Fix Joomla Hack and Upgrade for Security

Joomla is a very popular Content Management System (CMS) that can help make your website publishing life easier. However just like any other software, if you don’t keep it up to date, you could be opening yourself up for some headaches down the road.

Nothing is worse than having your website suddenly defaced with messages you don’t approve of, malicious hacks running on your site possibly infecting your visitors, and losing rank in search engines.

Securing Joomla

In this guide, I’ll try to cover all the Joomla security basics of making sure these problems don’t happen to you.

secure joomla logo

Ensure Current Joomla Version is Secure

If you have the now very out-of-date installation of Joomla 1.5 still running on the Internet, chances are your website is getting attacked on a semi-regular basis. Unfortunately with all the known exploits for Joomla 1.5 in the wild, it’s probably just a matter of time before one of them successfully hacks your Joomla website.

Below is a table of the various versions of Joomla, and how old they are. The End of Life date marks the date in which there is no further support for bugs or security of that release making them more prone to attacks.

Joomla Version BranchLatestRelease DateLast ReleaseEnd of LifeUpgrade Path
1.51.5.26January 22 2008March 27 2012September 2012Migrate to 2.5
1.61.6.6April 22 2009July 26 2011August 2011One-click to 2.5
1.71.7.5July 19 2011February 2 2012Feburary 2012One-click to 2.5
2.52.5.14January 24 2012August 01 2013December 31st, 2014One-click to 3.x
3.03.0.4September 27 2012February 4 2013May 2013One-click to 3.1
3.13.2.0April 24 2013November 6 2013Nov 2013One-click to 3.2
3.23.2.0November 6 2013November 6 2013April 2014One-click to 3.3
3.33.3.4April 20 2014September 23 2014September 2014One-click to 3.4
3.43.4.8February 24 2015December 24 2015December 2015One-click to 3.5
3.53.5.1March 21 2016April 05 2016April 2016One-click to 3.6
3.63.6.5July 12 2016December 13 2016December 2016One-click to 3.7
3.73.7.5April 25 2017August 17 2017Release of 3.8 (TBD)One-click to 3.8

Find and Clean Up a Joomla Hack

If your website has been attacked and compromised sometimes it will be very apparent. You might have malicious redirects taking your visitors to some other website, content appearing on your website that you didn’t create, and typically your account’s resource usage will be higher when under attack or running any hacks.

Here are some common things you can look at if you suspect your Joomla website is under attack or hacked:

  1. Check to see if the Google Safe Browsing Diagnostic page has detected any known malware running on your website. If your domain name was example.com, you would use the following URL to check: https://www.google.com/safebrowsing/diagnostic?site=example.com

    You can also use the Sucuri Security free website malware scanner, again access by a URL like:
    https://sitecheck.sucuri.net/results/example.com
  2. Follow our recovering after a hack guide which goes over updating your cPanel and FTP passwords, and also scanning your local computer to ensure you aren’t uploading malicious files unknowingly to the server.
  3. Clean up a .htaccess hack if your website is redirecting visitors or search engines to other sites without your consent.
  4. Clean up a code injection attack if you notice strange behavior from your pages, or if you see injected keywords or other types of spam in your content.
  5. Enable raw access logs in cPanel so that you have a historical record of your website requests, this can be handy when trying to track down malicious activity.
  6. Block unwanted users with your .htaccess file to prevent possible hack attempts from known bad IP addresses or User-Agent strings.

Reinstall Joomla After a Hack to Prevent Further Exploits

While you might be able to clean up most traces of an attack and hack against your Joomla website, once an attacker has successfully exploited a part of your site, it can be extremely hard to ensure that all traces of the hack are removed.

A lot of times once a Joomla site has been hacked, it gets added to a list by the attacker, and then they’ll more than likely keep coming back trying to exploit it again and again until you’ve upgraded to protect yourself from the exploits available in the wild.

Below I’ll walk you through the process of taking a Joomla 1.5 site that has been hacked, reinstalling Joomla itself to rule out any malicious files still being on your account, and then upgrading to Joomla 2.5 to help ensure the same hack isn’t allowed to be uploaded to the website again.

  1. Log into your Joomla admin to double-check you have the latest version of Joomla 1.5 already, which should be Joomla 1.5.26. If you have an older release of Joomla 1.5 you need to first upgrade from an existing Joomla 1.5x version.
    Joomla Admin Dashboard
  2. Using your favorite FTP client, you’ll want to download all of your current folders and files for Joomla to your local computer. In this case, I’m using FileZilla, connecting to my site example.com, navigating to the /public_html directory where Joomla is installed, then simply selecting all the folders and files by clicking on one and then hitting Ctrl-A to select all. Then I’m dragging them all to a local folder called /Downloads/Joomla that I created.
  3. Next, you’ll want to backup your Joomla database in cPanel, so that you have a copy of that as well. At this point, you now have all the physical files that make up your Joomla website. In the event that the steps below for reinstalling Joomla and upgrading it do not work for you, you’ll at least be able to restore your site back to its hacked state.
  4. Now that you have all of your Joomla files downloaded locally that are potentially hacked, you should be able to safely remove them from the server. This can be done by simply selecting all of your Joomla files in your FTP client, and then hitting Delete on your keyboard. If your main website is running Joomla, this would be all the files in the /public_html directory.
    Please note you might have other files on your account other than just Joomla. If you delete these as well and don’t re-upload them from the local copies you’ve downloaded, they will no longer be present on your account.
  5. Download the last release of Joomla 1.5 by clicking on this link for Joomla 1.5.26. You should now have a Joomla_1.5.26-Stable-Full_Package.zip archive downloaded to your local computer. This contains all of the core files needed to run a Joomla website.
  6. Upload the Joomla_1.5.26-Stable-Full_Package.zip to your now what should be blank /public_html directory.
  7. Access the FileManager in cPanel and navigate to your /public_html directory. Then right-click on the Joomla_1.5.26-Stable-Full_Package.zip file you uploaded, and click on Extract.


