Even with strong security, any website can get hacked. When your Joomla site is compromised, quick and structured action is the key to recovery. This guide walks you through the steps to clean, restore, and secure your hacked Joomla website safely.
1. Identify the Signs of a Hacked Joomla Site
First, confirm whether your site is actually hacked. Common indicators include:
- 🚨 Unexpected redirects or pop-ups.
- 🔐 Admin access locked out or new suspicious users created.
- ⚠️ Google warning: “This site may be hacked.”
- 💀 Unknown files, slow performance, or strange error messages.
- 📧 Spam emails sent from your domain.
2. Put the Site in Maintenance Mode
Prevent further damage or data theft by taking the site temporarily offline:
- In Joomla, go to
System → Global Configuration → Site. - Set Site Offline to “Yes”.
- Or use an
.htaccessrule to allow only your IP during cleanup:
Order deny,allow
Deny from all
Allow from 123.123.123.123
3. Back Up the Infected Site (Before Cleaning)
It might sound strange, but you should always back up the hacked version before making changes. This allows forensic analysis later if needed.
- Use Akeeba Backup to export a full archive.
- Save it locally, not on the server.
4. Scan for Malware and Modified Files
Next, identify which files were compromised:
- SecurityCheck Pro – detects injected code, backdoors, or altered core files.
- RSFirewall – performs deep file integrity scans.
- Sucuri SiteCheck – scan your public site for blacklisting and malware signatures.
5. Compare Against a Clean Joomla Installation
Download the same Joomla version from the official website. Compare your current installation using a diff tool or command line:
diff -rq /var/www/html /var/www/clean-joomla/
Replace any modified or unknown core files with originals from the clean version.
6. Restore from a Clean Backup (If Available)
If you have a recent, verified backup (via Akeeba Backup), restoring it is the fastest and safest method. Make sure to:
- Scan the backup locally before restoring.
- Change all database, admin, and FTP passwords afterward.
7. Clean the Database
Sometimes hackers insert malicious scripts or links into your Joomla database. To clean it:
- Access your database using phpMyAdmin.
- Search for suspicious code (e.g.,
iframe,base64_decode, oreval(). - Remove malicious entries carefully or restore from a clean SQL dump.
8. Change All Passwords and API Keys
After cleaning:
- 🔑 Reset all Joomla user passwords (especially Super User).
- 🔐 Update hosting control panel, FTP, and database credentials.
- 🚫 Revoke API keys for extensions if compromised.
9. Update Joomla Core and Extensions
Outdated components are a leading cause of hacks. Once cleaned:
- Update Joomla to the latest stable version.
- Update all installed extensions and templates.
- Uninstall any plugins you don’t use anymore.
10. Strengthen Security to Prevent Re-Hacking
Now that your site is restored, apply proactive measures:
- Install a firewall extension like Admin Tools Pro.
- Enable 2FA for all admin users.
- Harden file permissions and secure
configuration.php. - Schedule automatic malware scans weekly.
Conclusion
Recovering from a Joomla hack requires patience and systematic cleanup. Always start by isolating the site, scanning for infections, and restoring verified files. Once you’re back online, take proactive steps to prevent future attacks — regular backups, updates, and firewalls will save you next time.
