You can be security conscious and still get hacked! I was, way back in the day. I can help you and give you some tips to move you forward in getting back to a healthy website.
Suspect you might have been hacked? Well, there can be a few symptoms. The issue is that Google doesn't tell you before your rankings take a dive. Remember, Google is not a system for telling you that you are in bad shape, but it does provide some great clues. The webmasters console is the place to start looking for them.
The symptoms can include the following:
One example of looking for clues in the console is the crawl > crawl errors menu on the left side. If you are serious about your website you should already know about the console and have a login. If not, I encourage you to get started with the web property in question. I also recommend that you add both the www. and non-www. versions to the tool. You will need to be able to prove that you own the website in some capacity.
Within the crawl errors page you can make decisions about blocking some content using your robots.txt file, which is covered in an article on this blog. You might not need to do that, so check the tab for the not found section, like this:
Of course, for your own site you need to look through the console to discover the URLs, as they may not show up here if they are not 404ing. One thing you can do right now is use the site: operator in Google. If you are not familiar with search operators in Google, here is a good guide.
While in google.com, use the site: operator to check yoursite.com for the occurrence of viagra. You can check other terms such as prescription, drugs, etc.; you get the idea. Unfortunately, this needs doing the minute you suspect you have been hacked. Google finds these links because that is exactly what the hacker needs, so it is also his weakness.
Inside the backend of Joomla, check the components > redirects component. There can be some funny URLs in here.
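Once you have copied the URLs out of the not found tab or the redirects component, you can triage them in bulk instead of reading them one by one. The script below is an added example, not part of the original post; the function names and the sample URLs are made up for illustration, and the term list is only the three terms mentioned above.

```python
from urllib.parse import urlsplit, unquote

# Terms named in the article; extend with whatever your own site: searches show.
SPAM_TERMS = ("viagra", "prescription", "drugs")

# Constructed sample (not real data): URLs as they might be copied from the
# console's "not found" tab or from the Joomla redirects component.
SAMPLE_URLS = [
    "http://yoursite.com/blog/joomla-backup-tips",
    "http://www.yoursite.com/index.php?option=com_content&id=cheap-VIAGRA-online",
    "http://yoursite.com/images/%76%69%61%67%72%61/buy.html",
    "http://yoursite.com/shop/no_prescription_needed",
    "/components/com_x/online-drugs.php",
]


def decode(text, rounds=3):
    """Undo percent-encoding (including double encoding) and lowercase."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()


def spam_terms_in(url, terms=SPAM_TERMS):
    """Return the spam terms found in the path or query string of one URL."""
    parts = urlsplit(url)
    haystack = decode(parts.path + "?" + parts.query)
    # Substring match on purpose: spam URLs often glue words together
    # ("cheapviagra"), so expect a few false positives to review by hand.
    return sorted(term for term in terms if term in haystack)


def triage(urls, terms=SPAM_TERMS):
    """Map each suspicious URL to the terms that flagged it."""
    flagged = {}
    for url in urls:
        hits = spam_terms_in(url, terms)
        if hits:
            flagged[url] = hits
    return flagged


if __name__ == "__main__":
    for url, hits in triage(SAMPLE_URLS).items():
        print(", ".join(hits), "->", url)
```

The flagged paths tell you which folders and components to inspect on the server first.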