Joomla Malware: How to Detect, Clean, and Harden Your Joomla Site
Table of Contents
Joomla is the world's second most popular content management system after WordPress â powering millions of websites across government, educational, and commercial sectors. That popularity makes it a constant target for attackers. Joomla malware infections range from subtle SEO spam injections to complete backdoor takeovers that serve malware to visitors. This guide covers detection, removal, and hardening for compromised Joomla installations.
Why Joomla Sites Get Infected¶
Joomla infections typically exploit:
Outdated Joomla core: Joomla releases security updates frequently. Running an outdated version is the most common vulnerability exploited. Major CVEs like CVE-2015-8562 (remote code execution in Joomla 1.5â3.4) and more recent PHP object injection vulnerabilities have been widely exploited.
Vulnerable extensions: Third-party Joomla extensions (components, modules, plugins) vary widely in code quality. A single vulnerable extension can compromise the entire site. The Joomla Vulnerable Extensions List (vel.joomla.org) tracks known vulnerable extensions.
Weak credentials: Default or weak admin passwords, particularly when the admin panel is publicly accessible.
Compromised hosting: Shared hosting environments where another site on the same server is compromised can lead to cross-site contamination.
Outdated PHP/server software: Outdated PHP versions introduce vulnerabilities independent of Joomla itself.
Signs of Joomla Malware Infection¶
- Unexpected redirects: Visitors (especially from Google) are redirected to spam or malware sites
- Google Search Console warnings: Security Issues section shows malware or hacked content alerts
- Spam pages in search results: Google shows pages on your site promoting pharmaceuticals, gambling, or other spam content
- Hosting provider warnings: Your host suspended the account or flagged it for malicious content
- Unfamiliar admin accounts: Unknown user accounts in the Joomla admin panel
- Modified files: Core Joomla files have been changed (timestamp changes in file manager)
- Injected ads: Additional advertising appearing on your site that you didn't add
- Slow performance: Unexpected server resource usage from malicious processes
Step 1: Take a Full Backup¶
Before any remediation, create a complete backup:
- All files (via FTP/SFTP or hosting control panel file manager)
- Database (via phpMyAdmin or hosting backup tools)
Store the backup outside your server. This preserves evidence and protects against data loss during cleanup.
Step 2: Scan for Malware¶
Free Tools¶
Sucuri SiteCheck (sitecheck.sucuri.net): Free external scanner checking public-facing pages for malicious content and blacklist status.
Akeeba Admin Tools (free version): Joomla extension with file change detection and basic security scanning.
Wordfence is WordPress-specific â for Joomla, the equivalent is RSFirewall! (commercial) or Admin Tools by Akeeba.
Server-Side Scanning¶
For thorough detection, scan files directly on the server:
ClamAV (free, open source): Available on most Linux hosting environments.
clamscan -r /path/to/joomla/ --infected --log=/tmp/clamscan.log
Maldet (Linux Malware Detect, free): Specifically designed for shared hosting environments and detects common PHP webshell and injection patterns.
PHP Malware Finder: Open-source tool specifically for finding PHP malware in web application files.
Step 3: Identify and Remove Malicious Files¶
Common Malicious File Locations¶
images/directory: Should only contain images â PHP files here are always suspicioustmp/directory: Malware droppers often reside hereadministrator/templates: Modified to include backdoors- Core Joomla files: Particularly index.php, configuration.php, .htaccess
Malicious Code Patterns¶
Search for these PHP patterns in files:
grep -r "eval(base64_decode" /path/to/joomla/
grep -r "eval(gzinflate" /path/to/joomla/
grep -r "FilesMan" /path/to/joomla/ # common webshell indicator
grep -r "passthru\|shell_exec\|system(" /path/to/joomla/
These functions are not used in legitimate Joomla code and indicate backdoors or webshells.
Replace Core Files¶
Download the Joomla version matching your installation from downloads.joomla.org. Replace all core directories:
- /administrator/
- /libraries/
- /plugins/ (system plugins)
- /includes/
- Root PHP files (index.php, etc.)
Do NOT replace configuration.php (your site settings) or the images/ directory (your content).
Check configuration.php¶
Your configuration.php should not contain eval(), base64_decode(), or any obfuscated code. Compare with a clean Joomla installation's configuration.php structure.
Step 4: Clean the Database¶
Attackers often inject content into the Joomla database:
Check #__content (articles) and #__modules (modules) for injected JavaScript, iframe tags, or links to spam domains.
In phpMyAdmin, run:
SELECT * FROM `[prefix]_content` WHERE `introtext` LIKE '%eval(%';
SELECT * FROM `[prefix]_modules` WHERE `content` LIKE '%<script%';
Check #__users for unknown administrator accounts:
SELECT * FROM `[prefix]_users` WHERE `usertype` = 'Super User';
Step 5: Close the Vulnerability¶
Find and close the entry point:
- Update Joomla to the latest version immediately
- Audit all extensions: Remove any unused extensions. Update all active extensions.
- Check the Joomla Vulnerable Extensions List (vel.joomla.org) for your installed extensions
- Change all passwords: Joomla admin, FTP/SFTP, cPanel/hosting, database
Step 6: Harden Your Joomla Installation¶
Move the administrator folder or restrict access by IP address via .htaccess
Enable two-factor authentication for all admin accounts (built into Joomla since 3.x)
Restrict file permissions: Directories should be 755, files should be 644. The configuration.php should be 444 (read-only)
Install Admin Tools (Akeeba): Provides Web Application Firewall, file change detection, and security scanner for Joomla
Use Cloudflare: Free CDN/WAF that blocks malicious requests before they reach your server
Disable unused plugins: Each active plugin is an attack surface
Move configuration.php above the web root if your hosting allows (so it's not web-accessible)
FAQ¶
How did malware get into my images/ folder?
Attackers often use vulnerable file upload functions in extensions to upload PHP files disguised as images. Some servers execute PHP files in the images directory â change this via .htaccess or server configuration.
Should I restore from backup or manually clean?
If you have a clean, verified backup from before the infection, restoring is faster and more reliable. If your backup is also infected, manual cleaning is necessary.
Will updating Joomla remove the malware?
No â the update closes the vulnerability that allowed infection but does not remove malware already in the files. Clean the infection first, then update.
How long does Joomla malware removal take?
Manual cleanup: 3â8 hours. Professional services: 24â48 hours. Restore from clean backup: 1â2 hours.
This article is published by ScamSandbox to help users understand and avoid malware threats and online scams.