911 Hack Removal

Complete Guide on Joomla Malware & Hack Removal – Fix Hacked Joomla Website

Updated on: February 14, 2022

Complete Guide on Joomla Malware & Hack Removal – Fix Hacked Joomla Website

Joomla is the second most popular CMS  after WordPress &  is regularly targeted by hackers. The below graph shows that XSS is the most common vulnerability exploited by attackers in Joomla like WordPress. Other reasons of Joomla hacked are Code Injection, SQLi,  etc.

This guide is useful for you if you are looking for a resource to remove malware from your hacked Joomla website. Follow the below links if you are looking for

A hacked Joomla website can be acutely troubling. But, before we begin with the Joomla hack removal process, let’s quickly go through the symptoms a hacked Joomla site shows.

Signs of a Hacked Joomla Website

  • A google search shows ‘This site may be hacked‘ in the meta description.
  • Cryptocurrency mining in the background.
  • Website redirecting to spam
  • Index page defaced or replaced by a Joomla hack.
  • Logging you out of admin account.
  • New admins appear.
  • Page loading gets slow or bulky.
  • Previously non-existent spam starts to appear on your site.
  • The site gets blacklisted by Google for ‘malware‘ or ‘phishing‘.
  • This spam also includes ads and unwanted redirects.
  • Unnatural traffic hike on your site. You can check all this using the Google webmaster tools.
  • CMS or other software may be broken. Especially firewall!
Joomla malware removal

Get the ultimate Joomla security checklist with 300+ test parameters

Joomla Hack & Malware Removal Process

Certain common indicators like Blacklist warnings by Google and other search engines, abnormal browser behavior, modified files, and the presence of malicious new users in the Joomla dashboard exhibit a hacked Joomla website. Mentioned below is a guide to identify and clean your hacked Joomla site:

  1. Identify hack

    Scan your Joomla site to identify malware locations and malicious payloads. Astra’s integrated Joomla security ensures timely monitoring and identification of a hacked Joomla site.

    Thereafter, check for any modified files including your core files. You can do so by manually check your files via SFTP.

    Audit for malicious user accounts and administrators.

    In case your Joomla site shows as blacklisted by Google or other website security authorities, you can check the security status of your Joomla! website by using their diagnostic tools. To check for Google transparency, visit the Safe Browsing Site Status website where you can view

    • Site safety details which give information about malicious redirects, spam, and downloads.
    • Testing Details which inform about the most recent Google scan which discovered the malware.

      Make use of free security monitoring tools like Google Webmasters Central, Bing Webmaster Tools, and Norton SafeWeb to check security reports for your website.

      Related Blog – Search Engine Blacklist

  2. Fixing Joomla hack

    On gaining information about potential malware location, compromised users and threat assessment, opt for a full website clean. Compare infected files with previous backups to assess the extent of modifications and remove malicious changes. Clean hacked Joomla database by using a database admin panel, such as PHPMyAdmin or tools like Search-Replace-DB or Adminer.

    Next step would be to secure all user accounts. Often hackers leave multiple backdoors so as to again gain access even after a website has been cleaned. Backdoors are embedded in legitimate-looking files usually but located in the wrong directories. Therefore, it is imperative to thoroughly cleanse your files from backdoors else there is a threat of re-infection.

    1. Database Cleanup

    Firstly begin cleaning from that infected database. Joomla SQL injection can create new database users. To lookout for new users created after a specific date, use the following code:

    Select * from users  as u

    AND u.created > UNIX_TIMESTAMP(STR_TO_DATE('My_Date', '%M %d %Y '));

    Once rogue users are found. So, Delete them using the SQL statement Drop User;.Not only this, to avoid future infections:

    • Sanitize the user input.
    • Restrict database permissions to the account.
    • Block Database error disclosure to locally only.
    • Use type casting wherever possible.

