  • Joomla! Hacked?

    Best practices and professional emergency help for hacked Joomla websites

Joomla hacked? What to do when your Joomla website has been compromised

24h Emergency Help - fast help and a proven approach for hacked websites

If your Joomla website has been hacked, immediate and careful action is crucial. Hacked Joomla websites often reveal themselves through redirects, spam in the Google index, foreign files, unknown administrators, or warnings from the hosting provider. Important: A simple update is often not enough if malicious code or a backdoor has already been injected.

Typical signs that a Joomla website has been hacked

  • Redirects to external or untrustworthy websites
  • SEO spam or suspicious URLs in the Google index (Japanese Keyword Hack)
  • Warning from the hosting provider due to malware or spam sending
  • Unknown administrators or suddenly installed extensions
  • PHP files in /images/, /tmp/, /cache/ or /logs/
  • Suspicious files in /administrator/cache/
  • The website suddenly becomes slow, unstable, or blocked

Joomla hacked via Astroid Framework – current wave of attacks (CVE-2026-21628)

Joomla websites are currently being attacked more heavily through a critical vulnerability in the Astroid Framework. Versions 2.0.0 through 3.3.10 are affected - an update to at least version 3.3.12 is absolutely required. Typical signs of a successful attack via this vulnerability include:

  • the plugins BLPayload, JCachePro or similarly named, unknown extensions
  • suspicious PHP files in /administrator/cache/, /images/ or /tmp/
  • Files disguised as images or SVGs that actually contain malicious PHP code
  • SEO spam pages in the Google index that are invisible to visitors

Important: A simple update closes the vulnerability for new attacks, but it does not remove any malicious code or backdoors that have already been injected. If your Joomla website was hacked via the Astroid Framework, a full cleanup followed by proper hardening is necessary.

Astroid Framework Security Vulnerability

Joomla hacked? These are the steps you should take now


Step 1: Disable the website - freeze the file system

If a compromise has been clearly confirmed and your hosting provider has not yet suspended the site, disabling the hacked website is strongly recommended to prevent further damage. Activating offline mode in the Joomla configuration is not enough. Injected malicious files hidden deep inside the Joomla directories, which are typically left behind after a hack (spam scripts, backdoors, web shells, and other malware), would still be directly accessible.
There are two ways to effectively block access:

After changing the FTP credentials the file system is protected from further external influence, and damage analysis can begin.

Step 2: Download backups - analyze the intrusion - find the vulnerability

  • Temporarily disable local real-time virus protection
    Otherwise, the FTP download could already fail because of a virus alert
  • Download the infected file system while preserving the timestamps
    (option in the FTP program)
    Faster: Create and download a backup as a ZIP archive via SSH, web control panel, or Akeeba Backup. When extracting locally with WinRAR or 7-Zip the timestamps are preserved.
  • Inspect recently modified files
  • Review the hosting provider's malware logs
  • Run a local scan of the data with good antivirus software
  • Check the Joomla root directory
    • Usually only index.php, configuration.php, .htaccess, and robots.txt are needed
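One way to run these checks over the downloaded copy, as an added example that is not part of the original page: it lists PHP files in the upload and cache directories named above, image or SVG files that contain a PHP opening tag, and root files beyond the usual four, each with the file's and its directory's modification time. The sample tree and all function names are constructed for illustration.

```python
import os
import re
from datetime import datetime, timezone

NO_PHP_PREFIXES = ("images/", "tmp/", "cache/", "logs/", "administrator/cache/")
ROOT_USUAL = {"index.php", "configuration.php", ".htaccess", "robots.txt"}
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".svg", ".ico", ".webp"}
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)  # short tags (<?=) are not covered

SAMPLE = {  # constructed sample tree with placeholder content, not real malware
    "index.php": b"<?php // entry point",
    "stray.php": b"<?php // unknown root file",
    "images/logo.png": b"\x89PNG\r\n\x1a\n constructed pixel data",
    "images/banner.svg": b"<?xml version='1.0'?><svg><?php /* placeholder */ ?></svg>",
    "tmp/x1.php": b"<?php // dropped file placeholder",
    "components/com_content/content.php": b"<?php // regular extension code",
}

def build_sample(root):
    for rel, data in SAMPLE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def mtime_utc(path):
    return datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)

def triage(root):
    """Return (reason, path, file mtime, directory mtime), oldest file first.
    A file mtime can be forged; the directory mtime is a second clue."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            reason = None
            if rel_dir == ".":
                reason = None if name in ROOT_USUAL else "root file outside the usual four"
            elif ext.startswith(".ph") and (rel_dir + "/").startswith(NO_PHP_PREFIXES):
                reason = "PHP file in upload/cache directory"
            elif ext in IMAGE_EXT:
                with open(path, "rb") as fh:
                    if PHP_TAG.search(fh.read()):
                        reason = "image/SVG containing PHP"
            if reason:
                rel = name if rel_dir == "." else f"{rel_dir}/{name}"
                findings.append((reason, rel, mtime_utc(path), mtime_utc(dirpath)))
    return sorted(findings, key=lambda f: f[2])
```

Run `triage()` on the extracted backup only if the download or archive preserved the timestamps; otherwise the reported times reflect the download, not the intrusion.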

For every malware finding, note the timestamp (file modification time).
Attention! The timestamp may also have been manipulated and quietly aligned with the other files in the respective directory. The timestamps of the directories should also be taken into account.
Based on this:

  • Analyze the web server access logs
    • Suspicious POST entries
    • Typical attack patterns
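The log review described above, as an added example that is not part of the original page: it parses access-log lines and reports POST requests close to the modification time of a malware finding, plus any successfully answered request for a PHP file inside an upload or cache directory. It assumes the common Apache "combined" log layout; the log lines, addresses and function names are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined"-style line; adjust the pattern if the host logs differently.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_PHP = re.compile(
    r"^/(images|tmp|cache|logs|administrator/cache)/[^?]*\.ph\w*(\?|$)", re.I)

SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2026:03:14:02 +0100] "GET /index.php HTTP/1.1" 200 5120
203.0.113.9 - - [12/Mar/2026:03:15:40 +0100] "POST /index.php HTTP/1.1" 200 312
203.0.113.9 - - [12/Mar/2026:03:15:44 +0100] "GET /images/banner.php HTTP/1.1" 200 17
198.51.100.7 - - [12/Mar/2026:09:30:00 +0100] "POST /administrator/index.php HTTP/1.1" 303 0
203.0.113.9 - - [14/Mar/2026:22:01:10 +0100] "POST /images/banner.php HTTP/1.1" 200 980
"""  # constructed sample lines using documentation address ranges

def correlate(log_text, finding_mtime, window=timedelta(minutes=10)):
    """Return (reason, ip, time, method, path) for requests worth reviewing."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if UPLOAD_PHP.match(m["path"]) and m["status"].startswith("2"):
            # A 2xx answer means the file existed and was served or executed.
            reason = "PHP answered from upload/cache directory"
        elif m["method"] == "POST" and abs(when - finding_mtime) <= window:
            reason = "POST close to malware file mtime"
        else:
            continue
        hits.append((reason, m["ip"], when, m["method"], m["path"]))
    return hits
```

Pass the modification time of each finding as a timezone-aware datetime. Because that time may have been forged, requests for PHP files in upload directories are reported regardless of the window.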

You can find a small tool and additional analysis tips here.
Can the exact time of the hack be narrowed down? Is a backup available?

Step 3a: Restore a backup

If you are certain that a clean backup from before the hack exists and bringing it up to the current state does not involve too much effort, this can be a way to get the malware problem under control for good. The restoration should take place with access protection in place until everything has been fully updated and secured.
Warning: Malicious code is often injected discreetly long before a hack becomes noticeable (dormant backdoors).
These would allow the webspace to be hacked again and again.


Step 3b: Clean up the file system
Experts only

  • Verification of the core files (e.g. via WinMerge)
    • In particular, non-core files in (/administrator)/libraries should be checked
  • Search /images, /media and other upload directories for malicious code (*.php)
  • Inspect /cache, /tmp, /logs - then empty them (do not delete index.html)
  • Examine /bin, /cli, /language, /includes (*.php) - all fairly clear and manageable
  • Check template files (index.php) for

Additional Services

What Our Customers Say About Us

“The migration of our Joomla website from PHP 5.3 to PHP 7 was completed super fast, affordably, and with flawless results. Very good and friendly communication.”
– H. Bergmann

“Within one day, everything was done extremely professionally and extremely quickly. Very trustworthy. Excellent. 5 stars”
– Fernando V.

“I didn’t know how to help myself, but here I found the expertise needed to get everything cleaned up again. Necessary updates and backups were carried out—everything was extremely affordable, fast, and done well!”
– Klaus-Peter

“The site looks great—everything just like before—and now running on PHP 7.2. I’m impressed—many heartfelt thanks!”
– Dr. Ingo Wuddel

“Since we run an online shop, it was very important for us that our website be fully available again for our customers as quickly as possible. All work was carried out extremely quickly and to our complete satisfaction.” – Löwen Handels GmbH

“Very fast, professional, and effective handling of the problem. In addition, I was given tips and Strato-specific information to reduce the risk of the problem recurring.”
– Heino B.

“The contact was especially friendly, and some additional cosmetic work was taken care of on their own initiative—as if it were the most natural thing in the world. I am relieved and very grateful.”
– R. Mayer

“Superb. In an absolute emergency, when 2 domains were suspended by Strato due to a hacker attack, both domains were temporarily brought back online the very same day.”
– I. Radchenko

“Outstanding service. Problem solved within 18 hours. We are delighted. Thank you very much 🙏”
– Tien Sy Vuong

Website-Bereinigung.de Support Service Google Reviews

Contact Options

Contact Form

Schedule a Call
+49 (0)2406 969796
Mon. - Fri. | 9 am - 9 pm