- create an account for themselves in your Joomla user manager, even if you've turned this option OFF in the settings
- when creating that account in step one, they are able to assign it "administrator" rights
The login page was refreshed in 3.5.0; it is also configurable via the admin interface. This alone wouldn't be a giveaway.
Joomla! Security Strike Team
Compounding the issue, the Joomla team revealed this issue four (4) days ago, on October 21. (This gave hackers plenty of time to get ready...)
This could have been partially mitigated by adding extra protection (at the server level) to the /administrator/ directory. This would typically involve adding an IP-based firewall or an extra password to the directory.

If you're interested in having your site examined for potential security issues - whether it is Joomla, WordPress, Drupal, or another platform - contact us today.
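
As an added illustration of the server-level protection for /administrator/ described above (not part of the original post or of Joomla itself), here is one way to combine the IP restriction and the extra password. It assumes the site runs on Apache 2.4 or later with `AllowOverride AuthConfig` enabled; the file path, user name and address range are placeholders.

```apache
# Constructed example for <joomla-root>/administrator/.htaccess
# Assumes Apache 2.4+ with "AllowOverride AuthConfig" (or All) for this directory.
#
# Create the password file outside the web root first, for example:
#   htpasswd -c /etc/apache2/joomla-admin.htpasswd siteadmin
# (the file path and user name are placeholders)

AuthType Basic
AuthName "Administrator area"
AuthUserFile /etc/apache2/joomla-admin.htpasswd

# Require BOTH an allowed source address and the extra password.
# 203.0.113.0/24 is a documentation range; replace it with your own
# office or VPN address. Use <RequireAny> instead if either check
# on its own should be enough.
<RequireAll>
    Require ip 203.0.113.0/24
    Require valid-user
</RequireAll>
```

This only gates the back-end login, so an account that was already created still appears in the user manager, which is why the mitigation is partial. Serve the directory over HTTPS, since Basic authentication sends the password with every request.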