      2. Securing the Server

      Even when the installation is secure, fault servers can cause a Joomla hack. Although there is a big list of Joomla security issues. Certain key points to remember are:

    • Close any open ports.
    • Remove the unused subdomains.
    • Check regularly for configuration issues.
    • If you are sharing a server go for subnetting. Or use a VPN.
    • Block the error messages leaking info.
    • Give strong and random passwords to FTP accounts and database!
    • Make sure you use a firewall or some sort of security solution.

      3.  Setting Permissions

    • Primarily, ensure that no user can upload executables like .php .aspx etc. Only image files are to be uploaded on the server.
    • Now move on to set the file permissions for the server. Perhaps the most sensitive file is the .htaccess file. So, to set proper file permissions. Set your .htaccess permission to 444 (r–r–r–) or maybe 440 (r–r—–).
    • Also, ensure that your PHP files cannot be overwritten. Therefore you need to set *.php  to 444 (r–r–r–).
    • Most importantly use the popular file extensions. Joomla is a pretty big CMS so alternates are always there. Popular extensions get updates faster in case of vulnerability. So try most of the times to go with popular demand!

      4. Check Modified Files in Joomla

      Most of the time the hackers modify your files to inject spam. It can cause a real mess in your
      installation. You might need a fresh installation. To avoid all this ensure you always keep a
      backup. While analyzing the files after a Joomla Hack, the diff command comes handy. It
      helps to check for modified files. All the Joomla files are available publically on Github.
      This can be used for comparison. To check core file integrity with SSH commands:

      $ mkdir joomla$ cd joomla

      Firstly, we created a directory named joomla and switched over to that.

      $ wget https://github.com/joomla/joomla-cms/releases/download/3.6.4/


      $ tar -zxvf Joomla_3.6.4-Stable-Full_Package.tar.gz

      The wget command downloaded Joomla files from GitHub. The second line of code

      then extracts them.

      $ diff -r joomla-3.6.4 ./public_html

      Finally, the diff command here is comparing the contents. This time we are looking

      at the public_html file. Similarly, you can check multiple files. Moreover, the files

      can be manually checked. Just log in using any FTP client and check files. SSH

      enables you to list file modifications.

      $ find ./ -type f -mtime -15
      Here this SSH command reveals the files modified in last 15 days. Similarly, you

      can change the time stamp. Look out for any recently modified files!

      5. Check User Logs

      System logs are the best tool to identify the cause of a Joomla hack. System logs record

      all the previous activities that took place. So whenever an XSS or SQL injection takes place,

      there is always a record of the request. Furthermore, hackers tend to create new admin accounts. If you wish to check for any suspicious users, then:

    1. Firstly Login your Joomla Dashboard.
    2. Now, click on Users and select Manage.
    3. Here check for suspicious users. Especially those recently registered.
    4. Now proceed to Remove any unknown users.
    5. Also, check the Last Visit Date.
    6. Find out where the server logs are stored. Use it to identify Joomla SQL injection etc.
    7. If you see users logging from unknown IPs, remove them.

      Moreover, use google diagnostic report to find the cause. It gives you a comprehensive view

      of your site. If your site is blacklisted work closer with Google. The diagnostic report will give

      you the cause for blacklisting. Use it to find and weed out the infection!

What to do post Joomla hack removal?


Most of the time a Joomla hack takes place due to unpatched files. Hence, the first step to follow post cleaning the hack is a Joomla update. Updates essentially remove vulnerable extensions and fill in security holes thus providing you with a secure environment.

Currently, the Joomla version 3.x is the most stable major version. Those using 1.x and 2.x branches should immediately switch to 3.x.

Other than major version update, also update all Joomla core files, components, templates, modules, and plugins.


Post-hack, it is also advised to reinstall all extensions to ensure they are functional and malware residual free. Further, remove defunct/deactivated themes, components, modules, or plugins from your web server. Sometimes, we forget to delete the files related to these abandoned modules & plugins, this may still leave loopholes. Thus, make sure to get rid of the files too as they may contain serious vulnerabilities

After cleaning your hacked Joomla site, make a backup. Having a good backup strategy is at the core of the best security practices. Store your backups in an off-site location, as storing them on a server can also lead to a hack.

