My Joomla site was hacked! How to Clean a Site - JoomShaper

My Joomla site was hacked! How to Clean a Site

25 January 2016
Hits 135,505
9 min read
My Joomla site was hacked! How to Clean a Site

Something just isn’t right with your Joomla site. Maybe you’re seeing white screen, or dark background with hacker/his country flag, weird links/adverts in bottom section, or perhaps your site redirects to a another site (not yours). If you are lucky, you will get a notification from your host support that you have got infected files. A sad reality about running site on CMS is that sometimes they could get hacked. We all know exactly how stressful it can be for you and your client. Real nightmare.

There a number of practical steps you can take to address the problem once it's happened, and prevent it from happening again.

What to do if your CMS site has been hacked and How To fix a hacked Joomla website 

Step 1: Make a full backup of site

Make a backup even with suspicious code inside - all kind of copy is precious. Make sure you also back up your website database. This full copy should be on your computer hard drive. This step should be your first priority.

Step 2: Scan your website

We strongly suggest to scan your site using online tools:

Visit also the following URL and replace with your own site address. 

Important note!  None of those online scanners are able to scan whole folder/files structure of CMS - it means that those tools not always will show you a warning message.  If yes, you can be 99% sure that is something wrong with website, something "evil" is hidden. It also means that this site injure was made at least few days/weeks/months ago.


This step is even more important : scan all files from current website copy(backup) using a anti-malware tools (PC/Mac/Linux) :

  • Malwarebytes Anti-Malware (Free)
  • ClamAV (Free)

and your already installed antivirus as well.

Especially if computer tool will find something, delete those files not only locally but also on hosting.

CPanel Virus Scanner

Running cPanel virus scanner is always helpful and recommended, it can be done even as a first checking step. The virus scanner in Hosting cPanel searches for viruses, trojan horses, malware, and other threats. Use option named: "Scan Public Web Space" - it scans the public_html directory in your account, looking for infected web site files. If there are a lot of files in the directory, the scan may take some time (mostly about 3-10 min) to complete.

If the virus scan finds any infected files, you can specify what to do with the files:

  • Disinfect: When this option is selected, the virus scanner removes harmful content from the file.
  • Quarantine: When this option is selected, the virus scanner moves the file to the quarantine directory.
  • Destroy: When this option is selected, the virus scanner deletes the infected file. It means that you have to upload later a fresh one from clean package.
  • Ignore: When this option is selected, the virus scanner leaves the infected file unchanged.

Finally, ask your host to scan your site for additional infected files. Many hosts will provide a list of files, though very few of them give you much direction on addressing the problem. Clean up all kinds of infected files. If you're not sure if this Joomla core file or not. Just open it and compare with clean Joomla installation or Extension package. If you are not sure, delete anyway, because all Joomla core files can be replaced with easily.

Step 3: Turn off site

#1 Offline Method

You have to enable offline mode for every visitor coming. In Joomla you can do this from back-end and via FTP. We suggest to use 2nd method. Find configuration.php file in root Joomla folder and open using HTML editor and change one line:

FROM: public $offline = '0';

TO: public $offline = '1';

BTW you can also change a little bit text inside offline_message, maybe add company contact phone and longer description about company - for temporary period of course.

#2 IP Block

The other solution, probably even better would be: disable your site and allow access only from your own IP addresses. This way you will quarantine your site for all strangers, so that hackers will not be able to edit your files and Joomla! database. In addition, search engines (Google, Bing) will also may block your site and display warning messages - so prevent if you still can go it. The easiest way is to edit your .htaccess file and allow access only from your own IP address. Use the following two lines of code:

deny from all
allow from YOUR_IP_ADDRESS 

* Replace YOUR_IP_ADDRESS with your own IP address, for example use: site.

Step 4: Manual Scan via FTP

This is very hard part and success may depend of your experience, meticulousness and precision.

First check those : /tmp , /cache, /images folders with subfolder for php files. Remove found files without any doubt.

Malicious files can be hidden deep in the directory structure and may look like legitimate files.  Most often hackers add additional files that look like the popular core file name, and are easy to ignore such as:

  • Adm1n.php
  • admin2.php
  • contacts.php
  • cron.css
  • css.php
  • do.php
  • hell0.php
  • solo.php
  • x.php
  • test.php or test.html or tests.php
  • uploadtest.html etc.

If you will find them you can delete them even without checking code inside.

decodeSecond, search for files that contain base64 (commonly used by hackers)  but remember that base64 and eval codes are also used in several unharmed plugins/components. Most smart hackers always upload the backdoor file as the first thing. This allows them to regain access even after you find and remove the exploited extension. If you have found susicius looking code inside files please use UnPHP (PHP Decoder) a free online service for analyzing obfuscated and malicious PHP code. It handles simple obfuscation methods that chain functions like eval(), gzinflate(), str_rot13(), str_replace() and base64_decode(). Even if not whole code will be discovered it helps anyway.

Remember: Malicious code is frequently "masked" by PHP functions like: substr eval gzinflate, base64_decode and preg_replace and all related associated with regular expressions.

Use computer program which allows you to search phrase in file, so you will be able to find for example hidden mostly by hacker(s):



 if (md5($_POST







Example of "fake/redirect" files uploaded by unknow hacker:

fake file

fake2 file

hacked template

back door joomla

framework infected

fake mails

In most cases new files will have new file data - so you can discover them checking a uploaded date in last coupe of days/hours - not by you or your team member.

