Close this search box.
Close this search box.

Cleaning up an infected Joomla web site


You can scan your website using Sucuri Site Check.

Cleaning the infections and securing your site

Clean the infections

If you have a backup of Website files prior to detection of virus infection, then download the backup from the server and replace the infected one.

If you do not have a backup, then you have to remove the malicious code yourself. For example, many viruses add an iframe script to the bottom of every javascript file. Use “find and replace” function in your editor to remove this script in every file.

Change passwords

Change your ftp, cpanel, joomla, database passwords. Make sure you use strong passwords. You can generate strong passwords here.

Change your Joomla administration credentials

Enter Joomla backend and use user manager to change your username and password.

Change your user database credentials

Enter the cpanel of your website. This should be given by the hoster. In databases, delete the old user and create a new one.

Now open configuration.php and change these lines

var $user = 'new_username';
var $password = 'new_password';

Set proper folder permissions

Change your folder permissions. You can use fileZilla to do so.

  1. Right click on you public folder and set 644. Check “Recurse into subdirectories” and select “Apply to files only”.
  2. Wait for the process to finish and then right click on your public folder again and set 755. This time check “Recurse into subdirectories” and select “Apply to folders only”.

Check out this article for more.

Find current joomla version

In order to find joomla version go to libraries/cms/version/version.php.

Within the first 50 lines, you should see the following two lines:

const RELEASE = ‘3.6’;
const DEV_LEVEL = ‘5’;

Release stands for the minor version. In this case, it’s Joomla 3.6.

Dev level is the specific maintenance version, which gets added to the end of the minor version to make: 3.6.5

Now download the correct joomla version from here and replace the infected one (also remove all other files).

Joomla errors when running on localhost

Try to downgrade your PHP. You can also try upload Joomla 3.9 which is compatible to PHP 7.4.

Upgrade Joomla

Upgrade Joomla to its latest version. To do so:

  1. Click components > Joomla! update.
  2. Run the update.

Changing your super admin password

  1. Navigate to phpMyAdmin and select the database for the Joomla! site in the left-hand drop-down list box. This will show the database tables on the left side of the screen.
  2. Find and click on the table with “_users” appended in the list of tables (note: you may have a prefix that is not jos_, simply go to the _users table for your prefix).
  3. Click on the “Browse” button in the top toolbar. This will show all of the users that are set up for this site.
  4. Find the user whose password you want to change and press the Edit icon for this row.
  5. A form will display that allows you to edit the password field. Copy the value d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199
    into the password field and press the Go button. phpMyAdmin should display the message “Affected rows: 1”. At this point, the password should be changed to “secret”.
  6. Log in with this user and password and change the password of this user to a secure value. Check all of the users using the User Manager to make sure they are legitimate. If you have been hacked, you may want to change all of the passwords on the site.

Which folders do I need to download?

  • components
  • plugins
  • templates
  • media
  • images
  • administrator/components

Leaning Resources

  • How to remove malware from your site article.
  • Security Checklist/You have been hacked or defaced Joomla article.