Lastly, it is advised to scan your system with a good antivirus. There is a possibility of system compromise if a user with an infected computer has access to your website. Protect your site using a website firewall which basically shields your site from any malicious users or malware threats from the web. Astra’s Web Application Firewall mitigates against any online threats and keeps malware at bay.


Reset all passwords to avoid reinfections. Ensure that you’ve set up two-factor authentication on user accounts. Also, practice the least privilege and give limited access to people who need to do a particular job.

Joomla Post hack security tips

Implementing the following security practices will protect your Joomla site from the majority of attacks:

  1. Regularly update Joomla Version, Extension & Plugins:

    A secure Joomla site is one which is updated regularly. Every version update is released with security enhancements and bug fixes. An outdated version of Joomla or any other outdated extensions/plugins can sneak in hackers.

  2. Use Strong Passwords:

    Weak credentials can be ultimately leaked through Brute Force and act as common security holes, thus leading to compromised security. Easily guessed passwords and default admin accounts make it easier for perpetrators to gain illegal access to your Joomla website, thus exposing it a host of malicious activities.  A long length password with multiple characters makes it for a secure passcode than a  shorter one.

  3. Periodic backups:

    Regularly backing up the archives of your files and databases saves your back in case anything goes wrong. Some extensions like the Easy Joomla Backup provide automatic scheduled backups which can later be restored in case of data loss resulting from a hack.

  4. Restrict access to Admin Page:

    Perpetrators often resort to brute force attacks on easily guessed admin login pages. Thus it is imperative to restrict access to your administrator area. It is advised to not use a default admin login page URL, rather replace it with a specific name. Moreover, the admin panel must be password protected. Extensions like Admin tools, RSFirewall, etc allow a Joomla site owner to change their login page URL

  5. Security Extensions:

    Using security extensions go a long way in securing your Joomla site. These extensions, when configured with your site properly, allow you to block any kind of malicious activity and cover-up security holes. extensions allow you to block hacker attacks and close security holes of your Joomla site.

  6. Using Two-factor Authentication:

    A two-factor authentication code (commonly known as the One time password: OPT) makes your Joomla site even more secure. Even if your password is guessed or leaked, one still has to go through an authentication code to gain illegal access of your account.

  7. Be wary of corrupted downloads:

    Never download premium extensions, plugins or any items for free from unauthenticated or unofficial sources. Plugins from an unknown source may be corrupted or contain malware, which may harm your site. Do not consider saving money here, rather spend on authentic sources.

  8. SSL Certification:

    Whenever a user logs into a site, his/her credentials are sent to a server sans encryption. By using an SSL certificate, these credentials will be encrypted before sending to the server. In this way, an SSL certification provides an additional layer of protection to your Joomla website.

  9. Disable FTP Layer:

    FTP layer is generally not needed in Joomla and it is disabled by default. It is necessary to keep it so, as an enabled FTP layer is a major security hole in Joomla sites.

  10. Proper File and Directory Permissions:

    Always manage permissions to files and directories, and never give full access of permission 777. Never give full access or permission 777, but rather use 755 for folders, 644 for files and 444 for configuration.php files 

It is one small security loophole v/s your entire website or web application

Get your web app audited with Astra’s Continuous Pentest Solution

Tags: ,

Jinson Varghese

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Newest Most Voted
Inline Feedbacks
View all comments

[…] vulnerabilities have been exposed in Joomla this year. If left unpatched it makes multiple Joomla installations […]


[…] However, being popular also makes it a target for spammers and hackers. Often users complain about Joomla hacked sending spam on the community forums. These attacks are fairly common due to the sheer bulk of […]


[…] this CMS is user-friendly. Joomla is also popular due to the wide variety of extensions it offers. Multiple vulnerabilities have been uncovered in Joomla this year. These ranges from Joomla XSS, File intrusion to Joomla […]

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany