Following the various zero‑days in popular Joomla extensions that were discovered in June 2026, we have been asked what to do to “clean up” your site after it has been hacked. Let’s explore some options.
Using a backup
In an ideal world you have recent, tested backups. Your backup from before the hack can be restored without problem and you are happy with it. In this ideal world you only need to follow a few easy steps:
- Keep a copy of your backup archive files. Make sure you have a copy of all archive files. By default they are stored in `administrator/components/com_akeebabackup/backup` and have extensions of `.jpa`, `.jps`, `.zip`, as well as `.j01`, `.j02`, … or `.z01`, `.z02`, … Remember to download all of them. The `.jXX` files belong to the same‑named `.jpa` or `.jps` archive, whereas the `.zXX` files belong to the `.zip` archive. They are not separate archives; they are parts of the same archive.
- Delete all files. Delete every file from your site. Extracting a backup archive only creates new files and overwrites existing ones; it does not delete files that did not exist at backup time. There is no point restoring a backup only to leave the malicious files from the hack on your server. Deleting everything beforehand addresses this issue.
- Upload Kickstart and the backup archive files. Upload Kickstart together with the backup archive file(s) and run Kickstart to extract them.
- Run the restoration, replacing all database tables. Proceed with the restoration as described in the documentation. When you reach the *Database Restoration* step, look at the right‑hand sidebar. Set With Existing to Drop Same Prefix. This will remove all Joomla database tables before restoring them from the backup.
This should be enough to clean up your site. If you are not entirely sure, you can of course follow the steps below as well.
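Before deleting everything from the site, it is worth confirming that the downloaded archive set is complete. The following is an added example, not part of the original article or of Akeeba's software: it groups a directory listing by archive, using the extension rules from the first step, and reports numbering gaps or a missing main file. The file names in `SAMPLE` are constructed.

```python
import re
from collections import defaultdict

# Part files: .j01, .j02, ... (for .jpa/.jps) and .z01, .z02, ... (for .zip)
PART_RE = re.compile(r"^(?P<base>.+)\.(?P<family>[jz])(?P<num>\d{2,})$", re.I)
MAIN_EXTS = {"j": (".jpa", ".jps"), "z": (".zip",)}

# Constructed directory listing, for illustration only.
SAMPLE = [
    "site-a.jpa", "site-a.j01", "site-a.j02",   # complete multi-part archive
    "site-b.zip", "site-b.z01", "site-b.z03",   # .z02 was not downloaded
    "site-c.j01",                               # main .jpa/.jps file is absent
    "site-d.jps",                               # single-part archive
]


def check_archive_sets(filenames):
    """Return {(base, family): [problems]}; an empty list means no gap was found.

    A missing highest-numbered part cannot be detected from names alone.
    """
    mains = set()
    parts = defaultdict(set)
    for name in filenames:
        m = PART_RE.match(name)
        if m:
            parts[(m["base"], m["family"].lower())].add(int(m["num"]))
            continue
        for family, exts in MAIN_EXTS.items():
            if name.lower().endswith(exts):
                mains.add((name.rsplit(".", 1)[0], family))
    report = {}
    for key in sorted(mains | set(parts)):
        family = key[1]
        problems = []
        if key not in mains:
            problems.append("main archive file missing")
        nums = parts.get(key, set())
        gaps = sorted(set(range(1, max(nums, default=0) + 1)) - nums)
        if gaps:
            problems.append("missing parts: " + ", ".join(f".{family}{n:02d}" for n in gaps))
        report[key] = problems
    return report


if __name__ == "__main__":
    for (base, family), problems in check_archive_sets(SAMPLE).items():
        print(base, family, problems or "looks complete")
```

To check a real download folder, pass `os.listdir()` of that folder instead of `SAMPLE`.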
Manual clean‑up
If you do not have a backup, or if it is practically unusable, all is not lost. The goal now is to clean the site carefully, reduce the risk of further damage, and preserve the ability to roll back each change you make.
- Take a backup before doing anything else.
Before making any changes, take a full backup of the site. If something breaks, this lets you revert one step instead of worsening the situation.
After every step below that changes your site, take another backup. This is tedious and time‑consuming, but it can save you if something goes badly wrong.
- Put the site offline.
Set the site offline in Joomla’s Global Configuration.
Also enable Admin Tools’ *Emergency Off‑Line* feature. This makes the site accessible only from your current IP address, preventing everyone else from accessing it while you work.
- Harden access with Admin Tools.
Make sure you are using Admin Tools’ .htaccess Maker.
Ensure that both *Frontend Protection* and *Backend Protection* are enabled (they are enabled by default).
Also enable *Administrator Password Protection* and the *Secret URL Parameter* feature. These help prevent hacked files from being executed via the web and stop unauthorised administrators from logging in.
- Kick out all active users.
Use Admin Tools’ *Purge Sessions* feature.
This logs out all other users, including anyone who may currently have unauthorised access.
- Clear cache and temporary files.
Clear Joomla’s cache.
Delete all files from the `administrator/cache` directory.
Then use Admin Tools’ *Clean Temp‑Directory* feature. This removes possibly hacked files from locations that may not be scanned and that should already be protected from web access by .htaccess Maker.
- Review user‑group permissions.
Go through all user groups.
Only the following groups should have elevated permissions:
- Super Users should have the *Super User* privilege.
- Administrators should have the *Administrator* privilege.
- Super Users, Administrators and Managers should have the *Backend Login* privilege.
If any other group has elevated permissions, adjust them accordingly.
- Review privileged users.
Examine all users in the Super Users, Administrators, Managers and any other privileged groups.
Confirm that only people who absolutely need access still have it.
For any user you do not recognise, disable the account and change its e‑mail address. This helps ensure there are no rogue users who can make changes without your consent.
- Reinstall Joomla core files.
Go to System → Update → Joomla.
Click *Check for Updates*, then click *Reinstall Joomla! Core Files*.
This refreshes Joomla’s core files in case any of them were modified. After this step, files shipped with Joomla itself should be considered clean.
- Reinstall or update all extensions.
Ideally reinstall and/or update every extension used by the site.
This ensures that extension files are replaced with clean copies and that known vulnerabilities are patched where updates are available.
- Run the PHP File Change Scanner.
Run Admin Tools’ *PHP File Change Scanner*.
This may take a while and will probably report many files. Do not panic; most reported files are not malicious.
If a reported file belongs to Joomla core or to an installed extension, compare it with the same file from the official installation ZIP package. If the file matches the one in the ZIP package, mark it as safe.
- Identify and remove suspicious files.
After reviewing the scan results, you will likely end up with either no files left to check or only a few suspicious files.
Suspicious files often have odd names and are commonly found in directories where PHP files should not exist, such as `media` or `images`.
Delete the files you have confirmed to be suspicious.
- Bring the site back online.
At this point the site should be clean.
Disable Admin Tools’ *Emergency Off‑Line* mode, then disable Joomla’s offline mode.
Your site should now be cleaned, hardened and back online. Keep the backups you created during the process until you are confident the site is stable, and continue monitoring it closely for any signs of reinfection or unauthorised access.
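The comparison against the official ZIP package and the check for PHP files under `media` or `images`, described in the scanner and suspicious-file steps, can be scripted when the list of reported files is long. This is an added example, not code from the original article or from Admin Tools; it assumes the package's internal paths mirror the site's relative paths, and the package contents and site tree in `demo()` are constructed.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Directories the text names as places where PHP files should not exist.
NO_PHP_DIRS = {"media", "images"}


def triage(site_root, package_zip, reported):
    """Classify reported paths (POSIX-style, relative to the site root)."""
    result = {}
    with zipfile.ZipFile(package_zip) as zf:
        shipped = set(zf.namelist())
        for rel in reported:
            on_disk = (Path(site_root) / rel).read_bytes()
            if rel in shipped:
                same = (hashlib.sha256(on_disk).digest()
                        == hashlib.sha256(zf.read(rel)).digest())
                result[rel] = "matches package" if same else "differs from package"
            elif (PurePosixPath(rel).parts[0] in NO_PHP_DIRS
                  and rel.lower().endswith(".php")):
                result[rel] = "PHP in no-PHP directory"
            else:
                result[rel] = "not in package"
    return result


def demo():
    """Constructed sample: a tiny stand-in package and a site tree built from it."""
    pkg = io.BytesIO()
    with zipfile.ZipFile(pkg, "w") as zf:
        zf.writestr("index.php", "<?php // shipped entry point\n")
        zf.writestr("libraries/loader.php", "<?php // shipped loader\n")
    with tempfile.TemporaryDirectory() as root:
        files = {
            "index.php": "<?php // shipped entry point\n",
            "libraries/loader.php": "<?php // shipped loader\n// appended line\n",
            "images/banner.php": "<?php // not shipped\n",
            "components/com_example/example.php": "<?php // third-party extension\n",
        }
        for rel, body in files.items():
            target = Path(root) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body.encode())
        return triage(root, pkg, sorted(files))


if __name__ == "__main__":
    for rel, verdict in demo().items():
        print(f"{verdict:24} {rel}")
```

Files reported as "not in package" may still belong to an installed extension, so compare those against that extension's own package before deciding.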
What to do going forward
In the wise words of Benjamin Franklin, “an ounce of prevention is worth a pound of cure”. While you can never be absolutely invulnerable to every conceivable hack, you can at least make it extremely hard for your site to be compromised – and have reliable backups to fall back on should things go awry.
Admin Tools Professional provides the tools to harden your site. Its Web Application Firewall blocks most attacks before they reach Joomla. If an extension contains a vulnerability that bypasses Joomla (and therefore Admin Tools), the .htaccess Maker still protects you. Frontend Protection and Backend Protection ensure that any malicious files uploaded by an attacker cannot be executed, mitigating the risk. Using the *Monitor Super User Accounts*, *Administrator Password Protection* and *Secret URL Parameter* features, you can be confident that no new privileged accounts will be created without your knowledge, and even if they are, they will not be able to log in.
Akeeba Backup Professional can take frequent, off‑site backups automatically, making it easy to revert to a clean version of your site when needed. With two decades of experience backing up sites of all sizes and on every kind of hosting, chances are we already have a solution that matches your use case.
Use Akeeba Panopticon to keep a keen eye on your sites. You will never miss a critical security update in the Joomla core or in third‑party extensions. This is especially useful if you manage more than a small handful of sites. It is free and self‑hosted.