Joomla Malware: How to Detect, Clean, and Harden Your Joomla Site

Table of Contents

Joomla is the world's second most popular content management system after WordPress — powering millions of websites across government, educational, and commercial sectors. That popularity makes it a constant target for attackers. Joomla malware infections range from subtle SEO spam injections to complete backdoor takeovers that serve malware to visitors. This guide covers detection, removal, and hardening for compromised Joomla installations.

Why Joomla Sites Get Infected

Joomla infections typically exploit:

Outdated Joomla core: Joomla releases security updates frequently. Running an outdated version is the most common vulnerability exploited. Major CVEs like CVE-2015-8562 (remote code execution in Joomla 1.5–3.4) and more recent PHP object injection vulnerabilities have been widely exploited.

Vulnerable extensions: Third-party Joomla extensions (components, modules, plugins) vary widely in code quality. A single vulnerable extension can compromise the entire site. The Joomla Vulnerable Extensions List (vel.joomla.org) tracks known vulnerable extensions.

Weak credentials: Default or weak admin passwords, particularly when the admin panel is publicly accessible.

Compromised hosting: Shared hosting environments where another site on the same server is compromised can lead to cross-site contamination.

Outdated PHP/server software: Outdated PHP versions introduce vulnerabilities independent of Joomla itself.

Signs of Joomla Malware Infection

  • Unexpected redirects: Visitors (especially from Google) are redirected to spam or malware sites
  • Google Search Console warnings: Security Issues section shows malware or hacked content alerts
  • Spam pages in search results: Google shows pages on your site promoting pharmaceuticals, gambling, or other spam content
  • Hosting provider warnings: Your host suspended the account or flagged it for malicious content
  • Unfamiliar admin accounts: Unknown user accounts in the Joomla admin panel
  • Modified files: Core Joomla files have been changed (timestamp changes in file manager)
  • Injected ads: Additional advertising appearing on your site that you didn't add
  • Slow performance: Unexpected server resource usage from malicious processes

Step 1: Take a Full Backup

Before any remediation, create a complete backup:
- All files (via FTP/SFTP or hosting control panel file manager)
- Database (via phpMyAdmin or hosting backup tools)

Store the backup outside your server. This preserves evidence and protects against data loss during cleanup.

Step 2: Scan for Malware

Free Tools

Sucuri SiteCheck (sitecheck.sucuri.net): Free external scanner checking public-facing pages for malicious content and blacklist status.

Akeeba Admin Tools (free version): Joomla extension with file change detection and basic security scanning.

Wordfence is WordPress-specific — for Joomla, the equivalent is RSFirewall! (commercial) or Admin Tools by Akeeba.

Server-Side Scanning

For thorough detection, scan files directly on the server:

ClamAV (free, open source): Available on most Linux hosting environments.

clamscan -r /path/to/joomla/ --infected --log=/tmp/clamscan.log

Maldet (Linux Malware Detect, free): Specifically designed for shared hosting environments and detects common PHP webshell and injection patterns.

PHP Malware Finder: Open-source tool specifically for finding PHP malware in web application files.

Step 3: Identify and Remove Malicious Files

Common Malicious File Locations

  • images/ directory: Should only contain images — PHP files here are always suspicious
  • tmp/ directory: Malware droppers often reside here
  • administrator/ templates: Modified to include backdoors
  • Core Joomla files: Particularly index.php, configuration.php, .htaccess

Malicious Code Patterns

Search for these PHP patterns in files:

grep -r "eval(base64_decode" /path/to/joomla/
grep -r "eval(gzinflate" /path/to/joomla/
grep -r "FilesMan" /path/to/joomla/  # common webshell indicator
grep -r "passthru\|shell_exec\|system(" /path/to/joomla/

These functions are not used in legitimate Joomla code and indicate backdoors or webshells.

Replace Core Files

Download the Joomla version matching your installation from downloads.joomla.org. Replace all core directories:
- /administrator/
- /libraries/
- /plugins/ (system plugins)
- /includes/
- Root PHP files (index.php, etc.)

Do NOT replace configuration.php (your site settings) or the images/ directory (your content).

Check configuration.php

Your configuration.php should not contain eval(), base64_decode(), or any obfuscated code. Compare with a clean Joomla installation's configuration.php structure.

Step 4: Clean the Database

Attackers often inject content into the Joomla database:

Check #__content (articles) and #__modules (modules) for injected JavaScript, iframe tags, or links to spam domains.

In phpMyAdmin, run:

SELECT * FROM `[prefix]_content` WHERE `introtext` LIKE '%eval(%';
SELECT * FROM `[prefix]_modules` WHERE `content` LIKE '%<script%';

Check #__users for unknown administrator accounts:

SELECT * FROM `[prefix]_users` WHERE `usertype` = 'Super User';

Step 5: Close the Vulnerability

Find and close the entry point:

  • Update Joomla to the latest version immediately
  • Audit all extensions: Remove any unused extensions. Update all active extensions.
  • Check the Joomla Vulnerable Extensions List (vel.joomla.org) for your installed extensions
  • Change all passwords: Joomla admin, FTP/SFTP, cPanel/hosting, database

Step 6: Harden Your Joomla Installation

Move the administrator folder or restrict access by IP address via .htaccess

Enable two-factor authentication for all admin accounts (built into Joomla since 3.x)

Restrict file permissions: Directories should be 755, files should be 644. The configuration.php should be 444 (read-only)

Install Admin Tools (Akeeba): Provides Web Application Firewall, file change detection, and security scanner for Joomla

Use Cloudflare: Free CDN/WAF that blocks malicious requests before they reach your server

Disable unused plugins: Each active plugin is an attack surface

Move configuration.php above the web root if your hosting allows (so it's not web-accessible)

FAQ

How did malware get into my images/ folder?
Attackers often use vulnerable file upload functions in extensions to upload PHP files disguised as images. Some servers execute PHP files in the images directory — change this via .htaccess or server configuration.

Should I restore from backup or manually clean?
If you have a clean, verified backup from before the infection, restoring is faster and more reliable. If your backup is also infected, manual cleaning is necessary.

Will updating Joomla remove the malware?
No — the update closes the vulnerability that allowed infection but does not remove malware already in the files. Clean the infection first, then update.

How long does Joomla malware removal take?
Manual cleanup: 3–8 hours. Professional services: 24–48 hours. Restore from clean backup: 1–2 hours.


This article is published by ScamSandbox to help users understand and avoid malware threats and online scams.

Sc

ScamSandbox Team

Cybersecurity Expert at ScamSandbox

Share: