HOW TO CLEAN A HACKED JOOMLA! SITE

Identify, remove, and harden your site after a hack.

Sucuri is committed to helping Joomla! administrators identify and clean their hacked websites. We put together this guide to help website owners walk through the process of identifying and cleaning a Joomla! hack. This is not meant to be an all-encompassing guide, but should help address 70% of the infections we see.

Anaheim, CA • US • Home of Sucuri's
Kimmy HR Administrator/Corporate Travel

Step 1

IDENTIFY HACK

1.1 Scan Your Site

You can use tools that scan your site remotely to find malicious payloads and malware locations.

To scan Joomla! for hacks:

  1. Visit the SiteCheck website.
  2. Click Scan Website.

  3. If the site is infected, review the warning message.

  4. Note any payloads and locations (if available).

  5. Note any blacklist warnings.

If you have multiple websites on the same server we recommend scanning them all. Cross-site contamination is one of the leading causes of reinfections. We encourage every website owner to isolate their hosting and web accounts.

Common Indicators of a Hacked Joomla! Website

  • Blacklist warnings by Google, Bing, McAfee, etc.
  • Unexpected or abnormal browser behaviors
  • Spam keywords in search engine content
  • Host suspended your site for malicious activity
  • File modifications or Joomla! core integrity issues
  • Malicious new users in the Joomla! dashboard.

Note

A remote scanner will browse the site to identify potential security issues. Some issues do not show up in a browser; instead, they manifest on the server (i.e., backdoors, phishing, and server-based scripts). The most comprehensive approach to scanning includes remote and server-side scanners. Learn more about how remote scanners work.

Tools to scan your website:

1.2 Check Modified Files

New or recently modified files may be part of the hack. Your core Joomla! files should also be checked for malware injections.

Note

We recommend using FTPS/SFTP/SSH rather than unencrypted FTP.

The quickest way to confirm the integrity of your Joomla! core files is by using the diff command in terminal. If you are not comfortable using the command line, you can manually check your files via SFTP.

You can find all Joomla! versions on GitHub. Using an SSH terminal, you can download Joomla! locally. The following commands use version 3.6.4 as an example of the clean files and public_html as an example of where your Joomla! installation is located.

To check core file integrity with SSH commands:

  • $ mkdir joomla-3.6.4
  • $ cd joomla-3.6.4
  • $ wget https://github.com/joomla/joomla-cms/releases/download/3.6.4/Joomla_3.6.4-Stable-Full_Package.tar.gz
  • $ tar -zxvf Joomla_3.6.4-Stable-Full_Package.tar.gz
  • $ diff -r joomla-3.6.4 ./public_html

The final diff command will compare the clean Joomla! files with your installation.

To manually check recently modified files:

  1. Log into your server using an FTP client or SSH terminal.

  2. If using SSH, you can list all files modified in the last 15 days using this command: $ find ./ -type f -mtime -15

  3. If using SFTP, review last modified date column for all files on the server.

  4. Note any files that have been recently modified.

Unfamiliar modifications in the last 7-30 days may be suspicious and require further investigation. You can also try using other online scanners and Joomla! extensions to look for indicators of compromise, malicious payloads, and other security issues.

Scan your site with Joomla! security extensions:

1.3 Audit User Logs

Verify your Joomla! user accounts, especially administrators and super-administrators.

To check for malicious users in Joomla!:

  1. Log into your Joomla! Administrator area.

  2. Click Users on the menu item and select Manage.

  3. Review the list, especially ones with a recent Registration Date.

  4. Remove any unfamiliar users that were created by hackers.

  5. Check the Last Visit Date of legitimate users.

  6. Confirm any users that logged in at suspicious times.

Note

Wait to change user passwords until after you have completely cleared the site of malware. This ensures that hackers no longer have access to any user accounts..

You can also parse your server logs if you know where they are stored and how to search for requests to the administrator area of Joomla! Users logging in at unusual times or geographic locations may have been compromised.

1.4 Check Diagnostic Pages

If your Joomla! site has been blacklisted by Google or other website security authorities, you can use their diagnostic tools to check the security status of your Joomla! website.

To check your Google Transparency Report:

  1. Visit the Safe Browsing Site Status website.

  2. Enter your site URL and search.

  3. On this page you can check:

    • Site Safety Details: information about malicious redirects, spam and downloads.
    • Testing Details: most recent Google scan that found malware.

If you have added your site to any free webmaster tools, you can check their security ratings and reports for your website. If you do not already have accounts for these free monitoring tools, we highly recommend that you sign up as they are free to use:

Step 2

FIX HACK

Now that you have information about potentially compromised users and malware locations, you can remove malware from Joomla! and restore your website to a clean state.

Pro Tip:

The best way to identify hacked files is by comparing the current state of the site with an old and clean backup. If a backup is available, you can use that to compare the two versions and identify what has been modified.

Note

Some of these steps require web server and database access. If you are not familiar with manipulating database tables or editing PHP, please seek assistance from a professional Incident Response Team member who can completely remove Joomla! malware.

2.1 Clean Hacked Website Files

If any scans or diagnostic pages revealed malicious domains or payloads, you can start by looking for those files on your Joomla! web server. By comparing infected files with known good files (from official sources or reliably clean backups) you can identify and remove malicious changes.

Caution

It is important that you compare the same version of your Joomla! core files and extensions. Core files on the 2.x branch are not the same as the 3.x branch and so on.

Never perform any actions without a backup. If you’re unsure, please seek assistance from a professional.

To manually remove a malware infection from your Joomla! files:

  1. Log into your server via SFTP or SSH.

  2. Create a backup of the site files before making changes.

  3. Search your files for reference to malicious domains or payloads you noted.

  4. Identify recently changed files and confirm whether they are legitimate.

  5. Review files flagged by the diff command during the core file integrity check.

  6. Restore or compare suspicious files with clean backups or official sources.

  7. Remove any suspicious or unfamiliar code from your custom files.

  8. Test to verify the site is still operational after changes.

If you can't find the malicious content, try searching the web for malicious content, payloads, and domain names that you found in the first step. Chances are that someone else has already figured out how those domain names are involved in the hack you are attempting to clean.

Diff tools to compare suspicious files with known-good copies:

2.2 Clean Hacked Database Tables

To remove a malware infection from your Joomla! database, you need to open a database admin panel, such as PHPMyAdmin. You can also use tools like Search-Replace-DB or Adminer.

To manually remove a malware infection from Joomla! database tables:

  1. Log into your database admin panel.

  2. Make a backup of the database before making changes.

  3. Search for suspicious content (i.e., spammy keywords, links).

  4. Open the table that contains suspicious content.

  5. Manually remove any suspicious content.

  6. Test to verify the site is still operational after changes.

  7. Remove any database access tools you may have uploaded.

You can manually search your Joomla! database for common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc. Note that these functions are also used by Joomla! extensions for legitimate reasons, so be sure you test changes or get help so you do not accidentally break your site.

Caution

Manually removing “malicious” code from your website files can be extremely hazardous to the health of your website. Never perform any actions without a backup. If you’re unsure, please seek assistance from a professional.

2.3 Remove Hidden Backdoors

Hackers always leave a way to get back into your site. More often than not, we find multiple backdoors of various types in hacked Joomla! sites.

Backdoors are usually embedded in files that are named just like legitimate files within the official Joomla! framework but located in the wrong directories. Attackers can also inject backdoors into files like index.php and directories like /components, /modules, and /templates.

Backdoors commonly include the following PHP functions:

  • base64
  • str_rot13
  • gzuncompress
  • gzinflate
  • eval
  • exec
  • create_function
  • location.href
  • curl_exec
  • stream
  • system
  • assert
  • stripslashes
  • preg_replace (with /e/)
  • move_uploaded_file
  • strrev
  • file_get_contents
  • encodeuri
  • wget

Caution

These functions can also be used legitimately by Joomla! extensions, so be sure to test any changes because you could break your site by removing benign functions.

Always remember to compare files using the same Joomla! version.

To remove backdoors by comparing files:

  1. Confirm your Joomla! version by clicking the System menu and opening System Information

  2. Download the same version of known good core files from the version official Joomla! repository.

  3. Log into your server via SFTP or SSH.

  4. Create a backup of the site files before making changes.

  5. In your FTP client, compare your site with the known good download.

  6. Investigate any new files on your server that do not match the known good files.

  7. Investigate any files that are not the same size as the known good files.

Note

The configuration.php file will be on your server but the /installation directory will be missing when comparing a fresh install.

The majority of malicious code we see uses some form of encoding to prevent detection. Aside from premium components that use encoding to protect their authentication mechanism, it's very rare to see encoding in the official Joomla! repository.

It is critical that all backdoors are closed to successfully clean a Joomla! hack, otherwise your site will be reinfected quickly.

2.4 Fix Malware Warnings

If you were blacklisted by Google, McAfee, Yandex (or any other web spam authorities), you can request a review after the hack has been fixed. Google is now limiting repeat offenders to one review request every 30 days. Be sure your site is clean before requesting a review!

To remove malware warnings on your site:

  1. Call your hosting company and ask them to remove the suspension.

    • You may need to provide details about how you removed the malware.
  2. Fill in a review request form for each blacklisting authority.

    • ie. Google Search Console, McAfee SiteAdvisor, Yandex Webmaster.
    • The review process can take several days.

Note

With the Sucuri Website AntiVirus plans, we submit blacklist review requests on your behalf. This helps ensure your site is absolutely ready for review. Some reviews however, such as web spam hacks as a result of manual actions, can take up to two weeks.

Step 3

POST - HACK

In this final step, you will learn how to fix the issues that caused Joomla! to be hacked in the first place. You will also perform essential steps to enhance the security of your Joomla! site.

3.1 Update and Reset

Outdated software is one of the leading causes of infection, and it is important to remove any known vulnerable extensions. Passwords should also be reset to ensure you are not reinfected if hackers gained access to your credentials.

Update Joomla! Core and Extensions

Update all Joomla! software including core files, components, templates, modules, and plugins.

