Joomla Malware Scanner: Find and remove malicious code
Joomla Malware Scanner - anyone searching for that usually already has a bad feeling. The site suddenly redirects to a dubious shop, Google shows a red warning, or the host reports spam being sent from its own server. A scanner is then the first tool: it scans files and the database for malicious code, shows you what does not belong there, and helps with removal. This article explains what a Joomla Malware Scanner really does, how to scan properly - and introduces the free HTProtect scanner that we use every day.
Updated: 26 June 2026
What a Joomla malware scanner really does
A malware scanner is not a magic wand, but a search tool. It systematically goes through your Joomla installation - file by file, table by table - and compares what it finds with known patterns of malicious code. Web shells, backdoors, injected loaders, manipulated configuration files. Anything suspicious ends up on a list that you then work through.
The crucial point that many underestimate: a scanner finds, it does not heal on its own. The real work is assessing and removing the findings. A good scanner takes exactly that off your hands - it separates real malicious code from harmless code that only looks similar by chance, and removes the findings cleanly without breaking your site. That is where the wheat is separated from the chaff.
It is also important to understand the difference from a firewall. A firewall (WAF) tries to stop attacks from getting in at all. A scanner comes into play when it has already happened. Both complement each other, but anyone searching for a scanner usually already has a serious problem. So let us start there.
How you can tell that your Joomla site has been hacked
Some hacks shout, others whisper. The loud ones you notice immediately; the quiet ones eat away at your Google ranking for months before anyone becomes suspicious. These are the symptoms customers describe to us most often:
- The red Google warning: "This site may harm your computer" or "Deceptive site" in the browser. Google has detected malicious code or a redirect and actively warns visitors away. From that point on, traffic drops.
- Sudden spam sending: The host blocks the mailbox or the entire package because thousands of emails are being sent through your server. Strato and other hosts often block the entire package in that case.
- Unexpected redirects: Visitors end up on shady shops, gambling sites, or fake prize draws - often only when they come via Google or from a mobile phone. On your own computer everything looks normal, which makes the search so tricky.
- Unauthorized admin accounts: In the backend, a super user appears that nobody created. Hidden admin accounts are a clear sign that someone wanted persistent access.
- Hijacked .htaccess: Sudden redirects that you never set up anywhere - the attacker has written rules into .htaccess.
- Defacement: The homepage displays a foreign message, often with a hacker pseudonym. Rare, but impossible to miss.
- SEO spam: Suddenly, Japanese or pharmaceutical search results for your domain appear in Google - pages you never created.
Honestly: if even one of these applies, scanning is mandatory. And not just the obvious spot, but everything. A hack is almost never just one file.
What a scanner finds on a Joomla site
So you understand what such a scanner is actually looking for, here are the classics we encounter every day in Joomla cleanups.
Web shells and backdoors in the file system
A web shell is a PHP file that gives the attacker remote control - upload files, execute commands, dig around in the database, all through the browser. Notorious names are c99, r57 or wso, but smart attackers disguise them as wp-conf.php, system.php or cache.php hidden among real files. A backdoor is more subtle: often just a few lines tucked inconspicuously into an existing file and loading new malicious code with every call.
eval/base64 loaders and disguised JCE shells
The classic example: obfuscated code that uses eval(), base64_decode(), gzinflate(), or str_rot13() to unpack its actual payload only at runtime. In the editor, it looks like a jumble of letters, but for the server it is a clean command. Particularly devious are shells disguised as images in the upload folders - a file called logo.gif that actually contains PHP and was uploaded via the old JCE vulnerability. That is exactly why the upload folders (images/, media/, tmp/) should be at the top of every scan list.
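The upload-folder check described above can be reproduced with a short script. This is an added example, not HTProtect's code: the function names, the reason labels and the sample tree are constructed for illustration, and the loader pattern covers only the decoders named in this section.

```python
import re
import tempfile
from pathlib import Path

UPLOAD_DIRS = ("images", "media", "tmp")  # folders this section puts first
IMAGE_EXT = {".gif", ".jpg", ".jpeg", ".png", ".ico"}
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.I)
# eval() fed directly by a decoder: the payload is only unpacked at runtime.
LOADER = re.compile(rb"eval\s*\(\s*@?\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def scan(root):
    """Return {relative_path: [reasons]} for suspicious files under a Joomla root."""
    root = Path(root)
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        data = path.read_bytes()  # whole-file read; fine for a demo tree
        reasons = []
        if rel.parts[0] in UPLOAD_DIRS and PHP_TAG.search(data):
            is_image = path.suffix.lower() in IMAGE_EXT
            reasons.append("php-in-image" if is_image else "php-in-upload-folder")
        if LOADER.search(data):
            reasons.append("eval-decoder-loader")
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings

def build_sample_site(root):
    """Constructed sample tree; the encoded string is inert text, not a payload."""
    files = {
        "images/logo.gif": b"GIF89a<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>",
        "images/banner.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "tmp/cache.php": b"<?php echo 'x';",
        "index.php": b"<?php echo 'site';",
        "libraries/helper.php": b"<?php $s = base64_decode($token);",
    }
    for name, body in files.items():
        path = Path(root) / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        for name, why in scan(build_sample_site(site)).items():
            print(name, why)
```

The plain base64_decode() call in libraries/helper.php is not reported: decoding alone is common in legitimate code, and only the eval-plus-decoder combination or PHP inside an upload folder counts as a hit.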
Injections in configuration.php and templates
The configuration.php in the main directory is a popular hiding place because it is loaded on every page request anyway. So a smuggled one-liner at the top or bottom of this file will definitely run too. The same applies to the index.php files of active templates. We often see the so-called "Vietnamese One-Line Snippet": a PHP wrapper inserted before the actual template code that can even cause the site to crash in the worst case.
Malicious .htaccess, SEO spam, and defacement
Not all malicious code is PHP. Some attacks hide in the .htaccess file and redirect search engine visitors somewhere different from normal users. SEO spam, in turn, often hides in the database - in articles, modules, or configuration values as an invisible link farm. A complete scanner must therefore check both: the file system and the database.
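One way to check a .htaccess file for the visitor-dependent redirects described above, as an added example that is not part of HTProtect. The function name, the keyword list, the host example.org and the sample rules are assumptions made for illustration; directives are split on whitespace, so quoted arguments are not handled.

```python
import re
from urllib.parse import urlparse

# Variables that describe the visitor, and tokens typical for "only via
# Google or from a mobile phone" filtering (assumed keyword list).
VISITOR_VARS = ("%{HTTP_REFERER}", "%{HTTP_USER_AGENT}")
VISITOR_FILTER = re.compile(r"google|bing|yahoo|yandex|android|iphone|mobile", re.I)

def audit_htaccess(text, own_host):
    """Report RewriteRules that send filtered visitors to a foreign host."""
    findings, conds = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            conds.append((parts[1], parts[2]))
        elif directive == "rewriterule" and len(parts) >= 3:
            host = urlparse(parts[2]).hostname
            offsite = (bool(host) and host != own_host
                       and not host.endswith("." + own_host))
            gated = [f"{var} {pat}" for var, pat in conds
                     if var.upper() in VISITOR_VARS and VISITOR_FILTER.search(pat)]
            if offsite and gated:
                findings.append({"line": lineno, "target": host, "conditions": gated})
            conds = []  # RewriteCond lines apply only to the next RewriteRule
    return findings

# Constructed sample: two legitimate rules around one injected block.
SAMPLE = "\n".join([
    "RewriteEngine On",
    "RewriteCond %{HTTPS} off",
    "RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]",
    "RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC,OR]",
    "RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]",
    "RewriteRule ^(.*)$ https://shop.invalid/landing [R=302,L]",
    "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteRule .* index.php [L]",
])

if __name__ == "__main__":
    for hit in audit_htaccess(SAMPLE, "example.org"):
        print(hit)
```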
How to scan your Joomla site (step by step)
No matter which tool you use - the process is always similar. This is how we approach it:
- Backup first. Before you delete anything, back up the current state - including the database. It may sound paradoxical, but it is important: if something goes wrong during cleanup, you can roll back. How to restore it is explained in the article Restore Akeeba Backup.
- Start a full scan. Let the scanner run across the entire file system and the database, not just the folder that stands out. On large sites this can take time - a good scanner runs through without timing out.
- Assess the findings. Take a quick look at each hit. Is it real malicious code or a false alarm? Encrypted loaders, unfamiliar files in upload folders, and modified core files are almost always real.
- Remove, not just delete. Pure malicious files are removed. For infected but otherwise legitimate files (for example configuration.php), remove only the injected part and keep the rest.
- Find the entry point. The most important step - and the one most people forget. An outdated extension? A compromised password? As long as the gap remains open, you will be reinfected within days.
- Follow-up check. After cleanup, scan again, change passwords and the Joomla secret, delete unknown admin accounts, and end sessions.
The most common mistake we see: people delete the one suspicious file, breathe a sigh of relief - and miss the three backdoors that were placed there precisely for this case. Clean up thoroughly or not at all.
HTProtect: the free Joomla malware scanner directly in Joomla
Our own scanner grew out of this very day-to-day work. HTProtect, the free Joomla security component, includes a full-featured malware scanner that runs directly in your Joomla installation. No upload to an external service, no telemetry, nothing leaves your server. Here is what it can do and why.
Detection that really works
The scanner combines two approaches. A signature engine detects known malicious patterns based on regularly updated definitions - and these definitions are cryptographically signed so no one can tamper with them in transit. In addition, it uses heuristics to spot suspicious structures even when the exact signature is not yet known: nested eval constructs, code in upload folders, unusually encoded blocks. This is supplemented by curated crowd reports - findings from real cleanups are reviewed and fed back into the definitions. No tool detects 100 percent; that would be snake oil. But this mix of signatures, heuristics and practical feedback very reliably finds what actually appears on Joomla sites.
Remove findings in bulk
Anyone who has ever dealt with a heavily infected site with hundreds of affected files knows the hassle: click each one individually, confirm, move on. HTProtect can delete selected findings in bulk - hundreds at once, processed in batches so the server does not run into a timeout. What would otherwise be an hour of clicking is reduced to a few minutes.
Integrated editor instead of a blunt instrument
Not every infected file should be deleted. If the injection is inside a legitimate file, you only want to cut out the malicious code and keep the rest. The built-in editor opens the file directly, you remove the injected line and save - even very large files reliably, because HTProtect bypasses the typical server and ModSecurity limits where normal editors fail.
Read-only folders are unlocked
A nasty trick: attackers set their folders to chmod 555, making them read-only so you cannot simply delete their malicious code. Many cleanup attempts fail right here - silently. HTProtect automatically unlocks such folders for deletion and then restores the permissions afterward.
Runs through even huge sites
The scan is performed in chunks and can be resumed. It runs through tens of thousands of files without hitting a timeout, with a progress bar. And the second time around, a delta scan checks only what has changed since the last run - that is fast and makes regular checks practical in the first place.
Core files in view
The scanner specifically looks where injections do the most damage: in configuration.php and in the active templates. Injected code in these locations is reported instead of getting lost in the noise.
In short, the HTProtect scanner finds the typical Joomla threats: web shells, backdoors, eval and base64 loaders, JCE shells disguised as GIFs, malicious .htaccess, manipulated JCE profiles, SEO spam and defacement. It runs completely free, directly in Joomla, from Joomla 2.5 to 6 and on PHP 7.4 to 8.5.
Prevention is better than scanning
As useful as a scanner is - the nicest hack is the one that never happens. That is why HTProtect includes, beyond the scanner, an entire toolkit for prevention: an exploit shield (a small WAF) that blocks known attacks on JCE, Novarain, Astroid, com_ajax-LFI or the Web Services API and keeps its rules up to date via live updates. It also hardens the main .htaccess, blocks PHP execution in the upload folders and protects the /administrator directory with a password. A watchdog sounds the alarm if the .htaccess changes or a new admin account appears, a security traffic light shows the status at a glance, and updates are secured. Anyone who wants to dive deeper will find the details in the Practical guide to securing Joomla.
When it is too late or too complex
Sometimes a hack is too deep or too tangled to clean up yourself on the side - or time is running short because the host is threatening to suspend the site. Then we take care of it. We clean hacked Joomla sites professionally, find the entry point and make sure it does not happen again right away. No hard sell - just in case you would rather let someone handle it who does this every day.
Frequently asked questions
How do I recognize malware on my Joomla site?
Typical signs include a Google warning in the browser, sudden spam sending, redirects to foreign pages (often only via Google or from a mobile phone), unknown admin accounts, or a drop in search engine rankings caused by SEO spam. However, only a full scan of the file system and database provides certainty - many backdoors are invisible from the outside.
Is the HTProtect Malware Scanner free?
Yes, completely. HTProtect is a free Joomla component, and the scanner including batch delete and editor is included. There is no paid Pro tier that you would need for scanning.
Which Joomla and PHP versions does the scanner support?
Joomla 2.5 through 6 and PHP 7.4 through 8.5. So it also runs on older Joomla sites that are no longer maintained - which are statistically hacked most often.
Is an online scanner enough, or do I need to scan on the server?
Online services like Sucuri SiteCheck or VirusTotal only see what is visible from the outside - a redirect, visible spam, a blacklist entry. They do not find web shells and backdoors in the file system. For a real cleanup, you need to scan where the code lives: on the server, in files and in the database. That is exactly what a scanner that runs in Joomla does.
Does the scanner also find malicious code in the database?
Yes. Many attacks are not in files, but as injected scripts or hidden link farms in articles, modules, or configuration values. A full scan checks both the file system and the database.
What do I do if the scanner finds something?
First secure it, then assess it, then remove it - and be sure to close the entry point, otherwise the site will be infected again soon. Delete pure malware files; for infected core files, remove only the injected part. If that feels too risky or the site is business-critical, we will handle the professional cleanup.
Questions or something unclear? Feel free to write it in the comments below the article.