If you are not sure if found code inside a file is suspicious and unsafe or not - please use Jotti's malware scanner ( - it is a free service that lets you scan suspicious files with several anti-virus programs. It has several built-in languages translation so check and switch before using.

Do not forget to check also content in .htaccess file or index.php of default template - which may contain a redirecting script to another page or hidden advert.

Also image files may have hidden code, they are fake images - those are php files with jpg or gif extension.

There are so many possibles, and this search/scan process may take you over 2h. Keep repeating described above step until the hack code is gone.

Step 5: Change passwords

Immediately change all passwords, especially your Joomla Super User account and all accounts with administrative permissions on the website. Now from hosting panel change MySQL password for your website database and password for FTP, if it was used in Joomla. Updated (new) database (MySQL mostly) password must be also inserted inside configuration.php file, here:

public $password = 'NEW-MYSQLi-PASSWORD';

Step 6: Update & uninstall

Now make sure all plugins, modules, components and Joomla are up to date. If your are not sure in Extension Manager compare version number with information on developer site. Older versions are more prone to hacks than newer versions. Even if a extermination is disabled, its files could still allow someone to gain access to your site. Get rid of anything you don’t actually use (uninstall it), or keep it up to date at the very least. We strongly suggest to install Joomla 3.x downloaded from each time. You can use this package also to override infected or damaged files. This step can recover your site in most cases.

Step 7: Clam Down Google & Clients

If Google robot was faster than you and identify your site as infected in our search results to protect other users (Google's blacklist). It means no traffic and loss of confidence. This status may take a few days (week) even after cleaning, that's why you have to do extra steps to unlock it faster:

  1. Make sure your site is free from any infected files, code and content.
  2. Turn on your site (in Global Configuration).
  3. Open the Security Issues Report in Google Webmaster Tools then click Request a review. Add your site if you haven’t already.
  4. Also in Google Webmaster Tool and URL Removal tool to request removal of any URLs that were added by hacker.

Once you clean your site and request the review, Google systems will scan your website for malware or unwanted software. If none is found, Google will remove the warning from your web site. But it can take even 48h to happen.

Read also following Unhacking guide:


It's really hard to clean a website after getting hacked. Sometimes hackers hide the code deep down in file(s) or database structure so it's difficult to find them. If you have fresh backup of your CMS (files mostly), consider deleting your content entirely and replacing it with your last known good backup (once you've checked to make sure it's clean and free of hacked content). So yes, you must delete everything (files mostly) before restoring the site from a backup. You can keep /image folder.

One of the best way to avoid hackers accessing your website through outdated plugin, component and module files is simply to keep everything up-to-date!

And the last word. Sorry but we have to tell you old true. It's not possible to make your website 100% hack-proof.

Molly Johnson
8 years ago
that's awesome! its very informative post.
Alex Smirnov
Alex Smirnov
8 years ago
I would also highly suggest using as the first port of call to go to once your Joomla site is hacked, or, better still, for regular preventive scanning. The price per month is less than a slice of pizza and pine of beer, so there is no excuses not to use it.
7 years ago
Don't be deceived by the offer of a free clean
Very unhelpful customer service.

1) In the beginning, the offer of a free clean - does not materialize
2) Charge the cost of 2 site fees with no final invoice, when it was a clean up on a website public_html and the 2nd site was a sub folder in that folder?
3) Kept blaming the biggest host in the world "godaddy" for the audit tool not working, granted that it looks like a good tool - The business model should actually be catered for godaddy anyway.
3) Disagreed with offering any discount or reasonable fees and charge the full price of 2 site clean ups
4) Phil went straight to the small claims court

Therefore avoid since the customer service is totally not to the standard expected from a professional firm.

And you need to make sure you check all the charges and clarify all these before agreeing.
6 years ago
Thank you very much, your article helped me to find the malicious code and get rid of it. After cleansing, stopped to think about further protection. Was choosing between SiteGuarding and (Web Support Revolution). Chose the last one, because they have a ready-made settings for joomls sites protection.
Paul Frankowski
Paul Frankowski
6 years ago
Also SmartHost company have very good protection, with malware scanner built-in.
I am glad, that my post helped you.
6 years ago
Best to harden your Wordpress plugins and consider a new hosting firm. I own a web design agency in Sydney and I use to have my internal devs clean hacked client sites, but it was a painful, long process. I now use these guys to clean and protect client sites:, they've been rock solid. There are plenty of options around
Paul Frankowski
Paul Frankowski
6 years ago
Yes, I met guys from that team on last year Joomla Word Conference.
They have great products and services.
Indeed good hosting is the KEY.
William Harvey
5 years ago
Thanks for sharing this very useful article here. Really it helps to many joomla business website owners, to recover their hacked website with hackercombat com.
Aran Ariel
5 years ago
Thank you for the insightful post - it would like to get more insight as to how hackers penetrate the systems. I have a good hosting service provider, however the support team today seemed a bit shaken from what seems to have been major hack into their systems overnight.

Paul Frankowski
Paul Frankowski
5 years ago
That's why you should always do regular update and use extra htaccess rules and ...less is more.

Sign up for our newsletter

Don’t miss any updates of our new templates and extensions and all the astonishing offers we bring for you.