You should also check your extensions for known vulnerabilities using the Joomla! Vulnerable Extensions List.

To check and update Joomla! extensions:

  1. Make sure you have a recent backup of your site.

  2. Log into your Joomla! Administrator area.

  3. Click Extensions on the menu item and select Manage.

  4. On the sidebar click Update.

  5. Review available updates and apply them.

  6. Remove any extensions that contain known vulnerabilities.

Joomla! 3.x is the most stable major versions as they are still actively developed. Users on 1.x and 2.x branches should strongly consider migrating to 3.x and keep the core files updated.

If you are manually updating core files, you can safely delete directories that are part of the official Joomla! framework (administrator, components, etc), then manually rebuild those same core directories and components.

Caution

Be careful not to overwrite the configuration.php file as this will break your site!

To check and update Joomla! core files:

  1. Make sure you have a recent backup of your site.

  2. Log into your Joomla! Administrator area.

  3. Click System on the menu item and select Joomla! Update.

  4. Click the Check for Updates button.

  5. Review available updates for your Joomla! version.

  6. Click the Reinstall Joomla core files button.

Users on the 1.x branch are strongly encouraged to upgrade to 3.x by following the Jooma! Docs migration guide.

If in the first step SiteCheck identified other outdated software on your server (i.e., Apache, cPanel, PHP), you should update those to ensure you have any available security patches.

Reset User Credentials

You should reset all user passwords with unique, strong passwords to avoid reinfection.

To reset passwords for Joomla! user accounts:

  1. Log into your Joomla! website.

  2. Click the Users menu item.

  3. Open each user account.

  4. Change the user’s password.

  5. Repeat for each user on your site.

You should reduce the number of administrator and super-administrator accounts for Joomla!, and all of your website systems. Practice the concept of least privileged. Only give people the access they require to do the job they need.

Joomla! comes with built-in two-factor authentication on user accounts.

To enable 2FA on your Joomla! user accounts:

  1. Log into your Joomla! website.

  2. Click the Users menu item.

  3. Open your user account.

  4. Click the Two Factor Authentication tab.

  5. Follow the steps to enable 2FA.

  6. Have each user repeat this process.

Note

All accounts should use strong passwords. A good password is built around three components – complexity, length, and uniqueness. Some say it’s too difficult to remember multiple passwords. This is true. That's why password managers were created!

It is advisable to reinstall all extensions after a hack to ensure they are functional and free of residual malware. If you have deactivated themes, components, modules, or plugins, we recommend you remove them from your web server.

3.2 Set Backups

Backups function as a safety net. Now that your Joomla! site is clean and you’ve taken some important post-hack steps, make a backup! Having a good backup strategy is at the core of a good security posture.

Here are some tips to help you with website backups:

  • Location

    Store Joomla! backups in an off-site location. Never store backups (or old versions) on your server; they can be hacked and used to compromise your real site.

  • Automatic

    Ideally your backup solution should run automatically at a frequency that suits the needs of your website.

  • Redundancy

    Store your backups in multiple locations (cloud storage, your computer, external hard drives).

  • Testing

    Try the restore process to confirm your website functions correctly.

  • File Types

    Some backup solutions exclude certain file types such as videos and archives.

Note:

If you are an existing customer, Sucuri offers an affordable system for secure website backups.

3.3 Scan Your Computer

Have all Joomla! users run a scan with a reputable antivirus program on their operating systems.

Joomla! can be compromised if a user with an infected computer has access to the dashboard. Some infections are designed to jump from a computer into text editors or FTP clients.

Here are some antivirus programs we recommend:

Note

You should have only one antivirus actively protecting your system to avoid conflicts.

If your Joomla! Dashboard user’s computers are not clean, your site can get reinfected easily.

3.4 Protect Your Site

You can harden your Joomla! site by restricting file permissions and implementing custom .htaccess rules. We recommend reviewing the Joomla! Security Docs for more information.

The number of vulnerabilities exploited by attackers grows every day. Trying to keep up is challenging for administrators. Website Firewalls were invented to provide a perimeter defense system surrounding your website.

Benefits to using a website firewall:

  1. Prevent a Future Hack

    By detecting and stopping known hacking methods and behaviors, a website firewall keeps your site protected against infection in the first place.

  2. Virtual Security Update

    Hackers quickly exploit vulnerabilities in outdated Joomla! versions and extensions. Unknown flaws are always emerging (called zero-days). A good website firewall will virtually patch your holes in your website software even if you haven’t applied security updates.

  3. Block Brute Force Attack

    A website firewall should stop anyone from accessing your Joomla! administrator area if they aren't supposed to be there, making sure they can’t use brute force automation to guess your password.

  4. Mitigate DDoS Attack

    Distributed Denial of Service (DDoS) attacks attempt to overload your server or application resources. By detecting and blocking all types of DDoS attacks, a website firewall makes sure your site is available if you are being attacked with a high volume of fake visits.

  5. Performance Optimization

    Most WAFs will offer caching for faster global page speed. This keeps your visitors happy and is proven to lower bounce rates while improving website engagement, conversions, and search engine rankings.

We offer all of these features with the Sucuri Firewall.