    In the Extract window that pops up, in this case, we can just leave the extraction directory set to /public_html and then just click on Extract File(s) so that all of the Joomla core files are placed there.


    It might take a few minutes for the .zip file to finish inflating, once it completes, click on the Close button.
  8. At this point, if you attempt to visit your website where Joomla was installed, you will get the Joomla installation screen, since we effectively just deleted our old Joomla site, and uploaded the new Joomla core files. The next thing you’ll want to do is re-upload your configuration.php file back to the server. This file contains all of the information such as what database Joomla should use.


    You’ll also want to delete the installation folder, as this is a security requirement of Joomla.
  9. Now if you try to go to your Joomla website again, it should have all of your content pulled from the Joomla MySQL database, but it will be now using verified as good and clean core files for Joomla. Hopefully, now any traces of a hack that you found on your account should be gone. However, if you are still seeing some strange activity, this could mean that the attacker successfully exploited your Joomla database, in which case a more thorough investigation of your database would need to be done.

Upgrade Joomla 1.5 to 2.5 to Prevent Hacks

Now that you’ve hopefully successfully removed any hacks from your old Joomla 1.5 site, it is very important to update your installation to Joomla 2.5 so that an attacker doesn’t simply come back and hack your website again.

This technically isn’t an upgrade, but a migration, as the two versions of Joomla aren’t directly compatible. The process can vary greatly depending on the complexity of your Joomla website and what modules or extensions you’ve used. We would strongly recommend at least glancing at the official Joomla documentation that they have for migrating from Joomla 1.5 to Joomla 2.5 before proceeding with the steps below.

  1. You can use the jUpgrade extension which can be directly downloaded from jUpgrade downloads. You should end up with a com_jupgrade-2.5.2.zip archive of the extension.
  2. Login to your Joomla admin. Then hover over Extensions and click on Install / Uninstall.
  3. Under the Upload Package File section, click on Choose file and then browse your local computer for the com_jupgrade-2.5.2.zip file. Then click on Upload files & Install.
  4. Hover over Extensions again, and this time click on Plugin Manager.
  5. In the Filter field, type in mootools and click Go. Beside the System – Mootools Upgrade plugin, click on the red x under the Enabled column to enable the plugin.
  6. Hover over Components, then click on jUpgrade.
  7. Now just click on the big Start Upgrade button to begin the process.


    You should see the jUpgrade upgrade begin and it will update you on the current step in the process. When complete you’ll get a Joomla 2.5 Upgrade Finished! message.
  8. Now if you visit your website with /jupgrade appended to the end, you should see your upgraded Joomla site. jUpgrade leaves your main Joomla 1.5 site still intact so you can test things. Here you can see on my example.com site when accessing the /jupgrade directory the Main Menu for instance has changed.
  9. Now in your FTP client again, create a new folder called old_joomla. This can be done by right-clicking on the server-side of files and selecting Create directory, in the Create directory pop-up enter the name of the directory then click OK.


    Next, click on any of the files or folders, and then hit Ctrl-A to select all the files. Then hit just Ctrl and click on the newly created old_joomla directory to de-select it, and also the jupgrade folder. Then finally drag all of the other selected files into the old_joomla directory.
  10. Now navigate into the jupgrade folder, hit Ctrl-A to select all files, then drag them up into the /public_html directory one level up.
  11. Now you should see the Joomla 2.5 website when just accessing your domain normally, and if you login to the Joomla admin, you’ll notice the new version reflected as well.
    joomla 2.5 upgrade complete main sitejoomla 2.5 upgrade complete admin

Hopefully, you now have a good idea of how to ensure your Joomla website isn’t currently hacked, and if it was how to clean up the hack or reinstall Joomla. Make sure going forward you always keep your Joomla install updated to prevent any further issues, and as always if you’re still having any issues please leave us a comment!

InMotion Hosting Contributor
InMotion Hosting Contributor Content Writer

InMotion Hosting contributors are highly knowledgeable individuals who create relevant content on new trends and troubleshooting techniques to help you achieve your online goals!

More Articles by InMotion Hosting

0 thoughts on “Fix Joomla Hack and Upgrade for Security

  1. This seems to be a pretty bad one! A few tips:

    1. Be sure to check Google blacklisting status & also do a *’fetch as google’* to check if there’s malware showing up in search results.

    2. It is recommended to find all the external calls from the website to other domains (usually hackers point credit card details to their own domains or emails).

    3. A diff command would go a long way:

    mkdir joomla-3.6.4

    cd joomla-3.6.4

    wget https://github.com/joomla/joomla-cms/releases/download/3.6.4/Joomla_3.6.4-Stable-Full_Package.tar.gz

    tar -zxvf Joomla_3.6.4-Stable-Full_Package.tar.gz

    diff -r joomla-3.6.4 ./public_html

    There are more steps which can be checked from this URL.

    1. Hey thanks for your feedback! Your contribution to our Community Support Center is appreciated. I hope you don’t mind, I marked up your response to format it nicely. Thanks for providing that link as well. It seems like a good resource.

    1. Did you upload the zip package to your public_html directory and extract it? Do you see the folder within your cPanel File Manager?

Was this article helpful? Join the conversation!