or PHP pages are the most hack proof option. Hacks become a greater possibility when scripts and databases are used.

Site developers use things like Joomla so they don't have to do much work and/or they don't know how to write code.


----------



## supers05 (May 23, 2015)

Colbyt said:


> ...
> Site developers use things like Joomla so they don't have to do much work and/or they don't know how to write code.


Spoken like a true web 1.0 artifact. There's a time and place for everything. I didn't build sites professionally, but I did build some. I even contributed to a few of the frameworks out there. (mostly to Redmine and Trac) I was too busy programming professionally to build sites on the side.

Frameworks and platforms are about not rewriting the same code base over and over again. There's pros and cons to the open source and closed source communities. I won't get into that debate. 

If the customer has the money to build a site from scratch, then all the more power to them. The platforms save them money, while providing a standard level of service. The big name companies out there wouldn't use them, but they also have dedicated staff on this stuff. 

There really isn't anything truly hack proof. The point is just to deter them, and slow them down, cause them to leave traces. Then you'll know what to patch next. Joomla isn't that. 

Cheers!


----------



## ZZZZZ (Oct 1, 2014)

Colbyt said:


> Site developers use things like Joomla so they don't have to do much work and/or they don't know how to write code.


"Things like Joomla" are used to deploy websites quickly and efficiently and to provide content managers with the tools to update and add content quickly and efficiently. CMS allows content managers to add and update without giving them access to the code, dramatically reducing the chance they will "break" anything.

And CMS like Joomla is modular, so entire functions and features can be added or removed easily without risk of breaking the core code.

Using Joomla or other CMS doesn't mean you don't know how to write code, it means you don't have to spend time recreating the wheel and getting bogged down in the weeds as much.

It means the person or company paying the bills has better things to do with their time and money.


----------



## jlhaslip (Dec 31, 2009)

As I understand the situation, you had a Webmaster build your site using a packaged CMS (Joomla) and everything was good up to the point when a Hacker got into the site and messed things up.
What version of Joomla was it running?
Was it the most recent version?
Did you have a Maintenance Agreement with the Webmaster to update the Joomla package as newer versions were announced?

(see where I am going with this???)

If there was no ongoing maintenance agreement, then I don't see where you might be able to go back to them and place the blame onto their desk. They should have been under contract to arrange for updates when/as mandated by Joomla, or any other CMS package. Partly their fault for not insisting on the Maintenance, and partly your fault for not requesting. I would call it a draw unless there is something you are not telling us. Did they offer the Maintenance agreement and you turned down the offer, maybe?


----------



## getrex (Sep 14, 2016)

He didn't clarify either way but based on the thread title 'my webmaster' you would assume that this was an ongoing service.

Smaller web designers often go with package software for convenience and to save themselves a lot of time. In the old days it was common that a designer would have a set of scripts that they made themselves or got from others that they would then modify to suit each client. Things change. But now that everyone is using the same software you have to spend a lot of time securing it and maintaining that security in the long term.

This is the reality of running a website. You will be attacked. Many times a day in fact (check your traffic logs) by automated bots that scan the entire internet looking for vulnerable installations of common software. The best ways to combat it are to stay up to date on your website software, update server software regularly (if you have access to it), and install a script that blocks known hack attempts like ZB Block (properly configured!).

ZB Block is very powerful and you have to be careful in how you set it up or you can block half of the internet from viewing your site.


----------



## getrex (Sep 14, 2016)

There are plenty of ways to harden a CMS to make it less vulnerable to attack. One of the main reasons I like ZB Block is that it detects system function commands in the URL request and blocks them. That makes it harder to exploit the software.
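To see in your own traffic logs the kind of request described in the two posts above, here is an added example (not ZB Block's code or rule set, and not from the poster) that URL-decodes each request in a combined-format access log and flags PHP function calls in the URL. The function list and the log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format prefix: client IP ... [time] "METHOD target PROTOCOL"
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
# PHP functions that run commands or code; an assumed list, not ZB Block's rules.
FUNC_CALL = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|base64_decode)\s*\(",
    re.IGNORECASE,
)

def decode_target(target, rounds=3):
    """URL-decode repeatedly so double-encoded requests are inspected too."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def flag_requests(lines):
    """Return (ip, decoded_target, function) for each request with a call in its URL."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # not an access-log line we understand
        ip, _method, target = match.groups()
        decoded = decode_target(target)
        call = FUNC_CALL.search(decoded)
        if call:
            hits.append((ip, decoded, call.group(1).lower()))
    return hits

def hits_per_ip(hits):
    """Count flagged requests per client address."""
    return Counter(ip for ip, _target, _func in hits)

# Constructed log lines using documentation-range addresses.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Sep/2016:10:01:02 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Sep/2016:10:01:05 +0000] "GET /index.php?view=system%28%29 HTTP/1.1" 404 312',
    '203.0.113.9 - - [12/Sep/2016:10:01:06 +0000] "GET /index.php?x=shell_exec%2528%2529 HTTP/1.1" 404 312',
    '198.51.100.7 - - [12/Sep/2016:10:01:09 +0000] "GET /images/system-logo.png HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

The pattern requires an opening parenthesis after the function name, so ordinary paths such as `/images/system-logo.png` are not flagged.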


----------



## papereater (Sep 16, 2016)

Update:

Thanks for all the feedback, people. Turns out my site was not so badly destroyed. The old site is still up and running (they patched it up) and they are currently rebuilding a new site.

Yes, he is my webmaster, and he is daily checking out my site for Chinese and Russian hackers, mostly. He said they hack hundreds of times a day.

Anyway, crisis is over, and to answer a question above- the Joomla version supposedly was not completely compatible with my older site cuz the site could not allow it to be 100% efficient. He did warn me of this not long ago. Oh well.

New site should be cool.


----------

