Joomla hacked? What to do if a Joomla site has been hacked
24/7 immediate help - fast assistance and proven steps for a hacked website
If your Joomla site has been hacked, immediate and thorough action is essential. Hacked Joomla websites often show signs such as redirects, spam in the Google index, unfamiliar files, unknown administrators, or warnings from the hosting provider. Important: a simple update is often not enough if malicious code or a backdoor has already been injected.
Typical signs that a Joomla site has been hacked
- Redirects to external or dubious websites
- SEO spam or strange URLs in the Google index (Japanese Keyword Hack)
- Warning from the hosting provider due to malware or spam sending
- unknown administrators or suddenly installed extensions
- PHP files in /images/, /tmp/, /cache/ or /logs/
- suspicious files in /administrator/cache/
- the website suddenly becomes slow, unstable, or blocked
Joomla hacked through the Astroid Framework – current attack wave (CVE-2026-21628)
Joomla websites are currently being attacked more frequently via a critical vulnerability in the Astroid Framework. Affected versions are 2.0.0 through 3.3.10 - an update to at least version 3.3.12 is absolutely required. Typical traces of a successful attack through this vulnerability are:
- the plugin BLPayload, JCachePro or similarly named, unknown extensions
- Suspicious PHP files in /administrator/cache/, /images/ or /tmp/
- files disguised as images or SVGs but containing malicious PHP code
- SEO spam pages in the Google index that are invisible to visitors
Important: An update alone closes the vulnerability for new attacks, but does not remove malicious code or backdoors that have already been injected. If your Joomla site was hacked via the Astroid Framework, a complete cleanup followed by hardening is necessary.
→ Astroid Framework security vulnerability
Joomla hacked? These are the steps you should take now
Step 1: Disable the website - freeze the file system 
If a compromise is definitely confirmed and your hosting provider has not yet imposed a block, disabling the hacked website is strongly recommended to prevent further damage. Activating offline mode in the Joomla configuration is not enough. Injected malicious files deep within the Joomla directories that are typically left behind after a hack (spam scripts, backdoors, web shells, and other malware) would still remain directly accessible.
To effectively block access, there are two options:
- .htaccess password protection (example.org/xssen.php)
- Rename/redirect the base directory (set up a maintenance page)
After changing the FTP credentials, the file system is protected from further external access and the damage analysis can begin.
Step 2: Download backups - analyze the breach - identify the vulnerability
- Temporarily disable local real-time antivirus protection
  Otherwise even the FTP download could fail due to a virus alert
- Download the infected file system while preserving timestamps (option in the FTP program)
  Faster: Create and download a backup as a ZIP archive via SSH, the web control panel, or Akeeba Backup. When unpacking locally with WinRAR or 7-Zip, the timestamps are preserved.
- Inspect recently modified files
- Go through the host's malware logs
- Local scan of the data with good antivirus software
- Check the Joomla root directory
  - Usually only index.php, configuration.php, .htaccess & robots.txt are needed
Note the timestamp (file modification time) for each malicious code finding.
Warning! The timestamp may itself be falsified and subtly adjusted to match the other files in the respective directory. The timestamps of the directories should also be considered.
Based on this:
- Analyze the web server access logs
  - Suspicious POST entries
  - Typical attack patterns
You can find a small tool and further tips for analysis here.
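As an added example (not the author's tool mentioned above), the log review in this step can be sketched as a filter that keeps POST requests either aimed at PHP files in the directories listed earlier or made close to the modification time of a malicious file. It assumes the Apache/nginx "combined" log format and a 10-minute window; `suspicious_posts` and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# PHP files below the directories the page lists as warning signs.
WATCH_RE = re.compile(
    r"^/(images|media|tmp|cache|logs|administrator/cache)/[^?]*\.php", re.I
)

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Mar/2026:02:11:40 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [14/Mar/2026:02:13:05 +0100] "POST /index.php?option=com_example HTTP/1.1" 200 87 "-" "-"',
    '203.0.113.9 - - [14/Mar/2026:02:13:09 +0100] "POST /images/banners/x1.php HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.7 - - [14/Mar/2026:09:30:00 +0100] "POST /index.php/contact HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
]


def suspicious_posts(log_lines, finding_times, window=timedelta(minutes=10)):
    """Return sorted (time, ip, path, status, reasons) for POSTs worth reviewing.

    finding_times: timezone-aware datetimes of the malicious files found so far.
    """
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        reasons = []
        if WATCH_RE.match(m["path"]):
            reasons.append("POST to PHP file in watched directory")
        if any(abs(ts - ft) <= window for ft in finding_times):
            reasons.append("close to file modification time")
        if reasons:
            hits.append((ts, m["ip"], m["path"], m["status"], "; ".join(reasons)))
    return sorted(hits)
```

Once an address stands out, the rest of the log can be filtered by that IP to reconstruct the sequence of requests; because file timestamps can be falsified, the directory-based match is evaluated independently of the time window.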
Can the time of the hack be narrowed down precisely? Backup available?
Step 3a: Restore backup
If you are sure that a clean backup from before the hack exists and bringing it up to date is not too much work, restoring it can be a way to get the malware problem under control for the long term. The restore should take place behind access protection until everything has been fully updated and secured.
Warning: Often malicious code is quietly injected long before a hack becomes noticeable (dormant backdoors).
These could be used to hack the web space again and again.
Step 3b: Clean up the file system
Experts only
- Verification of core files (e.g. with WinMerge)
- In particular, non-core files in (/administrator)/libraries should be checked
- /images, /media and other upload directories should be searched for malicious code (*.php)
- Inspect /cache, /tmp, /logs - then empty them (do not delete index.html)
- /bin, /cli, /language, /includes should be examined (*.php) - all fairly manageable
- Check template files (index.php) for <script injections
- Check .htaccess files
Potentially, any directory not yet examined may contain malicious code.
The depths of the /components, /modules, /layouts & /plugins directories are especially tricky hiding places. With plenty of experience, current detection patterns, and a good instinct, these files can also be found.
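The directory checks from Step 2 and Step 3b can be run over the unpacked local copy of the backup. The following added example (not the author's tooling) lists PHP files in the directories named above, unexpected PHP files in the root, and image or SVG files that contain a PHP opening tag, sorted by modification time. The `.phtml` extension and the 1 MiB read limit are assumptions, and every hit is a candidate for manual review, not a verdict.

```python
import os
import sys
import time

# Directories the page names as places where PHP files are a warning sign.
WATCH_DIRS = ("images", "media", "tmp", "cache", "logs", "administrator/cache")
# The page searches for *.php; .phtml is an added assumption.
PHP_EXTS = (".php", ".phtml")
# File types that should never contain a PHP opening tag.
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".ico", ".webp", ".svg")
# PHP files the page says the Joomla root usually needs.
ROOT_PHP = {"index.php", "configuration.php"}


def scan(root):
    """Return sorted (mtime, reason, relative_path) tuples for manual review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        watched = any(rel_dir == d or rel_dir.startswith(d + "/") for d in WATCH_DIRS)
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            reason = None
            if lower.endswith(PHP_EXTS):
                if rel_dir == "." and lower not in ROOT_PHP:
                    reason = "unexpected PHP file in root"
                elif watched:
                    reason = "PHP file in watched directory"
            elif lower.endswith(IMAGE_EXTS):
                with open(path, "rb") as fh:
                    head = fh.read(1 << 20)  # only the first 1 MiB is inspected
                if b"<?php" in head.lower():
                    reason = "PHP tag inside image/SVG"
            if reason:
                rel = name if rel_dir == "." else f"{rel_dir}/{name}"
                findings.append((os.path.getmtime(path), reason, rel))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python scan_backup.py /path/to/unpacked/backup
    for mtime, reason, rel in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime))
        print(f"{stamp}  {reason:30}  {rel}")
```

The scan does not look inside /components, /modules, /layouts, /plugins or /libraries, where PHP files are expected; those still need the core-file comparison described above.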
Step 4: Close the vulnerability - change passwords - fully update Joomla
To avoid your Joomla website being hacked again, updates should be carried out regularly. This is the only way to maintain the highest possible level of security.
Frequently asked questions about hacked Joomla sites
What should I do if my Joomla site has been hacked?
If your Joomla site has been hacked, it should be protected from further external access as quickly as possible. Joomla offline mode alone is usually not enough, as injected malicious files often remain directly accessible. After that, backups should be created, suspicious files checked, logs analyzed, and the point of entry identified.
Is a Joomla update enough after a hack?
No. An update can close a known security vulnerability, but it does not remove malicious code that has already been injected. If backdoors, spam scripts, web shells, or manipulated files are already on the webspace, the installation must also be cleaned up specifically and then secured.
How can I tell that my Joomla website has been hacked?
Typical signs include unexpected redirects, spam pages in the Google index, warnings from the hoster, unknown administrators, foreign files, or suddenly appearing PHP files in upload directories. A significantly changed website behavior or blocked email sending can also indicate a compromise.
Can an old backup solve the problem completely?
Not always. Malicious code is often injected well before the visible outbreak. If the backup used is not truly clean, the actual backdoor may remain and the hack can reappear later. That is why, before restoring, it should be checked as precisely as possible when the breach began.
How does the cleanup of a hacked Joomla site typically work?
In general, the website and access credentials are secured first, then backups are created and the intrusion is analyzed. After that, malicious code, backdoors, and manipulated files are removed, vulnerabilities are closed, passwords are changed, and Joomla as well as extensions are brought up to a secure state. Finally, additional protection against renewed attacks is put in place.
Which current security vulnerabilities play a role in Joomla hacks?
In addition to outdated installations, security vulnerabilities in extensions, templates, or frameworks are also a typical entry point. The key point is this: even if the vulnerability has since been closed by an update, an already compromised website still needs to be checked for injected files, backdoors, and spam remnants.
How quickly can a hacked Joomla site be cleaned up?
This depends on the scope of the attack, the condition of the website, and the availability of clean backups. Smaller cases can often be resolved quickly, while more complex compromises with multiple entry points or heavily manipulated files require significantly more analysis. Above all, it is important not only to remove symptoms, but to properly close the root cause.
What does it cost to clean up a hacked Joomla site?
The costs depend on the amount of work involved and the technical condition of the installation. If malicious code, spam remnants, outdated extensions, or an unresolved entry point are already present, the effort is greater than in a clearly definable isolated case. What matters is not only the removal of the malicious code, but also the long-term securing of the site.
- Last Updated: 21 March 2026
